Disclosing Firefox add-on vulnerabilities – why this week?

Background:

A vulnerability related to commercial add-ons (or extensions) of software vendors, which do not have their extensions hosted on https://addons.mozilla.org, was reported on 30th May.
The answer is simple, the final release week of Firefox 2.0.0.4 and 1.5.0.12 was publicly reported by Mozilla Foundation and several news sources in April. This was expected, because the supported state of FF 1.5.x reportedly ends in May too. I.e. there is no security and stability updates coming for versions 1.5.x any more.

There is no updated add-ons available from these vendors mentioned by Mr. Soghoian. So, the researcher possibly decided that disclosing this problem before the major security release of Firefox will help to notice the importance of this issue.
BTW, the response of Mozilla developers released yesterday is located here.

The following statement is a good signal from Mozilla developers:

For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels

Share

Dmitry’s Summer of Code (SoC)

So, the kids are out of school and it’s time to start putting together the list of companies that I’ll be consulting for this summer. With a full time job, I have to be careful to only choose companies that allow testing after business hours, remote work, etc. If the trend continues (from last summer), network pen-tests and straight application pen-tests (blackbox) will be eclipsed by a more ‘hybrid’ approach (application pen-testing with access to the source). Of course, the big ‘hitter’ will be .NET applications. Java will be a remote (remote, remote) second. If there is a 3rd place finisher, I’ve yet to see them (PHP, RoR?). As usual, I’m most interested in finding (or creating) automation that does 80% of the work for me. As I mentioned in a previous post, the tools which do this sort of auditing seem to be catching up with the demand.

Speaking of tools … Ounce Labs is holding a two-day training course for source code auditors. The second day of training includes auditing open source projects and finding 0-dayz. How cool is that?!? OWASP is also investing time (and money) on source code auditing. It was also very nice to see SWAAT (*WITH* source code!!!!!) donated to the OWASP project. The next year will, imo, be critical for source code auditing companies.

Peace,

!Dmitry

dmitry.chan@gmail.com

Share

Soloway: Another spammer bites the dust

A big victory against spam. From the nwsource.com article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

http://www.mortgagespam.com/soloway/

Early press accounts:

http://www.kndo.com/Global/story.asp?S=6587991

http://seattletimes.nwsource.com/html/nationworld/2003727576_webspam30m.html

http://seattlepi.nwsource.com/local/317795_soloway31.html?source=mypi

Update post and more documents:
http://blogs.securiteam.com/index.php/archives/919

Share

Targeted or not targeted?

many of us have been having discussions and arguments over if the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent which may solve our terminology disagreements on if these bbb phishing emails were targeted or not would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in the type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,
ge@beyondsecurity.com.

Share

In memory of Michael Lowery

it is not every day that a member of our community passes away, especially not in such a fashion.

i feel very badly, and hope the family gets through this without unnecessary difficulties on top of what they already have to face. :(

“i’m sorry” doesn’t really cut it and i feel uncomfortable saying it. i am honoured to quote this blog post by randy abrams of eset, michael’s co-worker and friend, instead:

not your typical security blog

sometimes you just have to take a step back and appreciate what really matters. security is important. the problems we face are enormous and can cost a lot of money to deal with – even more if not dealt with correctly. but for all that, there is something much more valuable – our friends.

we at eset mourn the loss of one of our friends who passed away on memorial day weekend. mike lowery was our training manager. a highly talented and skilled individual, mike possessed a smile and heart that warmed all – he was the consummate professional and friend.

the measure of our loss is equal to the blessings we received in knowing and working with mike.

as we continue our work at eset we will all endeavor to honor his memory by making eset the best company we possibly can. great work, great fun, and great kindness are the attributes to which we at eset can best aspire in order to honor the memory of our dear friend.

randy abrams
friend of michael lowery

Sun Shine.

Share

Bad bunny – first OpenOffice virus and it’s crossplatform!

some people have a one-track mind...

It runs on Windows, Mac and Linux computers, acting differently for each OS. Anti-malware vendor Sophos admits it poses a low threat, especially as it’s only a proof-of-concept that hasn’t actually been discovered ‘in the wild’.

For the full article, please visit:

http://apcmag.com/6162/first_openoffice_virus_emerges

Share

WMD in Second Life

hi guys and gals, how are you all doing? :)

i’ve always been a fan of virtual worlds (although for my own life’s sake, i don’t participate in them). this time around it’s about what some refer to as a wmd, and i like it.

http://www.joystiq.com/2007/05/28/user-created-wmds-do-massage-damage-in-second-life-beta-test/

funny how history repeats itself and he couldn’t control his “virus”. :)

gadi evron,
ge@beyondsecurity.com.

Share

War Fears Turn Digital After Data Siege in Estonia

The New York Times carries a good popular-level accounting of what happened in the recent Estonian information warfare incident. Suggested reading.

http://www.nytimes.com/2007/05/29/technology/29estonia.html (subscription required)
Syndicated: Times Daily

Share

What’s Behind the BBB Phishing Emails?

