May 2007

Disclosing Firefox add-on vulnerabilities – why this week?

Background:

A vulnerability related to commercial add-ons (or extensions) of software vendors, which do not have their extensions hosted on https://addons.mozilla.org, was reported on 30th May.
The answer is simple, the final release week of Firefox 2.0.0.4 and 1.5.0.12 was publicly reported by Mozilla Foundation and several news sources in April. This was expected, because the supported state of FF 1.5.x reportedly ends in May too. I.e. there is no security and stability updates coming for versions 1.5.x any more.

There is no updated add-ons available from these vendors mentioned by Mr. Soghoian. So, the researcher possibly decided that disclosing this problem before the major security release of Firefox will help to notice the importance of this issue.
BTW, the response of Mozilla developers released yesterday is located here.

The following statement is a good signal from Mozilla developers:

For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels

Dmitry’s Summer of Code (SoC)

So, the kids are out of school and it’s time to start putting together the list of companies that I’ll be consulting for this summer. With a full time job, I have to be careful to only choose companies that allow testing after business hours, remote work, etc. If the trend continues (from last summer), network pen-tests and straight application pen-tests (blackbox) will be eclipsed by a more ‘hybrid’ approach (application pen-testing with access to the source). Of course, the big ‘hitter’ will be .NET applications. Java will be a remote (remote, remote) second. If there is a 3rd place finisher, I’ve yet to see them (PHP, RoR?). As usual, I’m most interested in finding (or creating) automation that does 80% of the work for me. As I mentioned in a previous post, the tools which do this sort of auditing seem to be catching up with the demand.

Speaking of tools … Ounce Labs is holding a two-day training course for source code auditors. The second day of training includes auditing open source projects and finding 0-dayz. How cool is that?!? OWASP is also investing time (and money) on source code auditing. It was also very nice to see SWAAT (*WITH* source code!!!!!) donated to the OWASP project. The next year will, imo, be critical for source code auditing companies.

Peace,

!Dmitry

dmitry.chan@gmail.com

Soloway: Another spammer bites the dust

A big victory against spam. From the nwsource.com article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

http://www.mortgagespam.com/soloway/

Early press accounts:

http://www.kndo.com/Global/story.asp?S=6587991

http://seattletimes.nwsource.com/html/nationworld/2003727576_webspam30m.html

http://seattlepi.nwsource.com/local/317795_soloway31.html?source=mypi

Update post and more documents:
http://blogs.securiteam.com/index.php/archives/919

Targeted or not targeted?

many of us have been having discussions and arguments over if the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent which may solve our terminology disagreements on if these bbb phishing emails were targeted or not would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in the type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,
ge@beyondsecurity.com.