Daily Archives: April 3, 2017

Tor, once known only by network nerds, has now become something of a hot topic. This is thanks largely to the anonymous network's reputation for hosting drug marketplaces like Silk Road, and other unsavoury sites.

But what exactly is Tor? What is it good for? Does it have any legitimate uses? And how can those not versed in the finer details of network technologies actually access it?

03/04/3017:The Tor browser will take greater advantage of the Rust programming language developed by Mozilla to keep user interactions more secure, it has been revealed.

Although Tor developers have been gunning for the news for a long time (since 2014, in fact), the Mozilla-powered code will play a bigger role in the secretive browser's future.

According to Bleeping Computer, Tor developers met last week to discuss the future of the private browser and decided to use more of the C++-based code in future, hoping to replace the majority of its legacy C and C++ base in the coming months or years.

"We didn't fight about Rust or Go or modern C++. Instead, we focused on identifying goals for migrating Tor to a memory-safe language, and how to get there," Tor developer Sebastian Hahn said.

"With that frame of reference, Rust emerged as a extremely strong candidate for the incremental improvement style that we considered necessary."

The reason why it decided to make such a big change was because a tiny mistake in the C programming language used in the current version of Tor could have a huge impact on users, Tor developer Isis Agora Lovecruft said on Twitter.

"A tipping point in our conversation around 'which safe language' is the Tor Browser team needs Rust because more & more Firefox is in Rust. Also the barrier to entry for contributing to large OSS projects written in C is insanely high."

13/12/2016:The first sandboxed version of the Tor Browser was released in alpha last weekend, bringing privacy fans one step closer to secure browsing.

Version 0.0.2 of the software was released by Tor developer Yawning Angel on Saturday, who is tackling the project largely single-handed. Official binaries are yet to be released, but early adopters can take it for a spit by compiling the code themselves from GitHub.

The project has been a labour of love for Yawning Angel. "We never have time to do this," he said back in October. "We have a funding proposal to do this but I decided to do it separately from the Tor Browser team. I've been trying to do this since last year."

The efforts have been given new urgency by a zero-day vulnerability in Firefox. Discovered last month, the error was being used to de-anonymise Tor users, as the browser is heavily based on Firefox code.

Sandboxed instances of Tor are different from the normal version in that they run in a self-contained silo. This means that if an attacker uses an exploit against the browser, the amount of data it can collect through it from the rest of the machine and operating system is limited.

However, Yawning Angel has stressed that the software is still a very early alpha, and cannot be trusted to be entirely secure. "There are several unresolved issues that affect security and fingerprinting," he wrote as part of the software's README.

01/12/2016:A zero day vulnerability found in both Firefox and Tor web browsers has been exploited in the wild, allowing attackers to target users for their IP and MAC addresses.

Internet security firm Malwarebytes first discovered the flaw, which was shown to be almost identical to the one used by the FBI to expose Tor browser users in 2013.

"The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code," said Daniel Veditz, security lead at Mozilla, in a blog post on Wednesday.

Hackers were able to exploit Tor and Firefox browsers to send user hostnames and IP and MAC addresses to a remote server identified as 5.39.27.226, which has now been taken down.

"The goal is to leak user data with as minimal of a footprint as possible. There's no malicious code downloaded to disk, only shell code is ran directly from memory," said Jerome Segura, lead malware intelligence analyst at Malwarebytes.

"Browsers and their plugins remain the best attack vector to deliver malware or leak data via drive-by attacks," added Segura.

Malwarebytes recommend users adjust the security settings of their Tor browser to 'High' within the privacy settings, which will thwart any similar attacks of this kind. Users running the Malwarebytes Anti-Exploit tool will already by protected from the vulnerability. Both Mozilla and Tor have released patches to address the security flaw.

08/11/2016:FBI illegally used malware against innocent people, say privacy experts

Privacy experts have accused the FBI of overstepping its legal bounds and hacking innocent dark web users, as part of its investigation into child pornography sites using Tor's hidden services.

Unsealed court documents from 2013 reveal that as part of an operation to identify visitors to sites owned by Freedom Hosting - which the FBI had seized earlier that year - the agency obtained a warrant to use a piece of malware called a 'network investigative technique' (NIT) against around 300 specific users of the TorMail secure webmail service, all of whom were allegedly linked to child porn.

However, users who were affected by the NIT told Motherboard that the malware was deployed before users even reached the login page, meaning that it would have been impossible for the FBI to determine who its malware was actually targeting.

