Web App Security

  • Most Topular Stories

  • Responding to Claims of Compromise

    Mozilla Security Blog
    mcoates
    13 Jun 2013 | 1:57 pm
    Issue A hacking group called “AnonGhost” is claiming they have compromised “Mozilla Emails Managers” and exposed the email address and a 16-character value for 50 accounts. Upon investigation we’ve determined the 16-character values are not user passwords. Instead, they are activation codes used for the initial activation of user accounts for a Mozilla blogging software. Impact The claim relates to 50 Mozilla employees, former Mozilla employees and other people in the Mozilla community. The activation code can not be used to directly access any systems. In all…
  • Liquidmatrix Security Digest Podcast – Episode 2C

    Liquidmatrix Security Digest
    James Arlen
    18 Jun 2013 | 11:30 am
    Episode 0x2C This is the 49th time! All I can hear is the voice of Edward R. Rooney saying “Nine Times”… well, that and the 49th parallel (which is 6 parallels north of where 3/5ths of the gang is hanging out). No one reads the notes so I know that I’m just talking to myself here. It’s probably bad when you start talking to yourself. Perhaps. Upcoming this week… Lots of News Breaches SCADA / Cyber, cyber… etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs – no arguing or discussion allowed And if…
  • Analyzing Yahoo's PRISM non-denial

    slight paranoia
    8 Jun 2013 | 6:35 pm
    Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems. Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data. We want to set the record straight about stories that Yahoo! has joined a program called…
  • openxadvertising.com Mass Malvertising Campaign

    Zscaler Research
    Michael Sutton
    18 Jun 2013 | 2:58 pm
  • Updating and Tweaking your Firefox OS Developer Preview phone/Geeksphone

    Mozilla Hacks - the Web developer blog
    Jason Weathersby
    19 Jun 2013 | 5:07 am
    Developer Preview editions of the Firefox OS phone are now becoming widely available to the community, mainly through Geeksphone. Since these are for developers, naturally we want to encourage you to tinker and play with them as much as possible! In this post we will cover some basic tips on how to keep your phone up to date and how to tweak the system Gaia applications. Updating your Geeksphone to the latest images Firefox OS updates can be downloaded from within the Settings app, listed under Device information. The phone can be set to check for updates daily, weekly or monthly. In…

    Mozilla Security Blog

  • Responding to Claims of Compromise

    mcoates
    13 Jun 2013 | 1:57 pm
    Issue A hacking group called “AnonGhost” is claiming they have compromised “Mozilla Emails Managers” and exposed the email address and a 16-character value for 50 accounts. Upon investigation we’ve determined the 16-character values are not user passwords. Instead, they are activation codes used for the initial activation of user accounts for a Mozilla blogging software. Impact The claim relates to 50 Mozilla employees, former Mozilla employees and other people in the Mozilla community. The activation code can not be used to directly access any systems. In all…
  • Web Developer Security 1.0

    Tanvi
    12 Jun 2013 | 6:29 pm
    Raymond Forbes and I will be presenting Web Developer Security 1.0 on Tuesday, June 18th at 12:15 pm PDT. The training will be held in Mozilla’s Mountain View office and also broadcast online. We will cover a grab bag of proactive security measures Web Developers can take to protect their users and their site. Rather than focusing on how to attack a website, this training focuses on how you can safeguard your website from common threats. Some of the topics we will cover include Content Security Policy, X-Frame-Options, cookie security flags, iframe sandbox, content sanitization, and…
  • Content Security Policy 1.0 Lands In Firefox

    imelven
    11 Jun 2013 | 5:09 pm
    Content Security Policy (usually abbreviated as CSP) is a way for web pages to restrict the sites allowed to include content within the page. It also can restrict whether inline scripts are allowed to run and inline styles/CSS are allowed to be applied to the page. In general, CSP allows web developers greater control over their content, helping mitigate several security problems. One major benefit of CSP is that, by default, it prevents inline scripts from executing. This greatly helps mitigate the threat of XSS (Cross Site Scripting) or other forms of script injection. For a great…
  • Mixed Content Blocking in Firefox Aurora

    Tanvi
    16 May 2013 | 10:26 pm
    Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker is enabled by default in Firefox 23 and protects our users from man-in-the-middle attacks and eavesdroppers on HTTPS pages. When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. With the latest Aurora, Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking. What types of Mixed Content are blocked by default and what types are not?
  • Orangfuzz – an experimental user interaction fuzzer for Firefox OS