We’ve identified two different Better Business Bureau phishing scams circulating over the past few months. One has an attachment which downloads a bunch of other stuff, including the Bandok trojan. The other one links to a website that tries to entice you to download and run an executable – this one is a BHO which sends all of your posts to any site to the phisher’s repository. Not just bank or Paypal or ebay logins – all interactive data sent to every site you visit. Couple this with the fact that the emails are being targeted only at senior management at companies and you have a potentially very damaging scheme.

And it works – we were able to locate one cache of stolen data. In it were over 1000 individuals, almost all were senior management from companies all over, large and small, at VP level and above (yes, even a few CEOs), along with a record of every website they’ve visited, and every field from every form they’ve posted (regardless of SSL encryption).

Read the whole writeup here: http://www.secureworks.com/research/threats/bbbphish

Share

Botnets are old-fashioned – P2P networks are behind of massive DDoS attacks

The new trend in organizing Distributed Denial of Service attacks are P2P networks.

This is the way how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

The Netcraft entry points to FL-based Prolexic Technologies alert too sharing more technical details and information about the number of clients and the traffic being generated.
A very nice catch, Rich Miller of Netcraft!

Share

Right-clicking can be dangerous too – the Opera way

New vulnerability in Opera browser versions below 9.21 confirms that a simple right-clicking can cause a code execution state too.
iDefense states that technically

The buffer overflow is triggered when the user right clicks on the item
in the download pane.

Opera’s KB document Malicious torrent files can execute arbitrary code in Opera is located here, in turn.

This vulnerability has been assigned as CVE-2007-2809 recently.

Share

TSA and SNL

Fergie sent this to funsec after reading it at Schneier’s:
http://www.youtube.com/watch?v=ykzqFz_nHZE

Now, isn’t that true.

Share

DDoS against Finnish broadcasting company took 3 days

Today was the third day when the Web site of Finnish broadcasting company YLE (Yleisradio) suffer problems of large-scale DDoS attack.

From the YLE News site:

The company’s web pages were targeted by of a concerted attack on Monday and Tuesday. Two other major web sites, those of the telecommunications service provider Eniro, and the Suomi24 portal also reported similar attack.

There are several possible motives – Finland was the host of Eurovision Song Contest 2007 last weekend and our second place in hockey World Championship during the next day.

Some people said earlier that there was connections to recent DoS attacks on Estonian government sites too.

Share

Gresham, Akerlof, and security (lack of) quality

I didn’t read Schneier’s Wired article (http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419) until it came out in his newsletter, but it struck an immediate chord.  He was commenting on Akerlof’s work proving that, when vendors know a lot more than buyers, the marketplace ends up flooded with bad “goods.”  (http://en.wikipedia.org/wiki/The_Market_for_Lemons)  (He doesn’t mention Gresham, who showed that items of inherent value tend to disappear from the market (http://en.wikipedia.org/wiki/Gresham%27s_Law).)

As a reviewer of security books, I see this all the time.  It takes time to write a book.  It also takes time to learn something of value to put into a book.  So it’s a lot easier to write a bunch of nonsense and sell it.  After all, almost by definition, the people to whom you are selling the books will not know the difference.  If they could tell the difference between good advice and bad advice, they wouldn’t need any advice.

I’m also seeing the same thing in conferences.  Conferences are expensive to organize.  And, increasingly, conferences are organized by professional event companies, not anyone who really knows or cares about the topic.  Therefore, it is easier and cheaper to get vendor representatives as speakers for the events.  (Generally the vendors are only too happy to send their people, and will pay all the expenses, and sponsor something for the conference as well.)  People who actually know something probably don’t want to pay their own way to speak at these things (or can’t), or can’t be bothered to jump through the hoops held out by the event companies.

Share

From broadband routers insecurity to significance of what we do

fergie replied on nanog to my recent post on the subject of broadband routers insecurity:

> i’ll even go a step further, and say that if isps keep punting
> on the whole botnet issue, and continue to think of themselves
> as ‘common carriers’ in some sense — and continue to disengage
> on the issue — then you may eventually forced to address those
> issues at some point in the not-so-distant future.
>
> i understand the financial disincentives, etc., but if the problem
> continues to grow and fester, and consumer (and financial institutions)
> losses grow larger, things may take a really ugly turn.

he is right, but i have a comment i felt it was important – to me – to make. not just on this particular vulnerability, but on the “war”.

i must admit, vulnerabilities are endless and new exploitation vectors will never end, even if it was possible and we were all 100% secure, someone (an attacker rather than a vulnerability) will find a way to make it 99% again for the right investment or with the right moment of brilliance.

