DHS Warns About Java; Red October Connection?

A few days ago, the U.S. Department of Homeland Security issued a warning to temporarily disable Java on your computers, warning of:

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

Now this morning we have this from ARS Technica: Red October relied on Java exploit to infect PCs

Attackers behind a massive espionage malware campaign that went undetected for five years relied in part on a vulnerability in the widely deployed Java software framework to ensnare their victims, a security researcher said.


Oracle developers patched the bug in October, 2011, the malicious Java archive file was compiled the following February.

Be warned.

The Skin Gun

And now for something completely different.

As you probably know, I generally use this blog to talk about entertaining and fun and unusually talented people, many of whom are friends of mine, and some of which you may not know about.  I generally stick to anything involving the creative arts, but am open to anything that’s interesting and perhaps a bit unusual.

This is one of those posts, and it’s not just fascinating, it represents a significant medical breakthrough.  And it’s a bit serious, so brace yourself for the subject matter.

Below is a video on YouTube that is a snippet of a National Geographic piece about something new they’re calling the “Skin Gun”.  The idea is that if someone is a burn victim and has lost a relatively large area of skin, this spray gun, which is sort of like a spray paint device, can be used to apply a solution to the burned area and allow the patient to heal quickly.

And “quickly” is an understatement.  In the video, you’ll see the first patient on which the device was used – Matthew Uram, described in the video as a Pennsylvania state police officer.   After experiencing second-degree burns, his doctor asked him if he was interested in trying this device, and he did.  It took 90 minutes to prepare the solution and apply it.  “They did it on a Friday, my follow-up was that Monday and … it was healed.”


Note:  I generally embed videos into my blog posts, but the video below is not embedded.  It looks like it is, but when you click on it, you’ll see how it reacts and you’ll be able to tell that it’s not embedded, it’s actually a link to the YouTube site, so you’ll see it over on the YouTube site.  The reason I set it up in this unusual way is simple:  if I embed a YouTube video, the video automatically incorporates the “splash” screen chosen by the YouTube user who uploaded the video.  For this video, the user apparently chose a somewhat shocking “splash” image from the video of a burn victim.  It makes sense over at YouTube, he was clearly trying to get attention and convey that it’s a burn victim video.  And you’ll see that image in the video below.  It’s not completely revolting – I’m sure you’ve seen worse – but it’s a bit shocking in the context of Skere9, which is a fun and entertaining site.  I wanted a chance to say “brace yourself” first.  So consider yourself warned!

The video is below, and highly fascinating.


The Skin Gun

Security Inside The Perimeter

A key in a keyboard lock

One of the issues that was being discussed at this past Oracle Open World 2012 was the importance of considering security during the design stage of a system development effort.  Technology journalist Michael Lee wrote about this issue last fall in a piece titled Developers ignore their security responsibilities: Oracle.  In it, Lee addressed the observations of Oracle Chief Security Officer Mary Ann Davidson:

Marines don’t consider perimeters to be completely unbreachable, and hence, need to be prepared to defend themselves from attack from the inside … Davidson said that many organisations still assumed that attackers won’t get inside their perimeter … [1]

Davidson is totally right, but it is starting to change.  An increasing number of the customers I work with are starting to operate on the assumption that security perimeters will be breached.  Security measures are no longer limited to protection at the perimeter.

This is one place where analytics can play a role.  I’m not just talking about security information and event management (SIEM).  Through data collection and pattern analysis, an alert system can proactively monitor for aberrations in the data flows and process flows within a system, and can help identify probabilities of a possible intrusion and take actions accordingly. But the point is that most security starts with a healthy dose of common sense, applied at all levels of a system’s operational capabilities.

I live in the suburbs of Washington, DC, but recently attended an NFL football game in Philadelphia, and afterwards was having dinner in downtown Philly, when I received a call on my mobile phone from Visa.  They said it was a courtesy call regarding my credit card, and offered some proof of who they were and how they knew my account, and then asked a few questions to confirm who I was.  The exchange was professional and left me confident of the authenticity of the call.  They then asked if they could review a few recent purchase requests on my credit card, and I said – sure.  Sitting there in the restaurant, I listened as they asked me if I had authorized a purchase of gasoline in Pennsylvania that morning?  I said well yes, as a matter of fact, and feeling comfortable that they were who they said they were, I offered that I was heading to the Redskins-Eagles game that day, and was intending to use the same card to pay for the dinner I was eating as they were speaking to me.

They then asked if I’d attempted to purchase a washing machine at a Target department store in Washington, DC on that same afternoon.

I said – uh – no.  I was sitting in the Eagles stadium in Philadelphia about that time.

