Firefox 3.6 to prevent harmful add-ons

The soon-to-be shipped version 3.6 of the Firefox browser will have a new feature that will make it more stable. It is called Component Directory Lockdown, and it prevents third-party applications (add-ons and plugins) to store their own code into the “components” directory, where most of Firefox’s own code is stored.

The change was announced by Johnathan Nightingale of the Firefox development team, on their official blog. He says that this should not represent major problems for developer add-ons. “If you’re already packaging your additions as an XPI, installed as an add-on it’s business as usual. If you have been dropping components directly, though, you’ll need to change to an XPI-based approach,” he writes, and directs them to migration instructions.

This seems like a most positive change, and one wonders that it hasn’t been thought of earlier, since – as Nightingale states – there are no special abilities that can be gained by add-ons installing their code in the said directory, and it only brought problems to Firefox AND the developers of these add-ons.

Source:
http://www.net-security.org/secworld.php?id=8518&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

Posted in Internet, Security | No Comments

Guide to Scary Internet Stuff

Finally, some help with explaining internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while.

Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice, and hopefully be safer online after watching them…although that remains to be seen 😉

The videos cover all sorts of topics—from botnets to viruses, and everything in between. Have a look for yourself and see what you think, and subscribe to the channel to be notified when new videos are available. Or if you find yourself in my shoes, pass on the videos to those friends and family who you think could benefit from them.

Source:
http://www.youtube.com/user/SymantecEduc

Posted in Internet, Privacy, Security | No Comments

Most security products fail to perform

Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report. The “ICSA Labs Product Assurance Report” – co-authored by the Verizon Business Data Breach Investigations Report research team – details lessons gleaned from testing thousands of security products over 20 years.

The report found the number one reason why a product fails during initial testing is that it doesn’t adequately perform as intended. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic.

The failure of a product to completely and accurately log data was the second most common reason. Incomplete or inaccurate logging of who did what and when accounted for 58 percent of initial failures.

The report findings suggest that logging is often considered a nuisance and undervalued. According to the report, logging is a particular challenge for firewalls. Almost every network firewall (97 percent) or Web application firewall (80 percent) tested has experienced at least one logging problem.

Source:
http://www.net-security.org/secworld.php?id=8506

Posted in Hardware, Internet, Networking, Privacy, Security | No Comments

Researcher busts into Twitter via SSL reneg hole

A Swiss grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the secure sockets layer protocol.

The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. When the flaw surfaced last week, many researchers dismissed it as an esoteric curiosity with little practical effect.

For one thing, the critics said, the protocol bug was hard to exploit. And for another, they said, even when it could be targeted, it achieved extremely limited results. The skepticism was understandable: While attackers could inject a small amount of text at the beginning of an authenticated SSL session, they were unable to read encrypted data that flowed between the two parties.

Despite those limitations, Kurmus was able to exploit the bug to steal Twitter usernames and passwords as they passed between client applications and Twitter’s servers, even though they were encrypted. He did it by injecting text that instructed Twitter’s application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.

Source:
http://www.theregister.co.uk/2009/11/14/ssl_renegotiation_bug_exploited/

Posted in Internet, Networking, Privacy, Security | No Comments

New Flash Attack Has No Real ‘Fix’

Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash — and there’s no simple patch for it.

The attack can occur on Websites that accept user-generated content — anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

“Everyone is vulnerable to this, and there’s nothing anyone can do to fix it by themselves,” says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel’s File Manager. “We’re hoping to get a message out to IT adminstrators and CIOs to start fixing their sites one at a time.”

An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. “If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can’t fix this,” Murray says. “If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials.”

The only thing close to a “fix” is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack. Facebook already does this, he says, which makes the popular social networking site immune to hosting this type of attack.

Source:
http://www.darkreading.com/security/showArticle.jhtml?articleID=221700036&cid=RSSfeed

Posted in Internet, Security | No Comments