New security vulnerability discovered in Firefox browser
June 22, 2012
Privacy-conscious internet users started sounding alarm bells after Mozilla updated its popular Firefox browser. The New Tab thumbnail feature in Firefox version 13 takes snapshots of pages from the user's HTTPS sessions.
Some users discovered the new feature after opening a new tab only to be greeted by thumbnails of their earlier online banking and webmail sessions, complete with account numbers, balances, subject lines and so on. Needless to say, some users were extremely shocked to see that.
Such sensitive data sits behind a secure HTTPS login page for a very critical reason. In response to queries on the matter prompted by this discovery, Mozilla acknowledged that the behavior was undesirable and promised that a security patch would be issued soon.
In the meantime, Mozilla points privacy-conscious users towards various workarounds. "We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user's direct control," Mozilla said in a statement.
The new tab thumbnails are based on internet users' browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser.
That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened in the browser.
Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools featured in Firefox, such as Private Browsing Mode.
Firefox version 13 was released on June 5th, adding new features including updated new tab and home tab pages. The updated new tab page feature is broadly akin to the Speed Dial feature already present in other browsers and displays cached copies of a user's most visited websites.
In other internet security news
An internet security vulnerability in some F5 equipment first announced in February may be in the wild, with code posted to GitHub purporting to be an exploit for it.
The original advisory stated that vulnerable installations of F5’s BigIP and other systems allowed an attacker to log in as root, because the security vulnerability exposed the device’s SSH private key.
F5 responded to this twelve days ago, but since only seven days have passed since F5 issued its advisory and the accompanying patch, it's likely that unpatched systems still exist out in the wild.
F5 describes the issue as “A platform-specific remote access vulnerability has been discovered that could allow a remote attacker to gain privileged access to compromised systems using SSH. The security vulnerability is caused by a configuration error, and isn't the result of an underlying SSH defect.”
Exploit code has been posted to GitHub. That code purports to gain remote access to some of the affected F5 systems, namely its BigIP devices.
The security vulnerability can be addressed either by users upgrading to a non-vulnerable version, or reconfiguring SSH access. We are still awaiting an update from F5. We will keep you posted.
In other internet security news
Internet security experts are warning multinational firms with offices in Hong Kong that they are not immune at all to cyber attacks originating from China, despite the apparent shared sovereignty between the Special Administrative Region (SAR) and its mainland parent. This isn't the first time that Hong Kong has been advised to take precautions when it comes to its cyber security.
In the past, the Chinese government has often been blamed for either officially sanctioning cyber espionage attacks on foreign countries, as well as private and public organizations, or just simply turning a blind eye to financially motivated or patriotic attacks on western companies and states launched from within China.
Some internet security experts strongly believe that there is an unwritten agreement between the Chinese hacking community and the authorities that these activities can continue as long as no government organizations or firms operating in China are directly affected.
But experts in the SAR have said multinationals appear to be fair game for Chinese hackers. Roy Ko, center manager of the Hong Kong Computer Emergency Response Team (HKCERT) says that his team works closely with its Chinese counterpart to pinpoint the exact location of attacks on local companies.
“Hong Kong’s overall immunity depends on our capabilities to defend ourselves, not because we’re part of China,” he argued. “We have a good communications channel in place with China's CERT organization, so when the internet attacks come from China, we can seek their help and advice fairly quickly.”
To be sure, Ian Christofis, an acting manager for Verizon Wireless in North Asia, recently said that multinationals on the mainland were worried about intellectual property theft by malicious insiders, and that Hong Kong companies were equally in the crosshairs.
“On any given day, Hong Kong is just as much a target as anywhere else. Hong Kong companies should not be complacent,” he added.
And for his part, Guido Crucq, general manager of internet security solutions at Asia Pacific for data systems integrator Dimension Data, agreed strongly with that notion.
"Today, cybercriminals are into hacking for the big money, so we advised our clients that we can't let our guard down simply because we are doing business in a location which we consider as friendly territory," he said.
But lawmaker Samson Tam, who is a legislative councillor for IT in the SAR, preferred to play up the threat to locally-based firms from outside of China.
“Most attacks come from smaller countries or areas with much looser controls and more liberal standards, so international police force co-operation is very important,” Tam added.
“Mainly, they are financially-motivated internet attacks because we don’t have many political, cultural or religious tensions here,” he said.
At any rate, and as it's been proven many times in the recent past, it can be frustratingly difficult for experts to accurately trace back a cyber attack to its very source.
