How to Practise Safe Java

By Ian Sutherland | Hacking

Apr 25

While writing my novel Invasion of Privacy, where the main protagonist is a computer hacker, I discovered that hackers like Java. No, more than that, they love Java. And the reason is simple: its security is like Swiss cheese. Full of holes.

Oracle’s Java Installer Status Window

And then, during an upgrade of Java on my own laptop, I noticed how Oracle, the makers of Java, advertised in their upgrade status window how widely deployed it is. “3 billion devices run Java”, they bragged. I checked on the java.com site. They even break it down for you:

From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

  • 1.1 billion desktops run Java
  • 930 million Java Runtime Environment downloads each year
  • 3 billion mobile phones run Java
  • 31 times more Java phones ship every year than Apple and Android combined
  • 100% of all Blu-ray players run Java
  • 1.4 billion Java Cards are manufactured each year
  • Java powers set-top boxes, printers, games, car navigation systems, ATMs, lottery terminals, medical devices, parking payment stations, and more.

That made me stop and think!

According to Kaspersky Lab, Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs. And the exploits are easily installed. A user only has to visit a website with a malicious Java applet and they’re exposed. The exploits enable the malware to break out of the Java sandbox and gain access to the underlying machine. From there, it’s rapidly downhill for the user – identity theft, data theft, becoming a node in a botnet for malware propagation or launching DDoS attacks against websites – all without the user knowing.

Even the American government has issued warnings that Java should be disabled. But it’s almost impractical. So many legitimate websites use Java applets. Gaming sites are the most popular. Ironically, some banks even use it for their secure login procedures. Over time, it will become less widespread as sites start to use HTML5 and Adobe Flash. But the countdown starts from 3 billion, so that’s a long way to go. And, of course, the hackers will target these alternatives as well.

Abstinence or Contraception?

I have two recommendations for you, depending on the level of your Java dependence. The first approach is complete abstinence. The second is a form of contraception: you only stop wearing protection when you’re willing to risk getting pregnant.

If you are able to live on the web without Java, then I recommend that you disable it wherever possible. Here are the official instructions.

But for most people, this is impractical. The half-way house approach is to run two different internet browsers on your computer. Disable Java on your primary browser, e.g. Microsoft Explorer or Safari, and leave it enabled on the second browser, e.g. Google Chrome or Firefox. Then, whenever you stumble across a site using Java that you absolutely need to use, just fire up the second browser. At least this way, if you stumble across an infected Java site, hopefully you are safely using your primary browser, where Java has been completely disabled.


About the Author

Ian Sutherland is a British crime thriller author. Leveraging his career in the IT industry, Ian’s thrillers shine light on the threats we face from cybercrime as it becomes all too prevalent in our day-to-day lives. Ian lives near London with his wife and two daughters.
