-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello List,
------------------------------------
Frequently Asked Questions
------------------------------------
Q: Who is at risk?
A: Anyone who has installed the Firefox Web Browser and one or
more
vulnerable extensions. These include, but are not limited to:
Google
Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us
Extension,
Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser
Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker.
Don't you mean anyone who has these installed and is using a rogue
or compromised DNS server?
Q: How many people are at risk?
A: Millions. Exact numbers for each toolbar/extension are not
released
by the vendors. Google Toolbar, which is one of the most popular
of
the vulnerable extensions, is installed as part of the download
process with WinZip, RealNetworks' Real Player and Adobe's
Shockwave.
Google publicly pays website publishers $1 for each copy of
Firefox +
Google Toolbar that customers download and install through a
publisher's website.
Google confirmed in 2005 that their toolbar product's user base
was
"in the millions". Given the number of distribution deals that
have
been signed, the number of users can only have grown in size
since.
Oh stop being such a drama queen. Are you suggesting "millions"
have their DNS compromised and their home routers owned? Isn't this
bug rather inconsequential for these people anyway?
Q: When am I at risk?
A: When you use a public wireless network, an untrusted Internet
connection, or a wireless home router with the default password
set.
Duh. You don't need to be running some silly toolbar to be at risk
in this scenario.
Q: What can I do to reduce my risk?
A: Users with wireless home routers should change their password
to
something other than the default.
Are you really suggesting wide scale wireless home router
compromise? Is there an army of hacker dudes driving around
compromising unprotected wireless routers in the millions that I am
not aware of? Surely the Security Focus PharmConMeter(TM) would
have alerted me if this were the case!
Q: Why is this attack possible?
A: The problem stems from design flaws, false assumptions, and a
lack
of solid developer documentation instructing extension authors on
the
best way to secure their code.
See also "because your DNS server is owned"
----------------------------------
Description Of Vulnerability
----------------------------------
Blabla, you are a technical genius. Let's move on Dr. Chris.
-----------------------------------
When Are Users Vulnerable
-----------------------------------
Users are most vulnerable to this attack when they cannot trust
their
domain name server. Examples of such a situation include:
* Using a public or unencrypted wireless network.
* Using a network router (wireless or wired) at home that has
been
infected/hacked through a drive by pharming attack. This
particular
risk can be heavily reduced by changing the default password on
your
home router.
Hahahahahahha. Drive by pharming. What a fucking joke. This
industry is the best.
------------------------
Fixing The Problem
------------------------
The number of vulnerable extensions is more lengthy than those
listed
in this document. Until vendors have fixed the problems, users
should
remove/disable all Firefox extensions except those that they are
sure
they have downloaded from the official Firefox Add-ons website
(https://addons.mozilla.org). If in doubt, delete the extension,
and
then download it again from a safe place.
No way dude, use The Internet Explorer!
---------------------------------------------------------
Self Disclosure/Conflict of Interest Statement
---------------------------------------------------------
Christopher Soghoian is a PhD student in the School of Informatics
at
Indiana University. He is a member of the Stop Phishing Research
Group. His research is focused in the areas of phishing, click-
fraud,
search privacy and airport security. He has worked an intern with
Google, Apple, IBM and Cybertrust. He is the co-inventor of
several
pending patents in the areas of mobile authentication, anti-
phishing,
and virtual machine defense against viruses. His website is
http://www.dubfire.net/chris/ and he blogs regularly at
http://paranoia.dubfire.net
Impressive. The scholarly source Wikipedia [1] says you are also
that guy that made boarding passes for Al Qaeda? Kudos.
Information on this vulnerability was disclosed for free to the
above
listed vendors.
Oi! Such a deal.
_Joey
[1] http://en.wikipedia.org/wiki/Christopher_Soghoian
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5
wpwEAQECAAYFAkZdngYACgkQbnLzJSXnVjORJgP/e8QL9VRf4EsTEbkg91b8+J86wf1P
3eYeDo7toYMiT7dV/mKgMSzO3XNVmgKrlrBafiieGxbaOFL1Spu5wKiz04G8DiQs5D7y
vbWeQe6o68NYwCikyE4Ed5Hs7EWJFz+6R86x0KfQ3Nn+P3L/tnssUhkmMXHeGCOLZgVi
CVVCzxM=
=Zd4G
-----END PGP SIGNATURE-----
--
Click for free info on business schools and make $150K/ year
http://tagline.hushmail.com/fc/CAaCXv1I6ylOR9cWSogD0jO1TmrlUWwa/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
