SillyDog701

[Ramona]

I received this message late yesterday, and am sharing it for the benefit of those who may not be members of Spread Firefox:

Subject: Spread Firefox Security Notice
From: admin@spreadfirefox.com
Date: 10/3/05 11:48 PM
To: announce@spreadfirefox.com

The Spread Firefox Team became aware this week that the server hosting
Spread Firefox, our community marketing site, has been accessed by
unknown remote attackers who attempted to exploit a security
vulnerability in TWiki software installed on the server. The TWiki
software was disabled as soon as we were aware of the attempts to access
SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
did not affect mozilla.org web sites or Mozilla software.

We have scanned Spread Firefox servers and at this time do not believe
any sensitive data was taken, but as a precautionary measure we have
shutdown the site and will be rebuilding the web site from scratch. We
also recommend that you change your Spread Firefox password and the
password of any accounts where you use the same password as your Spread
Firefox account. We will notify you again when the site is back up with
instructions on how to change your password. (Note: We do use MD5
hashing on the passwords, but MD5 cannot protect all passwords against
off-line dictionary style attacks.)

After Spread Firefox was compromised in July, we instituted procedures
to ensure that we apply all security fixes to the software running the
site (Drupal and PHP) as soon as they become available. Unfortunately,
those procedures overlooked the installation of the TWiki software since
it is not used by the main Spread Firefox site. When the system is
rebuilt, all the software will be audited to ensure that security
updates will be applied in a timely manner. We deeply regret this
incident and any inconvenience this may have caused you. Sincerely,

Spread Firefox Team
Mozilla Foundation

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

[Antony]

...
The Spread Firefox Team became aware this week that the server hosting
Spread Firefox, our community marketing site, has been accessed by
unknown remote attackers who attempted to exploit a security
vulnerability in TWiki software installed on the server. The TWiki
software was disabled as soon as we were aware of the attempts to access
SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
did not affect mozilla.org web sites or Mozilla software.

Thanks Ramona for letting us know about Spread Firefox.

All software can be compromised, and the problem is that the more interactive the software is, the likely it is being abused (and or compromised).

The front page of Spread Firefox indicates the site would be back on 15th October.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5

[Alice]

The spreadfirefox.com site doesn't mention anything about being hacked, just that it isn't available, and

For updates on what is happening, please visit MozillaZine ( http://www.mozillazine.org )

I found nothing mentioned at Mozillazine yet, but a search on google news came up with a number of hits, including:
http://www.broadbandreports.com/shownews/68115
Spread Firefox Site Hacked Again
Shut down, will be 'rebuilt from scratch'

When spreadfirefox.com was hacked last July MozillaZine ran the following article, fwiw:
http://www.mozillazine.org/talkback.html?article=6947

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051001 Firefox/1.4.1

[James]

BUT... the message Ramona received from admin@spreadfirefox.com did mention being hacked and that's good enough for me. It seems reasonable and perhaps even prudent that they would simply neglect to make a public declaration of this for their own reasons but have shared this information with insiders. Anyway, what is your point in questioning this communication?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

[Alice]

My point? Confirmation from another source, which, by the way, is now available at MozillaZine:
http://www.mozillazine.org/talkback.html?article=7479

Spread Firefox Hacked Again
Tuesday October 4th, 2005

The Mozilla Foundation's community marketing site Spread Firefox has been hacked for the second time in less than three months. According to an email sent to registered users of the site, unknown remote attackers exploited a vulnerability in the Twiki wiki software, which was installed on the server but not actually used by the public website. The TWiki software has now been disabled. The Spread Firefox Team does not believe that any sensitive data was taken but they have shut down the site as a precaution. Only Spread Firefox was affected by the security breach; no other Mozilla Foundation or Mozilla Corporation sites have been hacked and the flaw does not affect users of Mozilla software.

The attack comes just weeks after Spread Firefox was compromised in July, when spammers exploited a flaw in the Drupal content management software used to run the site. It soon became apparent that an update was available for the vulnerability but the server administrators had not applied it. New procedures were put in to place to ensure that all security fixes get applied as they become available but the TWiki software was apparently overlooked because it is not used by the main Spread Firefox site.

The email sent to Spread Firefox members after this latest security lapse says that the team "will be rebuilding the web site from scratch". All the software installed on the server will be audited to ensure that relevant security updates are installed in future. When Spread Firefox relaunches, members will be advised to change their passwords as a precautionary measure.

The entire Spread Firefox site is currently down, replaced by a placeholder message pointing to www.getfirefox.com and MozillaZine. According to the notice, the site will return around Saturday 15th October. The message does not mention that a security flaw is behind the outage.

Read the full article to view the email message sent to Spread Firefox members about the server attack.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051001 Firefox/1.4.1

[Alice]

All software can be compromised, and the problem is that the more interactive the software is, the likely it is being abused (and or compromised).

The front page of Spread Firefox indicates the site would be back on 15th October.

Yes, but two things disturb me, both of which are mentioned in excerpts from MozillaZine article:

1. Security awareness and responsiveness by spreadfirefox.com site admin
How ironic that the site dedicated to promoting Firefox (the "safe, secure" browser) would itself be hacked ... twice in three months!

