[tor-talk] TOR tried to take a snapshot of my screen
Paolo Palmieri
palmaway at gmx.it
Sat Aug 23 02:58:28 UTC 2014
MD5 is not collision resistant, and as such it shouldn't be used for verifying file integrity against tampering. A tampered file might be computed in order to have the same MD5 checksum as the original with relatively small effort. See for instance
http://eprint.iacr.org/2013/170.pdf
Attacks are particularly effective against .tar.gz, as they allow for arbitrary binary content to be added.
Use cryptographic signatures or, at the very least, a modern hash function like SHA-2/3.
Paolo
On 23 August 2014 08:33:56 GMT+09:00, Lee <ler762 at gmail.com> wrote:
>On 8/22/14, no.thing_to-hide at cryptopathie.eu
><no.thing_to-hide at cryptopathie.eu> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I just downloaded the old version 3.6.3, the download link on
>> http://www.neowin.net/news/tor-browser-bundle-363
>> still works and leads to the file
>>
>https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
>>
>> When I use jacksum on this file, the result is
>>
>> c8eb88324526d718b937b616c75d33a8 torbrowser-install-3.6.3_en-US.exe
>
>which does not match what I get
>
>> This is another MD5 checksum than from the mentioned installer
>package
>>
>> 9529C5A633CF0CF6201662CA12630A04
>
>which is what I get:
>C:\temp\2do>md5 torbrowser-install-3.6.3_en-US.exe
>9529C5A633CF0CF6201662CA12630A04 torbrowser-install-3.6.3_en-US.exe
>
>which matches what the OP got
>>> The install package
>>> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
>>> 9529C5A633CF0CF6201662CA12630A04
>
>> I was not able to download the PGP signature of the file to verify
>its
>> integrity.
>
>I did:
>/cygdrive/c/temp/2do
>$ gpg --verify torbrowser-install-3.6.3_en-US.exe.asc
>gpg: WARNING: using insecure memory!
>gpg: please see http://www.gnupg.org/documentation/faqs.html for more
>information
>gpg: Signature made Fri Jul 25 13:19:46 2014 EDT using RSA key ID
>63FEE659
>gpg: Good signature from "Erinn Clark <erinn at torproject.org>"
>gpg: aka "Erinn Clark <erinn at debian.org>"
>gpg: aka "Erinn Clark <erinn at double-helix.org>"
>gpg: WARNING: This key is not certified with a trusted signature!
>gpg: There is no indication that the signature belongs to the
>owner.
>Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE
>E659
>
>
>> One of us downloaded a wrong Tor installer package ...
>
>Looks like it was you..
>
>Regards,
>Lee
>
>>
>> Best regards
>>
>> Anton
>> - --
>> no.thing_to-hide at cryptopathie dot eu
>> 0x30C3CDF0, RSA 2048, 24 Mar 2014
>> 0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
>> Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
>>
>>
>>
>> On 22/08/14 23:38,
>BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY at bitmessage.ch
>> wrote:
>>> Hi,
>>>
>>> I have TOR 3.6.3 installed in a Windows XP computer that is used
>>> almost just for it with very few additional software installed. My
>>> understanding is that a potential attacker will test his
>>> exploit/approach against most of the security software available,
>>> but possibly will not be able to test against ALL of them, so I
>>> have a miscellany of popular and not so popular security software
>>> installed in the same computer; among them is a not so common anti
>>> spyware called Zemana.
>>>
>>> I am using TOR browser and Zemana for years and I am familiar with
>>> the behaviour of both. The TOR I am running has just the extensions
>>> that come with it; no additional extension was installed; no
>>> plug-in is installed.
>>>
>>> I have proper licenses to run all the software, including Zemana,
>>> so no crack or other suspicious tool was ever used. Zemana is a
>>> quiet software and I can not remember about any single fake alert.
>>>
>>>
>>> A few days ago, while browsing with TOR, I got a shocking alert from
>>> Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
>>>
>>>
>>> As Zemana allows me to, I blocked the screen capture and TOR
>>> crashed immediately. From this crash I understand that TOR really
>>> tried to capture my screen.
>>>
>>> I restarted TOR with a new identity, changed the identity many
>>> times but TOR repeated the same behaviour a number of times with
>>> the screen capture try-Zemana block-TOR crash. Changing the identity
>>> just does not work against such an attacker.
>>>
>>> The script functions were always blocked by NoScript 2.6.8.36.
>>>
>>> On the following days I used TOR again, without any change in my
>>> system or software, accessing the same web sites but the attack no
>>> longer took place.
>>>
>>>
>>> I verified the MD5 signature for the TOR browser (firefox.exe) and
>>> it is unchanged, i.e., it is as distributed by torproject.org
>>>
>>> The TOR 3.6.3 was downloaded from the TOR project web site, and not
>>> from other servers. The install package
>>> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
>>> 9529C5A633CF0CF6201662CA12630A04. I have the installer in my files
>>> for any forensic work.
>>>
>>> I am sending some screens with the Zemana log, where it is possible to
>>> see the TOR MD5 signature (firefox.exe;
>>> FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour
>>> ("screenlogger"), the TOR version, TOR button and the Zemana
>>> version screens, and the extensions and plug-ins existing in my
>>> TOR install (just to confirm that nothing strange is there). They
>>> are available to download here:
>>> http://www.datafilehost.com/d/dfb201d8 or
>>> https://www.sendspace.com/file/6ygdl3
>>>
>>>
>>>
>>> It seems that TOR has hidden server capabilities, a back door that
>>> allows a remote operator to take snapshots of the screen and possibly
>>> perform other actions (record mic, turn on the webcam, ...).
>>>
>>>
>>> I think TOR can protect the users from many enemies, but at the
>>> same time it is a perfect tool to attract, identify and log very
>>> specific (users) targets. This may also explain the, until now,
>>> unclear role and objectives of the US government in funding the TOR
>>> Project.
>>>
>>> It seems it will hardly be possible to identify such an attacker as it
>>> probably comes from the TOR network itself, but I am considering a
>>> trap/honey pot just in case this repeats.
>>>
>>>
>>> I am an enthusiast of privacy tools and TOR is not used for any kind
>>> of unlawful purpose; it is unlikely that I will attract attention
>>> from public authorities and I am not worried about any data such an
>>> attacker may eventually have had access to.
>>>
>>>
>>> I hope this information may help to improve the TOR community
>>> security and at some point in the future we will be able to find a
>>> solution for this back door.
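As an added example (not code from the thread or from the Tor Project), this automates the two checks the replies above describe: accept a `gpg --verify` result only when the full primary key fingerprint matches a pinned value (the 32-bit key ID 63FEE659 is far too short to pin), and compare a SHA-256 digest instead of MD5. The gpg output is copied from Lee's message; the installer bytes in the test are constructed.

```python
import hashlib
import hmac
import re

# gpg --verify output as Lee posted it (line wraps from the mail joined back up).
GPG_OUTPUT = """gpg: Signature made Fri Jul 25 13:19:46 2014 EDT using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <erinn at torproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
"""

# Fingerprint exactly as shown in the thread, whitespace removed.
EXPECTED_FINGERPRINT = "8738A680B84B3031A630F2DB416F061063FEE659"


def parse_gpg_verify(output: str) -> dict:
    """Extract the three facts that matter from gpg's human-readable output."""
    good = "gpg: Good signature from" in output
    m = re.search(r"Primary key fingerprint:\s*([0-9A-F ]+)", output)
    fingerprint = m.group(1).replace(" ", "") if m else None
    untrusted = "not certified with a trusted signature" in output
    return {"good": good, "fingerprint": fingerprint, "untrusted": untrusted}


def signature_acceptable(output: str, expected_fpr: str) -> bool:
    """Good signature AND the full fingerprint equals the pinned one.

    The 'not certified' warning only says the key is outside our web of
    trust; pinning the 160-bit fingerprint is what closes that gap.
    """
    info = parse_gpg_verify(output)
    if not info["good"] or info["fingerprint"] is None:
        return False
    return hmac.compare_digest(info["fingerprint"], expected_fpr.upper())


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded file's bytes (SHA-2, as Paolo recommends)."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the file's SHA-256 against a published value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())
```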