What about a refrigerator at a second location, also in DC?

Definitely not.

They then said well, you probably didn’t authorize these additional six or seven attempts to purchase large appliances at five different department stores in Washington, DC this afternoon, if you’re in Philly at a football game.  I said – no, not at all.

Thank you, they said, we rejected all of those attempts and just wanted to confirm we did the right thing.  And should you use the card to purchase your dinner tonight, it will be approved with no problem.  But we’re going to cancel this number and issue a new credit card to you, you’ll not be charged.

I said – thank you.

I enjoyed the rest of dinner, paid for it with no trouble, and two days later I had my new credit card with the new number.  I was never charged anything inaccurate or fraudulent.  It all worked out remarkably well.

To help put the incident in perspective, I had the correct physical credit card with me at all times, and the would-be scammer did not, but whoever it was had my credit card number, and he or she was attempting to use the number alone – without the card – to make these purchases.  Visa rejected them all, and according to what they told me, it was in large part due to the fact that the purchases conflicted with my patterns.  Also, this all happened right before Visa began issuing cards with an additional numeric code printed on the back of the card.  That started immediately after these events, so it didn’t apply to these circumstances.

At the end of the day, security is not only about the latest technological breakthrough.  It’s about a combination of two things:

  • A sound understanding of the how the fundamentals of technology operate
  • A common sense approach to defense against classic con games

Any system developer must keep these concepts in mind, and recognize them in securing perimeters, and in developing a solid plan of defense for those times when perimeters are broken.  Perimeters will be broken.  The only question is:  how will you respond?


[1] http://www.zdnet.com/developers-ignore-their-security-responsibilities-oracle-7000005808/

Social Media Rock Stars Jon Ealy and Jeremiah Anthony

In October 2011, two students at Iowa City’s West High decided to use social networking to complimenet and encourage fellow students, as something of a counter to the practice of cyber-bullying that’s been reported in various news articles lately. The students are named Jon Ealy and Jeremiah Anthony. The practice has attracted a good amount of notice, particularly from Skere9.  There’s a photo at Pinterest of Jon and Jeremiah working together on the sites.  Their sites include a Twitter account named @WestHighBros.

And here’s a video – that only mentions Jeremiah for some reason, but – see below.

For “Old Christmas”: Carrie Underwood and “How Great Thou Art”

Today is January 6, which is “Old Christmas” in many parts of the world.  In Ireland, January 6 is observed as “Little Christmas“. The Feast of Epiphany may or may not be January 6 – it depends.  But the tradition of “Old Christmas” is always observed on January 6.

January 6 is also the day my grandfather passed away, twenty-seven years ago today, a day I’ll never forget.  He was born in Myrtle Beach, South Carolina on December 25 – Christmas Day – and at his funeral, I heard some of the folks there in South Carolina remark that he was born on “New Christmas” and passed away on “Old Christmas”.

My grandfather was James Demery, and he was a great man.  And he played electric guitar a lot like Vince Gill plays in this video, a fact I didn’t know for years, even after I’d picked up the guitar myself at ten years old.  And whenever i think of gospel music like this – which I love – I often think of my grandfather.

I don’t generally post on Sunday, but this isn’t just any Sunday, not to me. So for today, here’s a unique video. This is perhaps the best performance of one of the greatest hymns ever – Carrie Underwood singing “How Great Thou Art”, with Vince Gill on guitar.

For more about Old Christmas, see:

The Cowboy Chicken Club

I had the fortunate opportunity to attend last week’s football game between my favorite team, the Washington Redskins, and our longtime rival, the Dallas Cowboys. The Redskins were victorious, amazingly enough, and we’re all looking forward to going to the playoffs this week, something that hasn’t happened in quite a while.

I was digging around for some old Redskins performance records and stumbled on this fascinating piece of history I’d never heard before, found at Wikipedia page titled Cowboys-Redskins Rivalry“:

In December 1961, an unknown number of Cowboys fans sneaked into D. C. Stadium, armed with bags of chicken feed. When Alaskan snow dogs were to drag Santa Claus onto the field during the halftime show, the pranksters would unleash dozens of hungry chickens onto the field – 75 white, one black. The significance of the black chicken was to symbolize how [Redskins owner George Preston] Marshall was the only owner in the league who would not recruit an African-American football player; Marshall stating, “We’ll start signing Negroes when the Harlem Globetrotters start signing whites.” [1]

Talk about a bizarre moments in football history.


[1] http://en.wikipedia.org/wiki/Cowboys%E2%80%93Redskins_rivalry#Cowboy_Chicken_Club