Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Finds Tor Exit Node Adding Malware To Downloads

Posted by Soulskill on from the at-least-it's-anonymous-malware dept.

Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services. Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the middle attack.

What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code. In terms of defending against the sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators. "SSL/TLSis the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.

6 of 126 comments (clear)

  1. I'm accessing this article through TOR by i+kan+reed · · Score: 5, Funny

    And I'm glad the article says everything is just fine and there are no problems. What a relief.

  2. SSL/TLS may not help if you use Cloudflare by Animats · · Score: 4, Interesting

    Cloudflare offers a fake SSL service called "Flexible SSL". Cloudfront gets a cert generated with a long list of domains. Users connect to Cloudfront, Cloudflare sets up a secure connection from the user's browser to Cloudflare, acts as a man-in-the-middle, and makes an unencrypted connection to the destination host.

    And, of course, there's an exploit for this.

    Even if you buy Cloudflare'ss "most secure" option, and have SSL to your own server using your own certificate, you have to give Clouldflare your SSL cert's private keys. Does Clouldflare take responsiblity for the security of your private keys? No.

    So do not use Cloudflare for sites which handle any valuable data, such as credit card numbers.

  3. Re:Checksums by thieh · · Score: 3, Interesting

    What assurances do you have that they are not patching the checksum as well?

  4. Re:Defaults by lgw · · Score: 4, Informative

    Sorry, "HTTPS everywhere", not "-only" - it tries HTTPS first, which helps with a bunch of sites so you don't have to bookmark the https version specifically, but still falls back to HTTP when needed.

    Everyone should use that plugin in normal browsing IMO - it will drive traffic to HTTPS, and really there's no reason for non-HTTPS sites anymore Slashdot are you listening, you HTTP-only weenies?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  5. Re:Checksums by bug1 · · Score: 3, Insightful

    What you need is a digital signature instead.

    And make sure its signed by a large well known company that works at the government level. Then you are really safe !!!

  6. Re:Bitcoin users also MITM by exit nodes recently by NotInHere · · Score: 5, Insightful

    if you
    1) use an online wallet
    2) accept bad certs
    you certainly live a risky life.