Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 7,400 times in 2011. If it were a NYC subway train, it would take about 6 trips to carry that many people.

Click here to see the complete report.

First, I spoke at SkyDogCon 2011 in Nashville, TN on The Neurobiology of Decision Making (youtube). I was the first speaker and it was my first time speaking at a conference, I was very pleased that it was well received. I met SkyDog at DerbyCon 2011 which was my first small con and I really enjoyed it. I had easily as much fun at SkyDogCon and really enjoyed getting to spend more time with individuals talking about Mozilla, Firefox and other fun topics. It was also great fun hacking the arduino badges and learning how to pick a lock. The staff treated me exceptional well, the speakers were a fun bunch to hang out with. I really hope I get a chance to speak again at next years con.

The weekend after that I was at MozCamp EU in Berlin, Germany, again as a speaker but more importantly as a member of the Security Team. I really wanted to meet and make some connections with contributors and further the message of “we’re all in this together for the betterment of our users”. It was also a moving experience for me personally, last time I was in Germany was 1987 and as 3rd generation American of German immigrants it was really painful to see Germany divided. I fulfilled a 24yr old promise to myself to walk beneath the Brandenburg Gate.

From Berlin

Then we have the fall holiday here in the USA known as Thanksgiving. Unfortunately for me I caught some bug in my travels through London and Berlin and was pretty ill. A trip to the Dr. for meds to keep the rest of my family well and not to ruin the holiday finished up any time before the holiday and family, geocaching with the kids, socializing and eating at up the rest of my blogging time.

The rest of my month was taken up the the usual security meetings & Firefox meetings; you know the get stuff built and shipped movements.

Thankfully the traveling, meeting, talking and thinking time has left me with many things to talk about. I hope all my readers had as good a month as I did.

Meeting Location:
Sullivan University Campus, 3101 Bardstown Road, Room 254, Louisville KY 40205 – (about 15 minutes from the airport…on I-264 East)

When you arrive at the University’s main building, Drive around past the front visitor’s doors to the parking area on the right side of the Main Building. Room 254 can be accessed via a back stairway near a break area on the back right-hand side of the building, very easy to spot.

Desktop Betrayal: Exploiting Clients through the Features They Demand
In this talk, Tom Eston will explore the use of client features to gain privileged access to client systems. During previous talks around social networks, Tom Eston and fellow security researcher Kevin Johnson discovered that most of the damage they could perform against a target didn’t use an exploit against any vulnerable system. Tom and Kevin were able to create various attacks that made use of features being used on client machines. While this talk will not disclose any vulnerabilities within popular client software, Tom will be releasing multiple attacks that use these clients against their users. Tom will be discussing attacks using JavaScript, HTML5, PDF files, Flash, Data URIs, Web Workers and more. Tom will also discuss code to perform these attacks as well as add-ons to popular tools such as BeEF (Browser Exploitation Framework) that will enable these tools to make use of the attacks.

Tom Eston is the manager of the SecureState Profiling Team. Tom leads a team of highly skilled penetration testers that provides attack and penetration testing services for SecureState’s clients. Tom focuses much of his research on new technologies such as social media, mobile devices and new web technology. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including DerbyCon, Notacon, OWASP AppSec, Black Hat USA, DEFCON and ShmooCon.

Full Disclosure
I currently work for Mozilla, the group/movement behind Firefox. I have also worked in the past for Microsoft.

Ok, now lets get started. Microsoft launched a site called yourbrowsermatters.org and right off the bat my first issue is that they did this under a .org banner. Which to most people means some nice non-profit is doing this, as that is what .org addresses are for. In my opinion, this is an attempt to hide the true backer of the site, Microsoft. Yesterday when this site showed up it had a nice Windows flag style icon on the bottom (today Oct-12-2011 this is gone). Unlike most Microsoft sites the Microsoft and Azure items are at the bottom and quite small. Nor does the methodology page (http://yourbrowsermatters.org/docs/methodology.pdf) mention Microsoft. The site does use a “Metro-style” interface and unless users are familiar that means little to them. As well the methodology doc has the same layout as many Microsoft docs, but yet again unless you are familiar I doubt one would notice this. So right off the bat this began to tickle my thinking.

Also this site does not really test anything. It takes the User Agent string from the browser (which can be changed) and returns a pre-built answer for that string. How do I know, well I used the User Agent Switcher add-on for Firefox to try this out and just by switching this string I get different answers. So they could have just as easily just produced a chart that showed what they think the outcome is. Also keep in mind this is for Windows only, this does not give a score for other operating systems or OS protection models.

My take
ghackes.net did a nice write up on this as well, since this covered some of this nicely I suggest you read the analysis there as I don’t want to be repetitive on certain aspects.

