Internal Bug Discovery – Security Now 693

Australia vs Encryption, Google+ Bugs Hasten its Demise
— Australia’s recently passed anti-encryption legislation
— Details of a couple more mega-breaches including a bit of Marriott follow-up
— A welcome call for legislation from Microsoft
— A new twist on online advertising click fraud
— The DHS is interested in deanonymizing cryptocurrencies beyond Bitcoin
— The changing landscape of TOR funding
— An entirely foreseeable disaster with a new Internet IoT-oriented protocol
— Google finds bugs in Google+ and acts responsibly — again — what that suggests for everyone else
We invite you to read our show notes.

Hosts: Steve Gibson, Leo Laporte

Silk Road Reloaded forgoes Tor for lesser-known I2P network

The original Silk Road, multiple successors and several other copycat online drug markets have all been taken offline in recent years. The one thing they’ve all had in common – aside from selling illegal goods and services – is that they’ve all lived on the Tor network.

Operators of the latest iteration of Silk Road, aptly known as Silk Road Reloaded, are taking a different approach: the site runs on a little-known alternative called I2P.

Another key difference between the original Silk Road and this newcomer is the fact that the new site accepts more than just Bitcoins as a form of payment. Silk Road Reloaded deals in eight different cryptocurrencies including Litecoin, Darkcoin, Anoncoin and meme-inspired Dogecoin.

Transactions processed in currencies not named Bitcoin will be converted to Bitcoin at checkout through the site’s built-in wallet.

It’s a significant change both for the site’s customers as well as its administrators. Shoppers can enjoy the added convenience of not having to convert their altcoins before purchase. The site, meanwhile, takes a small one percent service charge in addition to a slice of the profits from sellers, resulting in yet another income stream.

While Tor and I2P are both anonymizing proxy networks, there are some differences between the two. As the creators of I2P explain, Tor takes a directory-based approach that provides a centralized point to manage the overall “view” of the network, as opposed to I2P’s distributed network database and peer selection. Under I2P’s approach, essentially all peers participate in routing for others.

Being less-known is likely also an advantage, especially considering that some believe the Tor network has already been compromised. After seeing so many marketplaces go down over the past few years, that’s an entirely plausible conclusion.

via Silk Road Reloaded forgoes Tor for lesser-known I2P network – TechSpot.

Rogue Tor ‘exit node’ server added malware to legitimate downloads

The Tor Project has flagged a server in Russia after a security researcher found it slipped in malware when users were downloading files.

Tor is short for The Onion Router, which is software that offers users a greater degree of privacy when browsing the Internet by routing traffic through a network of worldwide servers. The system is widely used by people who want to conceal their real IP address and mask their web browsing.

The suspicious server was an “exit node” for Tor, which is the last server in the winding chain used to direct web browsing traffic to its destination.

Roger Dingledine, Tor Project’s project leader and director, wrote that the Russian server has been labeled a bad exit node, which should mean Tor clients will avoid using it.

The Russian server was found by Josh Pitts, who does penetration testing and security assessments with Leviathan Security Group. He wrote that he wanted to find out how common it was for attackers to modify the binaries of legitimate code in order to deliver malware.

Binaries from large software companies have digital signatures that can be verified to make sure the code hasn’t been modified. But Pitts wrote that most code isn’t signed and, further, that most downloads don’t employ TLS (Transport Layer Security). TLS is the successor to SSL (Secure Sockets Layer), which encrypts connections between a client and a server.

He suspected attackers were “patching” binaries during man-in-the-middle attacks and took a look at more than 1,110 Tor exit nodes.

Pitts found only one Tor exit node that was patching binaries. The node would modify only uncompressed portable executables (PE files, the Windows executable format), he wrote.

“This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries,” he wrote.

The broad lesson for users is that they should be wary of downloading code that is not protected by SSL/TLS, even if the binary itself is digitally signed, Pitts wrote.

“All people, but especially those in countries hostile to ‘Internet freedom,’ as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear—and all users should have a way of checking hashes and signatures out of band prior to executing the binary,” he wrote.

via Rogue Tor ‘exit node’ server added malware to legitimate downloads | PCWorld.
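Pitts’s closing advice above, checking hashes out of band before executing a download, as an added example (not code from PCWorld or from Leviathan Security). It assumes the publisher posts a SHA256SUMS-style manifest (one `<hex digest>  <filename>` line per file) on a separate, trusted channel; the sample “binary”, its patched copy and the manifest are all constructed inline.

```python
"""Verify a downloaded binary against a checksum manifest obtained out of band."""
import hashlib
import hmac
import re

# Matches sha256sum output: 64 hex chars, whitespace, optional '*' binary marker, filename.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines into {filename: lowercase hex digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(name: str, data: bytes, expected: dict[str, str]) -> bool:
    """True only if the file is listed in the manifest and its digest matches.
    hmac.compare_digest avoids leaking how many leading bytes matched."""
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_hex(data), expected[name])


# Constructed sample: a stand-in for an uncompressed PE file (starts with the 'MZ' magic).
ORIGINAL = b"MZ" + bytes(range(256))
# A tampered copy: one byte changed, the kind of in-flight patch the rogue exit node made.
_patched = bytearray(ORIGINAL)
_patched[100] ^= 0x01
TAMPERED = bytes(_patched)
# The manifest the publisher would host out of band, built here from the genuine bytes.
MANIFEST = f"{sha256_hex(ORIGINAL)}  tool.exe\n"

if __name__ == "__main__":
    exp = parse_manifest(MANIFEST)
    print("genuine verifies:", verify_download("tool.exe", ORIGINAL, exp))   # True
    print("patched verifies:", verify_download("tool.exe", TAMPERED, exp))   # False
```

A real manifest should itself come over HTTPS or carry a signature; a manifest fetched over the same cleartext path as the binary can be rewritten by the same node.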

Tor-based anonymizing router gets pulled from Kickstarter for rules violations

Anonabox, a piece of home networking equipment designed to allow you to connect to the Internet anonymously, had raised nearly $600,000 in pledges on Kickstarter—blowing its $7500 goal out of the water. But on Friday, Kickstarter suspended the project, according to Ars Technica.

Wired reports that Kickstarter put a stop to the project because it felt that August Germar, the creator of the Anonabox, misled contributors when he stated that he built all the hardware himself—a violation of Kickstarter’s rules.

According to Wired, Kickstarter users pointed out that Chinese manufacturers produced similar hardware, and Germar later confirmed to the publication that he had used off-the-shelf components to build the Anonabox, but had made some adjustments to the hardware.

The story behind the story: Privacy advocates generally love Tor, and it’s a boon to those who are concerned about government tracking operations. Governments generally don’t seem to be as keen on it, as criminals sometimes use it to carry out illicit activities. In July, the Russian government actually offered a cash reward to anyone who uncovered Tor users.

Low-cost anonymity

The device would’ve cost $51, as our Jared Newman pointed out. You would plug it into your router, and it would send all your Internet traffic through the Tor network, which anonymizes you and effectively erases your online “footprints” that you would otherwise leave behind. Other network accessories achieve similar results, but some of them require a fair amount of technical know-how in order to assemble and use.

If Anonabox’s Kickstarter success is any indication, though, there’s plenty of widespread interest in online anonymity, and it’s probably safe to assume that we’ll see plenty of similar devices in the future.

via Tor-based anonymizing router gets pulled from Kickstarter for rules violations | PCWorld.