Slashdot Mirror


Researcher Finds Tor Exit Node Adding Malware To Downloads

Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack.

What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code. In terms of defending against the sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.


  1. I'm accessing this article through TOR by i+kan+reed · · Score: 5, Funny

    And I'm glad the article says everything is just fine and there are no problems. What a relief.

  2. Checksums by Anonymous Coward · · Score: 2, Insightful

    Or check the checksum

    1. Re:Checksums by thieh · · Score: 3, Interesting

      What assurances do you have that they are not patching the checksum as well?

    2. Re:Checksums by gweihir · · Score: 2

      None. What you need is a digital signature instead.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Checksums by bug1 · · Score: 3, Insightful

      What you need is a digital signature instead.

      And make sure it's signed by a large well known company that works at the government level. Then you are really safe!!!

    4. Re:Checksums by bug1 · · Score: 2

      So the extra exclamation points didn't help to explain it then?

    5. Re:Checksums by smallfries · · Score: 2

      Stagger is also a verb, as in to cause staggering. Specifically to cause doubt in one's own view and to leave one reeling in disbelief. Literally: that person's sheer stupidity (as demonstrated through their inability to detect sarcasm) is of such magnitude that I am starting to doubt the world around me, as previously my world view did not include people of such low intellect. The cognitive dissonance between that world view and this one has left me spinning and powerless to resist.

      Hope this helps. Additional language lessons are available for the low low price of $1.99.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    6. Re:Checksums by Bob_Who · · Score: 2

      The inability of some people to detect sarcasm is also staggering.

      In fairness, I think the sarcasm was encrypted.

    7. Re:Checksums by gweihir · · Score: 2

      Thanks, that is what I meant. I find that as I get older, my tolerance for clueless people gets lower.

      A side-note on this: That the CA never sees your private key is a myth. In practically all real-world situations, the CA generates your private key (stupid, yes, I know, but greed, a.k.a. "business", trumps reason in this world) with the one exception of a PGP web-of-trust. That is why PGP signatures are a lot more trustworthy when verifying binaries these days.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
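
The checksum-versus-signature exchange above (thieh's "what assures you they are not patching the checksum as well?" and gweihir's "what you need is a digital signature") can be shown end to end. The following is an added example, not code from the article, Leviathan or any commenter. It assumes Ed25519 for the signature, a constructed byte string standing in for the downloaded binary, and a client that already holds the publisher's public key from an out-of-band source (shipped with the distro or pinned in the updater), never fetched over the same channel as the download.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Download is what the client receives over the untrusted channel: the binary,
// a checksum file served next to it, and a detached signature over the binary.
type Download struct {
	Binary    []byte
	Checksum  string // hex SHA-256 of Binary
	Signature []byte // Ed25519 signature over Binary
}

// publish is the honest server: it computes the checksum and signs the binary
// with the publisher's private key, which never leaves the publisher.
func publish(priv ed25519.PrivateKey, binary []byte) Download {
	sum := sha256.Sum256(binary)
	return Download{
		Binary:    binary,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, binary),
	}
}

// patchInTransit models the misbehaving exit node: it appends bytes to the binary
// and, because the checksum rides the same unauthenticated channel, recomputes it.
// It has no way to produce a fresh signature without the publisher's private key.
func patchInTransit(d Download, extra []byte) Download {
	patched := append(append([]byte{}, d.Binary...), extra...)
	sum := sha256.Sum256(patched)
	return Download{
		Binary:    patched,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: d.Signature, // stale: still the signature over the original bytes
	}
}

// verifyChecksum is what "check the checksum" gives you: integrity against
// accidental corruption, not against an attacker who controls the channel.
func verifyChecksum(d Download) bool {
	sum := sha256.Sum256(d.Binary)
	return hex.EncodeToString(sum[:]) == d.Checksum
}

// verifySignature uses a public key the client already holds (assumed obtained
// out of band), never one fetched alongside the download.
func verifySignature(pub ed25519.PublicKey, d Download) bool {
	return ed25519.Verify(pub, d.Binary, d.Signature)
}

// Outcome records what each check says about one download.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

// CheckDownload runs the scenario with a fresh key pair and constructed sample
// bytes, returning the verdicts for the clean download and for the patched one.
func CheckDownload() (clean, tampered Outcome, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	binary := []byte("constructed sample executable bytes") // constructed, not a real binary
	d := publish(priv, binary)
	clean = Outcome{verifyChecksum(d), verifySignature(pub, d)}
	t := patchInTransit(d, []byte("constructed bytes appended in transit"))
	tampered = Outcome{verifyChecksum(t), verifySignature(pub, t)}
	return
}

func main() {
	clean, tampered, err := CheckDownload()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean:    checksum=%v signature=%v\n", clean.ChecksumOK, clean.SignatureOK)
	fmt.Printf("tampered: checksum=%v signature=%v\n", tampered.ChecksumOK, tampered.SignatureOK)
}
```

The patched download passes the checksum check because the attacker rewrote the checksum along with the binary; only the signature check fails, and it fails regardless of what the channel did, because the verifying key was not part of the channel.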
  3. So if TOR nodes can easily do it by phorm · · Score: 2, Informative

    Who's to say that your friendly ISP or government agency isn't doing the same? Or even better yet, how about for OS updates.

    Last time I checked even my linux *.list files were referencing HTTP hosts rather than HTTPS (not that HTTPS is really much better, when gov't agencies are concerned)

    Might make sense to use an SSL-enabled connection and a key that's provided with the distro.

  4. SSL/TLS may not help if you use Cloudflare by Animats · · Score: 4, Interesting

    Cloudflare offers a fake SSL service called "Flexible SSL". Cloudfront gets a cert generated with a long list of domains. Users connect to Cloudfront, Cloudflare sets up a secure connection from the user's browser to Cloudflare, acts as a man-in-the-middle, and makes an unencrypted connection to the destination host.

    And, of course, there's an exploit for this.

    Even if you buy Cloudflare's "most secure" option, and have SSL to your own server using your own certificate, you have to give Cloudflare your SSL cert's private keys. Does Cloudflare take responsibility for the security of your private keys? No.

    So do not use Cloudflare for sites which handle any valuable data, such as credit card numbers.

    1. Re:SSL/TLS may not help if you use Cloudflare by pavon · · Score: 2

      While that is good information in general, SSL would help in this particular attack, as it would still block the Tor exit node from seeing the data.

    2. Re:SSL/TLS may not help if you use Cloudflare by hawguy · · Score: 2

      There is no cloud service provider that is approved for handling credit card information at this time. That is not an accident.

      It's not clear which flavor of "cloud" you're referring to.

      If you mean IaaS, Amazon AWS is PCI certified:

      https://aws.amazon.com/complia...

      If you mean PaaS, Windows Azure is certified:

      http://azure.microsoft.com/blo...

      If you mean SaaS, Stripe is certified:

      https://stripe.com/help/securi...

      Of course, even if the service provider is certified, it's up to the customer to ensure that their own implementation is compliant - the service provider certification is just one checkmark in the requirements.

  5. Re:Defaults by lgw · · Score: 4, Informative

    Sorry, "HTTPS everywhere", not "-only" - it tries HTTPS first, which helps with a bunch of sites so you don't have to bookmark the https version specifically, but still falls back to HTTP when needed.

    Everyone should use that plugin in normal browsing IMO - it will drive traffic to HTTPS, and really there's no reason for non-HTTPS sites anymore. Slashdot, are you listening, you HTTP-only weenies?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  6. Bitcoin users also MITM by exit nodes recently by qubezz · · Score: 2

    There have been several reports of Bitcoin users that use online wallets and exchanges, even over https, getting MITM attacked when using Tor. They visit the wallet site, get bad certificates but continue anyway, and poof, their Bitcoins in the service are gone and their passwords are known by the attacker. With recent SSL vulnerabilities or clever redirection, the cert errors could be avoided also. For other sites, users can be piped through a "universal phisher" to steal any credentials.

    Clearly Tor users are under attack by exit nodes, many of them running automated tools against many web destinations.

    1. Re:Bitcoin users also MITM by exit nodes recently by NotInHere · · Score: 5, Insightful

      if you
      1) use an online wallet
      2) accept bad certs
      you certainly live a risky life.
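
NotInHere's second point, accepting bad certificates, is where the HTTPS protection Pitts recommends quietly disappears. The following is an added example, not code from the article or any commenter. It assumes a constructed loopback TLS server with a self-signed certificate as the stand-in for a wallet site presenting a certificate the client cannot validate, and treats Go's InsecureSkipVerify as the programmatic equivalent of clicking through a browser warning.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newWalletStub is a constructed stand-in for an online wallet: a loopback TLS
// server whose certificate is self-signed, i.e. the "bad cert" a browser warns about.
func newWalletStub() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "constructed wallet response")
	}))
}

// fetch performs one GET and reports only whether the handshake and request succeeded.
func fetch(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// Verdicts records which client posture was willing to talk to the server.
type Verdicts struct {
	Strict    bool // default verification against the system trust store
	Pinned    bool // trusts only the CA the client was given out of band
	AcceptAny bool // InsecureSkipVerify: what clicking through the warning amounts to
}

// ProbeCertPostures runs three differently configured clients against the stub.
func ProbeCertPostures() Verdicts {
	srv := newWalletStub()
	defer srv.Close()

	strict := &http.Client{}
	pinned := srv.Client() // httptest pre-builds a client that trusts the stub's certificate
	acceptAny := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}

	return Verdicts{
		Strict:    fetch(strict, srv.URL),
		Pinned:    fetch(pinned, srv.URL),
		AcceptAny: fetch(acceptAny, srv.URL),
	}
}

func main() {
	v := ProbeCertPostures()
	fmt.Printf("strict=%v pinned=%v acceptAny=%v\n", v.Strict, v.Pinned, v.AcceptAny)
}
```

The strict client fails closed, the pinned client connects because it was told what to trust in advance, and the accept-anything client connects to whatever is on the other end. An exit node in the middle of that last connection would see the session in the clear, which is the failure the comment describes.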

  7. I would hope your OS updates are signed by Sycraft-fu · · Score: 2

    Probably varies Linux distro to distro. In Windows, the MSU files are all signed by MS so the download path isn't of issue, since if it is compromised any alterations to the file would break the signature.

  8. This is not really big news. by MartinG · · Score: 2

    Tor provides anonymity. It does not provide authenticity or secrecy, and doesn't pretend to. If you want those things, you should use something else in addition to Tor. For example, TLS or SSH might suit your needs.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  9. Re:Defaults by aztracker1 · · Score: 2

    See SNI and StartSSL

    --
    Michael J. Ryan - tracker1.info