The American Civil Liberties Union's principal technologist Christopher Soghoian has condemned this illegal hacking of innocent users, telling Motherboard that "while the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade".

"The warrant that the FBI returned to the court makes no mention of the fact that the FBI ended their operation early because they were discovered by the security community," Soghoian continued, "nor does it acknowledge that the government delivered their malware to innocent TorMail users."

"This strongly suggests that the FBI kept the court in the dark about the extent to which they botched the TorMail operation."

The FBI has denied that it acted outside its remit, stating that "as a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants."

07/11/2016: If you think the dark web is nothing more than a wretched hive of scum and villainy, think again - research has shown that the majority of content hosted on it is perfectly legal.

A new report from security firm Terbian Labs reveals that while most people associate the dark web with questionable pornography, exotic narcotics and unlicensed arms deals, the reality is actually quite dull, with over 50% of all domains and URLs in the survey's sample comprised of legal content.

"These Tor Hidden Services play host to Facebook, European graphic design firms, Scandinavian political parties, personal blogs about security, and forums to discuss privacy, technology, even erectile dysfunction," the report explains. "Anonymity does not equate criminality, merely a desire for privacy."

However, the report also conceded that illegal content was also rampant on the dark web. Drugs make up 12.3% of total content on the dark web (and a whopping 45% of all illicit content), while hacking and fraud-related content is also common.

"The dark web receives a fair amount of negative attention because of the anonymity it provides. To outside observers, the desire for anonymity goes handin-hand with criminal activity, and many summaries of the dark web focus exclusively on this criminal activity," the report said. "Most discussions of the dark web entirely gloss over the existence of legal content."

18/10/2016: The Tor Project has released a major update for the Tor software to fix a vulnerability which allows remote attackers to crash Tor servers.

According to a blog post on the Tor Project, Tor 0.2.8.9 backports a fix for a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority.

It said the update prevents a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string.

At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur, said the blog post.

The project urged all Tor users to upgrade to this version, or to 0.2.9.4-alpha. Patches will be released for older versions of Tor.

31/09/2016:The Tor Project has unveiled a new release: Tor Browser 6.0.5, arriving with a host of updates and improvements. Available for Windows, Linux, and Mac OS X, the new release isself-contained software that can run off a USB flash drive to ensure the anonymity of the user.

Another major change coming to this release is the important security updates that fix the newly revealed extension update vulnerability. According to FossBytes, this loophole allows a hacker to obtain a valid certificate for addons.mozilla.org to imitate Mozillas servers and serve a malicious update.

The new Tor Browser 6.0.5 also comes with updated HTTPS-Everywhere and a new Tor stable version 0.2.8.7.

16/09/2016:The Tor Project has criticised moves by the US government that would enable the FBI to hack computers and conduct surveillance on electronic devices.

It made a public plea against plans to amend Rule 41 of the Federal Rules of Criminal Procedure, which is due to take effect on 1 December.

The amendments would allow the Department of Justice to hack computers and conduct surveillance with a single search warrant, regardless of where the device is located.

It specifies that computers using technology to conceal data, such as encryption or using a Tor browser, would fall inside the scope of changes.

The broad search warrants allowable under these new rules will apply to people using Tor in any country - even if they are journalists, members of a legislature or human rights activists, the Tor Project said in a blog post.

The FBI will be permitted to hack into a persons computer or phone remotely and to search through and remove their data. The FBI will be able to introduce malware into computers. It will create vulnerabilities that will leave users exposed.

In the US Senate, Democrat senator Ron Wyden said that Congress should debate these changes.

If the Senate does nothing, if the Senate fails to act, whats ahead for Americans is a massive expansion of government hacking and surveillance powers, he said.

The Tor Project added: We are at a critical point in the United States regarding surveillance law. Some public officials, like those at the US Department of Justice understand very well how surveillance technology works and the implications of the Rule 41 changes.

31/08/2016: Tor has published its new Social Contract in a bid to improve member conduct and pledged against introducing backdoors into the tool.

In a blog post, the Tor Project has collated the six-point social contract pledging to adhere to standards of conduct, being more transparent and honest about technological capabilities as well as advancing human rights.

The last of the clauses underlined the projects commitment to not harm users, even when pressured to do so by external forces.

We take seriously the trust our users have placed in us. Not only will we always do our best to write good code, but it is imperative that we resist any pressure from adversaries who want to harm our users. We will never implement front doors or back doors into our projects. In our commitment to transparency, we are honest when we make errors, and we communicate with our users about our plans to improve, said the project.

