Given today's Firefox vulnerability (allowing arbitrary sites to read arbitrary files off your local disk, with no trace that it ever happened), I tried to make a list of things Firefox users should do now to protect themselves in case they've already been compromised. The list got long quickly, and I don't think it's even complete. Here's what I have so far. What else should I add?
1. Update or remove Firefox:
- Update to Firefox 39.0.3, or uninstall Firefox entirely.
- If using Debian, update Iceweasel to 38.1.1esr-1 or 39.0.3-1; unfortunately, these packages are still in the queue currently: https://packages.qa.debian.org/i/iceweasel.html
2. Rotate SSH keys:
- Generate a new key.
- Update Github to the new SSH key.
- Update ~/.ssh/authorized_keys on all servers you access via SSH. The most important thing is to make sure old keys are removed from this file.
- Delete the old key from your system -- note that this step in itself doesn't stop any attacks, but it helps ensure that you don't accidentally use this key again in the future.
3. Rotate secrets found in .bash_history.
- Search for "user:pass@": grep '[a-zA-Z0-9_]:[^@ ]*@' ~/.bash_history
- Try to remember other secrets that might be in .bash_history. :[
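As an added example (not part of the original post), a POSIX shell script that automates two of the checks above: the step 2 check that the old public key really is gone from an authorized_keys file, and the step 3 search of .bash_history for user:pass@ URLs. The key blobs and history lines are constructed placeholders, not real keys or credentials.

```shell
#!/bin/sh
# Added example, not from the original post: automates the "old key removed
# from authorized_keys" check of step 2 and the .bash_history search of step 3.
# All key blobs and history lines below are constructed placeholders.

# Print history lines that embed credentials in URL form (user:pass@host).
find_url_creds() {
  grep -E '[A-Za-z0-9_]+:[^@ ]*@' "$1"
}

# Exit 0 if the old public key is still listed in an authorized_keys file.
# Matches on the key blob (field 2), not the comment, which may have been edited.
old_key_still_authorized() {
  blob=$(awk '{print $2}' "$2")
  grep -qF -- "$blob" "$1"
}

# Remove every line carrying the old key blob. Run this on each server.
# (Real use: keep file mode 0600 and confirm the new key logs in first.)
revoke_old_key() {
  blob=$(awk '{print $2}' "$2")
  grep -vF -- "$blob" "$1" > "$1.tmp" || :   # grep exits 1 when nothing is left
  mv "$1.tmp" "$1"
}

# --- constructed sample data standing in for ~/.bash_history and ~/.ssh ---
work=$(mktemp -d)
cat > "$work/bash_history" <<'EOF'
ls -la
git clone https://alice:hunter2@git.example.invalid/repo.git
mysql -u root -p
EOF
cat > "$work/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3OLDKEYBLOBPLACEHOLDER0000000000000000000000 old-laptop
ssh-ed25519 AAAAC3NEWKEYBLOBPLACEHOLDER1111111111111111111111 new-laptop
EOF
awk 'NR==1' "$work/authorized_keys" > "$work/old_key.pub"   # the key being rotated out

echo "History lines with embedded credentials:"
find_url_creds "$work/bash_history"
if old_key_still_authorized "$work/authorized_keys" "$work/old_key.pub"; then
  echo "Old key still authorized; removing it"
  revoke_old_key "$work/authorized_keys" "$work/old_key.pub"
fi
```

Point `find_url_creds` at your real ~/.bash_history and `old_key_still_authorized` at each server's authorized_keys to repeat the check on live data.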
4. Look for files whose names contain "pass" or "access" and might contain secrets, and rotate those.
- locate -b pass
- locate -b access
5. Review other files mentioned on the Mozilla blog (https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/): .mysql_history, .pgsql_history, configs for subversion, S3, Filezilla, .purple, Psi+, remmina
6. Although not targeted by the known exploit, consider changing any passwords that might be stored in your Chrome password manager, which is stored totally unencrypted. Also any passwords in your Firefox password manager if you do not use a master password in Firefox.
7. Although the known exploit does not appear to target cookie jars, consider refreshing all your browser cookies by logging out and back in of each important service. Also try to figure out how to tell the service to log out your sessions on other machines. Note that 2-factor authentication does NOT defend against cookie-stealing. Tips:
- Log out and back in of Sandstorm Alpha and Oasis.
- For Github, remotely log out other desktop sessions here: https://github.com/settings/security
- For Google, see devices that are logged in here: https://security.google.com/settings/security/activity
- For Google, you can "sign out all other web sessions" by going into gmail, scrolling to the bottom of your inbox, clicking the "details" link in the lower-right (under "last account activity"), and then clicking "sign out all other web sessions". Why this is not directly on the security page above, I do not know.
- If any apps on your desktop use app-specific passwords to connect to Google, revoke them here: https://security.google.com/settings/security/apppasswords
- If any apps on your desktop (such as Chrome) use OAuth to connect to Google, revoke them here: https://security.google.com/settings/security/permissions
- In general, this is a great page to visit for Google security: https://myaccount.google.com/security
8. Enable two-factor authentication everywhere you can: Google, Github, Facebook, Twitter, etc. (Some people think social accounts are not so important to protect. This is absolutely false: scammers love hijacking social accounts and then sending messages to your friends saying: "Help I'm travelling and I lost my wallet, please send money.")