enough with cheap philosophy though… as tired (even exhausted) as i am of the endless repeating circle which security is, on all levels (from the people involved through the interests involved all the way to the same-old-fud) i still haven’t burned out, and i am still here.

the world isn’t going to end tomorrow, and even if the internet was to die (which i doubt it will), we will survive. however, in the recent couple of years a new community has been forming which we started refering to as “internet security operations”. these folks, for various motives, work to make the internet stay up and become safer (actually being safe is a long lost battle we should have never fought the way things were built).

with such a community being around, treating issues beyond our little corner of the `net is possible to a level, and at least some progress is made. some anti virus engineers no longer care only about samples, some network engineers no longer care only about their networks, etc.

is any of this a solution? no. the problems themselves will not go away, they aren’t in any significant fashion currently being dealt with beyond the tactical level of a fire brigade.

is it the end than? of course not. but operations vs. research are determined by intelligence. as we have some intelligence, i can point to yet another annoying vulnerability in the endless circle which those of us who will want to, can study, and if they feel it is justified, defend
against. that is the broadband routers issue, which personally i’d really rather avoid.

unfortunately, this limited defense is what most of us can do at our own homes, or tops as a volunteer fire brigade or neighborhood watch.

the internet is the most disconnected global village i can imagine, but we all have the funny uncle on another network and a weird one on yet another. i sometimes feel that the old analogy of the internet to the wild west is not quite it. perhaps we are living in the wild west, only if instead of wastelands and small towns, we have new york city and the laws
of a feudal dark ages kingdom.

things will eventually change, and some of us will stick around to help that change (or try to). for now though, it is about one vulnerability ignored at a time, and working on our communities.

gadi evron,
ge@beyondsecurity.com.

Share

Broadband routers and botnets – being proactive

in this post i’d like to discuss the threat widely circulated insecure broadband routers pose today. we have touched on it before.

today, yet another public report of a vulnerable dsl modem type was posted to bugtraq, this time about a potential wireless flaw with broadband routers being insecure at deutsche telekom. i haven’t verified this one myself but it refers to “deutsche telekom speedport w700v broadband router”:
http://seclists.org/bugtraq/2007/may/0178.html

if you all remember, there was another report a few months ago about a uk isp named bethere with their wireless router being accessible from the internet and exploitable, as another example:
http://blogs.securiteam.com/index.php/archives/826

two issues here:
1. illegitimate access to broadband routers via wireless communication.
2. illegitimate access to broadband routers via the wan.

i’d like to discuss #2.

some isps which provide such devices (as in the example of #2 above) use them as bridges only, preventing several attack vectors (although not all). many others don’t. most broadband isps have a vulnerable user-base on some level.

many broadband isps around the world distribute such devices to their clients.

although the general risk is well known, like with many other security issues many of us remained mostly quiet in the hope of avoiding massive exploitation. as usual, we only delayed the inevitable. i fear that the lack of awareness among some isps for this “not yet widely exploited threat” has resulted in us not being proactive and taking action to secure the internet in this regard. what else is new, we are all busy with yesterday’s fires to worry about tomorrow’s.
good people will react and solve the problem when it pops up in wide-exploitation, but what we may potentially be facing is yet another vector for massive infections and the creation of eventual bot armies on yet another platform.

my opinion is, that with all these public disclosures and a ripe pool of potential victims, us delaying massive exploitation of this threat may not last. i believe there is currently a window of opportunity for service providers to act and secure their user-base without rushing. nothing in security is ever perfect, but actions such as changing default passwords and preventing connections from the wan to these devices would be a good step to consider if you haven’t already.

my suggestion would be to take a look at your infrastructure and what your users use, and if you haven’t already, add some security there. you probably have a remote login option for your tech support staff which you may want to explore – and secure. that’s if things were not left at their defaults.

then, i’d also suggest scanning your network for what types of broadband routers your users make use of, and how many of your clients have port 23 or 80 open. whether you provide with the devices or not, many will be using different ones set to default which may pose a similar threat. being aware of the current map of vulnerable devices of this type in your networks can’t hurt.

it is not often that we can predict which of the numerous threats out there that we do not address currently, is going to become exploited next. if you can spare the effort, i’d strongly urge you to explore this front and be proactive on your own networks.

the previous unaddressed threat which most of us chose to ignore was spoofing. we all knew of it for a very long time, but some of us believed it did not pose a threat to the internet or their networks for no other reason than “it is not currently being exploited” and “there are enough bots out there for spoofing to not be necessary”. i still remember the bitter argument i had with randy bush over that one. this is a rare opportunity, let’s not waste it.

we are all busy, but i hope some of you will have the time to look into this.

i am aware of and have assisted several isps, who spent some time and effort exploring this threat and in some cases acting on it. if anyone can share their experience on dealing with securing their infrastructure in this regard publicly, it would be much appreciated.

thanks.

gadi evron,
ge@beyondsecurity.com.

Share