Data from Hacked Bug Database used to Target Firefox Users

Using data and information obtained through another hack, hackers were able to target Mozilla Firefox users through vulnerabilities in the popular browser. What is most interesting about this whole debacle, however, was that the attackers first hacked Bugzilla, Mozilla’s bug and vulnerability tracking system to find working exploits.

Bug trackers and vulnerability databases serve important roles in maintaining secure software. As researchers and whitehats find and discover bugs and vulnerabilities, they report it to either a third party or directly to the vendor. In this case, it was through Bugzilla to Mozilla. This allows a common platform to share the information required to demonstrate and fix the bug. Even if there is no outside facing infrastructure to report bugs, more developers probably have their own internal system for keeping up with, detailing and cataloguing bugs. For widely popular software, an attacker may not need to spend time researching their own zer0-days. Instead, they can simply hit one of these bug repositories and grab a whole host of vulnerabilities and use them as needed before they are patched.

In this case, Bugzilla got hit via as a privileged user account had the same password for Bugzilla as on another site that got hacked. Due to this, attackers were able to break into Bugzilla undetected for at least a year. They managed to get away with 185 non-public vulnerabilities of which 10 were unpatched at the time. Given how many users tend not to patch, and that Mozilla is unsure when the attackers first got in, it’s possible many users were vulnerable. In fact, one of the vulnerabilities was exploited widely for a while. In response, Mozilla is implementing steps to shore up security by things like restricting access and two-factor authentication.

Once again, it shows that security can be pretty hard and even systems introduced to better protect users can severely backfire. Given the wealth of information stored within bug repositories on various vulnerabilities, they can become a juicy target for blackhats. Just like major retailers and  the recent US government data breaches, the sensitive information means these systems are guaranteed to be attacked at some point. Another major lesson is that if you want good security, not reusing passwords, keeping patched and using two-factor authentication is key.

Security Experts Call for Government Action against Cyber Threats

Alarmed by the ever rising amount of cyber attacks around the world and industry, more and more security experts see aggressive government action as the best hope to avoid a disaster.

A lot of the experts are still outraged by the extend of U.S internet-spying exposed by Edward Snowden, but they are even more concerned about enemies with the same capabilities; Sabotage, data wipes and theft of defence and trade secrets. These threats and fears were the core subject at this years Black Hat security convention.

Dan Geer held the keynote speech and went straight for national and global policy issues. He said the U.S. government should require detailed reporting on major cyber breaches, much in the same way it’s done with deadly diseases. Critical industries such as banks should be stress tested to see if they can handle it.

“We’re so day-to-day that we forget we’re a piece of a bigger system, and that system is on the edge of breaking down.”, said Blackhat founder Jeff Moss

Speaking on his own behalf, Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage. “Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves”.

In an interview after the keynote speech, Geer said that he hadn’t seen any encouraging signs from the White House or members of Congress, but the alternative would be waiting until the next major event. He added that he hoped it wouldn’t be a catastrophic event.

Chris Inglis, who retired this year as deputy director of the NSA, said “disaster could be creeping instead of sudden, as broad swaths of data become unreliable.” “Some of Geer’s ideas, including product liability, deserved broader discussion, doing nothing at all is a worse answer”.

Some said more disclosures about cyber attacks could allow insurance companies to set reasonable prices. The cost of cyber insurance varies, but $1 million in yearly protection might cost$25,000. The demand for cyber insurance has increased a lot following the high-profile data breaches such as Target or eBay, but the insurance agencies say they need more data for to calculate the rates.

With the new ideas presented by Geer and his colleagues, the government wouldn’t gain more control of the Internet itself. The root of the problem is with the ever rising number of severe flaws in software, that allow hackers to break in at will.

Geer said the United States should try to corner the market for software flaws and outspend other countries to stop the cyber arms race. The government should then work to fix the flaws instead of hoarding them for offensive attacks.

Thank you Reuters for providing us with this information.

Image courtesy of Blackhat.