Daily Archives: June 28, 2021

People who value a high level of privacy protectionor who depend on this protection for political reasonscan access websites using Tor without leaving any traces on the net. With a Tor browser, users'internet traffic is automatically routed through several Tor servers, which ensure anonymity through encryption. Only then does it go to the actual destination:the web server users intendto visit.

This process is called routing. Tor actually stands for "The Onion Routing"because the Tor servers layer their encryption on top of the encryption of other servers reminiscent of onionlayers.

Tor is secure by design. For this reason, there have hardly been any major security incidents to the detriment of users. Its browser, which is based on the Firefox browser, is continuously developed and secured by the free, open source Tor project.

Content providers who want to offer their content directly in the Tor network operate an "onion service." This is a web server that is directly connected to the Tor network. These websites can be recognized by the extension .onionand can only be accessed via the Tor browser.

Deutsche Welle has also been operating its own onion service for some time, making it easier for users all over the world to access free media anonymously especially people who fear repression for using such free media. Tor can also be a useful tool for journalists, for example when they cannot conduct regular research because they are being persecuted by state actors and intelligence agencies. This is crucial because fear of surveillance alone canquickly lead to self-censorship.

Tor not only protects users' anonymity, but also offers them paths to free information in censored markets.

For example, authoritarian states often block content from international information providers such as DW, the BBC and The New York Times. With Tor, this state censorship can be circumvented. The previous web address of Deutsche Welle was:https://dwnewsvdyyiamwnp.onion.

But this is now changing.

As you can probably already tell from the long and difficult-to-readonion service addresses, cryptography is involved here. Tor does not have a central domain systemwhich forwardsreadable web addresses like dw.com to the IP addresses of computers.

Address allocation is decentralized and consists of a cryptographic key. This makes it particularly secure. Part of this key is the onion service address.

Attackers can get hold of such a key by brute force. So far, they have mostly used these attacks to hack passwords.

The longer the key or password, the more computing power is required and the more difficult such an attack becomes.

It is precisely this massive computing power that is now available to some authoritarian regimes in the form of Bitcoin mining farms. In recent months, computing capacity has grown very quickly in countries such as China and Iran.

As a result, the Tor project has decided to only support addresses with a length of 56 characters and has adopted the "Onion v3 standard" for this purpose. Addresses in the new standard are considered secure for the next few years, not only because of their greater length, but also because of other modern cryptographic functions.

DW's new onion service address as of now is:

https://dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion

Because these v3 addresses are very difficult to read and remember, it is also sufficient to enter the publicly known addresses in the Tor browser for exampl:e dw.com. The browser then offers to use the complicated Tor address once and automatically on future page requests.

But be careful: This procedure means that you briefly leavethe secure Tor network, so users who need the highest level of anonymity should only use the long cryptographic v3 Tor address.

Shortly after winning a major prize at the Cannes Film Festival with "A Man of Integrity," the Hamburg-based director returned to Iran in September 2017. Iranian authorities then confiscated Rasoulof's passport and banned him from directing new films. In July 2019, he was sentenced to a year in prison. He nevertheless managed to shoot "There Is No Evil" (photo), which won the Golden Bear in 2020.

Abdolreza Kahani migrated to France in 2015 after three of his films were banned in the Islamic Republic and he was prevented from submitting them to international festivals. "We are born into censorship. Censorship affects not just literature, music and film. Censorship begins inside the home," he told the Center for Human Rights in Iran (CHRI) in a recent interview.

Getting a screening permit for films that premiered at world festivals can take years: Kianoush Ayari's "The Paternal House," from 2012, was only released in Iran last year after the director agreed to make some edits. But a week later, in November 2019, the film was banned, prompting 200 film personalities to sign an open letter condemning state censorship and calling for freedom of expression.

He is one of the few directors to have won the Oscar for best foreign film twice: "A Separation" (2012) and in 2016, "The Salesman" (photo). Farhadi boycotted the second ceremony, which took place shortly after Trump's "Muslim travel ban." Even though Iranian officials were behind Farhadi's Oscar entries, the filmmaker was among the signatories of the 2019 open call condemning state censorship.

Iranian-Kurdish filmmaker Bahman Ghobadi directed the world's first Kurdish-language feature film, the 2000 "A Time for Drunken Horses" (photo). Following his semi-documentary about the underground indie music scene in Tehran, "No One Knows About Persian Cats" (2009), Ghobadi fled Iran, as intelligence agents repeatedly threatened him and urged him to leave. Those two films won awards at Cannes.

