OT SpreadFirefox web site hacked

[Max Wachtel]

Quote from ZDNet-
"Attackers broke into the Web site by exploiting an unpatched security
vulnerability in the software that runs SpreadFirefox.com, the Mozilla
Foundation said in an e-mail alert to registered users of the site late
Thursday."
http://news.zdnet.com/2100-1009_22-5790030.html?tag=nl.e589
Article goes on to say that Mozilla failed to apply the patches that
were available for the software(Drupal-PHP vulnerability) that runs the
site.
-max

 

[Mel]

Quote from ZDNet-
"Attackers broke into the Web site by exploiting an unpatched security
vulnerability in the software that runs SpreadFirefox.com, the Mozilla
Foundation said in an e-mail alert to registered users of the site late
Thursday."
http://news.zdnet.com/2100-1009_22-5790030.html?tag=nl.e589
Article goes on to say that Mozilla failed to apply the patches that
were available for the software(Drupal-PHP vulnerability) that runs the
site.
-max

However, it is possible that attackers obtained usernames and passwords
and any other information people may have provided to the site, such as
e-mail and home addresses, birth dates and instant-messaging names,
Mozilla said.

As a result of the attack, Mozilla is urging the estimated 100,000
SpreadFirefox users to change their passwords. If those people use the
same passwords for other Web sites, they should be changed there too,
Mozilla advises.

 

[Max Wachtel]

However, it is possible that attackers obtained usernames and passwords
and any other information people may have provided to the site, such as
e-mail and home addresses, birth dates and instant-messaging names,
Mozilla said.

As a result of the attack, Mozilla is urging the estimated 100,000
SpreadFirefox users to change their passwords. If those people use the
same passwords for other Web sites, they should be changed there too,
Mozilla advises.

I expect to see some postings of good password generators/managers.
-max

 

[Mel]

I expect to see some postings of good password generators/managers.
-max

The Problem
===========
If you're like most people, you have a few passwords that you use over
and over again on many different websites. You know this isn't secure,
yet you do it anyway. Why? Because it's difficult to remember a unique
password for each and every web site that requires one.

Existing Solutions
==================
Maybe you do use unique passwords, and get around the problem of
remembering them by storing them in a spreadsheet or other file. Maybe
you even use one of the many password managers that are available. But
now you've centralized your passwords and access to them becomes
difficult while at work, a friend's, or a public internet terminal. You
can't get to your passwords without carrying them around or publishing
them on the internet. Some people even carry a USB keychain with their
passwords wherever they go. How inconvenient. And publishing them on the
internet? Yikes! We need not even mention the security risks inherent
with that solution. Even if you trust the company storing the passwords,
you can be sure every hacker in the world is drooling over the prospect
of accessing their database.

Our Solution
============
PasswordMaker solves all of these issues. It is a small, lightweight,
free, open-source extension for Firefox and Mozilla which creates
unique, secure passwords that are very easy to retrieve. Nothing is
stored anywhere, anytime, so there's nothing to be hacked, lost, or
stolen.

How It Works
============
You provide PasswordMaker two pieces of information: a "master password"
- that one, single password you like - and the URL of the website
requiring a password. Through the magic of one-way hash algorithms,
PasswordMaker calculates a message digest, also known as a digital
fingerprint, which can be used as your password for the website.
Although hash functions have a number of interesting characteristics,
the one capitalized by PasswordMaker is that the resulting fingerprint
(password) does "not reveal anything about the input that was used to
generate it". In other words, if someone has one or more of your
PasswordMaker-generated passwords, it is computationally infeasible for
him to derive your master password or to calculate your other passwords.

What About Portability?
=======================
For times when you simply must use non-Firefox browsers or can't install
Firefox extensions, there's an on-line version which mimicks the
extension and works in all browsers new and old. No downloads or
installations required. WML (for WAP mobile phones) and J2ME versions
(for Java-enabled phones or PIMs) are coming shortly.

http://passwordmaker.mozdev.org/index.html

Extension For Firefox and Mozilla

http://passwordmaker.mozdev.org/installation.html

Online Version:

http://passwordmaker.mozdev.org/passwordmaker.html

Downloadable HTML Version:

http://passwordmaker.mozdev.org/passwordmaker-online.zip

 

[Mel]

I expect to see some postings of good password generators/managers.
-max

The Problem
===========
If you're like most people, you have a few passwords that you use over
and over again on many different websites. You know this isn't secure,
yet you do it anyway. Why? Because it's difficult to remember a unique
password for each and every web site that requires one.

Existing Solutions
==================
Maybe you do use unique passwords, and get around the problem of
remembering them by storing them in a spreadsheet or other file. Maybe
you even use one of the many password managers that are available. But
now you've centralized your passwords and access to them becomes
difficult while at work, a friend's, or a public internet terminal. You
can't get to your passwords without carrying them around or publishing
them on the internet. Some people even carry a USB keychain with their
passwords wherever they go. How inconvenient. And publishing them on the
internet? Yikes! We need not even mention the security risks inherent
with that solution. Even if you trust the company storing the passwords,
you can be sure every hacker in the world is drooling over the prospect
of accessing their database.

Our Solution
============
PasswordMaker solves all of these issues. It is a small, lightweight,
free, open-source extension for Firefox and Mozilla which creates
unique, secure passwords that are very easy to retrieve. Nothing is
stored anywhere, anytime, so there's nothing to be hacked, lost, or
stolen.

How It Works
============
You provide PasswordMaker two pieces of information: a "master password"
- that one, single password you like - and the URL of the website
requiring a password. Through the magic of one-way hash algorithms,
PasswordMaker calculates a message digest, also known as a digital
fingerprint, which can be used as your password for the website.
Although hash functions have a number of interesting characteristics,
the one capitalized by PasswordMaker is that the resulting fingerprint
(password) does "not reveal anything about the input that was used to
generate it". In other words, if someone has one or more of your
PasswordMaker-generated passwords, it is computationally infeasible for
him to derive your master password or to calculate your other passwords.

What About Portability?
=======================
For times when you simply must use non-Firefox browsers or can't install
Firefox extensions, there's an on-line version which mimicks the
extension and works in all browsers new and old. No downloads or
installations required. WML (for WAP mobile phones) and J2ME versions
(for Java-enabled phones or PIMs) are coming shortly.

http://passwordmaker.mozdev.org/index.html

Extension For Firefox and Mozilla

http://passwordmaker.mozdev.org/installation.html

Online Version:

http://passwordmaker.mozdev.org/passwordmaker.html

Downloadable HTML Version:

http://passwordmaker.mozdev.org/passwordmaker-online.zip