The attack comes just weeks after Spread Firefox was compromised in July <snip > ...an update was available for the vulnerability but the server administrators had not applied it. New procedures were put in to place to ensure that all security fixes get applied as they become available but the TWiki software was apparently overlooked because it is not used by the main Spread Firefox site.

2. Lack of openness on the part of spreadfirefox.com site admin
The site was down for a few days already (I was wondering what was going on) with no mention why.

he entire Spread Firefox site is currently down, replaced by a placeholder message pointing to www.getfirefox.com and MozillaZine. According to the notice, the site will return around Saturday 15th October. The message does not mention that a security flaw is behind the outage.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051001 Firefox/1.4.1

[Antony]

I think the most affected thing arise from Spread Firefox being hacked is the Firefox download counter. Previously SillyDog701 member [sdt=9857]predicted[/sdt] 100 million downloads would occur near the end of October.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5

[Alice]

I think what will be affected, in the long run, are people's perceptions of the Firefox browser. The cumulative effect of the recent negative publicity involving Firefox security vulnerabilities affects Firefox users and potential users alike. This latest embarrassment is icing on the cake and may dishearten even the most strident Firefox supporters, as evidenced in this blog excerpt posted today at Planet Mozilla:

Chris Crews
SpreadFirefox Hacked Again...
<snip>
This is what happens when you have a website run by people who do their own thing entirely, who obviously don't pay enough attention to keeping things up to date, without keeping the mozilla system administrators in the loop, and to think, the new version of SFX is being done behind closed doors with limited community interaction. This should send plenty of messages of safety about a site that's already been hacked twice, that they're still not being open, and as a result, its the only mozilla site to be hacked. I think its time that the Mozilla Foundation/Corporation take some responsibility for what happens with SpreadFirefox.com.

Personally, I'm no longer comfortable with the way SpreadFirefox is maintained. I don't believe its admins are doing an acceptable job. (This is seperate from the Mozilla Sysadmins, who are doing the best they can) I'd like to see SFX have the ability for users to delete their account. Since obviously they're not safe. Might also make the number of accounts more realistic.

I also find it interesting, that Asa, spreadfirefox admin and frequent mozilla blogger, fails to mention on his blog at all either hacking. Guess the only mozilla news is good news.

October 04, 2005 07:05 PM

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051004 Firefox/1.4.1

[Antony]

Seems to me, Spread Firefox is not an "official" part of Mozilla Foundation. Even with some same people running them, the site itself is not handled that serious as running a real business.

I won't put Spread Firefox (website) and Mozilla Firefox (software) together. If Mozilla.org was hacked, we shall all be worried.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050603 Netscape/8.0.2

[Alice]

Seems to me, Spread Firefox is not an "official" part of Mozilla Foundation

This is the first sentence from http://www.spreadfirefox.com/ and appears in the image you posted above.

Welcome to SpreadFirefox, the official Mozilla site for Spreading Firefox, a modern Internet browser delivering a safer, faster, and better web experience.

Also, the e-mail sent out to the Spread Firefox site's registered users (which Ramona posted) was signed,

Sincerely,

Spread Firefox Team
Mozilla Foundation

Additionally, from http://www.mozillazine.org/talkback.html?article=6947
Spread Firefox Hacked Friday July 15th, 2005

According to the timeline given in the email, the attack took place on Sunday and was discovered on Tuesday. The Mozilla Foundation then took the site down, bringing it back online today along with news of the compromise. The message reassures users that only Spread Firefox was hacked; other Mozilla Foundation sites and Mozilla software were not affected.

Spreadfirefox.com is closely associated with the Mozilla Foundation, no matter what the "official" or legal relationship might be, even though, as mentioned in the last quote from MozillaZine's July article, other Mozilla Foundation sites and Mozilla software were not affected.

Like I said before, I believe that the latest spreadfirefox.com hacking incident negatively impacted the "perception" of the Firefox browser and the Mozilla Foundation. IN other words, it's an embarrassment to have any Moizilla site hacked, especially one dedicated to promoting Firefox as a "safe and secure" browser.

FWIW, this is from http://samspade.org/
whois

http://www.spreadFirefox.com = [ 207.126.111.230 ]

Domain Name.......... spreadfirefox.com
Creation Date........ 2004-07-22
Registration Date.... 2004-07-22
Expiry Date.......... 2006-07-22
Organisation Name.... Mozilla Foundation
Organisation Address. P.O. Box 13616
Organisation Address.
Organisation Address. Stanford
Organisation Address. 94309
Organisation Address. CA
Organisation Address. UNITED STATES
Admin Name........... Blake Ross
Admin Address........ P.O. Box 13616
Admin Address........
Admin Address........ Stanford
Admin Address........ 94309
Admin Address........ CA
Admin Address........ UNITED STATES
<snip>
Name Server.......... ns1.oregonstate.edu
Name Server.......... ns2.oregonstate.edu
Name Server.......... ns.mozilla.org

IPwhois

207.126.111.230 = [ virtual-sfx.mozilla.org ]

So, if you go to http://virtual-sfx.mozilla.org/ you will get http://www.spreadFirefox.com (if that means anything).

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915

[Antony]

Spread Firefox is back online after being hacked for the second time in three months recently. In an announcement about the return of Spread Firefox, Asa Dotzler explains that the team have been working to improve the underlying infrastructure of the site, which will enable many new community marketing tools to be rolled out over the next months.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5