Changes between Version 48 and Version 49 of TorWeeklyNews/2013/5


Ignore:
Timestamp:
Aug 7, 2013, 12:19:53 PM (6 years ago)
Author:
lunar
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TorWeeklyNews/2013/5

    v48 v49  
    33'''Editor:''' Lunar
    44
    5 '''Status:''' ''Frozen! — '''only language edits allowed''''', publication due on 2013-08-07 12:00 UTC. New items should go on [wiki:TorWeeklyNews/2013/6 next week newsletter].
    6 
    7 '''Subject:''' Tor Weekly News — August, 7th 2013
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                         August 7th, 2013
    12 ========================================================================
    13 
    14 Welcome to the 6th issue of Tor Weekly News, the weekly newsletter that
    15 covers what is happening in the resilient Tor community.
    16 
    17 Large hidden services provider compromised, attacks older TBB versions
    18 ----------------------------------------------------------------------
    19 
    20 Andrew Lewman wrote [1]: “Around midnight on August 4th we were
    21 notified by a few people that a large number of hidden service addresses
    22 have disappeared from the Tor network.”
    23 
    24 It turned out that Freedom Hosting, a company specializing in hosting
    25 websites accessible through Tor hidden services, was compromised. As
    26 Andrew puts it, “From what is known so far, the breach was used to
    27 configure the server in a way that it injects some sort of JavaScript
    28 exploit in the web pages delivered to users. This exploit is used to
    29 load a malware payload to infect user’s computers.” Andrew also
    30 reiterated that “the person, or persons, who run Freedom Hosting are in
    31 no way affiliated or connected to The Tor Project, Inc., the
    32 organization coordinating the development of the Tor software and
    33 research”.
    34 
    35 The Tor Browser is currently based on Mozilla Firefox 17 ESR. With the
    36 help of Mozilla [2] and other researchers [3] it was understood that
    37 the exploit used a vulnerability in Firefox JavaScript engine to attack
    38 Windows users of the Tor Browser Bundle. This vulnerability was fixed
    39 in Firefox 17.0.7 ESR [4] and subsequently in versions 2.3.25-10
    40 (released June 26 2013) [5], 2.4.15-alpha-1 (released June 26 2013)
    41 [5] 3.0alpha2 (released June 30 2013) [6] and 2.4.15-beta-1
    42 (released July 8 2013) [7].
    43 
    44 Users running updated versions, and those who have disabled JavaScript,
    45 are not affected by the exploit.
    46 
    47 Roger Dingledine issued a security advisory [8] with advice to mitigate
    48 future issues: “be sure you’re running a recent enough Tor Browser
    49 Bundle”, “be sure to keep up-to-date in the future”, “consider disabling
    50 JavaScript”, “consider switching to a “live system” approach like
    51 Tails”, “be aware that many other vectors remain for vulnerabilities in
    52 Firefox”. It is strongly advised to read the advisory in full.
    53 
    54 The versions of Firefox used in Pluggable Transport bundles are still
    55 vulnerable. Replacements have been built, with credit to David Field,
    56 but they are yet to be released [9].
    57 
    58 The press is running many stories covering these events, several
    59 containing false information. A better example is Kevin Poulsen’s
    60 article published in Wired on August, 5th [10] It did however assert
    61 “the malware only targets Firefox 17 ESR, the version of Firefox that
    62 forms the basis of the Tor Browser Bundle”, in-fact most recent Tor
    63 Browser Bundle releases, with the exception of Pluggable Transports
    64 bundles, contained the patched version of Firefox ESR.
