Showing results for tags 'backdoors'.

Found 5 results

  1. Microsoft CEO believes backdoors aren't the answer

     Satya Nadella chooses privacy and public safety over backdoors

     As Apple is once again in the midst of another fight over encryption following a recent shooting at Pensacola naval base, Microsoft CEO Satya Nadella weighed in with his thoughts on the encryption question.

     During a recent meeting with reporters, Nadella reiterated Microsoft's opposition to encryption backdoors while also expressing support for future legal and technical solutions, saying:

     “I do think backdoors are a terrible idea, that is not the way to go about this. We’ve always said we care about these two things: privacy and public safety. We need some legal and technical solution in our democracy to have both of those be priorities.”

     However, Microsoft's CEO also expressed support for key escrow systems, which researchers have previously proposed versions of.

     Encryption debate

     The encryption systems Apple uses on its iPhones first became a point of controversy following the 2016 San Bernardino shooting. At that time, the company was urged by law enforcement agencies to help them unlock the shooter's iPhone as it may have contained valuable information.

     While Apple ultimately ended up not unlocking the iPhone involved in the 2016 attack, a recent shooting at a naval base in Pensacola has reopened the encryption debate. A Saudi national undergoing flight training with the US Navy killed three people and injured eight in the attack. However, two iPhones linked to the attacker are still protected via Apple's device encryption and remain inaccessible to investigators.

     Nadella may be against backdoors, but Microsoft's CEO did not say that companies should never provide data under such circumstances. He did make the case for possible legislative solutions when it comes to encryption though, saying:

     “We can’t take hard positions on all sides... [but if they’re] asking me for a backdoor, I’ll say no. My hope is that in our democracy these are the things that arrive at legislative solutions.”

     Source: Microsoft CEO believes backdoors aren't the answer (TechRadar)
  2. Attackers Hide Backdoors and Cryptominers in WAV Audio Files

     Attackers behind a new malicious campaign are using WAV audio files to hide and drop backdoors and Monero cryptominers on their targets' systems, as BlackBerry Cylance threat researchers discovered.

     While various other malware peddlers were previously observed injecting payloads in JPEG or PNG image files [1, 2, 3] with the help of steganography, a well-known technique used to evade anti-malware detection, this is only the second time threat actors were seen abusing audio files for their malicious purposes.

     More precisely, in June, Symantec researchers spotted the Russian-backed Turla threat group (aka Waterbug or Venomous Bear) delivering the publicly available Metasploit Meterpreter backdoor embedded within a WAV track onto their victims' compromised computers.

     Cryptominers hidden in plain sight

     Recently, Cylance found that the same steganography method was employed to infect targeted devices with XMRig Monero cryptominers or Metasploit code designed to establish a reverse shell.

     "Each WAV file was coupled with a loader component for decoding and executing malicious content secretly woven throughout the file’s audio data," says the report. "When played, some of the WAV files produced music that had no discernible quality issues or glitches. Others simply generated static (white noise)."

     The Metasploit and XMRig payloads were discovered on the same machines, hinting at a campaign designed to allow its operators to use their victims' devices for cryptojacking purposes, while also establishing a command and control reverse connection.

     Cylance also found that the WAV file loaders used three different methods to decode and execute the malicious code:

     • Loaders that employ Least Significant Bit (LSB) steganography to decode and execute a PE file.
     • Loaders that employ a rand()-based decoding algorithm to decode and execute a PE file.
     • Loaders that employ a rand()-based decoding algorithm to decode and execute shellcode.

     Any of the three techniques could theoretically allow the attackers to conceal payloads within any file type, the researchers explain, "provided the attacker does not corrupt the structure and processing of the container format." Furthermore, "adopting this strategy introduces an additional layer of obfuscation because the underlying code is only revealed in memory, making detection more challenging."

     Similar, yet different

     While Turla used WAV audio files and this steganography loader before to drop Metasploit backdoors in their attacks, attributing the attacks Cylance spotted to the same threat group is challenging given that any other threat actor could use similar malicious tools and TTPs.

     "Also, our analysis focuses primarily on loaders, which are an initial stage of execution used to launch additional code," Cylance says. "Different threat actors may use the same publicly available loader to execute unrelated second-stage malware."

     "The similarities between these methods and known threat actor TTPs may indicate an association or willingness to emulate adversary activity, perhaps to avoid direct attribution," concludes Cylance.

     In-depth technical details on the WAV file loaders and indicators of compromise (IOCs), including malware sample hashes and C2 infrastructure indicators, are available at the end of BlackBerry Cylance's report.

     Source: Attackers Hide Backdoors and Cryptominers in WAV Audio Files
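The first loader family above hides a PE in the least significant bit of each audio sample. The following is an added example written for this page, not code from the Cylance report or from any of the loaders it describes: it builds a minimal 16-bit PCM WAV in memory, hides a byte string one bit per sample, and then walks the RIFF chunks to carve it back out the way an analyst's triage script would. The carrier tone, the fake "MZ"-prefixed payload, and the hidden-stream layout (a 4-byte big-endian length prefix followed by the payload) are all constructed assumptions for the demo; the real loaders' bit order and framing are not given on this page.

```python
import math
import struct


def build_wav(samples, rate=8000):
    """Pack signed 16-bit mono PCM samples into a RIFF/WAVE container."""
    data = struct.pack("<%dh" % len(samples), *samples)
    fmt = struct.pack("<HHIIHH", 1, 1, rate, rate * 2, 2, 16)  # PCM, mono, 16-bit
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(data)) + data)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def wav_chunks(blob):
    """Walk the RIFF body and return {fourcc: payload}; rejects non-WAVE input."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    chunks, pos = {}, 12
    while pos + 8 <= len(blob):
        fourcc = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        chunks[fourcc] = blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunk bodies are word-aligned
    return chunks


def pcm16_samples(chunks):
    """Decode the data chunk as 16-bit PCM; other formats are out of scope here."""
    tag, _, rate, _, _, bits = struct.unpack("<HHIIHH", chunks[b"fmt "][:16])
    if tag != 1 or bits != 16:
        raise ValueError("only 16-bit PCM is handled")
    data = chunks[b"data"]
    return list(struct.unpack("<%dh" % (len(data) // 2), data)), rate


def lsb_embed(blob, payload):
    """Hide len(payload) (4 bytes, big-endian) then payload, one bit per sample LSB.
    Constructed layout for the demo, not the loaders' actual framing."""
    samples, rate = pcm16_samples(wav_chunks(blob))
    stream = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in stream for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload too large for this carrier")
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit  # each sample moves by at most 1 LSB
    return build_wav(samples, rate)


def lsb_extract(blob):
    """Recover the hidden bytes: the analyst-side carve, mirroring lsb_embed."""
    samples, _ = pcm16_samples(wav_chunks(blob))

    def take(nbytes, first_sample):
        out = bytearray()
        for b in range(nbytes):
            v = 0
            for i in range(8):
                v = (v << 1) | (samples[first_sample + b * 8 + i] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack(">I", take(4, 0))[0]
    if 32 + length * 8 > len(samples):
        raise ValueError("length prefix exceeds carrier; not this layout")
    return take(length, 32)


def looks_like_pe(payload):
    """The report's loaders hand a decoded PE to an in-memory executor; an 'MZ'
    prefix is the cheapest triage signal that a carved blob is one."""
    return payload[:2] == b"MZ"


def max_sample_delta(a, b):
    """Largest per-sample change between two WAVs (at most 1 for LSB stego)."""
    sa, _ = pcm16_samples(wav_chunks(a))
    sb, _ = pcm16_samples(wav_chunks(b))
    return max(abs(x - y) for x, y in zip(sa, sb))


# Constructed carrier (one second of a 440 Hz tone) and a constructed fake payload.
CARRIER = build_wav([int(12000 * math.sin(2 * math.pi * 440 * n / 8000)) for n in range(8000)])
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62  # not a real PE, just an MZ-prefixed blob
STEGO = lsb_embed(CARRIER, FAKE_PAYLOAD)

if __name__ == "__main__":
    carved = lsb_extract(STEGO)
    print("recovered %d bytes, PE-like: %s, max sample delta: %d"
          % (len(carved), looks_like_pe(carved), max_sample_delta(CARRIER, STEGO)))
```

The `max_sample_delta` check is the point of the technique from a detection standpoint: the stego file is byte-for-byte the same size as the carrier and every sample differs by at most one LSB, so file-size and playback-quality checks say nothing. Carving candidates out of the data chunk and looking for an executable header is the kind of check that does.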
  3. Chinese hacking group backdoors products from three Asian gaming companies

     ESET suspects that tens or hundreds of thousands of users have been infected already.

     Image: Screengrab of Infestation homepage

     A notorious Chinese cyber-espionage outfit known as the Winnti Group has breached the networks of two game makers and a gaming platform in Asia to include a backdoor trojan within their products.

     Two of the compromised products no longer include the Chinese hackers' backdoor, according to a report published earlier today by Slovak cyber-security firm ESET. However, the third, a game named Infestation --produced by Thai developer Electronics Extreme-- is still pushing updates and available for download in its backdoored version despite ESET's efforts to notify the game developer through various channels since February.

     While ESET didn't wish to name the other two impacted products, an infected file hash included in the ESET report's IOC (Indicators Of Compromise) section points the finger at the Garena gaming platform as the second impacted product. The name of the third impacted product (a game) is still unknown.

     "We have worked with one of the affected developers, and we respected their wish to stay anonymous and handle the situation on their end," Léveillé told ZDNet in an email. "To be fair, we decided to simply avoid mentioning the names of publishers that already remediated the issue."

     As for the backdoor itself, Léveillé said that the Winnti Group modified the executable of the three products in a similar fashion. The malicious code is included in the games' main executable, and it is decrypted at runtime and launched into execution in the PC's memory, while the original game/gaming platform runs as intended.

     "This may suggest that the malefactor changed a build configuration rather than the source code itself," Léveillé said.

     The researcher also told ZDNet that the Winnti Group appears to have used the normal game updates as a means to push the backdoored versions to users, a reason why the infection wasn't spotted right away and contained, reaching a large number of users.

     "On the bright side, the C&C [command and control] servers were taken offline later and this limited the attack," Léveillé told ZDNet.

     This means that with the backdoor still being active in Electronics Extreme's Infestation game, new users are getting infected to this day, but the backdoor won't be able to contact its C&C servers to download additional malware on infected hosts.

     "Given the popularity of the compromised application that is still being distributed by its developer, it wouldn't be surprising if the number of victims is in the tens or hundreds of thousands," ESET researcher Marc-Etienne M. Léveillé said today.

     Based on ESET's telemetry data, most of the victims are from Asian countries, which isn't surprising since the games are popular in the region.

     One particular oddity was that the backdoor wouldn't run on computers where the local language settings were either Chinese or Russian (some computers were infected in Russia because they used non-Russian language settings).

     The backdoor's role was to download a second-stage trojan, which ESET said was a bulky DLL file. Researchers weren't able to analyze and see what this second malware strain does, as the C&C server that controlled this second-stage payload wouldn't return additional files to trigger the malware's execution.

     Because the original backdoor only supports four commands and its C&C servers are down, users are somewhat safe from this second malware strain, for the time being. However, because Infestation game devs have failed to clean up their servers, the Winnti Group could deploy a new malicious game update with a new backdoor that communicates with a different C&C server and re-activate all previously infected users.

     Infestation gamers are advised to reinstall their systems as soon as possible.

     ESET isn't sure why the Winnti Group is targeting gamers and what the endgame for this campaign is, but the group has used compromised games in the past to distribute cyber-espionage malware. For example, it did so before in 2011.

     The Winnti Group is a cyber-espionage outfit that is known to carry out such types of hacks --known as supply-chain attacks. A ProtectWise 401TRG 2018 report lists several past incidents, along with the group's predisposition last year for gathering code-signing certificates from hacked software companies in preparation for future supply-chain attacks.

     Source
  4. A bipartisan group of House lawmakers have introduced legislation that would block the federal government from requiring technology companies to design devices with so-called back doors to allow law enforcement to access them.

     The bill represents the latest effort by lawmakers in Congress to wade into the battle between federal law enforcement officials and tech companies over encryption, which reached a boiling point in 2015 as the FBI tussled with Apple over a locked iPhone linked to the San Bernardino terror attack case.

     Top FBI and Justice Department officials have repeatedly complained that they have been unable to access devices for ongoing criminal investigations because of encryption. FBI Director Christopher Wray has suggested that devices could be designed to allow investigators to access them, though he insists the bureau is not looking for a “back door.”

     The bipartisan bill introduced Thursday would prohibit federal agencies from requiring or requesting that firms “design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product” by the government.

     Rep. Zoe Lofgren (D-Calif.) introduced the legislation along with Reps. Ted Lieu (D-Calif.), Jerrold Nadler (D-N.Y.), Matt Gaetz (R-Fla.), Thomas Massie (R-Ky.) and Ted Poe (R-Texas).

     The bill would also block courts from issuing an order to compel companies to design products with “back doors” to allow for surveillance or law enforcement searches.

     The legislation makes an exception for mandates, requests or court orders that are authorized under the Communications Assistance for Law Enforcement Act, a 1994 law requiring telephone companies to make changes to their network design in order to make it easier for the government to wiretap phone calls.

     The bill’s introduction comes following an FBI inspector general report that found the bureau did not exhaust all avenues when trying to unlock the San Bernardino suspect’s iPhone before pursuing a court order to force Apple to break into the device. Critics have argued that the report shows the FBI was more interested in establishing a legal precedent to get companies to bypass encryption than in actually unlocking the phone.

     Lofgren and other sponsors of the bill were among a group of lawmakers who wrote to Wray in April describing the report as “troubling” and suggesting that the FBI could find solutions to unlocking encrypted devices on the market instead of designing devices in order to allow law enforcement to probe them.

     Some, like Sen. Ron Wyden (D-Ore.), argue that altering the design of digital devices to allow for such access would weaken security.

     Lofgren’s bill is identical to legislation she introduced back in 2015. The bill, along with its companion in the Senate sponsored by Wyden, never went to the floor for a vote.

     Attorney General Jeff Sessions said this week that Congress may ultimately need to “take action” to solve the encryption problem. He and other officials have said the FBI was unable to break into thousands of devices last year despite having warrants to probe them.

     Sens. Dianne Feinstein (D-Calif.) and Chuck Grassley (R-Iowa), meanwhile, are said to be in the early stages of pursuing their own legislation in the Senate, though the details of what a prospective bill would look like are unclear.

     Source; Secure Data Act of 2018 (PDF)
  5. Tor is still DHE 1024 (NSA crackable)

     After more revelations, and expert analysis, we still aren't precisely sure what crypto the NSA can break. But everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys. Assuming no "breakthroughs", the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips.

     The problem with Tor is that it still uses these 1024 bit keys for much of its crypto, particularly because most people are still using older versions of the software. The older 2.3 versions of Tor use keys the NSA can crack, but few have upgraded to the newer 2.4 version with better keys. You can see this for yourself by going to a live listing of Tor servers, like http://torstatus.blutmagie.de/. Only 10% of the servers have upgraded to version 2.4.

     Recently, I ran a "hostile" exit node and recorded the encryption negotiated by incoming connections (the external link encryption, not the internal circuits). This tells me whether they are using the newer or older software. Only about 24% of incoming connections were using the newer software. Here's a list of the counts:

     14134 -- 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
     5566 -- 0xc013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     2314 -- 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
     905 -- 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
     1 -- 0xc012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

     The older software negotiates "DHE", which are 1024 bit Diffie-Hellman keys. The newer software chooses ECDHE, which are Elliptical-Curve keys. I show the raw data because I'm confused by the last entry, I'm not sure how the software might negotiate ECDHE+3DES, it seems like a lulz-worthy combination (not that it's insecure -- just odd). Those selecting DHE+3DES are also really old I think. I don't know enough about Tor, but I suspect anything using DHE+3DES is likely more than 5 years old.

     (By the way, I used my Ferret tool to generate this, typing "ferret suites -r ".)

     The reason software is out of date is because it takes a long time for repositories to be updated. If you type "apt-get install tor" on a Debian/Ubuntu computer, you get the 2.3 version. And this is what pops up as the suggestion of what you should do when you go to the Tor website. Sure, it warns you that the software might be out-of-date, but it doesn't do a good job pointing out that it's almost a year out of date, and the crypto the older version is using is believed to be crackable by the NSA.

     Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, that the NSA is best at cracking.

     Therefore, I'd suggest that the Tor community do a better job getting people to upgrade to 2.4. Old servers with crackable crypto, combined with the likelihood the NSA runs hostile Tor nodes, means that it's of much greater importance.

     by Robert Graham from Errata Security

     The feds pay for 60 percent of Tor’s development. Can users trust it?

     This week, we learned that the NSA had managed to circumvent much of the encryption that secures online financial transactions and other activities we take for granted on the Internet. How? By inserting backdoors into the very commercial software designed to keep sensitive medical records, bank files and other information private.

     The NSA’s sustained attempt to get around encryption calls into question many of the technologies people have come to rely on to avoid surveillance. One indispensable tool is Tor, the anonymizing service that takes a user’s Internet traffic and spits it out from some other place on the Web so that its origin is obscured.

     So far there’s no hard evidence that the government has compromised the anonymity of Tor traffic. But some on a Tor-related e-mail list recently pointed out that a substantial chunk of the Tor Project’s 2012 operating budget came from the Department of Defense, which houses the NSA.

     Last year, DoD funding accounted for more than 40 percent of the Tor Project’s $2 million budget. Other major donors include the U.S. State Department, which has an interest in promoting Internet freedom globally, and the National Science Foundation. Add up all those sources, and the government covers 60 percent of the costs of Tor’s development.

     Tor Executive Director Andrew Lewman wrote in an e-mail to users that just because the project accepts federal funding does not mean it collaborated with the NSA to unmask people’s online identities.

     “The parts of the U.S. and Swedish governments that fund us through contracts want to see strong privacy and anonymity exist on the Internet in the future,” Lewman wrote. “Don’t assume that ‘the government’ is one coherent entity with one mindset.”

     And Roger Dingledine, a founder of the Tor Project, says that the Defense Department money is much more like a research grant than a procurement contract. “They aren’t ‘buying products’ from us,” Dingledine tells me. “They’re funding general research and development on better anonymity, better performance and scalability and better blocking-resistance. Everything we do we publish in the open.”

     Dingledine acknowledges that “bad guys” could conceivably introduce vulnerabilities into Tor’s open-source code. But one of the major advantages of open-source software is that the product can be inspected by anyone for defects, which raises its security somewhat. There’d only be a problem if the NSA were somehow able to insert malicious code that nobody recognized.

     The NSA didn’t immediately respond to a request for comment Friday afternoon.

     Update: Roger Dingledine writes in to explain why the government has never asked the Tor Project to install a backdoor:

     I think this is mainly due to two reasons:

     A) We’ve had that faq entry up for a long time, including the part where we say we’ll fight it and that we have lots of lawyers who will help us fight it. So they know it won’t be easy.

     B) I do a lot of outreach to various law enforcement groups to try to teach them how Tor works and why they need it to be safe. See e.g. the first two paragraphs of this:

     I think ‘A’ used to be a sufficient reason by itself, but now we’re reading about more and more companies and services that have tried to fight such a request and given up. The architecture of the Tor network makes it more complex (there’s no easy place in the deployed network to stick a backdoor), but that doesn’t mean they won’t try. I guess we rely on ‘B’ for now, and see how things go.

     Source

     Large botnet cause of recent Tor network overload

     Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailinglist. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war. At the time of writing, the amount of Tor clients actually appears to have more than quintupled already. The graph shows no signs of a decline in growth, as seen below:

     An alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist of mostly new users to Tor that apparently are not doing much given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users.

     A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators. Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel.

     The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase. Thus one important thing to note is that this was an already existing botnet of massive scale, even prior to the conversion to using Tor and .onion as command and control channel.

     As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is

     The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).

     Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have however no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian spoken region, and is likely motivated by direct or indirect financial related crime.

     This specific version of the malware, which includes the Tor functionality, will install itself in:

     %SYSTEM%\config\systemprofile\Local Settings\Application Data\Windows Internet Name System\wins.exe

     Additionally, it will install a Tor component in:

     %PROGRAMFILES%\Tor\Tor.exe

     This location is regularly updated with new versions.

     Related md5 hashes:

     2eee286587f76a09f34f345fd4e00113 (August 2013)
     c11c83a7d9e7fa0efaf90cebd49fbd0b (September 2013)

     Related md5 hashes from non-Tor version:

     4841b5508e43d1797f31b6cdb83956a3 (December 2012)
     4773a00879134a9365e127e2989f4844 (January 2013)
     9fcddc45ae35d5cdc06e8666d249d250 (February 2013)
     b939f6ef3bd292996f97aa5786757870 (March 2013)
     47c8b85a4c82ed71487deab68de196ba (March 2013)
     3e6eb9f8d81161db44b4c4b17763c46a (April 2013)
     a0343241bf53576d18e9c1329e6a5e7e (April 2013)

     Source

     New Tor packages

     There's a new Tor to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know.

     https://www.torproject.org/projects/torbrowser.html.en#downloads

     Tor Browser Bundle (2.4.17-beta-1)
     Update Tor to
     Update NoScript to
     Update HTTPS Everywhere to 4.0development.11

     Source
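Graham's cipher-suite tally above comes from recording what each incoming TLS connection negotiated. The following is an added example written for this page, not Graham's Ferret tool and not Tor Project code: it pulls the negotiated suite out of each connection's ServerHello, sorts it into DHE versus ECDHE, and for DHE suites reads the size of the group prime out of the ServerKeyExchange, which is the only place the "1024-bit" in his post can actually be observed (the suite name says nothing about the size of p). The handshake records it runs on are constructed by hand for the demo, the signature field in them is a placeholder that is not verified, and the 2048-bit "weak" threshold is this example's choice, not a figure from the post.

```python
import struct
from collections import Counter

# The five suites that appear in the post, keyed by their IANA code points.
SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
HANDSHAKE, SERVER_HELLO, SERVER_KEY_EXCHANGE = 22, 2, 12
WEAK_DH_BITS = 2048  # this example's threshold, not from the post


def handshake_messages(stream):
    """Split a server-to-client byte stream of TLS records into (type, body) pairs.
    Assumes each handshake message is contained in one record; a production
    parser must also reassemble messages that span record boundaries."""
    pos, out = 0, []
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        rec = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(rec):
            htype = rec[hpos]
            hlen = int.from_bytes(rec[hpos + 1:hpos + 4], "big")
            out.append((htype, rec[hpos + 4:hpos + 4 + hlen]))
            hpos += 4 + hlen
    return out


def server_hello_suite(body):
    """ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) ..."""
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def dhe_prime_bits(body):
    """ServerKeyExchange for DHE_RSA: dh_p<2..> dh_g<2..> dh_Ys<2..> signature.
    The bit length of p is the group size the post is worried about."""
    p_len = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + p_len], "big").bit_length()


def kex_family(suite):
    name = SUITES.get(suite, "unknown_%04x" % suite)
    if "_ECDHE_" in name:
        return "ECDHE"
    if "_DHE_" in name:
        return "DHE"
    return "other"


def classify_connection(stream):
    """Return (suite_name, kex_family, dh_bits) for one server flight;
    dh_bits is None unless a DHE suite's ServerKeyExchange was seen."""
    suite, dh_bits = None, None
    for htype, body in handshake_messages(stream):
        if htype == SERVER_HELLO:
            suite = server_hello_suite(body)
        elif htype == SERVER_KEY_EXCHANGE and suite is not None and kex_family(suite) == "DHE":
            dh_bits = dhe_prime_bits(body)
    if suite is None:
        return ("none", "none", None)
    return (SUITES.get(suite, "unknown_%04x" % suite), kex_family(suite), dh_bits)


def is_weak_dh(dh_bits):
    return dh_bits is not None and dh_bits < WEAK_DH_BITS


def tally(connections):
    """Count connections by (kex_family, dh_bits), the shape of the post's table."""
    counts = Counter()
    for stream in connections:
        _, family, bits = classify_connection(stream)
        counts[(family, bits)] += 1
    return counts


# --- constructed records for the demo (not captures) ---------------------------
def _record(htype, body):
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg


def _server_hello(suite):
    return _record(SERVER_HELLO, struct.pack("!H", 0x0301) + b"\x11" * 32
                   + b"\x00" + struct.pack("!H", suite) + b"\x00")


def _dhe_server_key_exchange(p_bytes):
    p, g, ys, sig = b"\xff" * p_bytes, b"\x02", b"\x7f" * p_bytes, b"\x00" * 4  # sig: placeholder
    return _record(SERVER_KEY_EXCHANGE, struct.pack("!H", len(p)) + p
                   + struct.pack("!H", len(g)) + g + struct.pack("!H", len(ys)) + ys + sig)


OLD_CLIENT = _server_hello(0x0039) + _dhe_server_key_exchange(128)  # DHE, 1024-bit p
NEW_CLIENT = _server_hello(0xC013)                                  # ECDHE, no p to measure
ODD_CLIENT = _server_hello(0x0016) + _dhe_server_key_exchange(128)  # DHE + 3DES
SAMPLE = [OLD_CLIENT, OLD_CLIENT, NEW_CLIENT, ODD_CLIENT]

if __name__ == "__main__":
    for (family, bits), n in sorted(tally(SAMPLE).items(), key=lambda kv: -kv[1]):
        print("%5d -- %s %s%s" % (n, family, bits or "", "  (weak)" if is_weak_dh(bits) else ""))
```

Two things the parser makes visible that a suite name alone hides: the DH group size lives in ServerKeyExchange, not in the ServerHello, and an ECDHE connection carries no `p` at all, so the curve's strength has to be read from the named-curve field instead. Note also that the server picks the suite from what the client offers, so a tally taken at a relay reflects both the client's offer list and the relay's own preference order.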
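The botnet write-up above ends with two install paths and a list of MD5 hashes, which is the raw material for a host sweep. The following is an added example written for this page, not code from the original analysis: it walks the roots it is given, flags any file whose path ends in one of the reported locations, and flags any file whose MD5 is in the IOC set. The directory it runs against below is a constructed temp tree, and the demo extends the hash set with the digest of one constructed file so that the hash path is exercised; the nine digests themselves are the ones listed in the post.

```python
import hashlib
import os
import tempfile

# MD5s as listed in the write-up (Tor and non-Tor versions).
KNOWN_MD5 = {
    "2eee286587f76a09f34f345fd4e00113", "c11c83a7d9e7fa0efaf90cebd49fbd0b",
    "4841b5508e43d1797f31b6cdb83956a3", "4773a00879134a9365e127e2989f4844",
    "9fcddc45ae35d5cdc06e8666d249d250", "b939f6ef3bd292996f97aa5786757870",
    "47c8b85a4c82ed71487deab68de196ba", "3e6eb9f8d81161db44b4c4b17763c46a",
    "a0343241bf53576d18e9c1329e6a5e7e",
}
# Install locations from the write-up, with the %VAR% prefix dropped and
# normalised to forward slashes and lower case for suffix matching.
SUSPICIOUS_SUFFIXES = (
    "config/systemprofile/local settings/application data/windows internet name system/wins.exe",
    "tor/tor.exe",
)


def md5_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(roots, hashes=KNOWN_MD5, suffixes=SUSPICIOUS_SUFFIXES):
    """Return a sorted list of (path, reasons) for every regular file that matches
    either a reported install path or a reported hash. Symlinks are skipped so a
    planted link cannot make the sweep hash files outside the roots."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                norm = path.replace("\\", "/").lower()
                reasons = ["path:" + s for s in suffixes if norm.endswith(s)]
                digest = md5_file(path)
                if digest in hashes:
                    reasons.append("md5:" + digest)
                if reasons:
                    findings.append((path, reasons))
    return sorted(findings)


def build_demo_tree():
    """Constructed layout for the demo: the reported wins.exe path, a Tor.exe under
    a Program Files lookalike, and an unrelated file that must not be flagged."""
    root = tempfile.mkdtemp(prefix="mevade_demo_")

    def put(rel, content):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        return full

    wins = put("Windows/config/systemprofile/Local Settings/Application Data/"
               "Windows Internet Name System/wins.exe", b"MZ constructed, not malware")
    tor = put("Program Files/Tor/Tor.exe", b"MZ constructed tor stub")
    put("Users/demo/notes.txt", b"nothing to see here")
    return root, wins, tor


if __name__ == "__main__":
    root, wins, tor = build_demo_tree()
    # Add the constructed Tor.exe's digest so the demo shows a hash hit as well.
    for path, reasons in scan([root], hashes=KNOWN_MD5 | {md5_file(tor)}):
        print(path, reasons)
```

A path-only hit is a lead, not a verdict: `%PROGRAMFILES%\Tor\Tor.exe` is also where a hand-installed Tor would live, and the write-up says the dropped copy is updated regularly, so its hash will drift. A hash hit on one of the listed digests is the stronger signal; a `wins.exe` under `systemprofile\Local Settings` is suspicious on its own because nothing legitimate installs there.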