security : Java Glossary

Relative Danger

The most dangerous things are at the top:

1. Opening a file attached to an email, even if at first glance it does not appear to be an executable exe, msi, scr, bat…
2. Installing a program from a lesser known source, usually a zip or exe. Even if a PADSite like CNet verifies it is virus free, it can still do damage.
3. Running anything in your browser from a disreputable/porn site. Don’t accept improved drivers etc.
4. Running an self-signed Applet.
5. Running a signed Applet
6. Installing an program directly from an established company such as O&O.
7. Installing an program directly from a well-known company such as Adobe. Getting it from a third party pirate is suicide.
8. Installing an open source program directly from the authors.
9. Running JavaScript
10. Running an unsigned Applet.

Because installing apps is so common, most people think it is the safest. Not so. An installer or installed app can do anything it wants to any file on your computer. Because of rumours and misunderstanding, people are most afraid of unsigned Java Applets, which are actually the safest form of code. They are much safer than signed Applets. Signed Applet because the identity of the author is assured, are trusted to do almost anything an exe file can do. Unsigned Applets are severely restricted by the sandbox they run in. The restrictions are so onerous that many programmers complained they were too strict. Conversely they think installed exe file must be the safest, simply because they are so common. The industry should have a rating system easy for consumers to understand.

Java Security

Digital Signing And Encryption Schemes

There are many digital signing and encryption protocols. Here is a summary based on a table on page 218 of Web Security & Commerce.

Security Holes

Most of the panic news items about the latest security holes do not concern you. The usual simple preventive measures still apply:

• Do not open email attachments, even from friends.
• Run your virus scans at least weekly.
• Be reluctant about installing software from third party sources or software people you trust did not recommend.
• Keep your OS (Operating System) and software updates fresh.
• Do backups at least weekly so that in a pinch you can erase your entire computer, reinstall all your pass, then restore the files to the state they were before infection. Anything you did not back up, you will lose forever.

You can browser for security at Symantec Find out for example if your browser is secretly blabbing your email address to every website it visits.

Your Java security is only as good as the OS security backing it up. These two websites will probe your OS for security holes and report them back to you. www.DSLREPORTS.com (pay) and grc.com (free). When I ran the GRC (Gibson Research Corporation) ’s report my hair stood on end about all the information NT was blabbing to the universe without my permission.

Windows NT/2000 has over 1000 known security holes. There are ways of plugging some of them. Stat is a tool for managing this giant piece of Swiss cheese.

Books

Book referral for The CERT Oracle Secure Coding Standard for Java

	recommend book⇒The CERT Oracle Secure Coding Standard for Java
	by	Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda	978-0-321-80395-5	paperback
	publisher	Addison-Wesley Professional	978-0-13-288284-2	WebBook
	published	2011-09-18	B005LVNX5W	kindle
(SEI Series in Software Engineering) The CERT Oracle Secure Coding Standard for Java provides rules designed to eliminate insecure coding practices that can lead to exploitable vulnerabilities. Application of the standard’s guidelines will lead to higher-quality systems — robust systems that are more resistant to attack. Such guidelines are required for the wide range of products coded in Java — for devices such as PCs, game players, mobile phones, home appliances and automotive electronics.
Online bookstores carrying The CERT Oracle Secure Coding Standard for Java abe books anz abe books.ca abe books.de amazon.ca amazon.de Chapters Indigo amazon.es Chapters Indigo eBooks iberlibro.com abe books.com abe books.fr amazon.com amazon.fr Barnes & Noble abe books.it Nook at Barnes & Noble amazon.it Kobo junglee.com Google play abe books.co.uk O’Reilly Safari amazon.co.uk Powells other stores
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.

Book referral for Web Security, Privacy and Commerce, second edition

	recommend book⇒Web Security, Privacy and Commerce, second edition
	by	Simson Garfinkel	978-0-596-00045-5	paperback
	publisher	O’Reilly	978-1-4493-0524-6	eBook
	published	2002-01-15	B004V9MQZS	kindle
Good for overview, not practical detail. The shark book.
Online bookstores carrying Web Security, Privacy and Commerce, second edition abe books anz abe books.ca abe books.de amazon.ca amazon.de Chapters Indigo amazon.es Chapters Indigo eBooks iberlibro.com abe books.com abe books.fr amazon.com amazon.fr Barnes & Noble abe books.it Nook at Barnes & Noble amazon.it Kobo junglee.com Google play abe books.co.uk O’Reilly Safari amazon.co.uk Powells other stores
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.

Learning More