Monthly Archives: April 2020

Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild.

If youre on the regular version of Firefox, youre looking to upgrade from 74.0 to 74.0.1 and if youre using the Extended Support Release (ESR), you should upgrade from ESR 68.6.0 to ESR 68.6.1.

The Tor Browser followed suit shortly afterwards [updated 2020-04-06T22:30Z], so if youre a Tor user, you want to make sure you upgrade from 9.0.7 to 9.0.8. (See below for screenshots.)

Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up.

(If you have ESR version X.Y.0, you essentially remain on the feature set of Firefox X.0, but with all the security fixes that have come out up to and including Firefox (X+Y).0, so the ESR is popular with IT departments who want to avoid frequent feature updates that might require changes in company workflow, but dont want to lag behind on security patches.)

What we cant tell you yet are any details about exactly how long ago the bug was found by the attackers, how they are exploiting it, what theyre doing with it, or whos been attacked so far.

Right now, Mozilla is saying no more than this:

The bug details in Mozillas bug database arent open for public viewing yet [2020-04-04T14:30Z], presumably because the Mozilla coders who fixed the flaw have, of necessity, described and discussed it in sufficient detail to make additional exploits very much easier to create.

A use-after-free is a class of bug caused by incautious use of memory blocks by a program.

Usually, a program returns blocks of memory to the operating system after it has finished with them, allowing the memory to be used again for something else.

Returning memory when you are done with it stops your program from hogging more and more RAM the longer it runs until the whole system bogs down.

The function call by which memory is returned to be used again is called free(), and once youve freed the memory, you rather obviously shouldnt access it again.

Most importantly, if you read and trust data that now belongs to another part of the program for example, memory that just got re-allocated as a place to store untrusted content that was downloaded from a web page or generated by JavaScript fetched from outside then you may inadvertently put your code at the mercy of data that was carefully crafted by a crook and served up to trick you on purpose.

Not all use-after-free bugs are exploitable, and not all exploits are made equal for example, an attacker might only be able to change the content of an icon or a message you are about to display, which could be used to deceive users (for example by giving positive feedback when something actually failed), but not to implant malware directly.

But in some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browsers usual security checks or are you sure dialogs.

Thats the most serious sort of exploit, known in the jargon as RCE, short for remote code execution, which means just what it says that a crook can run code on your computer remotely, without warning, even if theyre on the other side of the world.

Were assuming, because these bugs are dubbed critical, that they involve RCE.

What one team of crooks has already found, others might find in turn, especially now they have at least a vague idea of where to start looking.

So, as always, patch early, patch often!

Most Firefox users should get the update automatically, but you might as well check to make sure its there because the act of checking will itself trigger an update if you havent got it yet.

Click the three-bar icon (hamburger menu) icon at the top right, then choose Help > About Firefox.

See the original post:
Firefox zero day in the wild: patch now (Tor Browser too!) - Naked Security

Dark web players have seized on the chaos caused by the coronavirus pandemic to cultivate a vast range of scams that target everyone from vulnerable consumers to unprepared medical facilities.

According to a new report from global threat intelligence firm IntSights, a mixture of cybercriminals and state-sponsored actors are exploiting the confusion and fear around the COVID-19 pandemic to launch schemes that include registering domain names to run phishing campaigns, new types of malware and ransomware, intercepting traffic from the growing amount of videoconferencing, and hawking phony coronavirus products.

Charity Wright, a cyber threat analyst at IntSights, specializes in Chinese disinformation campaigns and the dark web. While shes seen plenty of nefarious activity over the years from the dark web, she was still stunned by the amount of coronavirus-related activity the company detected.

What weve seen is an exponential increase, she said. Its overwhelming. Its much more than I expected.

As the number of coronavirus cases have surged, governments and private companies have been worried about growing amounts of disinformation and various types of fraud. Last week, an EU official criticized companies such as Google, Facebook, and Amazon for continuing to make money from advertising for various misleading claims and products.

IntSights, based in New York City, has developed a threat detection platform that uses artificial intelligence and machine learning to scour the deep and dark webs for specific keywords that can be used to alert potential targets. The deep web can be accessed from a typical web browser by someone who knows where to look, while the dark web requires someone to be using the Tor Browser.

The IntSights report scanned both the deep and dark webs, though primarily the latter. Looking through hacker forums and black markets, the companys platform analyzed the coronavirus-related schemes being discussed and launched.

One of the biggest strategies being shared on the dark web is how to use domain names to create phishing campaigns. There has been an explosion in domain name registrations related to the coronavirus that are then used to harvest peoples emails, passwords, and personal information.

According to IntSights analysis, in 2019 only 190 domains containing some version of corona and covid were registered. By January, that number had jumped to 1,400, then 5,000 in February, then 38,000 in March.