Having permanently left Iran as a young adult, Marjane Satrapi didn't have to deal with Iranian authorities as an author and filmmaker. Her best-known comic book, "Persepolis" (photo) adapted into a film that won the Cannes Jury Prize in 2007, offers a personal depiction of how a teenager can get into trouble with the police by disregarding modesty codes and buying music banned by the regime.

Released shortly before the 9/11 attacks, Mohsen Makhmalbaf's 2001 film, "Kandahar," became a must-see work about the fate of Afghan women. Many of the award-winning director's films are banned in Iran, and he left the country to live in France after Mahmoud Ahmadinejad's election. His most recent feature film, "The President" (photo) opened the Venice Film Festival in 2014.

The daughter of Mohsen Makhmalbaf is one of the most influential directors of the Iranian New Wave. Her first feature film, "The Apple," which she directed at the age of 17, premiered at the Cannes Film Festival in 1998. Two years later, she won the Cannes Jury Prize with "Blackboards. (photo). She then became the youngest person to sit on the jury of festivals such as Cannes, Venice and Berlin.

Winning a Cannes award with his 1995 feature debut, "The White Balloon," Panahi kept receiving international acclaim despite increasing restrictions in Iran. Since 2010, he has been banned from making films and leaving the country, but still managed to secretly direct more works, including the Golden Bear-winning "Taxi" (2015) and "3 Faces" (photo), which won Cannes' best screenplay prize in 2018.

A decade after winning the International Award at the Venice Biennale, the visual artist's feature debut, "Women Without Men" (photo) was also honored at the Venice film festival in 2009. A critic of political injustice, Neshat lives in self-imposed exile in New York. "While I am critical of the West, women artists in Iran still face censorship, torture and, at times, execution," she said.

Author: Elizabeth Grenier

Continued here:
Protection from hackers: How Tor is tightening security - DW (English)

Open-source Tor browser has been updated to version 10.0.18 with fixes for multiple issues, including a privacy-defeating bug that could be used to uniquely fingerprint users across different browsers based on the apps installed on a computer.

In addition to updating Tor to 0.4.5.9, the browser's Android version has been upgraded to Firefox to version 89.1.1, alongside incorporating patches rolled out by Mozilla for several security vulnerabilities addressed in Firefox 89.

Chief among the rectified issues is a new fingerprinting attack that came to light last month. Dubbed scheme flooding, the vulnerability enables a malicious website to leverage information about installed apps on the system to assign users a permanent unique identifier even when they switch browsers, use incognito mode, or a VPN.

Put differently, the weakness takes advantage of custom URL schemes in apps as an attack vector, allowing a bad actor to track a device's user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor, effectively circumventing cross-browser anonymity protections on Windows, Linux, and macOS.

"A website exploiting the scheme flooding vulnerability could create a stable and unique identifier that can link those browsing identities together," FingerprintJS researcher Konstantin Darutkin said.

Currently, the attack checks a list of 24 installed applications that consists of Adobe, Battle.net, Discord, Epic Games, ExpressVPN, Facebook Messenger, Figma, Hotspot Shield, iTunes, Microsoft Word, NordVPN, Notion, Postman, Sketch, Skype, Slack, Spotify, Steam, TeamViewer, Telegram, Visual Studio Code, WhatsApp, Xcode, and Zoom.

The issue has serious implications for privacy as it could be exploited by adversaries to unmask Tor users by correlating their browsing activities as they switch to a non-anonymizing browser, such as Google Chrome. To counter the attack, Tor now sets "network.protocol-handler.external" to false so as to block the browser from probing installed apps.

Of the other three browsers, while Google Chrome features built-in safeguards against scheme flooding it prevents launching any application unless it's triggered by a user gesture, like a mouse click the browser's PDF Viewer was found to bypass this mitigation.

"Until this vulnerability is fixed, the only way to have private browsing sessions not associated with your primary device is to use another device altogether," Darutkin said. Tor browser users are recommended to move quickly to apply the update to ensure they are protected.

The development arrives little over a week after encrypted messaging service Wire addressed two critical vulnerabilities in its iOS and web app that could lead to a denial-of-service (CVE-2021-32666) and permit an attacker to take control of a user account (CVE-2021-32683).

Go here to read the rest:
Patch Tor Browser Bug to Prevent Tracking of Your Online Activities - The Hacker News

Theres been yet another technique discovered to fingerprint users, and this one can even work in the Tor browser. Scheme flooding works by making calls to application URLs, something like steam://browsemedia. If your machine supports the requested custom URL, a pop-up is displayed, asking permission to launch the external application. That pop-up can be detected by JavaScript in the browser. Detect enough apps, and you can build a reasonable fingerprint of the system the test is run on. Unlike some previous fingerprinting techniques, this one isnt browser dependent it will theoretically give the same results for any browser. This means even the Tor browser, or any browser being used over the Tor network, can give your potentially unique set of installed programs away.

