Weekly Tor and Security News – October 21, 2014

Posted by: Kiell

October 21, 2014

Tor News

Earlier this week, the Anonabox raised over $500,000 after launching a campaign on Kickstarter. The anonabox, created by August Germar, is a device designed to route all of a network’s traffic through the Tor network. It runs alongside an existing modem or router, and claims to be fully Open Source. However, after controversy surrounding the project generated quite a bit of attention, Kickstarter suspended the campaign. Users voiced concerns about the originality of the project, who claimed that similar hardware was already available in China. Some claimed that they were actually using hardware identical to the products already available. Others seemed sceptical of the necessity of the hardware, since Tor is already free and easy to use. At the time of this article, Kickstarter funding for the project was still suspended.

Phillip Winter published an article on the Tor blog titled, “A closer look at the Great Firewall of China”. In the post, he outlines findings from a project where he and a group of others tried to analyze censorship mechanisms used against Tor users in China – a country that is notorious for its advanced attempts to block access to the Tor network. The group studied connections between Tor relays and computers located inside the China Education and Research Network (CERNET). They found that many computers within the network are able to connect to at least a few Tor relays. They also discovered that blacklisting of Tor relays is mostly done at the Internet Exchange Point (IXP) level. Although Tor relays can easily be blocked because they are listed publicly, Tor bridges are much more difficult to blacklist. The report outlines how China is able to block these Tor bridges dynamically. If a firewall detects possible Tor traffic, it will run a scan on the server believed to be acting as a bridge. Next, other computers will attempt to “speak Tor” to the suspected bridge. If the node accepts Tor traffic, the server is marked as a Tor bridge and blacklisted.

Tails 1.2 has been released, and the new software contains numerous updates. Rather than using Iceweasel with TorButton as the default web browser, Tails now uses the Tor Browser Bundle. There is also a separate browser dedicated to I2P, a move designed to isolate I2P traffic from Tor traffic. An update to the newest version of Firefox fixes a vulnerability related to POODLE. Truecrypt, which was recently discontinued by its developers, is still included in Tails 1.2. However, the developers have stated that it will definitely be removed in Tails 1.2.1.

Tor Browser 4.0 has also been released. One update, primarily effecting users dealing with censorship, is the upgrade of the “meek” pluggable transport. It is now believed that users in China will be able to use the transport without manually obtaining bridge addresses. The developers have also stated that they intend to deprecate all 32-bit releases of the Tor Browser Bundle for OSX, so Mac users using 32-bit OSX 10.6 will need to update their operating system to use the software.

Future releases of the Tor Browser will include a “Security Slider”, possibly a button on the Tor first launch page, designed to make it simple for users to change Javascript security settings. This should make it easier for users to enable and disable all scripts on a page, rather than having to separately enable/disable many sub-scripts. This Security Slider will also set NoScript to block all scripts globally by default, rather than allowing all scripts globally by default.

There was a security advisory sent out over the tor-talk and tor-relay mailing lists for all relay operators using OpenSSL. The OpenSSL vulnerability could allow remote attackers to perform a DOS attack on effected relays. The vulnerability affects relays running OpenSSL versions 1.0.1j, 1.0.0o, or 0.9.8zc with the ‘no-ssl3’ option. Newer versions of Tor contain a workaround, so relay operators that are using these versions should manually update Tor.

Security News

The POODLE vulnerability, which stands for ‘Padding Oracle on Downgraded Legacy Encryption’ was revealed on October 14, 2014. The vulnerability was discovered by Thai Duong, Krzysztof Kotowicz, and Bodo Möller, from Google’s Security team. This vulnerability effects all implementations of SSL version 3.0 (SSLv3). This version of SSL, which has largely been replaced by TLS 1.0+, is still supported by most web browsers. In a practice called the “downgrade dance”, web browsers attempt to support the largely obsolete protocol in order to sustain a smooth user experience. This attack depends on SSLv3 using cipher block chaining (CBC). If an attacker performs a Man-in-the-Middle attack and exploits this vulnerability, they can decrypt a single byte of the session cookie at a time. If the attacker were to run this attack for long enough, it would allow them to decrypt the entire session cookie of a secure connection. You can view a full description of the exploit here.

President Obama signed an executive order on Friday, October 17, designed to speed up the adoption of EMV standards in the US. EMV – which stands for Europay, Mastercard, and Visa, the companies behind development of the standard – utilizes an embedded chip rather than a magnetic strip to store data on a credit card. The US has largely been criticized for its slow adoption of EMV standards, which have been available and widely used for years. President Obama also stated that all government credit and debit cards would begin to utilize chip-and-pin technology. The use of chip-and-pin cards requires point-of-sale terminals that are able to read the embedded chip; most point-of-sale terminals in the US are designed to read the classic magnetic strip. It has been decided between lawmakers and the major credit card companies that they will collectively transition to the EMV standard by October, 2015.

In an event dubbed “the Snappening”, hundreds of thousands of Snapchat photos were leaked following a security breach of a third-party service called Snapsaved. Snapsaved allowed users to save Snapchat images and videos to external servers. Responding to allegations of child pornography being included in the leaks, Snapsaved stated that they had always tried to remove child pornography from their servers, claiming that they had even reported some users to Swedish and Norwegian authorities. The service claimed that the hack was the result of a misconfigured Apache server, and that only 500MB of data had been compromised. However, leaked copies of the data are said to contain 13GB of photographs and videos.

Updated: 2014-10-21