So lets take a look at the whole criteria:

Category:Dangerous Downloads

1. Does the browser help protect you from websites that are known to distribute socially engineered malware?
• This is a rehash of the NSS Labs Socially Engineered Malware Report, on its face this is a semi-interesting report. but I think it’s also somewhat skewed. I am still working my way through all of this report, but my first concern is around making claims with fixed versions (Apple® Safari® 5, Google Chrome™ 12 , Windows® Internet Explorer® 9 Mozilla® Firefox® 4, Opera™ 11) used in the report but using that to infer about newer versions (namely Firefox 4 ≠Firefox 7 in capability). Our current rapid release process allows us to make all kinds of changes and using a static set to make an inference about something newer is just not something I can support.
• Yes there are going to be differences between SmartScreen in Windows and StopBadware used by others, but to think they would be this large seems off to me, again I need to do more analysis of the methodology. Also why Firefox and Chrome would be so different in results when using the same list is something that bears more analysis.
2. Does your browser provide a distinct warning when you download and application that is of higher risk but not yet confirmed as malware?
• So no, Firefox does not have this capability today and we are looking into adding it. What is it? Well you take the hash of the file being downloaded and if it’s known to be a problem you tell the user, if you don’t know, you tell the user. This could be good for users if you actually know something or if they don’t really understand what they are downloading.

Category: Phishing Sites

1. Does the browser have a feature that can help protect you from phishing sites?
• Everyone gets marks for this as we all have something, so lets move along.

Category: Attack on your browser and its plug-ins

1. Does the browser have the ability to restrict an extension or a plugin on a per site basis?
• This is a point of contention, only IE gets points her. Our plugin model is directly comparable, and this is a relatively important feature. Practically speaking it’s only “more secure” if plugins default to OFF and you let users build up a whitelist which is NOT what IE does. Chrome sort of does (yes for Java, no for Flash). We definitely have a different extension model. Compare Greasemonkey, where each installed user script has a default list of sites/pages it applies to but the user can manage that list. Given that extensions and plugins are very different how does one really rate this?
2. Does the browser have a system for auto updating browser extensions?
• This is one spot where Chrome and Firefox have a feature that IE currently does not.

Category: Effective Sandbox

1. Does the browser process utilize Windows Protected Mode or implement a similar mechanism such that browser processes cannot modify parts of the system that it doesn’t have access to?
• As far as I can tell this is a literal use of the Windows Protected Mode, and no Firefox is not using this today for a variety of reasons.
2. Does the browser extend the sandbox such that it cannot read data from parts of the system that it doesn’t have access to?
• See #1
3. Does the browser benefit from Windows operating system features that protect against arbitrary data execution?
• We do this, why this does not show up for some Firefox UA strings on this site I don’t know.
4. Does the browser benefit from Windows operating system features that randomize the memory layout to make it harder for attackers to find their target?
• See answer to 3.
5. Does the browser benefit from Windows operating system features that protect against structured exception handling overwrite attacks
• So according to to the criteria doc link for this one this is talking about /SAFESEH, odd we don’t get a tick here as we do this on our Windows builds.

Category: Attacks on Websites

1. Does the browser automatically block insecure content from secure (HTTPs) pages?
• They are giving points for mixed content handling
2. Does the browser filter out scripts on the client to help protect against Cross-Site Scripting (XSS) attacks?
• I think I can consed on this one, even thought we do have this feature landing soon.
3. Can the browser sanitize HTML to remove potentially problematic code?
• They are giving points for their own ToStaticHTML API usage, we’ve looked at it but there is not agreement that this is the correct what to help protect from web developers doing potentially dangerous things.
4. Does the browser have features that websites can take advantage of to help protect you from Cross Site Request Forgery attacks, also known as “Click Jacking”?
• So we all get points for something that are 2 different things CSRF is not also known as Click Jacking, so this one just confuses me. In fact these 2 items require very different mitigations.

Bottom Line
So if we look at the “output” no browser has a”perfect” score, they all have things missing. The great disappointment here for me is this could have been a very good site to help encourage users who are on any older platform to pick a more modern one for safety; instead this has been warped into what I perceive as a marketing tool to promote IE. This was best said by Maxim on the browserupgrade@list.otalliance.org list“

I’m disappointed that Microsoft is using similar language to OTA’s Why Your Browser Matters campaign to serve as a marketing tool to pitch IE as superior to other browsers. The goal of this campaign was supposed to be to get people to upgrade older browsers to newer browsers, not to push one browser over another.

It’s particularly frustrating that Microsoft misrepresents Firefox as not protecting users from social engineering malware sites. This is patently untrue.

Regards,
Maxim

I shall now get off my soapbox for the time being.

So I decided to attend the bi-weekly Contribute Group Meeting, which is an open forum where we discuss how we can better engage the Mozilla community in our particular areas of focus. I went into the meeting with the idea that we (the product security) team needed to do more or do something different to engage the community to participate more in the things we are trying to accomplish. I know people care about security here and I have been talking about it on my blog, on the official security blog, on mailing lists, on twitter; but results have not really been evident. We have shared a public calendar so people can see when the meetings are, and the how to attend details; and I talk about each weeks upcoming meetings in several venues. We make the notes of these reviews public on our security wiki and try to encourage discussion on our open IRC channel #security. But still the best I’ve seen to date is one person who labeled themselves as “lurker” on an etherpad, they did not speak on the call (if they were there), did not participate in the IRC channel and did not type anything in the etherpad. Other than the paid Mozillians who have been invited directly to the meetings no-one else has really been participating. I really do want more participants in our meetings to help give their cognitive power to improving Firefox security.

