Research & News in Tor, Privacy, & Security – Dec 15th, 2014


Posted by: Kiell

December 15, 2014

Tor Browser 4.0.2 has been released. The new release fixes compiler bugs in Windows, ensures that cache entries are isolated by domain, and prevents user locale settings from being leaked by the JavaScript engine.

Tor Browser 4.5-alpha-2 is now out. This version includes improvements to Torbutton’s circuit visualization feature, and replaces the custom fix for the POODLE vulnerability with Mozilla’s fix.

Tails 1.2.1 has been released. The package contains routine updates to the Tor Browser (4.0.2) and Linux (3.16.7-1). TrueCrypt has finally been disabled, and GnuPG is now configured in line with accepted best practices.

George Kadianakis has updated his proposal to collect statistics about hidden services from Tor relays. The proposal suggests that collecting these statistics could help us understand hidden service usage across the network, such as how often these services are used and how much load they put on the network. He suggests collecting these statistics by adding some fields to a relay’s extra-info descriptor, and keeping track of a relay’s hidden service directory or rendezvous point activities. These extra-info descriptors would then be submitted to directory authorities every 24 hours.

This updated proposal was released through the tor-dev mailing list. You can view the original email here.

David Fifield released a report outlining the costs incurred during November by infrastructure for the meek pluggable transport. The results showed a strong increase in the number of users, with the number of simultaneous users increasing from 247 to 750. A summary of all costs is as follows:

            App Engine +  Amazon + Azure = total by month
February 2014    $0.09 +      — +    — =   $0.09
March 2014       $0.00 +      — +    — =   $0.00
April 2014       $0.73 +      — +    — =   $0.73
May 2014         $0.69 +      — +    — =   $0.69
June 2014        $0.65 +      — +    — =   $0.65
July 2014        $0.56 +   $0.00 +    — =   $0.56
August 2014      $1.56 +   $3.10 +    — =   $4.66
September 2014   $4.02 +   $4.59 + $0.00 =   $8.61
October 2014    $40.85 + $130.29 + $0.00 = $171.14
November 2014  $224.65 + $362.60 + $0.00 = $587.25

total by CDN   $273.80 + $500.58 + $0.00 = $774.38 grand total

This report was released through the tor-dev mailing list. You can view the original email here.

Eleven United States senators, ten Democratic and one independent, have called for a review of policies governing use of IMSI-catchers, or “Stingray” devices. In a letter sent to Attorney General Eric Holder and Secretary of Homeland Security Jeh Johnson, the senators aim to clear up any ambiguity about use of the devices. The letter requests information regarding use of the devices, policies governing use of the devices, retention and use of any collected information, and cooperation between state and federal agencies.

The payment service CHARGE Anywhere announced that it has uncovered an attack against its network. The company discovered the malware on September 22, 2014, and has been taking time to perform a full investigation. The malware targets information that is sent during a payment card authorization request, which may include a cardholder’s name, account number, expiration date, and card verification code. The company reports that, “the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.” Any cards used at relevant merchants between November 5, 2009 and September 24, 2014 may have been affected.

Researchers from Blue Coat Labs have discovered sophisticated malware that they believe was developed by a powerful adversary, possibly a well-resourced nation-state. The malware was first used against targets in Russia and other Eastern European countries, and later targeted “individuals in strategic positions: executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials.” The malware, which has been dubbed “Inception”, is delivered via emails containing infected attachments.

In all attacks observed by Blue Coat, malware components have been embedded in Rich Text Format (RTF) files. The malware exploits two known RTF vulnerabilities, CVE-2014-1761 and CVE-2012-0158. Command and control is done through a Swedish cloud hosting platform, and the attackers have also created a proxy network composed of home routers, mostly located in South Korea. Once a machine is infected, the malware collects information about the device, including OS version, computer name, user name, user group membership, the process it is running in, locale IDs, and system drive and volume information. The attackers also target mobile platforms, including Android, BlackBerry, and iOS. This malware records incoming and outgoing calls, saving them to an mp4 file. This information is then encrypted and sent to cloud storage via the WebDAV protocol.

Updated: 2014-12-15