In another case, IntSight researchers uncovered a malware tool created by a Russian underground vendor that masquerades as the Johns Hopkins coronavirus map. People can embed a version of the map on a website where it will pull in the actual data from the Johns Hopkins map, but meanwhile it secretly installs malware on a users computer to steal their information.

Dark web actors are also sharing tips on how to sell products that claim to be virus tests or vaccines. One such offering claims to sell blood and saliva from a coronavirus survivor to boost peoples immune systems. In various forums, templates and images are being shared to make it easier for others to create their own customized version of these scams.

The scammers are also targeting mobile platforms. The company detected a surge in fake mobile apps that are primarily made for Android-based phones. These apps have been found to include ransomware, trojans, and spyware.

Finally, the growth in remote work has become a rich source of information for criminals. As people have turned to collaboration and video conferencing platforms, IntSights reports a big uptick in conversations on dark web forums about tips for exploiting the various vulnerabilities.

This graph shows an increase in conversations, for instance, around how to attack Zoom:

For now, Wright and IntSights are cautioning individuals and companies to take commonsense precautions. Companies should reevaluate their threat landscape to include threats to remote working, increase monitoring of collaboration tools and endpoint security, enforce rules on use of VPNs and passwords, and take aggressive steps to educate employees.

That said, Wright predicts that the volume and variety of coronavirus-related cyber scams is only going to increase in the coming weeks.

Its not slowing down much right now, Wright said. Unfortunately, thats because threat actors have been very successful in using them.

Read more here:
IntSights: The dark web is a wretched hive of coronavirus scams and pandemic cybercrime - VentureBeat

If you want to protect your privacy online, you need to know about and start using Tor. In this article, we will talk about what Tor is, along with who uses it and why.

From there, well get into exactly how Tor works, how it provides anonymity, and the limitations of the service.

Well finish up by walking through downloading, installing, and starting to use Tor on your own computer.

Tor began its life in the 1990s when researchers at the US Naval Research Laboratory developed onion routing. Onion routing makes it possible to pass messages through a network anonymously. It uses multiple layers of encryption that get peeled off one by one (like peeling an onion) as the message passes through multiple nodes in the network.

In 2004, the Navy released the second generation of Tor. In 2006, researchers involved in Tor incorporated the Tor Project and took responsibility for maintaining Tor.

Tor stands for the onion router. It is a network of thousands of computers around the world that implements onion routing. Originally designed to protect US Intelligence Agency communications online, it now serves millions of users, military, government, and civilian, in every country on Earth.

How does Tor protect your privacy?

We were going to try to explain how Tor protects your privacy, but why not let the Tor team do it themselves?

People from around the world who want to / need to protect their privacy by using the Internet anonymously use Tor. Here are some of the types of users were talking about:

To get an idea of how many people use Tor, as well as all sorts of other statistics, visit Tor Metrics.

As far as we can determine, it is legal to use Tor anywhere in the world. That might be surprising but look at all the different types of users. Governments and law enforcement agencies around the world rely on Tor, as do all sorts of civilian groups.

Whether Tor is safe or not depends on what you mean by safe.

Is the Tor Browser safe to use (free of spyware and so on)? Yes, if you download it from the official Tor Project page.

Is the Tor network safe to use? Yes, if you use Tor to browse regular websites.

Is every place you can visit with Tor safe and legal? Hell no! Tor gives you access to sites on the Internet that you cant reach with Google Chrome or other regular web browsers. But so what? You can use a regular web browser to go to places on the public Internet that arent safe or legal either.

As with most other things in life, whether Tor is safe or not depends on you using it safely.

Using Tor Might Attract Unwanted Attention

While you may use Tor safely and legally, the fact that you are using it may attract unwanted attention. Law enforcement and spy agencies around the world are likely interested in anyone using Tor or any technology that makes it harder for them to spy on you.

As Edward Snowden showed us years ago, the US government and numerous others seem intent on spying on 100% of everything that everyone on Earth does online anyway. But it is possible that some human or AI (Artificial Intelligence) analyst might pay more attention to the info they gather on you if you use Tor. Youll need to decide if doing things anonymously is worth the possibility of increased attention by these groups.

It is theoretically possible to hack Tor. The network was hacked in 2014, apparently by the FBI. There are also more recent stories of the computers of Tor users being hacked to get information for criminal investigations.

In addition, a sufficiently powerful entity (a global adversary) could theoretically monitor all of the entry and exit points of the Tor network. Using statistical analysis, they could likely de-anonymize users of the network.

So yes, Tor can be hacked. But again, so what? Nothing in this world is 100% foolproof. If you want to protect your privacy online, using Tor can help. If you want to do something that will set the NSA, KGB, NCCU, or other powerful security agencies on your tail, there may be nowhere you can hide.

