Disabling Java, Fuzzing an X-Ray Machine and Watching Cat Videos


In this week’s Drunken Security News, covering the stories the Security Weekly crew were talking about, Paul described following the advice of security experts around the world, including the Department of Homeland Security, and disabling Java in all of his browsers. You may remember the mild hysteria a week or so ago when the Java 0day was released. Keeping in mind that Java != JavaScript, you might find that unless your business has a requirement to use Java, you almost never need it. When Paul went to uninstall it from his Chrome browser, it wasn’t even there! So much for Java being everywhere.

See Paul and John’s January 29th webcast on why NOT to uninstall Java

Paul also got a little worked up over an article where the author compared selling vulnerabilities to shooting someone with a gun. From the article: "If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops – it’s the same concept." About the only thing this quote does is jump on the current hysteria surrounding guns. Why not say selling vulnerabilities is the same thing as Kim and Kanye having a baby? Or the same thing as a guy taking drugs so he can pedal a bicycle faster? It’s about as accurate. If you get shot with a gun, every single human is going to get hurt or worse. That’s just a fact of nature. However, a 0day vulnerability is either harmless or would not even exist in the first place if developers started writing better code. If you don’t ever interact with any Java code, a Java 0day will not affect you. So no, guns and computer vulnerabilities are not the same thing.

The guys also talked about a couple of researchers who were able to fuzz the remote authentication system of a hospital x-ray machine and then get access to anything they wanted. Just as previous demonstrations have shown that you can hack an insulin pump or even someone’s pacemaker, this shows that the medical and medical device fields have a long way to go toward incorporating a security mindset.

Want to make a little cash on the side and have some familiarity with hacking Adobe products or Internet Explorer? A bug bounty program is offering $7,000 for new vulnerabilities on each. Have at it.

Lastly, this was probably our favorite story of the week, and it explains why it’s a good idea to proactively check your logs. According to the Verizon Risk Team Security Report, one company checked their logs and found a long-term and frequent open VPN connection to China. At first, they believed someone was infected with malware, as the connection was always to the same machine. However, upon further investigation, there was no malware. The connection was intentional. One of their employees had found a way to outsource his own job to China! Instead of developing code, he’d do some shopping on eBay, post some status updates on Facebook and enjoy cat videos. However, a couple of other ironies stuck out about this guy. He was frequently commended for writing great, clean code and completing projects in a very timely manner. He was seen as one of the best employees in the firm. Additionally, he was able to defeat his company’s two-factor authentication requirement by sending his RSA token to China via FedEx. Our take on this? This man clearly needs to be promoted to management. He has some serious management potential.
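The kind of log review that caught this is simple to automate. As an added example (not from the original post or the Verizon report), the Python below runs a detection pass over a constructed VPN session log and flags a user whose sessions recur for hours every day to the same remote host, or whose peer geolocates outside the countries you expect. The log format, the IP addresses and the country lookup are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN session log: timestamp, user, remote IP, seconds.
# 203.0.113.7 and 198.51.100.22 are documentation addresses, not real peers.
SAMPLE_LOG = """\
2012-11-05T08:02:11Z bob 203.0.113.7 31800
2012-11-05T17:40:05Z alice 198.51.100.22 900
2012-11-06T08:01:47Z bob 203.0.113.7 32100
2012-11-07T08:03:09Z bob 203.0.113.7 31500
2012-11-07T12:15:30Z alice 198.51.100.22 600
2012-11-08T08:00:58Z bob 203.0.113.7 31900
"""

# Constructed stand-in for a GeoIP lookup; a real deployment would query one.
COUNTRY_BY_IP = {"203.0.113.7": "CN", "198.51.100.22": "US"}


def parse_sessions(text):
    """Parse one session per line into (user, remote_ip, started, seconds)."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, secs = line.split()
        started = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        sessions.append((user, ip, started, int(secs)))
    return sessions


def find_suspicious(sessions, min_days=3, min_hours=6, expected_countries=("US",)):
    """Flag (user, remote IP) pairs that recur on >= min_days distinct days with
    a mean session length >= min_hours, or that terminate in an unexpected
    country. Returns (user, ip, country, days_seen, mean_hours) tuples."""
    by_peer = defaultdict(list)
    for user, ip, started, secs in sessions:
        by_peer[(user, ip)].append((started.date(), secs))
    findings = []
    for (user, ip), hits in by_peer.items():
        days_seen = len({day for day, _ in hits})
        mean_hours = sum(secs for _, secs in hits) / len(hits) / 3600
        country = COUNTRY_BY_IP.get(ip, "??")
        persistent = days_seen >= min_days and mean_hours >= min_hours
        if persistent or country not in expected_countries:
            findings.append((user, ip, country, days_seen, round(mean_hours, 1)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_sessions(SAMPLE_LOG)):
        print("review:", finding)
```

The persistence test alone would have flagged this account even if the peer had been in an expected country; the geolocation test catches shorter sessions to a peer that should not exist at all.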

And if you’ve made it this far, as we talked about on the show, please follow Jack Daniel on Twitter for some daily enlightenment.

Patrick Laverty

Patrick is a Security Consultant and a Penetration Tester for Rapid7. He has an Executive Master’s in Cyber Security from Brown University, and he coordinates and executes the SE-RI Conference.