    Gary
    17 Apr 2013 | 1:10 pm
    One of the goals of the fuzzing team is to identify security vulnerabilities within our products using various techniques. As we continue working with Firefox OS, we need to build and adapt the proper tools to enable fuzz testing on the mobile device. Orangfuzz is an experimental user interaction fuzzer. It builds on generate-orangutan-script.py and uses the Orangutan framework. Orangutan injects events directly into the low-level kernel device file that represents an Android device’s touch screen. It supports actions such as “tapping” and “dragging”, simulated from…
 

    Liquidmatrix Security Digest

  • Liquidmatrix Security Digest Podcast – Episode 2C

    James Arlen
    18 Jun 2013 | 11:30 am
    Episode 0x2C This is the 49th time! All I can hear is the voice of Edward R. Rooney saying “Nine Times”… well, that and the 49th parallel (which is 6 parallels north of where 3/5ths of the gang is hanging out). No one reads the notes so I know that I’m just talking to myself here. It’s probably bad when you start talking to yourself. Perhaps. Upcoming this week… Lots of News Breaches SCADA / Cyber, cyber… etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs – no arguing or discussion allowed And if…
  • Liquidmatrix Security Digest Podcast – Episode 2B

    James Arlen
    11 Jun 2013 | 11:08 am
    Episode 0x2B — Or !2b Nothin that we can’t fix Infosec news is pretty light this week. Let’s have a good start for year two of Liquidmatrix Security Digest Podcast. Upcoming this week… Lots of News Breaches SCADA / Cyber, cyber… etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs – no arguing or discussion allowed And if you’ve got commentary, please send it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at…
  • No security without maturity

    Ben Sapiro
    9 Jun 2013 | 4:08 pm
    Security vulnerabilities are the symptom, lack of IT maturity is the disease; information security is not the cure to security vulnerabilities, IT maturity is. It’s not unusual to see a company with hundreds if not thousands of known security defects, commonly called vulnerabilities, present in their network, on servers and in applications. The tools to detect these defects are easy to purchase and run, the tools to deploy patches are readily available. Yet these well understood defects, these publicly documented issues that sometimes even have step-by-step instructions for how to use them…
  • Liquidmatrix Security Digest Podcast – Episode 2A

    James Arlen
    4 Jun 2013 | 9:14 am
    Episode 0x2A — Happy One Year Later And we still suck at scheduling Despite efforts to the contrary… we’re still not good at this. We should be getting better. Upcoming this week… Lots of News Breaches SCADA / Cyber, cyber… etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs – no arguing or discussion allowed And if you’ve got commentary, please send it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at work.
  • LinkedIn Links Up With Two Factor Auth

    Dave Lewis
    2 Jun 2013 | 5:09 pm
    Two factor authentication roll outs seem to be are definitely a theme for the last week. LinkedIn announced on Friday (May 31) that they have now rolled out two factor authentication to help their user base protect their user’s profiles. From LinkedIn: Most internet accounts that become compromised are illegitimately accessed from a new or unknown computer (or device). Two-step verification helps address this problem by requiring you to type a numeric code when logging in from an unrecognized device for the first time. This code will be sent to your phone via SMS. When enabled, two-step…

    slight paranoia

  • Analyzing Yahoo's PRISM non-denial

    8 Jun 2013 | 6:35 pm
    Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems. Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data. We want to set the record straight about stories that Yahoo! has joined a program called…
  • A few words on patronage

    24 Nov 2012 | 2:14 pm
    Over the past couple years, I've taken several big companies to task for their woeful privacy and security practices. Just as it is important to call out these flaws, I believe it is also important to give companies credit when they go the extra mile to protect their customers. When Google began protecting Gmail with HTTPS by default, I praised the company. When it started voluntarily publishing statistics for government requests, I again praised the company. When AT&T protected its customers' voicemail accounts from caller ID spoofing by forcing users to enter PINs, I praised the company.
  • Responding to Wired's ad hominem hatchet job

    8 Aug 2012 | 3:08 am
    I have long been a fan of Wired's coverage of privacy and security issues, particularly the insightful reporting and analysis by Ryan Singel, currently the editor of the Threat Level blog. It is for that reason that I am saddened to see Ryan stoop to twisting my words in support of a lengthy character assassination piece targeted against me. Brief background Two weeks ago, Wired published a glowing, 2000 word story by Quinn Norton about CryptoCat, an encrypted chat tool. Quinn was not the first journalist to shower praise upon Cryptocat -- writers at the New York Times and Forbes had…
  • Tech journalists: Stop hyping unproven security tools