Understanding the basics of how Tor works isnt hard. Understanding it in depth is a lot tougher. Well go through the basics first. If all you want to know is the basics, great. You can skip ahead once you are done with this section.

If you already feel a bit overwhelmed by Tor, but you still want some basic privacy, then we recommend a good VPN service. Nordvpn or Expressvpn are the top two privacy-focused VPN services according to our best vpn services guide.

Well also cover the details in more depth for anyone who is interested.

How Tor Works: The Basics

When you visit a website normally (without using Tor), your computer makes a direct connection to the computer where the website is located. The problem with this is that when you do it this way, the website can see all sorts of information about you. It can see your computers IP address, the operating system you are using, the web browser you are using, and more. That information can be used for tracking what you do online and possibly identifying you.

When you use Tor to visit a website, things get more complicated. The connection between your computer and the website passes through three random computers in the Tor network. Each of those computers only knows which computer gave it data and which it gives data to. No computer in the network knows the entire path. Meanwhile, the only thing the website can see is that it is connected to the final Tor computer in the path.

As a result, there is no way to identify you based on the connection between your computer and the website. This makes your connection anonymous.

How Tor Works: The Details

When you visit a website without using Tor, your computer establishes a direct connection with the computer hosting the website. Data packets pass back and forth between the two, enabling you to view and interact with the website.

Each data packet consists of the data itself (the payload) and a header with additional information, including data about your web browser, and the IP address of the source and the destination. At a minimum, a website (or anyone spying on your connection with the website) can use the IP address to figure out approximately where you are located.

Beyond that, a web browser will automatically share all sorts of information with any website it connects to. This includes things like who your Internet Service Provider is, what Operating System your computer uses, your video display mode, even the power level of your laptop battery. The figure above shows just some of the data my computer gave up when I connected it to What every Browser knows about you, a site designed to show you what your computer is telling the world without your knowledge.

Tor prevents this from happening.

When you connect to the Internet using the Tor Browser, the browser connects to a random entry point (Guard Relay) on the Tor network. The browser negotiates an encrypted connection with the Guard Relay. Data sent along this connection is encrypted using these keys so only your browser and the Guard Relay can decrypt them.

Your browser then negotiates another connection, this one from the Guard Relay to another computer in the Tor network called a Middle Relay. For this connection, it creates another set of keys that are used by the Guard Relay and Middle Relay.

Finally, your browser negotiates a third connection. This is between the Middle Relay and an Exit Relay. Again, it negotiates a set of keys that will be used to encrypt and decrypt data passing along the connection between the Middle Relay and the Exit relay.

Data passing from your browser to the Internet gets encrypted three times.

Your browser passes the triply-encoded data to the Guard Relay. The Guard Relay strips off the outermost layer of encryption. Two layers of encryption still protect the data itself. All the Guard Relay knows is where the data came from, and what Middle Relay to send it to.

The Guard Relay passes the now doubly-encoded data to the Middle Relay. The Middle Relay strips off the next layer of encryption. A layer of encryption still protects the data itself. All the Middle Relay knows is that the data came from the Guard Relay, and what Exit Relay to send it to.

The Middle Relay passes the singly-encoded data to the Exit Relay. The Exit Relay strips off the final layer of encryption. The data itself is now unprotected. The Exit Relay can see the original data, but it doesnt know that this data originated at your browser. All it knows is that the data came from the Middle Relay, and what website to send it to.

The website receives the data from the Exit Relay. As far as the website can tell, the data originated at the relay. It has no way to tell that the data originated at your browser.

Because no node in the path knows the entire path between your computer and the website, the transport of data between the two is anonymous.

Onion Services are online services that you can reach through Tor but are not accessible using a normal web browser or the standard Domain Name System (DNS).

Note: These services used to be known as Tor Hidden Services.

When you use the Internet normally, you can only see the web pages that are indexed by search engines. This is called the Surface Web. But there is another part of the Internet that you cant see. This is called the Deep Web.

The Deep Web is the part of the Internet that is not indexed by search engines. It includes things like corporate databases, government resources, medical records, and so on. Anything that is on the Internet but that doesnt show up in search engines. Researchers estimate that more than 90% of all the information on the Internet is within the Deep Web.

If you know the address and have the right permissions, you can interact with most Deep Web sites using the same stuff you use on the Surface Web.

Onion Services occupy a part of the Deep Web known as the Dark Web. You need special browsers and/or protocols to interact with Dark Web sites. The Tor Browser handles all this so you can interact with Onion Services.

All Onion Services have a 16 character name derived from the services public key and end with .onion. For example, if you entered this http://rougmnvswfsmd4dq.onion/ into a standard web browser, it would give you an error something like this:

Enter the same thing into the Tor Browser, and it would take you to the Tor Metrics Onion Service, which happens to look like this:

With names like these and no way to find them through regular search engines, it is clear that you arent going to just stumble across Onion Services. That makes sense since Onion Services are designed to protect the anonymity of both the person providing the service and the person using it.

