Disable Java in your browsers now

Java is a computer language for getting things done. If you have Java installed on your computer, you have enabled your computer to “talk” this language, which is a good thing.

Problem is, nowadays Java is used primarily to remotely take control of your computer by criminals and use your resources and information to make money. This is a bad thing.

Therefore, I will echo the advice of most computer security experts and suggest that you disable Java for your browsers (Firefox, Internet Explorer, Chrome etc) now.

Windows users are the ones most at risk – there are known exploit kits out there that actively exploit Java to take control of your computer. First, check if you have Java installed on your computer – is there a “Java” icon in Windows’ Control Panel? If not, you have nothing to worry about as you don’t have Java on your computer.

If, as most people, you do have Java installed, don’t worry, it’s easy to secure it: Two steps:

  1. Update your installation of Java to the latest version released by Oracle here: http://java.com/en/download/manual.jsp – After downloading and installing it, you will have the latest and more secure Java for your computer to use.
  2. Disable the use of Java in your browsers, by going to Control Panel, then “Java”, and then in the “Security” tab un-ticking the box before “Enable Java content in the browser“.Disabling Java for browsers

That’s all you need to do.

Note: GNU/Linux and Mac users, you are not out of danger – the same vulnerability can be used to exploit your systems too, so it’s recommended that you disable Java in your browsers as well. See my advice from 2011 about “How much Java do you need?” and Brian Krebs’ recent FAQ for more.

The financial services industry view on cybercrime

I recently attended Jim Oakes’ “Cybercrime, Global Underground Economy Developments and Challenges” talk. All the hype about his 30-year service for the police, anti-fraud teams, financial services organisations yada yada made me very sceptical to begin with, but the session turned into a quite useful overview of the (depressingly many) ways you can be ripped off by criminals while doing business with/through your bank.

I let this draft lie for a few months now, as I wasn’t sure how to digest the hordes of information in Jim’s presentation into a more friendly, easily digestable message. Shall we just say it’s pretty bad out there?

Practical advice:

  • DO NOT use the same password for different websites. Use something like Oplop to generate passwords and a password manager to store them.
  • DO NOT do eBanking from your smartphone just yet. I have some reservations about the iPhone, but Android phones can certainly currently not be trusted.
  • If you need to do eBanking using a computer (laptop, desktop etc) then start the computer with a bootable CD or USB disk and then do your eBanking. Unless you are personally targeted by law enforcement or criminals, this should give you a computer you can trust. Don’t take my word for it – take Krebs‘ word for it. Computer security is in *such* a sad state.

The myth of the pimples-ridden malware author

Overheard in an Internet Cafe recently:

(guy storms in and purposefully walks towards the counter)

Distressed guy: “Hi, I have a virus on this USB stick and I can´t use it, can you clean it for me?”

Internet Cafe attendant: “…”

Distressed guy: “Look, I didn´t do anything funny, just because some little c*** has nothing better to do but write a virus I can´t access my files now!”

I take issue with this statement. It regurgitates the popular misconception that malware (also known as a virus, a worm, a trojan) is software written by someone who hates mankind. It is their effort to take blind revenge on the world, to mindlessly harm everyone for no real reason other than malice.

Er… no.

Malware takes effort to create. This means skill, patience, equipment and time. All this means money.

Slightly paraphrasing Mikko Hypponen, most malware is created for three reasons:

  1. Money via criminal activities. See Peter Gutmann’s figures in his “The Commercial Malware Industry” from years ago to glimpse at just how much money is involved in this global underground market.
  2. Idealism – which creates the composite term “hacktivism”. Groups like Anonymous fall in this category.
  3. Control – this is state-level information warfare waged either against other nation-states or against the state’s citizens.

Some years ago, malware might have been an annoying prank of kids who had a gripe against the world.

This is no longer the case. Things are far more serious now.