Insanely News

Spreading objective and constructive information.

Category: Security

Donald Trump wiretapped by China and Russia

The United States President's iPhone is being intercepted and he keeps using it to call his friends, the New York Times writes, and he will not listen to reason

Chinese and Russian intelligence services routinely listen in on the phone calls that the President of the United States, Donald Trump, makes from his personal iPhone, ignoring the many requests for greater caution from his advisers and from US intelligence, who have strongly advised him against using it. Trump's insecure communication habits and the resulting risks to national security were described by the New York Times in a long article based on accounts from White House staff and intelligence officials, frustrated by the carelessness with which Trump uses smartphones that can easily be intercepted.

Trump has three iPhones: two modified by the NSA (the government agency responsible for information security) to reduce the risk of interception, and a personal one with no particular restrictions, which is therefore the main source of concern for US intelligence and for the president's staff. Trump uses the third iPhone because, unlike the other two, it lets him keep an address book of phone numbers.

The two NSA-modified iPhones are set up, respectively, to use Twitter and a few other applications, and to make phone calls. Their functionality is very limited, including the inability to keep a contacts list, and for this reason Trump uses a third, personal one on which he does essentially whatever he wants. Unable to stop him from using it, and having never managed to persuade Trump to use the White House's secure landline, his aides are now reduced to hoping that the president does not disclose classified information during calls to his friends that could be intercepted, the New York Times explains.

Trump seems to dismiss almost entirely the risks that come with using an ordinary smartphone for his activities, and ignores several other rules designed to reduce those dangers. Security protocols require the president to swap his smartphones every 30 days, so that phones that may have been compromised are not kept in use for longer. The sources consulted by the New York Times say this practice is almost never followed, because Trump does not like losing the data stored on the phones, which cannot be transferred from one device to the next precisely because of the risk of carrying any malware over to the new one.

Limited access to direct means of communication is a problem that US presidents, and more generally all heads of state and government, have long had to contend with. Barack Obama, Trump's predecessor, was only allowed to use an iPhone during his second term (before that he used a modified BlackBerry), but the smartphone was heavily restricted: it could not make calls, could not receive email except from a specific selection of contacts, had no camera or microphone, could not be used to download applications at Obama's discretion, and had text messaging disabled. Describing his iPhone's limitations during a 2016 television interview on Jimmy Fallon's Tonight Show, Obama said: "It's a great phone, the best on the market, but it doesn't take pictures and won't let you send messages. The phone function isn't on, you can't even listen to music on it. You know the toy phones for three-year-olds? Something like that."

The iPhone Trump uses for Twitter does not use the cellular network and can connect to the Internet only over WiFi. The problem, though, is how Trump uses it: it should connect only to trusted, secure wireless networks, but there appear to have been occasions on which he used less reliable ones. On top of this come lapses and carelessness: in 2016 Trump left his iPhone on a golf cart at a golf course in New Jersey, prompting a large-scale search for a phone that, with the data of the President of the United States on it, risked being lost for good.

The New York Times article does not, however, explain in detail which techniques the Chinese and Russian intelligence services might use to intercept Trump's calls, limiting itself to this description:

The calls made from the phone are intercepted as they travel from a cell tower to the cable systems to the switching centers that make up the international telephone networks. Calls made from any cellphone, whether an iPhone, an Android phone or an older Samsung model, are vulnerable.

The description is very generic, perhaps deliberately, so as not to offer too many details (as a rule, articles of this kind never contain information that could undermine national security), or perhaps because the possibility that several methods are used to intercept Trump is being contemplated. Alex Stamos, Facebook's former chief security officer, wrote on Twitter that the interception could exploit an unspecified vulnerability in "Voice over LTE" (VoLTE), that is, in the use of the 4G network to carry voice calls as well, with better audio quality. Stamos noted, however, that there are currently no known methods for decrypting calls over LTE, although this does not rule out that ways to do so exist and that some governments' intelligence agencies know of them.

Regardless of the methods actually used by China and Russia, the New York Times article was received with concern by numerous information security and national security experts in the United States. To varying degrees, most of the world's governments spy on one another, but each of them still follows certain precautions to mitigate the risks. The White House landlines, for example, offer greater protection and security, but Trump is not always willing to use them, especially when he wants to make personal calls to friends and to people with whom he handles family business and of which he does not want any record kept.

The most intensive spying on the calls is done by the Chinese government, the New York Times also writes. In the past, with other presidents, China had already tried to exploit their networks of acquaintances to influence their policies, so as to gain some advantage, above all commercially. Direct access to what Trump says on the phone to friends and acquaintances amplifies these capabilities, giving China greater control over its influence tactics.

The Chinese government's goal in the recent period has been to avoid continued escalation of the so-called "trade war" between the United States and China, started by Trump himself with the decision to impose tariffs on many goods imported from China. The idea is that, thanks to the intercepts and the influence of certain acquaintances, the situation can be kept under control and more serious damage to the economy avoided. According to the sources consulted by the New York Times, the Russian government instead maintains more rudimentary monitoring, given the good personal relationship between the Russian president, Vladimir Putin, and Trump himself. Russia's interests are said to be adequately protected for now, making influence activities like those attempted by the Chinese government unnecessary.

Source: https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html


LINUX HACK, BSD SYSTEMS FACE STACK CLASH VULNERABILITY

(InsanelyNews) Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code as root.

Major Linux and open source vendors have made patches available today, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon. The risk posed by this flaw, CVE-2017-1000364, becomes particularly acute if attackers are already present on a vulnerable system. They would then be able to chain this weakness with other serious issues, including the recently addressed sudo vulnerability, and run arbitrary code with the highest privileges, said researchers at Qualys, who found the vulnerability.

The vulnerability lies in the stack, a memory management region on these systems. The attack bypasses the stack guard page mitigation introduced in Linux in 2010 after attacks in 2005 and 2010 targeted the stack.

In its advisory Qualys recommends increasing the size of the stack guard gap to at least 1 MB as a short-term measure until an update can be applied. It also recommends recompiling all userland code with the GCC -fstack-check option, which would keep the stack pointer from moving into other memory regions. Qualys concedes, however, that this is a costly solution, though one that cannot be defeated unless there is an unknown vulnerability in the -fstack-check implementation.

Source


New Global Ransomware attack creates turmoil across the Globe

(InsanelyNews) Computer systems across the world are being attacked by a ransomware that bears similarities to a recent assault that crippled networks around the world.

Many companies in Russia, the United States and across the globe are reporting that their IT systems are being disrupted as a result of the cyber attack. British advertising agency WPP and Ukrainian firms, including the state power company and Kiev's main airport, were among the first to report the problem.

Ukraine's Chernobyl nuclear power plant had to switch to manual checking of radiation levels after its Windows-based sensors were affected by the attack.

According to experts, the malware exploits the same weaknesses that were used by the WannaCry ransomware attack last month.

"It initially appeared to be a variant of a piece of ransomware that emerged last year," said computer scientist Prof Alan Woodward. "The ransomware was called Petya and the updated version Petrwrap. However, now that's not so clear." The Russian cyber security firm Kaspersky Lab said that the malware was "new ransomware that has not been seen before", although it resembles Petya, an older malware. As a result, the firm named it NotPetya.

Kaspersky reported that attacks had been detected in Poland, Italy, Germany, France and the US, in addition to the UK, Russia and Ukraine.

Source


Cybersecurity threats emerging from webcams worldwide

(InsanelyNews) Webcams, which are used for numerous applications at both the individual and the organisational level, have turned into a new cybersecurity threat, a new report said on Tuesday. According to a report titled "Vulnerabilities in Foscam IP Cameras" by Finland-based cyber security firm F-Secure, multiple vulnerabilities plague a large number of Internet-connected cameras around the world.

The researchers found a total of 18 vulnerabilities in these webcams and stated that an attacker can view the video feed, control the camera's operation and upload and download files from the built-in FTP server.

"Foscam-made IP cameras have multiple vulnerabilities that can lead to full device compromise," the report claimed.

"An unauthenticated attacker can persistently compromise these cameras by employing a number of different methods leading to full loss of confidentiality, integrity and availability, depending on the actions of the attacker," it added.

F-Secure informed Foscam about the vulnerabilities but received no response. According to F-Secure, Foscam reportedly has a history of bugs enabling access to video feeds from its IP cameras and baby monitors.

Source


HACKER NEWS: VIRGIN MEDIA ROUTERS VULNERABLE

(InsanelyNews) Virgin Media has warned 800,000 customers using its Super Hub 2 router to change their passwords because a security vulnerability could expose their passwords to hackers, enabling attackers to gain control of other smart devices on the network.

The company says that the risk of compromise is only minimal; however, customers who haven't changed the default password printed on a sticker attached to the router are advised to change both that and their network password in order to protect against potential attacks.

Virgin has advised Super Hub 2 customers to switch to a "unique" password that should contain at least 12 characters, using a mix of upper and lower case letters and numbers.

The warning follows an investigation by ethical hackers at SureCloud, who found they could infiltrate the Super Hub 2 and use it to gain access to other connected household devices, including children's toys, Internet-connected IP cameras, smart locks and more. Even the Amazon Echo was found to have a vulnerability related to voice ordering, though it was difficult to break. A total of 15 devices were connected to a test environment, and the researchers found vulnerabilities in eight of them, including the Super Hub 2 router, the gateway to all of the devices in the environment. The ethical hackers say they were able to breach it within days.

Virgin Media, while acknowledging the vulnerability, has pointed out that this is an issue that exists with all routers of this age, and that the company, as well as issuing advice to change passwords, will be upgrading customers to a newer version of the router. "The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards," a Virgin Media spokesperson told ZDNet.

Source


Bitcoin alert: users advised of cyber attacks (security research)

(InsanelyNews) Security researchers have warned that users who deal in digital currencies need to be more vigilant and keep their accounts secure and safe.

After the recent "WannaCry" ransomware cyber attack, experts have issued another Bitcoin alert.

The ransomware has affected millions of users around the world; it locks users' computers and then asks for a ransom in the form of Bitcoins. "Quantum computers are able to perform a 'large factorisation' and can detect the public and private keys used in Bitcoin transactions.

"The threat is that when the 'private key' is sniffed by third parties, they are free to make transactions using a hacked account, as the 'private key' proves the ownership of a Bitcoin address (used to send and receive the currency)," she told Bernama.

Zuriati, a lecturer at Universiti Putra Malaysia's Communication Technology and Networking department, said that the blockchain, a public digital database that keeps records of all Bitcoin transactions, needs to be protected using Bitcoin's private key.

If anyone managed to access the private key, they could easily hack the value of the Bitcoin. She said studies have shown that the use of Bitcoin is more secure, fast and cheap, and more convenient than using a credit or debit card. Bitcoin is backed by mathematical calculations. The currency cannot be controlled by countries' central banks, and because of this it has become a preferred mode of transaction for small businesses.

Source


Bitcoin: malware turns Raspberry Pi computers into miners

(InsanelyNews) Russian security firm Dr.Web has discovered a new malware called Linux.MulDrop.14 which is hitting Raspberry Pi computers.

Dr.Web examined two different Pi-based trojans, including Linux.MulDrop.14. One trojan uses the Pi to mine a cryptocurrency; the other sets up a proxy server. According to the site: "Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass."

It replaces the password of the user "pi" with one whose SHA-512 crypt hash (the "$6$" prefix marks the algorithm) is "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1", locking the owner out. The malware then searches the network for machines with port 22 open and tries to log in using the default Raspberry Pi credentials.

According to Hackaday (http://hackaday.com): "Embedded systems are an inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In others, it is just the compute power which can be used for denial of service attacks on others, spam, or, in this case, BitCoin mining. We wonder how large your Raspberry Pi botnet needs to be to compete in the mining realm?" Users should change the default password on their Pi to avoid problems of this kind, and they are advised to use two-factor authentication.
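As an added example (not code from Dr.Web, Hackaday or this page), the following Python script checks a Pi for the two things the report gives an operator to act on: the password hash the trojan installs for the "pi" user, and whether sshd still accepts passwords at all, since the trojan gets in by guessing the default pi credentials over port 22 (on a stock Raspbian image that password is "raspberry"). The /etc/shadow and sshd_config samples inside it are constructed for the demonstration; on a real device, read those files from the SD card.

```python
"""Offline audit for the Linux.MulDrop.14 indicators described above.

Added example, not Dr.Web's or Hackaday's code.  It checks two things an
operator can verify from a Pi's SD card without booting the device: whether
the "pi" entry in /etc/shadow carries the hash the trojan installs, and
whether sshd still accepts passwords (the trojan spreads by guessing the
default pi credentials on port 22).  Sample inputs below are constructed.
"""
import hmac

# Hash the trojan writes for user "pi" (SHA-512 crypt; the "$6$" prefix and the
# salt "U1Nu9qCp" are part of the indicator).
MULDROP_PI_HASH = (
    "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7Bspm"
    "EH95POvxPQ3PzP029yT1L3yi6K1"
)
MULDROP_SALT = "$6$U1Nu9qCp$"


def parse_shadow(text):
    """Map user -> password field from /etc/shadow-formatted text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries


def audit_shadow(text):
    """Findings about the 'pi' account; an empty list means nothing suspicious."""
    findings = []
    pi_hash = parse_shadow(text).get("pi")
    if pi_hash is None:
        return findings
    if hmac.compare_digest(pi_hash, MULDROP_PI_HASH):
        findings.append("pi: password hash matches the Linux.MulDrop.14 indicator")
    elif pi_hash.startswith(MULDROP_SALT):
        findings.append("pi: password hash uses the Linux.MulDrop.14 salt")
    if pi_hash == "":
        findings.append("pi: account has no password")
    return findings


def sshd_option(config_text, keyword, default):
    """Value of a global sshd_config keyword.

    sshd keywords are case-insensitive and the first occurrence wins; anything
    after the first 'Match' line is conditional and must not be read as the
    global setting.
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


def audit_sshd(config_text):
    """Findings about settings that let a password-guessing worm in."""
    findings = []
    # OpenSSH's compiled-in default is "yes", so a commented-out line counts as enabled.
    if sshd_option(config_text, "PasswordAuthentication", "yes") == "yes":
        findings.append("sshd: password authentication is enabled; use keys and set it to no")
    if sshd_option(config_text, "PermitRootLogin", "prohibit-password") == "yes":
        findings.append("sshd: root login with a password is permitted")
    return findings


def audit_host(shadow_text, sshd_config_text):
    return audit_shadow(shadow_text) + audit_sshd(sshd_config_text)


# Constructed samples: an infected Pi with a stock sshd_config, and a clean,
# hardened one.
INFECTED_SHADOW = (
    "root:*:17300:0:99999:7:::\n"
    "pi:" + MULDROP_PI_HASH + ":17300:0:99999:7:::\n"
    "nobody:*:17300:0:99999:7:::\n"
)
STOCK_SSHD = (
    "# constructed sshd_config\n"
    "Port 22\n"
    "#PasswordAuthentication no\n"
    "Match User backup\n"
    "    PasswordAuthentication no\n"
)
CLEAN_SHADOW = "pi:$6$b1tR9xQz$notTheIndicatorHash:17300:0:99999:7:::\n"
HARDENED_SSHD = "PasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for finding in audit_host(INFECTED_SHADOW, STOCK_SSHD):
        print(finding)
```

Changing the password, as the article advises, stops this particular worm; setting PasswordAuthentication no and logging in with keys stops the next one that guesses differently. The script stops reading sshd_config at the first Match line because options there apply only to the matched users and would otherwise be mistaken for the global setting.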

 

Source


Firefox: Mozilla releases update for Firefox 54

(InsanelyNews) Mozilla has released Firefox 54, fixing a total of 32 bugs, among them one particularly dangerous one.

The company published its latest security advisory on Tuesday; three of the resolved vulnerabilities are rated critical. The most serious of them is a use-after-free vulnerability in the Firefox 54 browser.

That vulnerability, CVE-2017-5472, was discovered by security researcher Nils in the Firefox frame loader: during tree reconstruction while regenerating a CSS layout, the browser can try to use a node in a tree that no longer exists, producing a potentially exploitable crash. Three other dangerous vulnerabilities were also resolved in the latest update.

"One vulnerability (CVE-2017-7749) is a use-after-free vulnerability when using an incorrect URL during the reloading of a docshell; another use-after-free vulnerability occurs during video control operations when a <track> element holds a reference to an older window if that window has been replaced in the DOM (CVE-2017-7750); and a third is a use-after-free vulnerability with content viewer listeners (CVE-2017-7751)."

All of these vulnerabilities result in crashes that could be exploited. In addition to the critical vulnerabilities, Mozilla patched six other bugs rated high impact: a security flaw in WebGL, a privilege escalation bug in the Firefox installer, out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory in the Graphite 2 library. Another bug, CVE-2017-7759, affected users of Firefox for Android. "Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local file: URLs, allowing for the reading of local data through a violation of same-origin policy," Mozilla says. Mozilla hopes to attract users with the latest update, which reduces memory demands, increases performance and speeds things up when browsing the Internet.

Source

Tor: Configuring Hidden Services, Facebook and SSL with Cert

(InsanelyNews) Tor allows clients and relays to offer hidden services. That is, you can offer a web server, SSH server, etc., without revealing your IP address to its users. In fact, because you don’t use any public address, you can run a hidden service from behind your firewall.

If you have Tor installed, you can see hidden services in action by visiting this sample site.

This page describes the steps for setting up your own hidden service website. For the technical details of how the hidden service protocol works, see our hidden service protocol page.


Step Zero: Get Tor working

Before you start, you need to make sure:

  1. Tor is up and running,
  2. You actually set it up correctly.

Windows users should follow the Windows howto, OS X users should follow the OS X howto, and Linux/BSD/Unix users should follow the Unix howto.


Step One: Install a web server locally

First, you need to set up a web server locally. Setting up a web server can be complex. We’re not going to cover how to setup a web server here. If you get stuck or want to do more, find a friend who can help you. We recommend you install a new separate web server for your hidden service, since even if you already have one installed, you may be using it (or want to use it later) for a normal website.

You need to configure your web server so it doesn’t give away any information about you, your computer, or your location. Be sure to bind the web server only to localhost (if people could get to it directly, they could confirm that your computer is the one offering the hidden service). Be sure that its error messages don’t list your hostname or other hints. Consider putting the web server in a sandbox or VM to limit the damage from code vulnerabilities.

Once your web server is set up, make sure it works: open your browser and go to http://localhost:8080/, where 8080 is the webserver port you chose during setup (you can choose any port, 8080 is just an example). Then try putting a file in the main html directory, and make sure it shows up when you access the site.


Step Two: Configure your hidden service

Next, you need to configure your hidden service to point to your local web server.

First, open your torrc file in your favorite text editor. (See the torrc FAQ entry to learn what this means.) Go to the middle section and look for the line

    ############### This section is just for location-hidden services ###

This section of the file consists of groups of lines, each representing one hidden service. Right now they are all commented out (the lines start with #), so hidden services are disabled. Each group of lines consists of one HiddenServiceDir line, and one or more HiddenServicePort lines:

  • HiddenServiceDir is a directory where Tor will store information about that hidden service. In particular, Tor will create a file here named hostname which will tell you the onion URL. You don’t need to add any files to this directory. Make sure this is not the same directory as your web server’s document root, as your HiddenServiceDir contains secret information!
  • HiddenServicePort lets you specify a virtual port (that is, what port people accessing the hidden service will think they’re using) and an IP address and port for redirecting connections to this virtual port.

Add the following lines to your torrc:

    HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080

You’re going to want to change the HiddenServiceDir line, so it points to an actual directory that is readable/writeable by the user that will be running Tor. The above line should work if you’re using the OS X Tor package. On Unix, try “/home/username/hidden_service/” and fill in your own username in place of “username”. On Windows you might pick:

    HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
    HiddenServicePort 80 127.0.0.1:8080

Now save the torrc and restart your tor.

If Tor starts up again, great. Otherwise, something is wrong. First look at your logfiles for hints. It will print some warnings or error messages. That should give you an idea what went wrong. Typically there are typos in the torrc or wrong directory permissions (See the logging FAQ entry if you don’t know how to enable or find your log file.)

When Tor starts, it will automatically create the HiddenServiceDir that you specified (if necessary), and it will create two files there.

private_key
First, Tor will generate a new public/private keypair for your hidden service. It is written into a file called “private_key”. Don’t share this key with others — if you do they will be able to impersonate your hidden service.
hostname
The other file Tor will create is called “hostname”. This contains a short summary of your public key — it will look something like duskgytldkxiuqc6.onion. This is the public name for your service, and you can tell it to people, publish it on websites, put it on business cards, etc.

If Tor runs as a different user than you, for example on OS X, Debian, or Red Hat, then you may need to become root to be able to view these files.

Now that you’ve restarted Tor, it is busy picking introduction points in the Tor network, and generating a hidden service descriptor. This is a signed list of introduction points along with the service’s full public key. It anonymously publishes this descriptor to the directory servers, and other people anonymously fetch it from the directory servers when they’re trying to access your service.

Try it now: paste the contents of the hostname file into your web browser. If it works, you’ll get the html page you set up in step one. If it doesn’t work, look in your logs for some hints, and keep playing with it until it works.


Step Three: More advanced tips

If you plan to keep your service available for a long time, you might want to make a backup copy of the private_key file somewhere.

If you want to forward multiple virtual ports for a single hidden service, just add more HiddenServicePort lines. If you want to run multiple hidden services from the same Tor client, just add another HiddenServiceDir line. All the following HiddenServicePort lines refer to this HiddenServiceDir line, until you add another HiddenServiceDir line:

    HiddenServiceDir /usr/local/etc/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080

    HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
    HiddenServicePort 6667 127.0.0.1:6667
    HiddenServicePort 22 127.0.0.1:22

Hidden services operators need to practice proper operational security and system administration to maintain security. For some security suggestions please make sure you read over Riseup’s “Tor hidden services best practices” document. Also, here are some more anonymity issues you should keep in mind:

  • As mentioned above, be careful of letting your web server reveal identifying information about you, your computer, or your location. For example, readers can probably determine whether it’s thttpd or Apache, and learn something about your operating system.
  • If your computer isn’t online all the time, your hidden service won’t be either. This leaks information to an observant adversary.
  • It is generally a better idea to host hidden services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible.
  • The longer a hidden service is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the hidden service’s availability and matching induced traffic patterns.
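The three steps above, as one added example (not the Tor Project's code): it renders the torrc lines for any number of services, checks that a HiddenServiceDir has the 0700 permissions Tor expects (the "wrong directory permissions" case from Step Two), and runs a file server that binds to 127.0.0.1 only and does not send Python's version banner in its Server header, which is the first item in the list above. The directory paths and the 8080 port are assumptions.

```python
"""Scaffolding for Steps One to Three: torrc lines, directory check, quiet backend.

Added example, not code from the Tor Project or from this page.  Directory
paths and the 8080 port are assumptions for the demonstration.
"""
import functools
import os
import stat
import sys
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def render_torrc(services):
    """Build the torrc lines for one or more hidden services.

    services: list of (hidden_service_dir, [(virtual_port, "ip:port"), ...]).
    Every HiddenServicePort line belongs to the HiddenServiceDir above it,
    exactly as Step Three describes.
    """
    lines = []
    for directory, ports in services:
        lines.append(f"HiddenServiceDir {directory}")
        for virtual_port, target in ports:
            lines.append(f"HiddenServicePort {virtual_port} {target}")
        lines.append("")  # blank line between services
    return "\n".join(lines).rstrip("\n") + "\n"


def permission_issues(mode):
    """Problems with a HiddenServiceDir's st_mode bits.

    Tor expects the directory to be accessible only by the user it runs as
    (0700); group/other bits are the "wrong directory permissions" that keep
    Tor from starting in Step Two, and they also expose private_key.
    """
    issues = []
    if not stat.S_ISDIR(mode):
        issues.append("not a directory")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"mode {stat.S_IMODE(mode):04o} is too permissive; chmod 700 it")
    return issues


def hidden_service_dir_issues(path):
    """Same check against a real path, plus a note if Tor has not run yet."""
    try:
        issues = permission_issues(os.stat(path).st_mode)
    except FileNotFoundError:
        return ["does not exist yet (Tor creates it on start if the parent is writable)"]
    for name in ("hostname", "private_key"):
        if not os.path.exists(os.path.join(path, name)):
            issues.append(f"no {name} file yet: Tor has not started with this directory")
    return issues


class QuietHandler(SimpleHTTPRequestHandler):
    """Serve files without announcing what serves them.

    The stock handler sends "Server: SimpleHTTP/0.6 Python/3.x.y", which tells
    a reader exactly what software and version sit behind the onion name.
    """
    server_version = "onion"
    sys_version = ""

    def version_string(self):
        return self.server_version


def serve(directory, port=8080):
    """Bind to loopback only (Step One): reachable via Tor, not from the LAN."""
    handler = functools.partial(QuietHandler, directory=directory)
    with ThreadingHTTPServer(("127.0.0.1", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    # Print the torrc fragment for a single site, then serve the given directory.
    print(render_torrc([("/home/username/hidden_service/", [(80, "127.0.0.1:8080")])]))
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it with the directory holding your html files, paste the printed lines into torrc, restart Tor, and then run hidden_service_dir_issues() on the HiddenServiceDir: once Tor has started cleanly the list is empty and the hostname file is there to read.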

FACEBOOK AND SSL WITH TOR

Today Facebook unveiled its hidden service that lets users access their website more safely. Users and journalists have been asking for our response; here are some points to help you understand our thinking.

PART ONE: YES, VISITING FACEBOOK OVER TOR IS NOT A CONTRADICTION

I didn’t even realize I should include this section, until I heard from a journalist today who hoped to get a quote from me about why Tor users wouldn’t ever use Facebook. Putting aside the (still very important) questions of Facebook’s privacy habits, their harmful real-name policies, and whether you should or shouldn’t tell them anything about you, the key point here is that anonymity isn’t just about hiding from your destination.

There’s no reason to let your ISP know when or whether you’re visiting Facebook. There’s no reason for Facebook’s upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there’s still no reason to let them automatically discover what city you’re in today while you do it.

Also, we should remember that there are some places in the world that can’t reach Facebook. Long ago I talked to a Facebook security person who told me a fun story. When he first learned about Tor, he hated and feared it because it “clearly” intended to undermine their business model of learning everything about all their users. Then suddenly Iran blocked Facebook, a good chunk of the Persian Facebook population switched over to reaching Facebook via Tor, and he became a huge Tor fan because otherwise those users would have been cut off. Other countries like China followed a similar pattern after that. This switch in his mind between “Tor as a privacy tool to let users control their own data” to “Tor as a communications tool to give users freedom to choose what sites they visit” is a great example of the diversity of uses for Tor: whatever it is you think Tor is for, I guarantee there’s a person out there who uses it for something you haven’t considered.

PART TWO: WE’RE HAPPY TO SEE BROADER ADOPTION OF HIDDEN SERVICES

I think it is great for Tor that Facebook has added a .onion address. There are some compelling use cases for hidden services: see for example the ones described at using Tor hidden services for good, as well as upcoming decentralized chat tools like Ricochet where every user is a hidden service, so there’s no central point to tap or lean on to retain data. But we haven’t really publicized these examples much, especially compared to the publicity that the “I have a website that the man wants to shut down” examples have gotten in recent years.

Hidden services provide a variety of useful security properties. First — and the one that most people think of — because the design uses Tor circuits, it’s hard to discover where the service is located in the world. But second, because the address of the service is the hash of its key, they are self-authenticating: if you type in a given .onion address, your Tor client guarantees that it really is talking to the service that knows the private key that corresponds to the address. A third nice feature is that the rendezvous process provides end-to-end encryption, even when the application-level traffic is unencrypted.

So I am excited that this move by Facebook will help to continue opening people’s minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services.

Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today’s era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it’s ok for their users to want more safety.

As an addendum to that optimism, I would be really sad if Facebook added a hidden service, had a few problems with trolls, and decided that they should prevent Tor users from using their old https://www.facebook.com/ address. So we should be vigilant in helping Facebook continue to allow Tor users to reach them through either address.

PART THREE: THEIR VANITY ADDRESS DOESN’T MEAN THE WORLD HAS ENDED

Their hidden service name is “facebookcorewwwi.onion”. For a hash of a public key, that sure doesn’t look random. Many people have been wondering how they brute forced the entire name.

The short answer is that for the first half of it (“facebook”), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted.

Then they had some keys whose name started with “facebook”, and they looked at the second half of each of them to pick out the ones with pronounceable and thus memorable syllables. The “corewwwi” one looked best to them — meaning they could come up with a story about why that’s a reasonable name for Facebook to use — so they went with it.

So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with “facebook” and end with pronounceable syllables, but that’s not brute forcing all of the hidden service name (all 80 bits).
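To make the two points above concrete (the self-authentication property from Part Two, and the “only 40 bits” arithmetic behind the vanity prefix), here is a small worked example. It is added here and is not code from the Tor blog or from Facebook. It implements the legacy (v2, as used in 2014) .onion naming scheme the post is talking about: the first 80 bits of the SHA-1 hash of the service’s DER-encoded RSA public key, base32-encoded, which gives the 16-character name. The key material it hashes is a constructed random blob standing in for a real DER-encoded key, because real RSA key generation is the expensive step a vanity search pays for on every trial; the `candidate_keys` generator and the search routine are illustrative helpers, not anything from Tor. The search is generalized to any prefix, and the test only asks for a two-character one.

```python
import hashlib
import base64
import random

BITS_PER_CHAR = 5          # base32: each character encodes 5 bits
ADDRESS_CHARS = 16         # v2 .onion name: 80 bits = 16 base32 characters


def onion_address_v2(der_public_key: bytes) -> str:
    """Derive a legacy (v2) .onion name from a DER-encoded RSA public key:
    first 10 bytes (80 bits) of SHA-1 over the key, base32, lowercase."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def address_matches_key(claimed: str, der_public_key: bytes) -> bool:
    """The self-authentication check a client relies on: the key the service
    presents must hash to exactly the name the user typed. A match on the
    first eight characters alone proves nothing, since only 40 bits are fixed."""
    claimed = claimed.lower()
    if claimed.endswith(".onion"):
        claimed = claimed[: -len(".onion")]
    return len(claimed) == ADDRESS_CHARS and claimed == onion_address_v2(der_public_key)


def bits_fixed(prefix: str) -> int:
    """How many of the 80 address bits a chosen prefix pins down."""
    return BITS_PER_CHAR * len(prefix)


def expected_trials(prefix: str) -> int:
    """Average number of random keys needed before one hashes to a name that
    starts with `prefix`: 32 choices per character, so 32**len(prefix)."""
    return 32 ** len(prefix)


def candidate_keys(seed: int, limit: int):
    """Constructed stand-in for a key generator (NOT real RSA keys): yields
    random 140-byte blobs, roughly the size of a DER-encoded RSA-1024 key."""
    rng = random.Random(seed)
    for _ in range(limit):
        yield bytes(rng.getrandbits(8) for _ in range(140))


def find_vanity_prefix(prefix: str, candidates):
    """Draw keys until one hashes to a name starting with `prefix`.
    Returns (address, key, trials). The remaining characters are whatever
    the hash happens to produce; nobody chose them, and they cannot be
    reproduced on demand."""
    prefix = prefix.lower()
    for trials, key in enumerate(candidates, start=1):
        addr = onion_address_v2(key)
        if addr.startswith(prefix):
            return addr, key, trials
    raise RuntimeError(f"no key with prefix {prefix!r} among the candidates tried")


# A constructed sample "key" so the module works offline; not a real key.
SAMPLE_KEY_DER = bytes(range(140))


if __name__ == "__main__":
    addr = onion_address_v2(SAMPLE_KEY_DER)
    print("sample address:", addr + ".onion")
    print("self-check passes:", address_matches_key(addr + ".onion", SAMPLE_KEY_DER))
    for p in ("facebook", "facebookcorewwwi"):
        print(f"prefix {p!r}: {bits_fixed(p)} bits fixed, ~{expected_trials(p):.3g} trials")
    found, _, n = find_vanity_prefix("to", candidate_keys(seed=1, limit=200_000))
    print(f"found {found}.onion after {n} constructed candidates (expected ~{expected_trials('to')})")
```

Running it prints that “facebook” fixes 40 bits at about 1.1e12 expected trials while the full 16 characters would need about 1.2e24, which is the gap the post is pointing at. The practical consequence for users is in `address_matches_key`: a name that merely starts with “facebook” is not the same name, so the whole 16 characters are what must be compared.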

For those who want to explore the math more, read about the “birthday attack”. And for those who want to learn more (please help!) about the improvements we’d like to make for hidden services, including stronger keys and stronger names, see “Hidden services need some love” and Tor proposal 224.

PART FOUR: WHAT DO WE THINK ABOUT AN HTTPS CERT FOR A .ONION ADDRESS?

Facebook didn’t just set up a hidden service. They also got an https certificate for their hidden service, and it’s signed by Digicert so your browser will accept it. This choice has produced some feisty discussions in the CA/Browser community, which decides what kinds of names can get official certificates. That discussion is still ongoing, but here are my early thoughts on it.

In favor: we, the Internet security community, have taught people that https is necessary and http is scary. So it makes sense that users want to see the string “https” in front of them.

Against: Tor’s .onion handshake basically gives you all of that for free, so by encouraging people to pay Digicert we’re reinforcing the CA business model when maybe we should be continuing to demonstrate an alternative.

In favor: Actually https does give you a little bit more, in the case where the service (Facebook’s webserver farm) isn’t in the same location as the Tor program. Remember that there’s no requirement for the webserver and the Tor process to be on the same machine, and in a complicated set-up like Facebook’s they probably shouldn’t be. One could argue that this last mile is inside their corporate network, so who cares if it’s unencrypted, but I think the simple phrase “ssl added and removed here” will kill that argument.

Against: if one site gets a cert, it will further reinforce to users that it’s “needed”, and then the users will start asking other sites why they don’t have one. I worry about starting a trend where you need to pay Digicert money to have a hidden service or your users think it’s sketchy — especially since hidden services that value their anonymity could have a hard time getting a certificate.

One alternative would be to teach Tor Browser that https .onion addresses don’t deserve a scary pop-up warning. A more thorough approach in that direction is to have a way for a hidden service to generate its own signed https cert using its onion private key, and teach Tor Browser how to verify them — basically a decentralized CA for .onion addresses, since they are self-authenticating anyway. Then you don’t have to go through the nonsense of pretending to see if they could read email at the domain, and generally furthering the current CA model.

We could also imagine a pet name model where the user can tell her Tor Browser that this .onion address “is” Facebook. Or the more direct approach would be to ship a bookmark list of “known” hidden services in Tor Browser — like being our own CA, using the old-fashioned /etc/hosts model. That approach would raise the political question though of which sites we should endorse in this way.

So I haven’t made up my mind yet about which direction I think this discussion should go. I’m sympathetic to “we’ve taught the users to check for https, so let’s not confuse them”, but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service. Let us know if you have other compelling arguments for or against.

PART FIVE: WHAT REMAINS TO BE DONE?

In terms of both design and security, hidden services still need some love. We have plans for improved designs (see Tor proposal 224) but we don’t have enough funding and developers to make it happen. We’ve been talking to some Facebook engineers this week about hidden service reliability and scalability, and we’re excited that Facebook is thinking of putting development effort into helping improve hidden services.

And finally, speaking of teaching people about the security features of .onion sites, I wonder if “hidden services” is no longer the best phrase here. Originally we called them “location-hidden services”, which was quickly shortened in practice to just “hidden services”. But protecting the location of the service is just one of the security features you get. Maybe we should hold a contest to come up with a new name for these protected services? Even something like “onion services” might be better if it forces people to learn what it is.

From the Tor blog