    65 
    66    [1] https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
    67    [2] https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
    68    [3] http://tsyrklevich.net/tbb_payload.txt
    69    [4] https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
    70    [5] https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages
    71    [6] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
    72    [7] https://blog.torproject.org/blog/tor-02415-rc-packages-available
    73    [8] https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
    74    [9] https://trac.torproject.org/projects/tor/ticket/9391
    75   [10] http://www.wired.com/threatlevel/2013/08/freedom-hosting/
    76 
    77 Monthly status reports for July 2013
    78 ------------------------------------
    79 
    80 The wave of regular monthly reports from Tor project members for the
    81 month of July has begun. Philipp Winter was first this time [10],
    82 followed by reports from Arlo Breault [11], Nick Mathewson [12], Noel
    83 David Torress Taño [13], Colin C. [14], Sherief Alaa [15], Karsten
    84 Loesing [16], Damian Johnson [17], Mike Perry [18], George
    85 Kadianakis [19], and Andrew Lewman [20].
    86 
    87   [10] https://lists.torproject.org/pipermail/tor-reports/2013-August/000294.html
    88   [11] https://lists.torproject.org/pipermail/tor-reports/2013-August/000295.html
    89   [12] https://lists.torproject.org/pipermail/tor-reports/2013-August/000296.html
    90   [13] https://lists.torproject.org/pipermail/tor-reports/2013-August/000299.html
    91   [14] https://lists.torproject.org/pipermail/tor-reports/2013-August/000297.html
    92   [15] https://lists.torproject.org/pipermail/tor-reports/2013-August/000298.html
    93   [16] https://lists.torproject.org/pipermail/tor-reports/2013-August/000300.html
    94   [17] https://lists.torproject.org/pipermail/tor-reports/2013-August/000301.html
    95   [18] https://lists.torproject.org/pipermail/tor-reports/2013-August/000302.html
    96   [19] https://lists.torproject.org/pipermail/tor-reports/2013-August/000303.html
    97   [20] https://lists.torproject.org/pipermail/tor-reports/2013-August/000304.html
    98 
    99 Miscellaneous news
    100 ------------------
    101 
    102 Tails developers issued a call for testing of the first release
    103 candidate of the upcoming 0.20 [21]. Send them your reports!
    104 
    105 Security researcher Jason Geffner presented a new tool to route all
    106 TCP/IP and DNS traffic through the Tor network on Windows called
    107 “Tortilla” [22] during Black Hat USA 2013 and subsequently on the
    108 tor-talk mailing list [23]. Binary and source code are
    109 available [24] and are awaiting reviews by the community.
    110 
    111 Wendell announced the first release of Tor.framework [25], a “Cocoa
    112 framework that allows developers to write apps for Mac OS X and iOS that
    113 work over the Tor onion routing network”. No comments have been made
    114 yet. Feel free to look at the source code [26], review and
    115 experiment.
    116 
    117 Jerzy Łogiewa asked on tor-talk [27] if Tor hidden services could be
    118 made to work near the speed of the standard web.  Arian Sanusi replied
    119 that speed of light was actually the limiting factor for latency issues:
    120 “if relays were homogeneous distributed among the globe, two random
    121 relays will be 1/4 earth circumference apart on average. […] That’s
    122 400ms from finite speed of light. Switches, routers and relays along the
    123 way will add to that.”
    124 
    125 Thanks to Michael Marz and Neo for running new mirrors of the Tor
    126 website [28,29].
    127 
    128   [21] https://tails.boum.org/news/test_0.20-rc1/
    129   [22] https://www.blackhat.com/us-13/briefings.html#Geffner2
    130   [23] https://lists.torproject.org/pipermail/tor-talk/2013-August/029254.html
    131   [24] http://www.crowdstrike.com/community-tools/
    132   [25] https://lists.torproject.org/pipermail/tor-talk/2013-July/029150.html
    133   [26] https://github.com/grabhive/Tor.framework
    134   [27] https://lists.torproject.org/pipermail/tor-talk/2013-August/029203.html
    135   [28] https://lists.torproject.org/pipermail/tor-commits/2013-August/060173.html
    136   [29] https://lists.torproject.org/pipermail/tor-commits/2013-August/060250.html
    137 
    138 Upcoming events
    139 ---------------
    140 
    141 Aug 13    | Roger at the 3rd USENIX Workshop on Free and Open
    142           | Communications on the Internet
    143           | Washington, DC, USA
    144           | https://www.usenix.org/conference/foci13/
    145           |
    146 Aug 14    | Roger at 22nd USENIX Security Symposium
    147           | Washington, DC, USA
    148           | https://www.usenix.org/conference/usenixsecurity13
    149 
    150 
    151 
    152 This issue of Tor Weekly News has been assembled by dope457, malaparte,
    153 Lunar, harmony, and Yawning.
    154 
    155 Want to continue reading TWN? Please help us create this newsletter.
    156 We still need more volunteers to watch the Tor community and report
    157 important news. Please see the project page [30], write down your
    158 name and subscribe to the team mailing-list [31] if you want to
    159 get involved!
    160 
    161   [30] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    162   [31] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    163 }}}
     5'''Status:''' '''[https://lists.torproject.org/pipermail/tor-news/2013-August/000006.html Sent]'''