The digest of current topics on Continuous Availability. More than Business Continuity Planning.
BCP tells you how to recover from the effects of downtime.
CA tells you how to avoid the effects of downtime.
In this issue:
Department of Homeland Security Says “Disable Java”
If DHS takes the unprecedented action of suggesting that certain software should be disabled, we had better pay attention. On January 10, 2013, the Computer Emergency Readiness Team (CERT) of the U.S. Department of Homeland Security (DHS) issued an alert describing a newly discovered vulnerability in Java 7 that allows hackers to install malicious code. The alert pertains primarily to browsers using Java since the vulnerability involves a malicious applet that is downloaded from an infected web site. The applet can escalate its privileges without requiring code signing, thus granting permission to itself to run arbitrary code.
This vulnerability is being actively exploited. Explicit code is available in “exploit kits,” which are pre-packaged, for-sale toolkits that can be used to install malicious code. Windows, Mac OS, and Linux systems are all affected.
DHS has a simple solution – disable Java.
The vulnerability is described in more detail in this issue’s Best Practices article entitled “Department of Homeland Security Says, 'Disable Java'.”
Rarely does a government agency recommend the disabling of software. This action clearly indicates the severity of the vulnerability. Even worse, DHS says that it is currently unaware of a practical solution to the problem. In fact, vulnerabilities continue to be found.
Dr. Bill Highleyman, Managing Editor
Casa Ley is one of Mexico’s largest, privately held grocery-store chains. It operates almost 200 supermarkets that serve over forty cities in Mexico. The company has over 22,000 employees.
The retailer initially turned to HSBC as its acquiring bank to provide and manage its point-of-sale (POS) terminals. The terminals offer many services to the retailer’s customers beyond paying for in-store purchases with credit cards and debit cards. For instance, cell phones can be topped off, bank deposits can be made, and bills can be paid online at the cash register.
Casa Ley subsequently decided to provide its own transaction-authorization switch to save card transaction fees and turned to ACI Worldwide’s BASE24 system running on HP NonStop servers for this purpose. When ACI announced its termination of support for BASE24 on NonStop servers, Casa Ley upgraded its transaction-authorization switch to Opsol’s OmniPayments and realized several additional benefits in the process. The primary benefits were upgrading to a modern active/active solution providing continuous availability at a lower price.
Our October, 2012, Never Again article “Islamic Hacktivists Attack U.S. Banks” described massive Distributed Denial of Service (DDoS) attacks against major U.S. banks carried out by Islamic hacktivists in retaliation for the posting on YouTube of the offensive anti-Islamic video entitled “Innocence of Muslims.” The group vowed to continue the attacks until the “nasty movie” was removed from the Internet.
The group has proven to be good to its word. Attacks were restarted against several banks in mid-December and continue to this day. The attacks are becoming more sophisticated. They have moved from a volunteer PC botnet to the use of data-center web servers to launch massive amounts of malicious traffic.
There is no absolute defense against DDoS attacks. Attackers become sophisticated more quickly than new, effective defenses can be deployed. Any online server, regardless of its sophistication, can be overwhelmed with enough traffic; and a dedicated attacker can generate whatever amount of malicious traffic is required to achieve its goals.
The good news is that mitigation efforts are showing some results. DDoS attacks against banks have grown less frequent. Attacks are lasting for a shorter period of time and are causing less damage.
On January 10, 2013, the Computer Emergency Readiness Team (CERT) of the U.S. Department of Homeland Security (DHS) issued an alert urging computer users to disable Java in their browsers. This unprecedented action followed the discovery of a serious Java vulnerability that allows hackers to infect PCs with malicious code. The vulnerability has existed undetected for some time.
Java is a language used by hundreds of millions of computers worldwide to access interactive content and web applications. Oracle Corp. purchased Java as part of its U.S. $7.3 billion acquisition of Sun Microsystems in 2010.
According to security software maker Kaspersky Labs, Java was the most frequently attacked piece of software in 2012 and accounted for 50% of all cyber attacks that year. Kaspersky Labs is the Russian security company that discovered the devastating Stuxnet virus.
Rarely does a government agency recommend the disabling of software. This action clearly indicates the severity of the vulnerability. Even worse, DHS says that it is currently unaware of a practical solution to the problem.
The pharmaceutical industry continues to face challenges in controlling and preventing environmental pollution. The industry is growing at a rapid pace with increased production and accelerated research and development activities. With the industry’s expansion, its impact on the environment is also intensifying.
In order to take preventative measures against pharmaceutical pollution, all manufacturing and distribution processes must be carefully monitored and controlled. This requires the use of computerized systems to collect information in real time from potential polluting processes and to report this information to management in order to assist it in making decisions using up-to-date information. These systems must be highly available (four nines and beyond), as a serious lapse in reporting may have a devastating environmental impact should something go wrong during the system’s downtime.
An added plus of environmental management is that practices that adversely impact the environment are often wasteful. Reducing a company’s environmental footprint may also lead to cost savings. Wasted raw materials and returned goods do not add any value to a company. Effective management of the environmental aspects of a company’s operation can improve its bottom line.
Sign up for your free subscription at http://www.availabilitydigest.com/signups.htm
The Availability Digest is published monthly. It may be distributed freely. Please pass it on to an associate.
Managing Editor - Dr. Bill Highleyman firstname.lastname@example.org.
© 2013 Sombers Associates, Inc., and W. H. Highleyman