The standards have been brought about after a number of sexual misconduct allegations against some Tor developers.

16/08/2016: One of the Silk Road's ex-administrators is to be extradited to the US on Friday, following a ruling by Ireland's High Court.

27-year-old Gary Davis, of County Wicklow, was allegedly one of the black market site's chief administrators, going by the name of "Libertas".

According to Davis' legal counsel, the fact that he suffers from Asperger's Syndrome made him unsuitable for incarceration in a US facility, and that the potentially harsh treatment meant he could pose a suicide risk.

In his ruling, Justice Paul McDermott expressed his faith that "the United States authorities will act to protect his mental and physical health and take the appropriate steps to address any symptoms of depression of continuing anxiety by appropriate treatment".

US authorities claim that Davis was a paid employee of the dark web marketplace, which sold large amounts of drugs alongside other illegal goods and services. Site founder Ross Ulbright wasconvicted last yearof various offences relating to the site's operation and is currently serving life without parole.

Davis was charged by the federal government in 2013, alongside two other suspected admins who were supposedly known as "inigo" and "Samesamebutdifferent" on the site.

The trio has been charged with computer hacking conspiracy, money laundering conspiracy and narcotics trafficking conspiracy, charges which could net each suspect life in prison.

According to the 2013 Silk Road indictment, Davis' main role centred around customer satisfaction, and the indictment claimed he was tasked with "responding to customer service inquiries and resolving disputes between buyers and vendors".

15/08/2016:One of Nigel Farage's most trusted political confidantes has been caught using Tor to offer money laundering services on the dark web.

22-year-old George Cottrell was arrested in an FBI sting, The Telegraph reports, after allegedly advertising on the dark web under the pseudonym of "Bill".

An FBI team posing as a cadre of drug traffickers contacted the young aristocrat in 2014, whereupon - according to court documents - he promised to funnel their dirty money through his offshore accounts in order to launder it with "complete anonymity and security".

Cottrell organised for the 'drug traffickers' to send him an initial payment of 15,500 after a meeting in Las Vegas. However, he later attempted to extort the supposed criminals, threatening to turn them over to law enforcement if they did not transfer him 62,000 in bitcoin.

Cottrell faces 21 charges, including money laundering, fraud and attempted extortion, and was arrested at Chicago's O'Hare airport whilst travelling with chief Brexiteer and ex-UKIP leader Nigel Farage.

The authorities have frozen Cottrell's email and financial accounts, The Telegraph has claimed, which has resulted in Farage being unable to access his calendar.

26/07/2016: O2 customers have found their details being sold on the dark web after criminals used logins stolen from other sites to obtain access to their accounts.

The BBC's Victoria Derbyshire show learned of the sale after being contacted by an ethical hacker and found that names, passwords, email addresses and telephone numbers were all available to buyers.

O2 was quick to point out that its systems had not been breached, and that the attackers accessed customer data through password reuse attacks - also known as 'credential stuffing'.

"Credential stuffing is a challenge for businesses and can result in many company's customer data being sold on the dark net," an O2 spokesperson said.

"We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations."

Following a joint investigation with O2, the Victoria Derbyshire programme learned that the credentials used to access the site had most likely come from games streaming site XSplit, which was hacked back in 2013.

The news underlines how easy it can be for criminals to use one hack to complete another, daisy-chaining breaches together.

"The problem with reusing passwords," says ESET security specialist Mark James, "is when a location gets breached that does not have very good security, the criminals will take that data and use it to attempt to log into websites for monetary gain."

"It makes no difference how good the security is for PayPal if you use the same username (often your email address) and password on a smaller not so well protected site."

15/07/2016:The Tor Project's entire board of directors has stepped down, following the scandal over alleged rapist Jacob Appelbaum's employment by the organisation.

"I think this was an incredibly brave and selfless thing for the board to do," said Tor's executive director Shari Steele as part of a blog post. "They're making a clear statement that they want the organisation to become its best self."

Wendy Seltzer, Ian Goldberg, Meredith Hoban Dunn, Rabbi Rob Thomas, Julius Mittenzwei, Nick Mathewson and Roger Dingledine have all agreed to leave their posts, stating "it is time that we pass the baton of board oversight".

Co-founders Dingledine and Mathewson will continue to lead the project's technical research and development efforts, however.

The outgoing directors have elected as their replacements six leading lights from the security and privacy communities. These include the Electronic Frontier Foundation's executive director Cindy Cohn, executive director of the Human Rights Data Analysis Group Megan Price, and security and cryptography guru Bruce Schneier.

