May 2007

Disclosing Firefox add-on vulnerabilities – why this week?

Background:

A vulnerability affecting commercial add-ons (or extensions) from software vendors whose extensions are not hosted on https://addons.mozilla.org was reported on 30th May.
The answer is simple: the final release week of Firefox 2.0.0.4 and 1.5.0.12 was publicly announced by the Mozilla Foundation and several news sources in April. This was expected, because the supported lifetime of Firefox 1.5.x reportedly ends in May too, i.e. no further security or stability updates will be released for the 1.5.x versions.

There are no updated add-ons available from the vendors mentioned by Mr. Soghoian. So the researcher possibly decided that disclosing this problem before the major security release of Firefox would help draw attention to the importance of this issue.
BTW, the response of Mozilla developers released yesterday is located here.

The following statement is a good signal from Mozilla developers:

For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels

Dmitry’s Summer of Code (SoC)

So, the kids are out of school and it’s time to start putting together the list of companies that I’ll be consulting for this summer. With a full time job, I have to be careful to only choose companies that allow testing after business hours, remote work, etc. If the trend continues (from last summer), network pen-tests and straight application pen-tests (blackbox) will be eclipsed by a more ‘hybrid’ approach (application pen-testing with access to the source). Of course, the big ‘hitter’ will be .NET applications. Java will be a remote (remote, remote) second. If there is a 3rd place finisher, I’ve yet to see them (PHP, RoR?). As usual, I’m most interested in finding (or creating) automation that does 80% of the work for me. As I mentioned in a previous post, the tools which do this sort of auditing seem to be catching up with the demand.

Speaking of tools … Ounce Labs is holding a two-day training course for source code auditors. The second day of training includes auditing open source projects and finding 0-dayz. How cool is that?!? OWASP is also investing time (and money) on source code auditing. It was also very nice to see SWAAT (*WITH* source code!!!!!) donated to the OWASP project. The next year will, imo, be critical for source code auditing companies.

Peace,

!Dmitry

dmitry.chan@gmail.com

Soloway: Another spammer bites the dust

A big victory against spam. From the nwsource.com article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

http://www.mortgagespam.com/soloway/

Early press accounts:

http://www.kndo.com/Global/story.asp?S=6587991

http://seattletimes.nwsource.com/html/nationworld/2003727576_webspam30m.html

http://seattlepi.nwsource.com/local/317795_soloway31.html?source=mypi

Update post and more documents:
http://blogs.securiteam.com/index.php/archives/919

Targeted or not targeted?

many of us have been having discussions and arguments over whether the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent, which may solve our terminology disagreements on whether these bbb phishing emails were targeted or not, would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,
ge@beyondsecurity.com.

In memory of Michael Lowery

it is not every day that a member of our community passes away, especially not in such a fashion.

i feel very badly, and hope the family gets through this without unnecessary difficulties on top of what they already have to face. :(

“i’m sorry” doesn’t really cut it and i feel uncomfortable saying it. i am honoured to quote this blog post by randy abrams of eset, michael’s co-worker and friend, instead:

not your typical security blog

sometimes you just have to take a step back and appreciate what really matters. security is important. the problems we face are enormous and can cost a lot of money to deal with – even more if not dealt with correctly. but for all that, there is something much more valuable – our friends.

we at eset mourn the loss of one of our friends who passed away on memorial day weekend. mike lowery was our training manager. a highly talented and skilled individual, mike possessed a smile and heart that warmed all – he was the consummate professional and friend.

the measure of our loss is equal to the blessings we received in knowing and working with mike.

as we continue our work at eset we will all endeavor to honor his memory by making eset the best company we possibly can. great work, great fun, and great kindness are the attributes to which we at eset can best aspire in order to honor the memory of our dear friend.

randy abrams
friend of michael lowery

Sun Shine.

WMD in Second Life

hi guys and gals, how are you all doing? :)

i’ve always been a fan of virtual worlds (although for my own life’s sake, i don’t participate in them). this time around it’s about what some refer to as a wmd, and i like it.

http://www.joystiq.com/2007/05/28/user-created-wmds-do-massage-damage-in-second-life-beta-test/

funny how history repeats itself and he couldn’t control his “virus”. :)

gadi evron,
ge@beyondsecurity.com.