    30 Jul 2012 | 2:43 pm
    Preface: Although this essay compares the media's similar hyping of Haystack and Cryptocat, the tools are, at a technical level, in no way similar. Haystack was at best, snake oil, peddled by a charlatan. Cryptocat is an interesting, open-source tool created by a guy who means well, and usually listens to feedback. In 2009, media outlets around the world discovered, and soon began to shower praise upon Haystack, a software tool designed to allow Iranians to evade their government's Internet filtering. Haystack was the brainchild of Austin Heap, a San Francisco software developer, who the…
  • The known unknowns of Skype interception

    26 Jul 2012 | 2:15 pm
    Over the past few weeks, the technical blogosphere, and most recently, the mainstream media have tried to answer the question: What kind of assistance can Skype provide to law enforcement agencies? Most of the stories have been filled with speculation, sometimes informed, but mostly not. In an attempt to paint as clear a picture as possible, I want to explain what we do and don't know about Skype and surveillance. Skype has long provided assistance to governments The Washington Post reported yesterday that: Skype, the online phone service long favored by political dissidents, criminals and…
 

    Zscaler Research

  • openxadvertising.com Mass Malvertising Campaign

    Michael Sutton
    18 Jun 2013 | 2:58 pm
  • Phishers target Yahoo users

    Julien Sobrier
    4 Jun 2013 | 3:37 pm
    Yahoo Mail introduced two-factor authentication in December 2011. Two-factor authentication can be used to prevent suspicious access to an account (login from a different country, numerous failed login attempts, etc.) and can be used to verify a user's identity when asking for a password reset. Two-factor authentication has been in the news a fair bit lately as LinkedIn and Twitter have
  • Rise in Red Kit Exploit Kit Activity

    Krishnan Subramanian
    1 Jun 2013 | 10:15 am
    This week, a malicious pattern of activity was observed in websites being compromised, which in turn redirected to a Red Kit exploit kit (EK) landing page. Some infected websites that were seen: neptunebenson[dot]com route66marathon[dot]com whitesteeple[dot]com  (Warning! these sites may still be infected).  Two different mechanisms were used to infect the websites. The first one being a
  • Darkleech attack continues to grow

    Krishnan Subramanian
    21 May 2013 | 7:57 am
    The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page. Sucuri published a great write-up about the Darkleech infection mechanism on the server
  • Fake YouTube page targets Chrome users

    Julien Sobrier
    16 May 2013 | 1:10 pm
    Fake YouTube pages are one of the favored ways attackers leverage to get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encountered fake YouTube page hosted at http://facebook-java.com targets Google Chrome users only. Fake YouTube page We have found many malicious sites that specifically target

    Mozilla Hacks - the Web developer blog

  • Updating and Tweaking your Firefox OS Developer Preview phone/Geeksphone

    Jason Weathersby
    19 Jun 2013 | 5:07 am
    Developer Preview editions of the Firefox OS phone are now becoming widely available to the community, mainly through Geeksphone. Since these are for developers, naturally we want to encourage you to tinker and play with them as much as possible! In this post we will cover some basic tips on how to keep your phone up to date and how to tweak the system Gaia applications. Updating your Geeksphone to the latest images Firefox OS updates can be downloaded from within the Settings app, listed under Device information. The phone can be set to check for updates daily, weekly or monthly. In…
  • Compete in the “Amp Your Firefox” Add-ons Contest

    Jeff Griffiths
    13 Jun 2013 | 12:07 am
    People love their add-ons—85% of Firefox users have them installed, and there have been over 3 billion downloads since they revolutionized browsing in 2004. There are add-ons for almost everything under the sun: fun, productivity, personalization, even for making tea. Between June 13 – July 18, 2013, we challenge you to delight these fans by creating or updating add-ons that amp up their Firefox. We’re also challenging you on the mobile front—with more than 10 million people using Firefox for Android, this is your chance to take the fun and personalization of add-ons to a fast-growing…
  • May MDN sprint wrap-up

