Mozilla "Improving Security for Bugzilla"

Corrine (Administrator, Microsoft MVP, Security Analyst; staff member; joined Feb 22, 2012; 12,391 posts; Upstate, NY)
Someone was able to steal security-sensitive information from Bugzilla and Mozilla believes they used that information to attack Firefox users. From the Mozilla Security Blog:

The account that the attacker broke into was shut down shortly after Mozilla discovered that it had been compromised. We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6. We have no indication that any other information obtained by the attacker has been used against Firefox users. The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users.

We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication. We are reducing the number of users with privileged access and limiting what each privileged user can do. In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in. [Bold added]

Why in heaven's name weren't users with access to security-sensitive information using two-factor authentication in the first place? How could they be so irresponsible?
 
It's Mozilla. What more could you expect from a greedy, selfish CEO. This is why I'm a pure Google user. They stay on top of their updates and have the option to make two-factor auth mandatory. In fact, some services have it auto enabled so that the device you are holding is the only one allowed in.
 
Corrine said:
Why in heaven's name weren't users with access to security-sensitive information using two-factor authentication in the first place? How could they be so irresponsible?
That's exactly what I was thinking as I was reading it - you just spoke my mind.

This has nothing to do with a greedy CEO (unless he is also the CIO and/or in charge of security). He surely does not set the security policy. This is purely someone failing to do their job.
 
Well Bill, I have a fight to pick with the CEO because of an organization he funded millions of dollars to that leaves a deep personal scar in me. So whenever there's a problem with Mozilla, I will always instantly blame the CEO.
 
It's Mozilla. What more could you expect from a greedy, selfish CEO. This is why I'm a pure Google user. They stay on top of their updates and have the option to make two-factor auth mandatory. In fact, some services have it auto enabled so that the device you are holding is the only one allowed in.

There aren't yet very many services where it's mandatory - just strongly encouraged.

Also, I'd suggest checking out the problems there have been in the past about updating Android before you jump too early for Google. I'm not saying that they were entirely to blame there - the situation was more complex than Google were/were not doing their job, but I'd caution you that any personal dislike you have for the Firefox CEO does not translate across to the whole company, and any love you have for the Google brand does not make everything they do perfect.
 
but I'd caution you that any personal dislike you have for the Firefox CEO does not translate across to the whole company, and any love you have for the Google brand does not make everything they do perfect.
Exactly! Plus, if concerned about personal security, IMO, you should not be using Google.

I note the CEO in question was also fired long ago.
 
To protect both the forum and our members, Sysnative has two-factor authentication set up for any Moderator functions and three-factor authentication set up for access beyond that for Admins. Yet, we're not dealing with security information -- information that in this case resulted in the compromised information being used against Firefox users. Two-factor authentication was necessary as much as 10 years or more ago in order to access certain internal databases where I worked. It is only common sense. The members of our staff group that had access to additional information were required to change our passwords every 30 days. The passwords could not be repeated, and a program was run periodically to ensure that a complex password was being used.
 
I have been places where changing the PW every 30 days was a requirement and no one liked it. One required the PW be no less than 14 characters, have both upper and lower case letters, numbers and at least one special character. A study was done and it was determined most users just used a small variation of the previous password each time and in many cases, the PWs were written down and put somewhere within arm's reach. Hardly secure. They backed off and went to 180 days, 10 characters and a PIN plus a cookie (so you registered your computer).
 
Because we were a legal staff within a research facility, any time we walked away from our workstation, we were required to lock our computers. CADE (Ctrl+Alt+Del+Enter) quickly became the acronym for the reminder to those who perpetually forgot.
 
The more modern Windows Key + L doesn't run off the tongue quite so easily does it Corrine ;)

I've worked in places with similar rules. It's very strict, although not that hard to remember :)
 
I know that one from working in SCIFs. "Lock" is still the default so it still works in W10 too.
 