Firefox add-ons with obfuscated code will be banned by Mozilla

By Lisa Vaas

In order to protect Firefox users from malicious add-ons, Mozilla has banned extensions that contain obfuscated code.

Caitlin Neiman, Add-ons Community Manager at Mozilla, said in a blog post on Thursday that the new policy will go into effect on 10 June.

Here’s the gist of that new policy:

We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included.

If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.

And here’s a link to the add-on policy in full.

Blocking, also called “blocklisting,” add-ons that contain obfuscated code means disabling them in the browser after the user installed them, Neiman explained.

Extensions that violate Mozilla’s policies will face the wrath of a newly proactive Mozilla, Neiman said:

We will be casting a wider net, and will err on the side of user security when determining whether or not to block.

Neiman said that Mozilla will also keep on blocking extensions that intentionally violate its policies or that have critical security vulnerabilities, or that compromise user privacy or skirt user consent or control. Other unexpected “surprises” that Mozilla doesn’t want to see (without a clearly worded opt-in and clearly stated name of what add-on is asking for what) include extensions that change default settings, such as the new tab page, homepage or search engine; extensions that make unexpected changes to the browser or web content; or ones with features or functionality not related to the add-on’s core function(s).

Read more at https://nakedsecurity.sophos.com/2019/05/07/firefox-add-ons-with-obfuscated-code-will-be-banned-by-mozilla/

Dark web marketplace Wall Street Market busted by international police

By Lisa Vaas

An international bust has led to the shuttering of two dark web marketplaces for drugs, weapons, hacked data, hacking tools and other illegal goods: the Wall Street Market (WSM) and the Valhalla Market (better known by its Finnish name, Silkkitie).

Europol and German police announced the “double blow” to dark web marketplaces on Friday, saying that German authorities have arrested three suspects and seized over €550,000 in cash, along with cryptocurrencies Bitcoin and Monero in “6-digit amounts,” several vehicles, computers and data storage, and at least one firearm.

An investigation by the Attorney General in Los Angeles also led to the arrest of two suspects who are alleged to be among the markets’ biggest drug sellers.

On Friday, Finnish Customs said that they’d seized the Silkkitie web server earlier this year and seized a “significant” amount of Bitcoin. They said that after shutting down Silkkitie, some of the Finnish drug dealers moved to other illegal sites on the Tor network, including WSM.

German investigators had their eye on the three suspects since March – a 31-year-old from Bad Vilbel, a 29-year-old from the district of Esslingen and one 22-year-old from Kleve, all three of whom are German nationals.

The stench of exit scam

WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday, 26 April, and which said that the “maintenance” would last a week.

Read more at https://nakedsecurity.sophos.com/2019/05/07/dark-web-marketplace-wall-street-market-busted-by-international-police/

Blockchain project settles cross-border payment

By Danny Bradbury

Singapore’s central bank sent a payment to Canada using blockchain technology last week, in a clear signal that the technology has value – as long as you’re realistic about it.

The Monetary Authority of Singapore (MAS) sent $105 Singapore dollars to the Bank of Canada (BoC) in a proof-of-concept project that inches them closer to solving one of banking’s biggest headaches: cross-border payments and settlements.

In a November 2018 report on cross-border interbank payments and settlements, the two organizations and the Bank of England detailed the challenges of settling transactions between banks in different countries. Banks must navigate an array of hurdles including anti-money-laundering and know-your-customer regulations.

If a bank has no presence in the recipient country, it must also rely on another intermediary bank to process the payment on its behalf, in what’s known as the correspondent banking model. All the parties will have their own legacy systems that make it difficult to process the transaction uniformly. It is an expensive process that can take several days, and parties never quite know when the money will arrive.

The biggest problem is counterparty risk – when a bank sends money via an intermediary to buy something, it can‘t be certain that the intermediary will deliver the funds, or that the other bank in the transaction will hold up its end of the bargain.

Reducing counterparty risk

BoC and MAS wanted to use the blockchain to settle payments while reducing counterparty risk. Each organization already had its own distributed ledger for processing the clearing and settlement of payments and securities domestically. In 2016, BoC created Project Jasper, while MAS created Project Ubin. This latest project brought the two distributed ledger technologies together so they could collaborate on transactions.

Read more at https://nakedsecurity.sophos.com/2019/05/07/blockchain-project-settles-cross-border-payment/