Archive for December, 2008

MD5 Weaknesses Could Lead to Certificate Forgery

Tuesday, December 30th, 2008

Issue

Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.

Impact to users

If a user visits an SSL site presenting a fraudulent certificate, there will be no obvious sign of a problem and the connection will appear to be secure. This could result in the user disclosing personal information to the site, believing it to be legitimate. We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections.

Status

This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat. Mozilla is not aware of any instances of this attack occurring in the wild.

Microsoft has released their own advisory as well.

Credit

Alexander Sotirov, Marc Stevens, and Jacob Appelbaum presented this work at the 25th Chaos Communication Congress.

Johnathan Nightingale
Human Shield

Securing Your Enterprise in an Insecure Economy

Monday, December 22nd, 2008

As companies everywhere seek to reduce capital and operational expenses in a troubled economy, they ask themselves, “How can we spend as little as necessary today to minimize additional costs throughout the next year?” IT and security professionals relate to this, as their goal is to never have to withdraw from the Contingency Reserves (or similar) budget item. Contingency Reserves is finance-speak for the allocation you must set aside to accommodate potential financial ramifications resulting from IT security breaches. These breaches occur when sensitive information leaks into the wrong hands, most frequently as a result of inadvertent internal error.



Locard’s Exchange Principle, Applied to eCrime

Monday, December 22nd, 2008

I love crime shows: Law & Order SVU, Inspector Morse, CSI:, the occasional episode of Monk, and others. (OK – I’ll admit I like some of these for the drama as well!) I also love a really good “Who Dunnit?” novel – usually with a good twist or two, of which Jeffrey Deaver is quite the modern master.



PCI DSS: How to Do More With Less

Thursday, December 18th, 2008

My colleague, Paul Stamp, recently shared his thoughts on the global economic downturn and the fact that it is making many organizations concerned that their IT security budgets will be cut. Echoing Paul’s observations, almost all the customers I’ve spoken with have not seen their PCI budgets cut, but that is not to say they aren’t concerned. Many have expressed a desire to stretch their dollars further, asking the question, “When it comes to PCI and my other security and compliance initiatives, how can I do more with less?”



Speaking of Security Podcast #133

Wednesday, December 17th, 2008

Click to Download/Listen (15:01)

This week’s Speaking of Security podcast features part two of an interesting discussion with Uri Rivner, Head of New Technologies for RSA. Uri talks about what organizations can do to combat fraudsters. Through a layered security approach, organizations can stay one step ahead to mitigate the risk of fraudsters targeting their business.



The Importance of Good Metrics

Monday, December 15th, 2008

There has been some interest in the last few days about a recent report from a company called Bit9 about application vulnerabilities. While we’re always happy to see stories that focus on educating our users about security, there are some problems with Bit9’s methodology that hinder its ability to draw any meaningful conclusions.

Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities. Mozilla focuses a great deal of energy on building world class code, and we stand by our reputation on security; we don’t play games with it.

Mozilla security process involves regularly identifying, fixing, testing, and releasing security updates to keep our users safe, and we do that in a public way so that others can scrutinize our processes and help make them better. To suggest that this openness is a weakness because it means that we have “reported vulnerabilities” is to miss the reality: that software has bugs. A product’s responsiveness to those bugs and its ability to contain them quickly and effectively is a much more meaningful metric than counting them.

Bit9 seems to understand this in its focus on application support for updates, but again it fails to account for the real world experience.  Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released.

The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of each issue being announced. That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? When people have asked that question, Firefox and Mozilla have consistently come out ahead.

Bug counting is unfortunately common because it’s easy, but it should not be a substitute for real security measurement. This is why we’ve continued to work on things like the Mozilla security metrics project, to help people make informed decisions about the security of their software. We invite people who are interested to be a part of that process.

Johnathan Nightingale
Human Shield

Budgets seem to be holding up, but more justification needed

Thursday, December 11th, 2008

Also at the IANS conference, we talked extensively about enterprises’ budgets. Apart from a few notable exceptions, most agreed that budgets hadn’t been significantly cut…yet. It stands to reason – nobody buys security because it’s cool, or because they have extra cash in their pockets. On the other hand, few thought their budgets were immune to being cut in the near future either. Either way, just about everyone was finding that they needed extra justification for their security purchases.



Leaving Mozilla

Wednesday, December 10th, 2008

I will be leaving Mozilla at the end of the year.  I am sad to be leaving, but I am excited to go work on something I have always been passionate about.  I wish I could tell you about it now, but that will have to wait for a while.

