[Sunnet Alert] Advisory #231 - Greasemonkey, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Mon May 7 14:43:19 EST 2007


Sûnnet Beskerming Alert List Advisory #231

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Greasemonkey
	- Remote Hacker Manual Security Bypass
	- Time Since Discovery - Same Day
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	Shrinking IT Companies
2.2	Struggling With Getting Security Right
=====================================

1.	SECURITY

1.1	Greasemonkey - Remote Hacker Manual Security Bypass

	-- Products Affected --
	All versions of Greasemonkey

	-- Technical Description --
	Greasemonkey will automatically download any file from the Internet
to the local temp directory if the URL ends with .user.js.  This happens
even when Greasemonkey has been disabled but left installed.  No attack
exploiting this behaviour has yet been developed, but it could be used
as one stage of a blended attack against Firefox users who have
Greasemonkey installed.

	-- Description --
	Greasemonkey is a popular extension for the Firefox web browser that
lets users run their own scripts to modify web pages as they load.  It
has been discovered that Greasemonkey automatically downloads any file
it encounters whose URL ends with the .user.js extension.  While this is
not an immediate threat, attackers may make use of this behaviour as a
stage in an extended attack against Firefox users.  Disabling
Greasemonkey, but leaving it installed, does not prevent the download
from taking place.

	-- Recommended Action --
	Consider temporarily uninstalling Greasemonkey until a patched
version is released.  Merely disabling the extension is not sufficient.
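As an added example (not part of the original advisory), the following
Python scans HTTP proxy logs for requests whose URL path ends in
.user.js, the suffix that triggers the automatic download described
above, so an administrator can see which clients have been pulling
userscripts and from where.  The log lines are constructed for
illustration, and matching on the path component rather than the whole
URL is an assumption: it deliberately also catches variants with a
query string, at the cost of possible false positives.

```python
"""Audit proxy logs for fetches of Greasemonkey userscripts (*.user.js).

Added example, not part of the original advisory.  The log format is
common log format with the full URL in the request line, as many HTTP
proxies write it; the sample lines below are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample log; only the second and fourth lines should be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2007:14:01:02 +0930] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.0.0.5 - - [07/May/2007:14:01:09 +0930] "GET http://scripts.example.net/helper.user.js HTTP/1.1" 200 1844
10.0.0.7 - - [07/May/2007:14:02:44 +0930] "GET http://cdn.example.org/lib/jquery.js HTTP/1.1" 200 55130
10.0.0.9 - - [07/May/2007:14:03:10 +0930] "GET http://attacker.example.com/x.user.js?v=3 HTTP/1.1" 200 902
10.0.0.9 - - [07/May/2007:14:03:11 +0930] "GET http://attacker.example.com/user.js HTTP/1.1" 200 300
"""

# client, timestamp, method, URL and status code from a common-log-format line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})'
)


def is_userscript_url(url: str) -> bool:
    """True when the URL's path component ends in ".user.js".

    The advisory describes the trigger as the URL ending in .user.js; this
    check deliberately looks at the path only, so "x.user.js?v=3" is also
    flagged (an assumption, erring towards catching more).
    """
    return urlsplit(url).path.lower().endswith(".user.js")


def find_userscript_fetches(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request that would trigger the auto-download."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, ts, method, url, status = m.groups()
        if is_userscript_url(url):
            hits.append({"client": client, "time": ts, "method": method,
                         "url": url, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_userscript_fetches(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} fetched {hit["url"]} ({hit["status"]})')
```

Run against real proxy output, a non-empty result is a list of hosts
whose temp directories may now hold attacker-supplied files, regardless
of whether the extension was enabled at the time.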

	-- Source --
	(Paid subscription required to access)

	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	7	7  (High)
	Corporate	7	7  (High)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	Shrinking IT Companies

Shifting technologies and shifting corporate focus are two of the
leading reasons behind job losses at IT services companies.
Suggestions that IBM Global Services is to trim 100,000 jobs have been
met with incredulity by many, and dismay by others.  Even if many of
the positions will be recreated in another, cheaper country, the loss
of so many skilled positions from a small number of countries (IBM's US
workforce is only about 120k, so not all losses will come from there)
will have a significant long-term economic impact, especially if those
workers are not able to re-enter the workforce easily.

While there is argument over the final number of job losses (most  
believe it to be in the tens of thousands), few are arguing that IBM  
is not cutting jobs.

Smaller IT marketplaces can also suffer from the sudden loss of many
jobs, as is taking place in Australia with the losses at KAZ, an IT
services company that is a subsidiary of Telstra.  Almost a quarter of
KAZ's employees are expected to lose their jobs over the next few
weeks, and many have already had their employment terminated.  As with
the IBM job losses, it is being reported that many clients are being
left with substandard service as a result of the employees servicing
their accounts being let go.


2.2	Struggling With Getting Security Right

A security breach only requires a single point of failure before a
system or network may be compromised (unless defence in depth is in
place).  Reporting on the worsening TJX data theft case suggests that
the entire breach grew from the compromise of a single wireless access
point secured with WEP.  From there the attackers were able to sniff
authentication details for more secure network segments and data
stores, break into them, and steal the customer records database.

Seasoned security experts will immediately note that TJX elected to
use a security method with known weaknesses (WEP can be rapidly
cracked by an attacker who has not authenticated to the network) and
did not practise effective defence in depth, since the wireless network
was not effectively isolated from the wired network.  While many people
claim that by using WEP they are making themselves a harder target than
their neighbour, this case clearly demonstrates that a motivated
attacker will readily bypass that difficulty to reach the information
they are after.

What should be shocking for companies is the fact that the hackers  
who targeted TJX were professionals, specifically there to break into  
the network.  WEP and other security measures may be enough to  
prevent access by the semi-interested amateur, but few will prevent  
attack from the professional.

TJX isn't the only company to have embarrassing security problems
highlighted in recent days.  AOL.com users who selected passwords
longer than eight characters might be surprised to discover that the
password actually in use on the site is much weaker than they thought.
The AOL.com processing systems truncate all passwords to a maximum of
eight characters, so a twelve-character password is only as strong as
its first eight.  This makes a dictionary attack much more effective: a
dictionary word of eight or more characters with digits appended (for
example "password1" and "password2007") is reduced to the same eight
characters, so a single guess covers every such variant.

AOL.com isn't the only site with this issue.  MySpace's limit kicks in
after 10 characters, and major software products have had similar
truncation issues (Windows NT, OS X, Solaris, AIX).  Even worse, some
systems have been known to strip non-alphanumeric characters (anything
other than a-z, A-Z, 0-9) from passwords entered by users, which
further shrinks the set of passwords that are actually distinct.
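As an added example (not part of the original advisory), the following
Python models the two behaviours described above, truncation to eight
characters and stripping of non-alphanumeric characters, beside a
verifier that uses the whole password, and counts how many distinct
stored credentials a small guess list collapses to under each policy.
The three policies are stand-ins written for this illustration, not any
vendor's actual code, SHA-256 is only a placeholder for whatever hash a
site uses, and the candidate list is constructed.

```python
"""Model the password-handling weaknesses described above.

Added example, not part of the original advisory.  The three policies
below are stand-ins modelled on the behaviours the text describes (eight
character truncation; stripping of non-alphanumerics); they are not any
vendor's real code, and SHA-256 is used only as a placeholder hash.
"""
import hashlib
import re
from typing import Callable, Iterable, Tuple

Normaliser = Callable[[str], str]


def _digest(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def normalise_truncating(pw: str, limit: int = 8) -> str:
    """Weak policy: only the first `limit` characters are significant."""
    return pw[:limit]


def normalise_alnum_truncating(pw: str, limit: int = 8) -> str:
    """Weaker still: drop everything outside a-z, A-Z, 0-9, then truncate."""
    return re.sub(r"[^A-Za-z0-9]", "", pw)[:limit]


def normalise_full(pw: str) -> str:
    """Hardened policy: the whole password is significant."""
    return pw


def make_verifier(
    normalise: Normaliser,
) -> Tuple[Callable[[str], str], Callable[[str, str], bool]]:
    """Build (enrol, verify) for a policy.  enrol() returns what the site
    would store; verify() checks a candidate against that stored value."""
    def enrol(password: str) -> str:
        return _digest(normalise(password))

    def verify(stored: str, candidate: str) -> bool:
        return stored == _digest(normalise(candidate))

    return enrol, verify


def distinct_credentials(candidates: Iterable[str], normalise: Normaliser) -> int:
    """Number of distinct stored values a guess list yields under a policy:
    the smaller this is, the fewer guesses an attacker needs."""
    return len({_digest(normalise(c)) for c in candidates})


# Constructed guess list: a dictionary word plus the usual suffix variants.
CANDIDATES = ["password", "password1", "password2007", "Password!",
              "pass-word_99", "correct horse"]


if __name__ == "__main__":
    enrol, verify = make_verifier(normalise_truncating)
    stored = enrol("password2007")
    print("truncating: 'password1' accepted for 'password2007'?",
          verify(stored, "password1"))
    for name, policy in [("full", normalise_full),
                         ("truncate to 8", normalise_truncating),
                         ("alnum + truncate", normalise_alnum_truncating)]:
        print(f"{name:>18}: {distinct_credentials(CANDIDATES, policy)} distinct "
              f"of {len(CANDIDATES)} candidates")
```

Under the truncating policy the six candidates yield only four distinct
stored values, and with non-alphanumerics stripped as well only three,
so an attacker working from a dictionary gets several users' passwords
for the price of one guess; under the full-password policy all six
remain distinct.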

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid-2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.

