Java's reputation took a beating again after Facebook revealed that attackers had infiltrated its internal systems by exploiting a zero-day vulnerability.

As PCMag.com reported late yesterday afternoon, Facebook said its systems had been "targeted in a sophisticated attack" in January. Some Facebook employees, presumably developers, were infected after visiting a third-party mobile developer site, the company said in a Facebook Security post on the site. Attackers had previously compromised the developer site and injected malicious code that exploited a security hole in the Java plugin. The zero-day exploit bypassed the Java sandbox to install the malware on victim computers, Facebook said.

Facebook reported the exploit to Oracle, and it was patched Feb. 1. Oracle at the time said the fix had been scheduled for Feb. 19, but that it had accelerated the release because the flaw was being exploited in the wild. It's not clear at this point which of the 39 (out of 50) Java Runtime Environment bugs fixed in that patch was the one used in this exploit.

Facebook assured users that none of the user data had been compromised in the attack, but did not indicate whether any of its internal data had been affected.

Twitter the Other Victim?

As SecurityWatch previously reported, Twitter's director of information security Bob Lord has said, "We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers."

Piling on AV Not the Point

The story to focus on here is not whether antivirus should have detected the Java exploit, but rather that Facebook successfully used its layered defense to detect and stop the attack. The company's security team continuously monitors the infrastructure for attacks and flagged the suspicious domain in the corporate DNS logs, Facebook said. The team traced it back to an employee laptop, found a malicious file after conducting a forensic examination, and flagged several other compromised laptops with the same file.

"Hats off to Facebook for their quick reaction to this attack, they nipped it in the bud," Andrew Storms, director of security operations at nCircle, told SecurityWatch.

Along with layered security, Facebook also regularly conducts simulations and drills to test defenses and work with incident responders. Ars Technica recently chronicled a fascinating account of one such exercise at Facebook where the security teams thought they were dealing with a zero-day exploit and backdoor code. These kinds of simulations are used in several organizations, both in the public and private sectors.

Not so Easy to Get Rid of Java

Attackers are getting sneaky, compromising legitimate sites and attacking visitors to those sites. Keep your software and operating system patched, and run up-to-date security software. Reduce your attack surface where you can, but most importantly, be aware of what is happening on your network.

via Technology - Google News http://news.google.com/news/url?sa=t&fd=R&usg=AFQjCNEulzxp38cE6lRaSdckbCGf65JGpw&url=http://securitywatch.pcmag.com/none/308172-facebook-attackers-exploited-java-zero-day-bug
| | |||
| | |||
|
No comments:
Post a Comment