Now for the good news. The Chrome devs are already working on this issue, and in fact, Chrome on my Linux desktop didnt respond to the probes in a useful way. Feel free to check out the demo, and see if the results are accurate. And as for Tor, you really should be running that on a dedicated system or in a VM if you really need to stay anonymous. And disable JavaScript if you dont want the Internet to run code on your computer.

Windows system security and Linux system security are quite different. OK, thats probably both something of an understatement, and pretty obvious. In a project like Samba, which re-implements the Server Message Block protocol, those differences are a constant challenge. Sometimes, like in the case of CVE-2021-20254, the results are unusual.

This story really begins at Linkping University, where [Peter Eriksson] discovered that someone was able to delete a file on a Samba share, when that should not have been possible. He apparently tracked down the problem, which is in the Samba code that maps Windows SIDs to Unix Group IDs. Samba caches these lookups, and a possible cached result is that a match cannot be found. The bug is triggered when that cached response is fetched again, reading past the end of the buffer. There isnt a known technique for triggering this bug intentionally, but thats likely a failure of imagination, so make sure you get this one patched.

There are odd machines still connected to the Plain Old Telephone System (POTS). This thought was apparently keeping [Valtteri Lehtinen] up at night, because he built a system to call 56,874 different phone numbers, and then documented what he found. His testing rig is a bit odd, using WarVOX as the dialer. That program only supports IAX2, a VoIP protocol introduced by the Asterisk project that has been mostly forgotten in favor of SIP. His interface to the outside world was a SIP-to-GSM gateway and a cheap prepaid SIM card. To make WarVOX talk to the SIP gateway, he stood up an Asterisk instance to do the translation. His target was the freephone numbers, similar to a 1-800 number in the States mostly businesses rather than individuals.

He spent 60 seconds per call, and recorded the results, running the experiment for 40 days. His results? About 2% of the numbers were interesting. He categorized those, and came up with 74 unique systems he had reached. For an example of what that means, seven of his calls reached dedicated fax lines. These were indistinguishable from each other, so only accounts for a single unique system. Eleven calls just played music, but several of those seemed to be playing the exact same music, making for seven unique systems.

There are a few really oddball recordings that [Valtteri] found. Two numbers contain a prompt about the zombie apocalypse, asking the caller if he wants to be rescued. These remind me very much of the various joke phone numbers, like the rejection hotline. He also found a couple numbers that sound very much like old mechanical phone switching hardware. Wouldnt it be interesting to know exactly what hardware is on the other end of those calls? We cant recommend taking up wardialing as a hobby, but there are certainly still some interesting endpoints out there. Want to look into the recordings for yourself? Check out his blog post, where many of the recordings are available to listen to.

Theres a very odd problem with the iPhone thats attracted a lot of attention this week. Connecting to a WiFi network with a name like %p%s%s%s%s%n made the phones WiFi subsystem crash, and prevented connection to any other networks. That string looks interesting, doesnt it? Almost like a format string. For those not following, most programming languages have string formatting functions that take a series of inputs, combined with a format string like this one, and plug the inputs into the string. Cs printf() is one of the more familiar to many of us. The catch here is that when the inputs dont match what the string calls for, you enter the realm of undefined behavior, AKA crashes and vulnerabilities.

[CodeColorist] took a deeper look at the problem, and confirmed that it is indeed a format string issue. When the device attempts to connect to a new WiFi network, a message is written to the system log: Attempting Apple80211AssociateAsync to and then the network name, using a format string method. The process of writing the string to the log invokes another such method, but this time the SSID is now part of the format string. The inputs no longer match, leading to a crash of the WiFi process. While its certainly an annoying bug, it doesnt appear to be one that can lead to RCE.

Password reset systems have always been something of a weak point of security schemes. Of particular note are the schemes that use a four- or six-digit reset code to protect the account. Have you ever wondered what stops an attacker from triggering a reset, and then simply trying all one million possible codes, assuming a six-digit number? The usual answer is a combination of expiring codes and rate limiting on guesses. This story is about Apple accounts, but the background is that [Laxman Muthiyah] first found a way to exploit the password reset function of Instagram.

Heres the setup. When you start the password reset process on Instagram, a six-digit code is emailed to the email address on file. If you have access to that email, you type in the code within ten minutes, proving that youre the account owner. After ten minutes, the code expires. If youre an attacker, you can start the password reset process, and then guess that six-digit code again, one million possible values. Try to brute force the code, and about 200 attempts go through before the rate-limiting kicks in. That gives you a 1-in-5,000 chance in breaking into the account.