But how do you find them?

One way is to use special indexes. Indexes are lists of Onion Services. They are not search engines that are machine-generated and maintained. Each Index is compiled and maintained by hand. Here is an example of an index:

Indexes only include a tiny fraction of the Onion Services that exist. So how else do you find Onion Services?

Some of the popular search engines in the Surface Web have Onion Services as well. Heres one privacy-friendly search engine with its own Onion Service, DuckDuckGo:

This looks promising, but when you do a search, the results arent Onion Services. They are just results from the Surface Web.

There are some Onion Service search engines out there. But the ones we looked at while preparing this article didnt seem to give good results and offered lots of ads for the kinds of stuff that give the Dark Web a bad name. We wouldnt recommend using them.

Besides hand-made indexes and sketchy search engines, your options are limited. Word of mouth is one way. Following links from one Onion Service to the next is another. In other words, it isnt easy to find Onion Services that arent listed in an index.

Sometimes Onion Services Show Up in Search Engines

Despite what we just told you, Onion Services do sometimes show up in searches on regular search engines. This is because there are yet other services that make a connection between the Surface Web and Onion Services.

But think about it. Using a service like this means that you are letting one of these services sit in between your computer and Tor to handle the connection for you. There goes your anonymity.

We dont recommend using these services.

Surprisingly, the US Government pays for a lot of it. According to CNBC Internationals What is the Dark Web? video, the State Department and the Department of Defense provide 60% of the funding for the Tor Project. They support Tor so that dissidents worldwide have a secure place to organize and report on abuses. Various US government agencies use Tor as well.

Beyond the US government, several other organizations contribute. But the greatest number of contributions (if not total dollars) comes from individuals. Individuals contribute both with cash and by running Tor relays.

If you are ready to give Tor a try, nows the time. Follow the steps below, and you will be up and running on Tor is short order.

Decide Which Operating System to Use

Tor provides anonymity when using on the Internet. But if your Operating System is insecure, you are still vulnerable. If being a Tor user really does invite increased government attention, you may be more vulnerable than before.

You can run Tor on Microsoft Windows. But most people interested in privacy are moving away from Windows. Why?

Because Windows has such a large market share, it is the prime target for hackers. Because Windows has a history of being vulnerable to viruses, hackers, and all sorts of security problems. And because, at least with Windows 10, Microsoft grants itself permission to gather all sorts of information from your computer and record it in itsown database.

A better choice would be to use a version of Linux. Most security professionals see Linux as more secure than Windows or even MacOS.

The choice is, of course up to you. But whichever Operating System you choose, make sure you install the latest security updates and use a quality antivirus/antimalware program.

Were going to use Linux Mint for this example.

Download and Install the Tor Browser for Your Operating System

Go to the Tor Browser download page and click the Download button for the version for your Operating System.

Once the download is complete, click the sig link below the button to verify the Digital Signature of the package (follow the red arrow in the image below). This ensures that the Tor file has not been corrupted or hacked. If you dont know how to do this, the Verifying Signatures page has instructions.

Once you confirm the Digital Signature, install the Tor browser normally.

Before you go any further, we strongly recommend you read the warnings and suggestions in the Want Tor to really work? section of the download page. If you follow the given advice there, it will make using Tor even more secure.

Start Browsing Privately with Tor!

If you followed the preceding steps, all you need to do is launch the Tor Browser. Expect to wait a few moments as the browser establishes a connection to the Tor network. After that, you should see something like this:

Before you do anything else, heed this warning: Some people claim that you should never resize the Tor Browser window from the default that it launches in. They say that doing so will make your browser stand out a bit from those of other users who have not changed the size of the window.

We dont know whether this is something to worry about or not but wanted to throw it out there before you start playing with your shiny new Tor Browser.

Hey! What about some indexes to get us started?

Here is an Onion Service index to get you started.

We cant vouch for these guys beyond saying that they seem to be legitimate and as of 5 March 2019, they were still online.

We dont want to weasel on you, but that depends. It depends on what you do online, where you live, and how much you care about protecting your privacy. To help you figure this out, weve put together a table of Pros and Cons of using Tor from the privacy perspective:

Privacy Pros and Cons of Tor

The rest is up to you. But remember, this isnt an all or nothing affair. If you want, you can use your regular browser for regular stuff, and use Tor for things like banking and investigating that sensitive medical condition you dont want anyone to know about.

Good luck, and stay safe!

P.S For even more privacy, read our Tor vs VPN guide.

Or if your interested in an alternative to Tor, check out our article on What is I2P.

Blokt is a leading independent cryptocurrency news outlet that maintains the highest possible professional and ethical journalistic standards.

Continue reading here:
What Is the Tor Browser & How To Use It In 2020 - Blokt