Research & News in Tor, Privacy, & Security – Nov 24th, 2014

Posted by: Kiell

November 24, 2014

Tor Browser 4.5-alpha-1 has been released, which marks the first release of the 4.5 Tor Browser series. It includes a “security slider”, which is designed to allow a user to easily edit security preferences. The security slider has four security settings: low (default), medium-low, medium-high, and high. The new “status reporting UI” allows a user to quickly see the Tor circuit that their current connection is utilizing, something that has been missing since the removal of the Vidalia package. A user can simply click the Torbutton icon to pull up this interface.

The newest version of Tor2web, version 3.1.30, now supports access to hidden services over TLS. However, it does not allow access to TLS-enabled hidden services that have a clearnet equivalent.

The Electronic Frontier Foundation has announced the Let’s Encrypt campaign, a certificate authority (CA) initiative designed to simplify the widespread use of TLS. The intiative is combined effort between the EFF, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan. They aim to address certain “roadblocks” that are often present during the transition to HTTPS: cost, complexity, and beurocracy. The Let’s Encrypt CA will automatically issue and manage free certificates to any website that needs one. In EFF’s tests, it took a web developer on average 1-3 hours to configure TLS. They aim to reduce configuration time to around 20-30 seconds. You can download the developer preview of the agent software here, or you can view a demo here.

The USA Freedom Act, designed to put tougher restrictions on data collection and surveillance in the US, did not pass in the Senate. The bill required 60 votes to pass, and fell short by only two votes.

Earlier this week, a BuzzFeed article revealed that an Uber executive suggested using its “God mode” functionality to snoop on journalists who are critical of the service. Days after the article was published, rival company Lyft announced that they were going to begin implementing additional restrictions on employee access to user data. In a statement to Ars Technica, a spokesperson said that the company was going to limit access of customer ride location data to a specific set of employees in order to protect customer privacy.

The Citadel Trojan, an older Trojan that is both widely used and difficult to detect, is reportedly being used to target password managers. The malware starts keylogging whenever it detects that certain processes are running. The following processes are targeted: Personal.exe, which is part of “neXus Personal Security Client”, a service that enables users to conduct financial transactions and other services. PWsafe.exe, which is part of “Password Safe”, a basic password manager that allows a user to create a database of encrypted usernames and passwords. KeePass.exe, which is part of “KeePass”, another basic password manager. The malware targets the “master password” which can be used to unlock the encrypted database, potentially compromising many user accounts.

Fifteen people across seven European countries have been arrested in connection with “peeping tom” remote access Trojans (RATs). The RATs in question are often used to covertly spy on and blackmail female victims. The arrests are the result of a sting operation by the National Crime Agency. In May 2014, over 100 people were arrested as part of a similar worldwide sting operation. The suspects were apprehended in Estonia, France, Romania, Latvia, Italy, the United Kingdom, and Norway.

Zimperium, a company specializing in mobile security, has discovered full-duplex ICMP redirect attacks in the wild. The attack, named “DoubleDirect” is a type of man-in-the-middle (MITM) attack, and it is used as an alternative to ARP poisoning and half-duplex MITM’s. While ICMP Redirect attacks are currently used in widely-available tools such as ettercap, they are only used in the context of a half-duplex MITM—meaning only the victim is poisoned using an ICMP Redirect, while the router is poisoned using classic ARP poisoning. Routers that are immune to ARP spoofing are able to prevent such an attack. With DoubleDirect, ICMP Redirect packets are used to modify a host’s routing tables. An attacker can use this technique to alter a host’s routing tables, redirecting targeted traffic to his device.

The security firm Symantec has discovered a Trojan that they believe was developed by a wealthy nation-state to spy on high-profile targets. They are calling the malware “Backdoor Regin”, and have found similarities between it and other state-sponsored malware, such as Flame and Stuxnet. Targets reportedly included private companies, government entities, and research institutions. The malware is designed to be highly resistant to detection, and is separated into five “stages”. Each of the stages is encrypted except for the first stage. Execution of the first stage causes decryption and execution of the second stage, and so on. The malware contains a variety of instructions, including general keylogging functionality and instructions to take screenshots, to monitor network traffic, and to attempt to recover deleted files. Other modules are designed for more specific purposes, such as the monitoring Microsoft IIS web server traffic and the administration of mobile telephone base station controllers. Symantec researchers have not yet located the command and control system, and they believe that undiscovered functionality may exist. Symantec researchers will continue to analyze the malware, and will be posting any updates here.

Updated: 2014-11-24