What if there was a way to get around the rate-limiting? Hint: There was. You see, trying to send more than 200 guesses from a single IP was easily detected and rate-limited. But what if you had two different IPs? Send 200 guesses from each, at the same time, and they all get processed with no rate limiting. So to take over an Instagram account, all it takes is 5,000 IPs that you can send traffic from for a few seconds. Now how would you get 5,000 IPs to use? Three options come to mind. The cloud, a botnet, or IPv6 addresses. He used a cloud to demonstrate the attack, covering 20% of the possible key space in a single go. He netted a cool $30,000 from turning in the findings to Facebook.

Would other providers have the same weakness? [Muthiyah] took a look at Apples account recovery process, and found a way to pull off the same attack, but with some major limitations. Rather than 200 guesses from each IP, he could send six. That isnt enough for a viable attack but the target URL endpoint exists on six different IPs. That gives an attacker 36 guesses from each IP he controls. Thats on the edge of being exploitable, with only 28,000 IPs needed. Thats a *small* botnet. Apple agreed, asking him to keep the attack under his hat until they could push out fixes.

The story gets weird from here. First, what should have been a relatively simple fix took about ten months to roll out. [Laxman] asked for an update, and was told that his attack only worked against accounts not tied to a hardware device. Accounts tied to a device use a bit different password reset method, where a hashing function is used to prove that the user knows the reset code. That URL endpoint is now very well protected against his parallel brute-force attack, but he was only able to test it after the flaw was fixed.

For his trouble, Apple offered him $18,000. Sounds great, right? Hold up. A vulnerability that leads to an Apple account takeover should be worth $100,000; and if that leads to data extraction from a device, it goes up to $250,000. [Laxman] openly speculates that his attack probably worked on all accounts before it was patched, and suspects Apple of pulling a fast one. He walked away from the offered bounty, and posted the entire story for everyone to see. This isnt the first time weve covered disputes over bug bounties, and Im sure it wont be the last.

Eclypsium found a handful of problems with Dells firmware update process. BIOSConnect is a firmware update process that runs entirely from the system BIOS. From what I can tell, this means that a Dell machine could be vulnerable even if it isnt running Dells SupportAssist, or even Windows at all. The BIOS makes an HTTPS request to downloads.dell.com, but fails to properly validate the TLS certificate. It seems that any wildcard certificate for any domain will be accepted. You could fool it as easily as using a Lets Encrypt certificate for *.myuniquedomain.com, and telling an HTTPS server to use that cert for dell.com.

The saving grace here is that an attacker needs to be on the same network as the victim machine, in order to MItM the connection to the update server. Either way, if you have Dell hardware, go check for this issue and update if its there, or at least turn off BIOSConnect.

Theres been a rash of ransomware attacks against consumer NAS devices, and it looks like Western Digitals My Book Live might be the next device to be hit. Multiple users discovered their drives wiped on the 23rd, and a log note that a factory restore had been triggered. WD has released a statement, acknowledging the issue, and recommending that anyone with a My Book Live unplug it from the network right away, and leave it offline until they can get to the bottom of the issue. The latest official news is a reference to a 2018 CVE, a pre-auth network RCE. What immediately comes to mind is that a particularly obnoxious ransomware program could include this attack as part of an effort to destroy backups. The odd part is that none of the affected users have reported a ransomware note.

Microsoft announced Windows 11, and while there was the normal marketing hype and keynotes, there were a couple interesting security-related tidbits, mostly in the updated system requirements. First up is the Trusted Platform Module 2.0 requirement. Most modern motherboards ship with a firmware TPM, but often disabled by default. If you try running the upgrade check, and were told that your nearly-new system cant run Windows 11, thats probably why. But why would Microsoft require a TPM for everyone? Credit to Robert Graham for this one: TPM is a requirement for BitLocker, the high quality whole disk encryption software built into Windows. This would indicate that BitLocker is going to be on for everyone, rather than a feature you have to manually enable.

The other somewhat surprising change is that Microsoft is doing away with support for 32-bit processors, and going to 64-bit Windows only. There are sure to be some issues for people still running 16-bit code, which wont execute at all under 64-bit Windows. There are, however, quite a few security features that only run on 64-bit windows, like ASLR, signed drivers, the NX bit for Data Execution Protection, and PatchGuard. While the reduced engineering burden of dropping 32-bit Windows was likely the major driver in this decision, the Windows platform will be significantly more secure as a result.

Visit link:
This Week In Security: Schemeflood, Modern Wardialing, And More! - Hackaday