The mass departure comes on the heels of a high-profile incident involving Tor Project developer Jacob Appelbaum, who has been accused of numerous counts of sexual harassment and rape.Appelbaum has vehemently denied the allegations.

However, testimony from one of his alleged victims has indicated that the organisation's board knew about the claims against him for over a year.

The board's perceived inaction against Appelbaum, who remained a public figure within the Tor community until his departure, drew substantial criticism from community members who thought they should have acted sooner.

08/07/2016:Malware that uses the Tor network to communicate with its command and control (C2) servers and is able to steal credentials stored in Mac OS X's keychain credentials and maintain a backdoor into the system has been discovered.

Keydnap, as it has been called, is delivered to a computer as a compressed Mach-O file, which is disguised as a benign extension, such as .jpg or .txt. However, there is an additional space at the end of these extensions, causing the file to launch in Terminal when double clicked, not in Preview or TextEdit.

However Gatekeeper, one of OS X's inbuilt security features that stops machines launching programmes in the Mac operating system has prevented the malware from spreading far and wide. Although it could become a problem if users have opted for the operating system to launch anything, regardless of the source.

If a user does allow all requests to pass, they could be at risk of letting the malware in via the persistent backdoor known as icloudsyncd and the keychain password stealer.

"[Keydnap] is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS Xs keychain," Eset researcher Marc-Etienne M.Leveille said.

He examined the malware attack, which was apparently stolen from a Github proof of concept created by software developer Juuso Salonen.

"The author simply took a proof-of-concept [that] reads securityds memory and searches for the decryption key for the users keychain," he explained in his report.

29/06/2016: The FBI is choosing not to divulge the Tor Browser exploit used to track and arrest 1,500 users of a dark web child pornography site last month, reports Engadget.

Mozilla requested that the FBI reveal the exploit used to track users' PCs with location-tracking malware, but the request was thrown out after being approved citing national security concerns.

"The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," the attorneys wrote in a filing this month.

20/06/2016:The Tor Project is building a special 'hardened' browser to prevent it being hacked by the FBI.

Security researchers have published a paper outlining how their newly-developed 'selfrando' technique is being used to protect against code reuse attacks that could bedeployed by US law enforcementagainst the browser.

Go here to see the original:
Tor Browser news: Tor browser will rely on more Rust code | Cloud Pro - Cloud Pro

In a 2016 study on global encryption trends published by the Ponemon Institute, encryption being used consistently across businesses grew from 16 percent to 41 percent since 2005.

Encryption converts any data into scrambled, unreadable text in order to mask the information from potential hackers.

WinMagic Data Security Solutions COO Mark Hickman says data encryptors require three key goals to successfully protect their information.

The first is to make encryption manageable so you can manage files on your network, cloud, and different devices. Second is to enhance the user experience encrypt the data without the user having to be aware of it. The last part is no compromised security: We cant compromise data security, even if it improves manageability or user experience, said Hickman.

UW Tacoma information technology graduate Sameer Hakimi believes its important to encrypt. Nowadays, you never know who has access to your information. If you dont keep your info private, anyone can know anything about you, said Hakimi.

Corporate businesses demand a high volume of security, but a lack of protection exists for the average consumer. On March 23, the U.S. Senate voted to decrease regulation, which allowed internet providers like Comcast and AT&T to share consumers information with other companies. According to Hari Sreenivasan of PBS NewsHour, this includes sharing browsing data, history, financial, health, communication and location information without your explicit permission.

Youtuber Philip DeFranco, called the situation the beginning to the end of privacy online.

Despite his thoughts on the end of privacy, he has many options to curtail data extraction. DeFranco stressed the importance of data encryption by mentioning different ways for everyday people to encrypt their information such as the Tor browser and virtual private networks.

Encryption is your best friend, said DeFranco.

Tor is a free online browser that, according to the Tor website, encrypts all of your incoming and outgoing browsing traffic and relays it through a number of volunteer nodes before sending it to its destination. DeFranco says this prevents internet providers from viewing the web pages the browser selects.

Hakimi says he has used Tor in the past, but feels as though there are better ways to encrypt data.

Tor is just a slower browser than Chrome, said Hakimi.

A VPN is another way to stop service providers from knowing your information. A VPN encrypts your entire web traffic, stopping service providers from seeing your information.

ILLUSTRATION BY ALEXX ELDER

More:
The importance of data encryption in our everyday cloud - The Ledger