Given its large online population, China will naturally have a sizeable number of compromised machines which either home-grown or foreign hackers can use to launch ever more internet attacks, said HKCERT's Ko, and that's really the worrisome part.
In other internet security news
A complex and very targeted bot virus that steals data from computers located in the Middle East was discovered over the weekend, internet security researchers announced today.
Called 'Flame', the malware has actually been in operation since sometime in 2010 and appears to be state sponsored, Kaspersky Research Labs said today, although it wasn't sure of its exact origins.
Flame is designed to steal information from specific targeted systems, including stored files, screen contents and even audio conversations that took place in the recent past.
"The overall complexity and functionality of the newly discovered malicious software exceed those of all other cyber threats known to date," Kaspersky Labs said in a statement announcing the malware's discovery this morning.
The virus is about twenty times the size of Stuxnet, a virus that targeted the controls of an Iranian nuclear facility. The largest concentration of infected computers is in Iran, followed by the Israel/Palestine region, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
"Conducted upon an urgent request from the ITU, the preliminary findings of the research confirm the highly targeted nature of this malicious program," said Kaspersky Labs' chief expert Alexander Gostev.
"And one of the most alarming facts to date is that the Flame cyber-attack campaign is currently in its active phase, and its controlling operator is consistently surveilling all infected systems, collecting information and targeting new systems to accomplish its unknown goals."
Eugene Kaspersky, the founder and CEO of Kaspersky Labs, compared the new virus with Stuxnet and said it appeared to open a new front in state-sponsored cyber warfare.
But he also said that its full significance won't be properly understood until more security researchers examine the whole contents of the malware in intricate detail.
"The Flame virus looks to be into another phase of this never-ending war, and it's important to understand that such cyber weapons can easily be used against any country," Kaspersky said in a statement. "Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case, and that's exactly what we have to watch out for."
In other mobile news
The now famous hacker group Anonymous says it is focusing its attention on India, helping to pull down the web sites of the Supreme Court, the country’s two major political parties and several government sites in retaliation for a court injunction which led to the blocking of several video sharing and BitTorrent sites. As always, the group is using DDoS (distributed denial of service) attacks to get its message across.
Anonymous first signalled its intent to launch Op-India in a YouTube message posted on May 9, which said the following: "We have come to the conclusion that the Indian government has failed. It is time that we all rise and stand against the corrupt government. The Department of Telecommunications has ordered Internet Service Providers to block file-sharing sites in India. We cannot let this happen."
While some sites, such as those of the two political parties and the Supreme Court, appear to be up and running again, the Department of Telecoms and the Ministry of IT sites were still down at the time of this article.
Also down for ‘maintenance’ (!) was the site of Copyright Labs, the Chennai-based anti-piracy firm which obtained the original John Doe injunction against sites such as Vimeo, Daily Motion and The Pirate Bay to prevent illegal sharing of the local movie Dammu.
Judging by Anonymous' increasingly exasperated messages from its opindia_revenge account, some Indian users were worried that the DDoS attack would cause permanent damage to those sites.
One such Tweet read "We are not doing any permanent damage to the websites. We just want file sharing sites to be unblocked."
Despite some observers in the internet community predicting that the hacktivist group was on its knees after high profile arrests of alleged members last year, it has made something of a comeback lately, launching well publicized attacks on the Kremlin, Virgin Media and even the ICO.
In other internet security news
Federal police in Norway have arrested and charged two teenagers suspected of taking part in DDoS (distributed denial of service) attacks against the U.K.'s Serious Organized Crime Agency and several other similar targets.
Aged 18 and 19, the unnamed teens are also suspected of attacking the Norwegian financial services group DNB and Germany's Bild newspaper, according to Norwegian police.
"We have arrested the two we think were the most important in these internet attacks, but we still want to talk to more people," Norwegian prosecutor Erik Moestue said.
A spokeswoman for Norway's National Criminal Investigation Service confirmed that two suspects had been arrested, questioned and formally charged over computer and internet hacking offences.
The spokesperson was unable to confirm either the names of the suspects or the websites they had been accused of attacking. Both suspects have been released on bail pending further inquiries.
Additionally, the United Kingdom's Serious Organized Crime Agency was taken offline last week after it was flooded with DDoS traffic by some hacktivists. The police agency said the decision to take the site offline was taken in order to prevent other sites hosted by the same ISP from being affected by the assault.
SOCA characterized the attack as a "nuisance" rather than a security threat. SOCA's website was also hit by a similar denial of service attack last June. A number of UK-based individuals were charged over these assaults but the cases are yet to go to trial.
Source: The Mozilla Foundation.