    Janet Swisher
    7 Jun 2013 | 7:59 am
    Here are some of the high points from the MDN sprint that took place last weekend, May 31st and June 1st. New content Mixed security content blocking is now turned on by default in Firefox Aurora. David Bruant and Xavier Borderie improved the Mixed content page and David created How to fix a website with blocked mixed content. Jérémie Patonnier hosted the meet-up in the Paris office, and finished documenting the WebFM API. Jérémie has been documenting lots of the hardware device APIs. Check out this Device orientation example, if your browser and device support it.
  • Building a simple paint game with HTML5 Canvas and Vanilla JavaScript

    Chris Heilmann
    5 Jun 2013 | 11:47 pm
    When the talk is about HTML5 Canvas you mostly hear about libraries to make it work for legacy browsers, performance tricks like off-screen Canvas and ways to draw and animate sprites and tiles. This is only one part of Canvas, though. On the lowest level, Canvas is a way to manipulate pixels of a portion of the screen. Either via a painting API or by directly manipulating the pixel array (which by the way is a typed array and thus performs admirably). Using this knowledge, I thought it’d be fun to create a small game I saw in an ad for a tablet: a simple game for kids to paint letters.
  • The Proximity API

    Robert Nyman [Editor]
    5 Jun 2013 | 3:54 am
    Something that’s very nice with bringing the web to the mobile platform with Firefox OS and WebAPIs is the ability to connect more into the physical world. One part there is the Proximity API, which is also a W3C Working Draft – Proximity Events. What it is The API is about detecting how close the device is to any other physical object, by accessing the proximity sensor. There are two ways of working with proximity Device proximity User proximity From the spec: The DeviceProximityEvent interface provides web developers information about the distance between the hosting device and…
 

    Didier Stevens

  • PDFiD: False Positives

    Didier Stevens
    10 Jun 2013 | 1:48 am
    I’m giving a 2-day training on PDF at Brucon 2013. Early-bird price applies til June 15th. Sometimes PDFiD will give you false positives for /JS and /AA. This happens with files of a couple of MBs or bigger, because it’s statistically very likely that /AA or /JS (only three bytes long) appear inside a stream. And since PDFiD, contrary to pdf-parser, has no notion of pdf objects and streams, it can produce false positives, like this: PDFiD 0.1.2 CCNPSecurityFIREWALL642617OfficialCertGuide.pdf PDF Header: %PDF-1.6 obj 6018 endobj 6017 stream 1897 endstream 1897 xref 1 trailer 1…
  • pdf-parser: Searching Inside Streams

    Didier Stevens
    30 May 2013 | 5:38 am
    I’m giving a 2-day training on PDF at Brucon 2013. Early-bird price applies til June 15th. This new version of pdf-parser comes with options to search inside streams. For example, you can select all objects with the word Linux inside a stream with this command: pdf-parser.py --searchstream Linux manual.pdf The search is not case sensitive. To make it case sensitive, use option --casesensitive. Filters are applied to streams (e.g. decompressed) before the search is performed. To search in the raw stream data, use option --unfiltered. Regular expression searching is done with…
  • Quickpost: Signed PDF Stego

    Didier Stevens
    15 May 2013 | 7:08 am
    A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation. Open a signed PDF document in a hex editor and search for string /ByteRange. You’ll find something like this: 36 0 obj <</ByteRange[0 227012 248956 23362 ]            /Contents<308226e106092a864886f7 This indicates which byte sequences  are used for the hash calculation (position and length of each sequence). So in this example, byte sequence 227013-248955 is excluded, because it contains the signature in hex format padded with…
  • Adobe Reader and CRLs

    Didier Stevens
    13 May 2013 | 11:08 am
    There’s something that I wanted to test out for quite some time, but kept postponing until recently. Adobe Reader will ask confirmation before it retrieves a URL when a PDF document contains an action to do so. But what about the Certificate Revocation List in a signed PDF document? When you open a signed PDF document with Adobe Reader, the signature gets checked automatically. If the signature is not OK, for example because it doesn’t chain up to a trusted root CA, revocations checks are not performed. In other words, the CRL is not downloaded: But when I change the settings so…
  • Howto: Make Your Own Cert And Revocation List With OpenSSL

    Didier Stevens
    8 May 2013 | 3:34 am
    Here is a variant to my “Howto: Make Your Own Cert With OpenSSL” method. This time, I needed a signing cert with a Certificate Revocation List (CRL) extension and an (empty) CRL. I used instructions from this post. Adding a CRL extension to a certificate is not difficult, you just need to include a configuration file with one line. But creating a CRL file requires more steps, that’s why I needed this howto. The start of this howto is the same as my previous howto. First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key: openssl genrsa -out…

