Fears grow for security on Internet

Hackers pounce on Java flaw


BOSTON — Oracle Corp. is preparing an update to fix a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in Web browsers.

The government was responding to criminal hackers exploiting a security bug to attack personal computers.

Oracle officials could not be reached Saturday to say when the update would be available for the hundreds of millions of computers on which Java is installed.

Homeland Security and computer security experts said hackers had figured out how to exploit a bug in a Java version used with Web browsers to install malicious software. That bug has let hackers commit crimes ranging from identity theft to use of an infected computer as part of an ad-hoc network to attack Web sites.

Java is a computer language that lets programmers write a program once and run it on virtually any computer, including ones that use Microsoft Corp.’s Windows, Apple Inc.’s OS X, and Linux, an operating system commonly employed by corporations.

It is installed in Internet browsers to access Web content and also directly on personal computers, server computers, and other devices to run computer programs.

Oracle said the security flaw affects only Java 7, the most recent version, and Java software that runs on browsers.

Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe Systems’ Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky.

That was followed by Adobe Reader, which was involved in 28 percent of all incidents.

Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, the survey said.

The Department of Homeland Security said attackers could trick targets into visiting malicious Web sites that would infect their personal computer with software capable of exploiting the bug in Java.

It said an attacker also could infect a legitimate Web site by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without problems.

The department said developers of several popular tools, known as exploit kits, used by criminal hackers to attack personal computers have added software that lets hackers exploit the newly discovered bug in Java.

Security experts have been scrutinizing Java since a scare in August that prompted some to advise using the software only as needed.

In another instance of U.S. intervention in cybersecurity matters, major banks have asked the National Security Agency for help to protect their computer systems after a barrage of assaults disrupted their Web sites, industry officials said.

The attacks, which started about a year ago but intensified in September, have grown increasingly sophisticated, officials said.

The National Security Agency has been asked to give technical assistance to help banks further assess their systems and better understand the attackers’ tactics.

The cooperation between the agency and banks, industry officials say, underscores the government’s fears about the unprecedented assault against the financial sector and is part of a broader effort by the government to work with U.S. firms on cybersecurity.

The help is likely to dismay privacy advocates, who say the world’s largest electronic spying agency has no business peering inside private firms’ systems, even for the strict purpose of improving computer security.

U.S. intelligence officials said last year they believe the attacks against the banks and other companies were carried out by Iran.

Some experts have cautioned it is difficult to determine accurately who is behind them.

“If you look at their actions, they’re taking this very seriously. The government is stepping up to the plate,” said one bank official, who requested anonymity.

The National Security Agency declined to comment beyond saying it provides help “in full compliance with all applicable laws and regulations.”

The cyber assaults against the banks are known as distributed denial-of-service attacks, in which Web servers are overwhelmed with traffic, thus slowing their responsiveness or crashing.

The disruptions — which usually last an hour or two at most — do not involve theft of data but have interrupted online banking services and diverted security teams at a large number of financial institutions.
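The article describes a distributed denial-of-service attack as Web servers being overwhelmed with traffic from a large number of sources. The script below is an added example, not code from the article or from any of the banks or agencies it names: it parses constructed web-server access-log lines and flags one-minute windows whose aggregate request count is far above normal, while also noting when no single source is heavy, which is the signature of a distributed flood that per-address rate limits alone would miss. The log lines, addresses (RFC 5737 documentation ranges), timestamps and thresholds are all constructed for the example.

```python
"""Rate-based flood detection over constructed web-server access logs.

Added example (not from the article). A distributed denial-of-service attack
overwhelms a server with requests spread across many sources, so a defender
needs two signals: total requests per window and requests per source.
All log content below is constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def format_line(ip, when, path="/", status=200, size=512):
    """Render one constructed access-log line."""
    ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Three minutes of constructed traffic: four normal clients throughout,
    plus 40 flood sources sending 12 requests each during the second minute."""
    start = datetime(2013, 1, 10, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    normal = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    for sec in range(0, 180, 10):  # one request per client every 10 s
        for ip in normal:
            lines.append(format_line(ip, start + timedelta(seconds=sec), "/login"))
    for n in range(40):  # distributed flood: modest rate per source, large total
        ip = f"192.0.2.{n + 1}"
        for k in range(12):
            when = start + timedelta(seconds=60 + (n * 12 + k) % 60)
            lines.append(format_line(ip, when, "/", 503, 0))
    return "\n".join(lines)


def build_single_source_log(count=150):
    """Constructed contrast case: one address sending `count` requests in a minute."""
    start = datetime(2013, 1, 10, 10, 0, 0, tzinfo=timezone.utc)
    return "\n".join(
        format_line("203.0.113.5", start + timedelta(seconds=i % 60)) for i in range(count)
    )


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "when": when, "request": m["req"], "status": int(m["status"])}


def window_counts(log_text, window_seconds=60):
    """Group requests into fixed windows: {window_start_epoch: Counter(ip -> requests)}."""
    windows = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        epoch = int(rec["when"].timestamp())
        windows[epoch - epoch % window_seconds][rec["ip"]] += 1
    return windows


def detect_floods(log_text, window_seconds=60, total_threshold=300, per_source_threshold=100):
    """Return one alert per window whose total load or any single source exceeds
    its threshold. An alert with an empty `heavy_sources` list means the load is
    spread across many addresses, i.e. a distributed flood."""
    alerts = []
    for bucket, counts in sorted(window_counts(log_text, window_seconds).items()):
        total = sum(counts.values())
        heavy = [ip for ip, c in counts.items() if c >= per_source_threshold]
        if total < total_threshold and not heavy:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "total": total,
            "distinct_sources": len(counts),
            "heavy_sources": heavy,
            "top_sources": counts.most_common(3),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()) + detect_floods(build_single_source_log()):
        print(alert)
```

The thresholds are placeholders; in practice they are set from a baseline of the site's own traffic, and the aggregate check is the one that matters for the attacks the article describes, because each participating source can stay below any sensible per-address limit.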

Banks whose Web sites have been disrupted include Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC, and Sun Trust.

In recent weeks, attackers have targeted up to seven banks a day, but only on Tuesdays, Wednesdays, and Thursdays.

For security experts at banks — already considered among the best at cybersecurity in the private sector — the attacks have been far more challenging than most denial-of-service incidents because the assailants have commandeered vastly more traffic to carry out the attacks.

The government’s willingness to engage “is emblematic of how these cyber-related risks are evolving,” the bank official said. “Agencies like the NSA have tremendous expertise for very sophisticated types of information security programs.”

Although the National Security Agency is known mostly for its collection of intelligence, its mission includes “information assurance” to secure the military’s computer networks and other “national security systems.”

Some company data may be shared to help derive a “signature” of the attack, former officials said.

Access to information is among the issues that concern critics.

“The dual mission of the NSA, to promote security and to pursue surveillance, creates an intractable privacy problem,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center.