The meeting turned out to be very impact-full, not only in ideas but how I perceive the company, the community and my role in all of it. The best quotable for me (and this is from memory) came from David Boswell; “Mozilla is a community that has an organization that supports it, not an organization with a community around it“, in essence the company exists to allow some people to be full time community contributors. It is not above or below or separate from the community but an integral part of it. For me this is a shift in thinking, this is my first experience in open source community development and being unused to the idea I had been thinking of Mozilla as more of a paid guiding hand. That we were here to make decisions that others maybe could not make and in some way apart from the community. In the end that change was realizing that I am part of the community, the community is part of Mozilla; they are inseparable and we need to remember this as we do what we do on a daily basis.

David and I continued our discussion for a bit after the meeting as I was still sort of grasping at this concept and the last key that brought it home for me is the other passion in my life. When I am not working I volunteer with the Boy Scouts of America, my son is a Cub Scout, I am an Eagle Scout and I want to pay back all the great skills and experiences I had as a young man being a Scout. Much like Mozilla the BSA is a non-profit and has a paid staff, many of whom also have children who are or were at some point Scouts. We sometimes don’t treat these paid Scouts as we would the full volunteers there is a mental block of “they are paid so they must be different“, and to be effective in our missions (both BSA and Mozilla) we have to drop this thinking. The paid BSA/Mozilla members are as much the BSA/Mozilla as any of us. We are a community with a goal, we have roles to play in that community that are based on our talents and desires. This sometimes means that decisions are made by people who are paid and sometimes are made by people who are not, but they are all the same community and we all need to show respect for all sides in these decisions.

So thanks to all Mozillians and the Contribute Group, you’ve given me something that goes beyond just my work. You’ve given me a mindset that will help me be more successful in communities that drive my passions. And hopefully I can use what I have learned to engage all of my communities more effectively and in a way that helps others have value too.

Background
So just like the instance with bugs we have to get a handle on what is going on in what we are doing, not doing or not doing well…we need data. I am going to avoid the historical path of how we got here for now, another post for another day maybe, as this would detract from what I want to focus on here right now. In the pre-new way we would edit a feature page add a name (usually mine) as a security resource and then add a section for security notes. This section would either have the notes from our meetings or a link to the review page. I would also track all this on a hand edited wiki page that first lived in my intranet profile and later moved to the public wiki and was simply known as the “radar”. The big problem is we had no way of knowing what features were coming, wich we had worked on or their status without this very manual page, and I spent a good deal of my time maintaining it as things changed as well as keeping the wiki notes and schedules running.

Where We Are

Now we have this great new wiki media form and the radar has searches (yeah! automation), so a few immediate advantages.

1. We can now search for items that we need to decide on.
2. We can track a workflow for what needs to happen.
3. We have some record of what we did and when
4. We can have a common framework and keywords that have meaning to more than our team.

With the new feature pages there is a great new section ‘Team Status Notes’ that we are going to use to accomplish just that.

The security line is actually made up of 3 elements, 2 you can see right off, the status line and notes; and a hidden element that is only visible when using the form edit ‘security health’ that gives us a color coding for visual indication. Lets start with status.

The other area that helps convey meaning beyond the notes is the health indicator that has the following set.

This should give anyone who wants to know what is going on with security on any given feature a decent clue. Questions, concerns or smart remarks can be made to me on irc or email.

-curtisk

What it is/not
This is a simply an indicator that someone feels the security team should be involved with an item. When I say security team I am talking about security on our development side (not our infrasec team). So if someone sets the keyword sec-review-needed we will triage the item and decide what kind of involvement we think is needed or any at all. This is not meant to block the landing, tracking, approval or any other normal work that would occur for a bug. Right now its just a way for us to get an idea of things we and others think we should be examining to improve security in our products. This is also primarily in Firefox, Thunderbird and their related projects. The idea is to start the scope small and get an idea of what this tells us. All these things could change or even be dropped if they are not useful.

Why
The shortest and best answer is we need data. It would be very useful to know patches or areas that have undergone security review of some kind; and those that have not. If an item later has a security incident we can check if a security was done and what we missed and why, or that a review simply wasn’t done. Taking action without data is just guessing, so we need some data to start with so we can analyze what it means and the impact of actions we take. We are doing much the same thing with features and the feature pages. As with anything we have limited resource and we want to deploy those resources with maximum affect. To do that we have to have data on what we are doing and the outcomes of those actions.

Going Forward
If for any reason you think a bug you own or even if you don’t own it could benefit by some involvement from the security team then set the keyword sec-review-needed, we will triage it; make a decision as to action, make notes in the bug, maybe have some meetings and work with the developers to find the best course of action. Again this is _not_ meant to halt work or a bug, we want to find a constructive path to completion. When we are done we will set the keyword sec-review-complete, from this we should be able to build some basic metrics around our activities and their effectiveness and then continue to drive changes to improve the process.

If you have questions find me on irc or drop me some mail.

curtisk