You will still get Mozilla security information here. Johnathan Nightingale, Lucas Adamski, Brandon Sterne and Mike Shaver will all be posting on the Mozilla security blog to keep users informed about security issues and announcements.  I leave you in their very capable hands and wish them the best of luck.

The Mozilla community is an incredible group of dedicated people who are really making a difference in how we experience the Internet.  The contribution you make to the world is tremendous.  I am honored to have been a small part of it for these last few years.

Thank you,
Window

Window Snyder
window@dec.net

Announcing “Browser Security Handbook”

Wednesday, December 10th, 2008

Asking the Right Questions When Implementing a Data Loss Prevention Policy

Wednesday, December 10th, 2008

Okay, raise your hand if you are scared of the word “policy.” Policy is sometimes an overused word that sounds simpler than the complex thing it actually is, and if not properly thought out, can be a headache to implement. RSA’s Information Policy and Classification team spends a lot of time focusing on the accuracy of Data Loss Prevention (DLP) policies. This week, we’re giving some hints for success and best practices that we’ve learned by working with both early adopters and some of the world’s largest companies. We know from experience that you can have the most accurate policy and it still may not be the right policy for your organization. Here’s how to figure it out…

Where did my vendor go?

Tuesday, December 9th, 2008

I had the pleasure of attending the Institute of Applied Network Security (IANS) conference in San Francisco last week. For anyone not familiar with this organization, they’re a peer-to-peer research organization where security practitioners come together to talk about the issues du jour. It’s a really good way for us vendors to get a pulse on what people are worried about, and what they think about what we’re doing to support them.

Speaking of Security Podcast #132

Tuesday, December 9th, 2008

Click to Download/Listen (11:13)

This week’s Speaking of Security podcast features a preview of the latest edition of Vantage, RSA’s magazine on information security news and trends and the first segment of a two-part discussion on how the fraudster underground operates much the same as real-world businesses. Uri Rivner, Head of New Technologies at RSA is our guest.

Malicious Firefox Plugin

Monday, December 8th, 2008

Issue

A malicious piece of software masquerading as a legitimate and popular Firefox plugin is spreading.  Trojan.PWS.ChromeInject.A collects a user’s passwords from banking and other sites and forwards them to a remote server.

Impact

If a user has been tricked into installing this plug-in, or had it installed through a separate vulnerability, it may compromise passwords and the user’s accounts. This trojan is not Greasemonkey, even though it uses some of Greasemonkey’s internal IDs.

Status

To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox.  Then choose Plugins. If you see this plugin, disable it.

Johnathan Nightingale blogged about it here: http://blog.johnath.com/2008/12/08/firefox-malware/

Credit

This issue was identified in the wild by BitDefender.  Their analysis is here: http://www.bitdefender.com/VIRUS-1000451-en–Trojan.PWS.ChromeInject.B.html

Native Client: A Technology for Running Native Code on the Web

Monday, December 8th, 2008

Security Challenges in Software as a Service, Portals and Collaboration

Monday, December 8th, 2008

There are a number of business trends that are driving new security challenges. As some companies shift to Software as a Service (SaaS), they are beginning to realize that not having planned for a common identity framework is leaving them with disparate representations of customers who expect a seamless user experience.

Securing Cyberspace for the 44th Presidency – An Introduction to the Commission

Monday, December 8th, 2008

Later today the final report of the CSIS Commission for the 44th Presidency will be officially released on Capitol Hill in Washington, D.C. The co-chairs of the Commission are: U.S. Representatives Jim Langevin (Democrat, Rhode Island) and Michael McCaul (Republican, Texas), and senior industry executives Scott Charney of Microsoft and retired Air Force Lt. General Harry Raduege of Deloitte.

Eight Microsoft fixes planned for Patch Tuesday

Friday, December 5th, 2008

Microsoft plans to release eight patches on Tuesday – six for “critical” vulnerabilities – as part of its monthly security update.

IT Security Ask the Experts: Top Queries, November 2008

Thursday, December 4th, 2008

This Web site was created to be a clearing house for technical IT security queries, and we are still fielding quite a few of those. But we continue to receive a broad variety of fascinating questions …

Report: Nearly all computer users running insecure programs

Thursday, December 4th, 2008

Only two per cent of computer users are fully patched and the other 98 per cent are running at least one insecure, unpatched program, security firm Secunia said this week.