UNM4SK3D: Tor, Facebook, and MantisTek
#vulnerability
The 'TorMoil' vulnerability has been wreaking havoc for Mac and Linux users of the anonymity browser by leaking their real IP addresses. That is, until a patch was released 11/03 for browser version 7.0.8.

Want the good news first? Windows users running Tor Browser 7.0.8 were not affected, and the patch is in an upgrade to Tor Browser 7.0.9, so users are advised to update as soon as possible. And now for the vulnerability details. The vulnerability was discovered by Italian security researcher and CEO of We Are Segment, Filippo Cavallarin, who initially disclosed the bug on October 26, 2017. It appears the vulnerability resides in Firefox, and since Tor uses Firefox at its core to allow users to remain anonymous, that is where the issue began. Specifically, "TorMoil is triggered when users click on links that begin with file:// addresses, instead of the more common https:// and https:// addresses."

The day after the initial disclosure, The Tor Project issued a temporary workaround to prevent real IP leakage, but this workaround could temporarily affect how users navigate file:// URLs in the browser. In a statement, the Tor Project stated, "In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136." There does not appear to be evidence that this vulnerability was exploited by hackers; however, the Tor Project has stated they remain committed to user privacy. They are planning to release Tor 0.3.2.1-alpha, which includes support for the next generation onion services, including better encryption and authentication.
Due to a Firefox bug in handling ‘file://’ URLs, it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser.
-The Tor Project

Is Tor really secure? Get the information you need to stay safe and anonymous, here.
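Because TorMoil is triggered through links that begin with file://, anyone who serves or relays untrusted HTML can check it for such links before it reaches a browser. The following is an added example, not code from this article or from the Tor Project; the attribute list, the function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL-bearing attributes to audit (illustrative subset, an assumption).
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}


def is_file_url(value):
    """Return True when an attribute value uses the file: scheme."""
    # Browsers drop tabs/newlines and surrounding whitespace before parsing.
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    try:
        return urlsplit(cleaned).scheme.lower() == "file"
    except ValueError:
        # Malformed URL (e.g. bad bracketed host); not a file: link.
        return False


class FileLinkAuditor(HTMLParser):
    """Collects (line, tag, attribute, value) for every file: URL found."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        for name, value in attrs:
            if name in URL_ATTRS and value and is_file_url(value):
                self.findings.append((line, tag, name, value))


def audit_html(html):
    auditor = FileLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample input, not taken from any real page.
SAMPLE_HTML = """<html><body>
<a href="https://example.org/">ordinary link</a>
<a href="file:///tmp/notes.txt">local file link</a>
<img src="  FILE:///tmp/pic.png">
<a href="/files/report.pdf">relative path, not a file: URL</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in audit_html(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}={value!r}> uses the file: scheme")
```

A filter built on this can drop or rewrite the flagged attributes; updating to Tor Browser 7.0.9 remains the actual fix.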
#privacy
Facebook is making more than just friend requests these days. The social network recently announced that it is asking users to upload their personal nude photographs to the site in order to protect against misuse. Yes. You read that correctly. While Facebook has yet to disclose the full details, it appears they are planning to use hashes of nude images, whereby an uploaded nude photo will return a digital fingerprint in the form of a string of letters and numbers. Once this process is complete, you can’t turn the hash back into the photo, but the same photo, or identical copies of it, will always create the same hash. So, the idea is that you can send the photos via Messenger, "enabling Facebook to take action to prevent any re-uploads, without the photo being stored or viewed by employees." According to Facebook, they will not be storing the nude pictures but will use photo-matching technology to tag the images after they’re sent via their encrypted Messenger service.

This pilot program is being launched in Australia, Canada, the US, and the UK. Under the program, users can preemptively notify safety organizations working with Facebook about specific photos. As expected, there have been a variety of reactions from the public, many of which concern privacy and the security of the Messenger feature within Facebook. What if someone was able to hack Messenger? What if someone was able to upload non-harmful photos that do not belong to them and prevent others from posting them? That could be especially pertinent if the photo relates to any sensitive social issues. At this point, Facebook has not provided enough detail about the program for users to make a well-informed decision about using the feature. Initial gut instinct would say proceed with caution!
If somebody tried to upload that same image, which would have the same digital footprint or hash value, it will be prevented from being uploaded.
-Julie Inman Grant, Australia’s e-safety commissioner

Concerned about the safety of Facebook Messenger? Read 'Malware Using Facebook Messenger to Serve up Multi-Platform Threats.'
#keylogger
Users of the popular 104-key GK2 Mechanical Gaming Keyboard are accusing the Chinese manufacturer MantisTek of shipping a product that contains spyware which sends keystroke data back to the company’s servers. Too bad they can't just hit delete on the accusations. The users who initially discovered the spyware began posting about it on retailer Banggood’s website and on Reddit, pointing to network traffic analysis logs which indicated "the keyboard was sending data that appeared to be keylogger data without a user’s explicit permission." As a refresher, a keylogger is "a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information." Further analysis from Tom's Hardware indicated the device used a 'cloud driver' that was sending keyboard data to a MantisTek server located on Alibaba Group’s cloud infrastructure.

After an even closer look, Tom's team realized "MantisTek keyboard does not include a full-fledged keylogger. Instead, it captures how many times a key has been pressed and sending this data back to online servers." The dialogue around the situation shifted as some users theorized that the company just wants to better understand the durability and failure rates of its keyboards. Others maintained that capturing and uploading keystroke counts without consent violates trust and puts systems' security at risk. MantisTek has yet to release a statement on the matter. In the meantime, those concerned about their privacy while using the keyboard can disable the keyboard's cloud driver, blocking network access.
So apparently the software of the MantisTek GK2 is sending all our keypresses to an Alibaba.com server! This is sick, imagine the level of information they have about passwords and logins.
-Reddit user

How can keyloggers be used to hack social networks? Read the Heimdal blog for insight.
#factbyte
Instamotor surveyed 1,500 Americans and found almost 9 in 10 (87%) say online data privacy is “very important” to them, but less than half of respondents change their passwords regularly (41%) and more than half (62%) display personal information on their social media profiles (birthday, phone number, employers, etc.).

Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.