    CERIAS Combined Feed

  • Opticks and a Treatise on the PRISM Surveillance Program (Guest Blog)

    Gene Spafford
    16 Jun 2013 | 8:16 pm
    By Mark Rasch and Sophia Hannah Last post, we wrote about the NSA’s secret program to obtain and then analyze the telephone metadata relating to foreign espionage and terrorism by obtaining the telephone metadata relating to everyone. In this post, we will discuss a darker, but somewhat less troubling program called PRISM. As described in public media as leaked PowerPoint slides, PRISM and its progeny is a program to permit the NSA, with approval of the super-secret Foreign Intelligence Surveillance Court (FISC) to obtain “direct access” to the servers of internet companies (e.g., AOL,…
  • Schrodinger’s Catnip: A Review of the NSA Phone Surveillance Program (Guest Blog)

    Gene Spafford
    15 Jun 2013 | 2:28 pm
    By Mark Rasch and Sophia Hannah The NSA programs to retrieve and analyze telephone metadata and internet communications and files (the former we will call the telephony program, the latter codenamed PRISM) are at one and the same time narrow and potentially reasonably designed programs aimed at obtaining potentially useful information within the scope of the authority granted by Congress. They are, at one and the same time perfectly legal and grossly unconstitutional. It’s not that we are of two opinions about these programs. It is that the character of these programs is such that they…
  • Spafford Answers Cyber Security Questions on CNN.com

    CERIAS Webmaster
    23 May 2013 | 7:19 am
    More information »
  • Cloud Computing: A Way to Reduce Risk?

    CERIAS Webmaster
    22 May 2013 | 6:45 am
    Spafford, a computer science professor at Purdue, sees issues that often aren’t discussed in cloud computing conversations. “Too often, organizations [are] told that moving things to the cloud will be safer and cheaper, and cheaper as we know is always what tends to dominate these conversations and lead to new vulnerabilities,” Spafford says. More information »
  • Spafford Taking Cyber Security Questions on CNN.com

    CERIAS Webmaster
    8 May 2013 | 6:33 am
    (CNN) The Pentagon’s claims in a new report that China is trying to extract sensitive information from U.S. government computers has put cyber security issues back in the media spotlight. But how serious is the threat to U.S. interests? How can America respond? And what other issues should be attracting policymakers’ attention? Cyber security expert Eugene Spafford, a professor of computer sciences at Purdue University and former member of the President’s Information Technology Advisory Committee, will be taking questions from GPS readers. More information »

    Security Bloggers Network

  • SBN Sponsor Post

    kriggins
    19 Jun 2013 | 7:00 pm
    Subscribe to RSA Conference podcasts in iTunes: http://rsac.me/iTunes-Podcasts
  • SBN Sponsor Post

    kriggins
    19 Jun 2013 | 7:00 pm
    View videos from webcasts and sessions from previous events on our YouTube channel: http://www.youtube.com/RSAConference
  • Security News June 19

    Shelley_Boose
    19 Jun 2013 | 6:43 pm
    Yahoo’s Very Bad Idea to Release Email Addresses http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-idea/?cid=co9003994 Matt Honan weighs in on Yahoo’s decision to release unused / dormant email addresses. Cyber threats and risks spur increased security focus http://www.reuters.com/article/2013/06/19/net-us-air-show-cybersecurity-idUSBRE95I1DP20130619 Trade shows, especially in foreign countries, pose particular challenges given the large array of people coming in contact with top executives who have access to…
  • RANTing Rockstar

    J4vv4D
    19 Jun 2013 | 4:33 pm
    The monthly RANT in London that is always good entertainment. It must have been eating its greens because it’s all grown up and had its first full on conference. If you want a proper review you can read write ups by Thom Langford or Lee Munson. I was looking forward to attending, and was honoured to be...
  • Microsoft Announces Bug Bounty Program

    community-admin@qualys.com
    19 Jun 2013 | 3:31 pm
    Microsoft announced today the launch of its bug bounty program in which it will offer $100,000 for exploitation techniques against protections built into the latest version of Windows 8.1 Preview, plus another $50,000 for defensive ideas that accompany a qualifying mitigation bypass submission. And finally $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 preview on the latest version of Windows 8.1 Preview. But wait, what happened to the $250,000 prize that Microsoft gave away at Bluehat? The company was able to implement one of those ideas into EMET to block ROP…
 