Jump to content

Search the Community

Showing results for tags 'backdoors'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 5 results

  1. Microsoft CEO believes backdoors aren't the answer Satya Nadella chooses privacy and public safety over backdoors (Image credit: Mike Moore) As Apple is once again in the midst of another fight over encryption following a recent shooting at Pensacola naval base, Microsoft CEO Satya Nadella weighed in with his thoughts on the encryption question. During a recent meeting with reporters, Nadella reiterated Microsoft's opposition to encryption backdoors while also expressing support for future legal and technical solutions, saying: “I do think backdoors are a terrible idea, that is not the way to go about this. We’ve always said we care about these two things: privacy and public safety. We need some legal and technical solution in our democracy to have both of those be priorities.” However, Microsoft's CEO also expressed support for key escrow systems which researchers have previously proposed versions of. Encryption debate The encryption systems Apple uses on its iPhones first became a point of controversy following the 2016 San Bernardino shooting. At that time, the company was urged by law enforcement agencies to help them unlock the shooter's iPhone as it may have contained valuable information. While Apple ultimately ended up not unlocking the iPhone involved in the 2016 attack, a recent shooting at a naval base in Pensacola has reopened the encryption debate. A Saudi national undergoing flight training with the US Navy killed three people and injured eight in the attack. However, two iPhones linked to the attacker are still protected via Apple's device encryption and remain inaccessible to investigators. Nadella may be against backdoors but Microsoft's CEO did not say that companies should never provide data under such circumstances. He did make the case for possible legislative solutions when it comes to encryption though, saying: “We can’t take hard positions on all sides... [but if they’re] asking me for a backdoor, I’ll say no. My hope is that in our democracy these are the things that arrive at legislative solutions.” Source: Microsoft CEO believes backdoors aren't the answer (TechRadar)
  2. Telecom kit maker points finger in the general direction of Middle Kingdom's complicated supply chain Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment. In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips. "The vulnerabilities exist in the application software running on these devices," said Kojenov in his post. "All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device." The critical flaws include: an administrative interface with a backdoor password (CVE-2020-24215); root access via telnet (CVE-2020-24218); and unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection. All of these can be exploited over the network or internet to hijack vulnerable equipment. Kojenov also flagged vulnerabilities of high and medium severity: a buffer overflow (CVE-2020-24214) that stops the thing from working properly, and a way to access RTSP video streams without authorization (CVE-2020-24216). Huawei insists the vulnerabilities were not introduced by its HiSilicon chips nor the SDK code it provides to manufacturers that use its components. That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the the hi3520d chipset. In a statement emailed to The Register and posted online, a Huawei spokesperson said, "Following the media reports about the suspected security issues (CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219) in HiSilicon video surveillance chips on September 16, 2020, Huawei has launched an immediate investigation. After technical analysis, it was confirmed that none of the vulnerabilities were introduced by HiSilicon chips and SDK packages. Huawei is in favor of coordinated vulnerability disclosure by all organizations and individuals in the security research ecosystem to reduce the impact on stakeholders." Huawei said all the vulnerabilities mentioned in the report reside in the application layer provided by the equipment vendors. "These vulnerabilities are not introduced by the chips and SDKs provided by HiSilicon," the Middle Kingdom giant said. CMU's CERT Coordination Center said the vulnerabilities exist in various network services running on various manufacturers' devices that use HiSilicon's parts, and are the result of software bugs, such as insufficient input validation and hardcoded credentials. The encoders are used to stream video over IP networks, converting raw video signals to digital video using compression standards like H.264 or H.265 for distribution through a service like YouTube, or to be viewed directly in a web or app-based video player as an RTSP or HLS stream. Kojenov says he analyzed video encoders from URayTech, J-Tech Digital, and Pro Video Instruments, and found their devices to be vulnerable to some or all of the reported flaws. He also identified several other vendors offering products based on the same system-on-chip, and he believes they may share some or all of the flaws: this includes equipment from Network Technologies Incorporated, Oupree, MINE Technology. Blankom, ISEEVY, Orivison, WorldKast/procoder, and Digicast. Kojenov said he notified various vendors but only one, Pro Video Instruments, took the notice seriously and responded. Most vendors, he said, have not yet issued a fix for these flaws. And in the absence of a patch, he advises that network admins make sure affected devices are behind a firewall with no externally exposed ports and with rules to block untrusted access. He was able to find several hundred potentially vulnerable devices using the security-oriented search service shodan.io, and he expects these publicly exposed encoders are all exploitable over the internet. "While most vulnerabilities seem unintentional (i.e. coding mistakes), one of them stands out," said Kojenov. "The hardcoded password is a deliberate backdoor." In a message to The Register, he said all the vulnerabilities except for the telnet flaw resided in a single executable program that's part of the software on these devices. "I'm not sure the vendors who build and sell these devices have much control over it," he said. "I don't know if they have the source code for the program or it is distributed in binary form." Taking Huawei’s representations at face value, we’re left to wonder where in the complicated manufacturing supply chain things went wrong. As Kojenov suggested in his report, most of the flaws appear to be unintentional coding mistakes. The fact that it’s not clear where these problems originated or who’s responsible should be at least as concerning as the specific risks posed by the bugs themselves. Huawei maintains it wants to work toward better security. "As an important part of the supply chain of video surveillance devices, HiSilicon is willing to collaborate with downstream equipment vendors and researchers through coordinated response to cyber security risks brought by the vulnerabilities mentioned in the report and protect the interests of end users," the tech goliath concluded. Source
  3. Cybersecurity researchers have disclosed details about a new watering hole attack targeting the Korean diaspora that exploits vulnerabilities in web browsers such as Google Chrome and Internet Explorer to deploy malware for espionage purposes. Dubbed "Operation Earth Kitsune" by Trend Micro, the campaign involves the use of SLUB (for SLack and githUB) malware and two new backdoors — dneSpy and agfSpy — to exfiltrate system information and gain additional control of the compromised machine. The attacks were observed during the months of March, May, and September, according to the cybersecurity firm. Watering hole attacks allow a bad actor to compromise a targeted business by compromising a carefully selected website by inserting an exploit with an intention to gain access to the victim's device and infect it with malware. Operation Earth Kitsune is said to have deployed the spyware samples on websites associated with North Korea, although access to these websites is blocked for users originating from South Korean IP addresses. A Diversified Campaign Although previous operations involving SLUB used the GitHub repository platform to download malicious code snippets onto the Windows system and post the results of the execution to an attacker-controlled private Slack channel, the latest iteration of the malware has targeted Mattermost, a Slack-like open-source collaborative messaging system. "The campaign is very diversified, deploying numerous samples to the victim machines and using multiple command-and-control (C&C) servers during this operation," Trend Micro said. "In total, we found the campaign using five C&C servers, seven samples, and exploits for four N-day bugs." Designed to skip systems that have security software installed on them as a means to thwart detection, the attack weaponizes an already patched Chrome vulnerability (CVE-2019-5782) that allows an attacker to execute arbitrary code inside a sandbox via a specially-crafted HTML page. Separately, a vulnerability in Internet Explorer (CVE-2020-0674) was also used to deliver malware via the compromised websites. dneSpy and agfSpy — Fully Functional Espionage Backdoors The difference in the infection vector notwithstanding, the exploit chain proceeds through the same sequence of steps — initiate a connection with the C&C server, receive the dropper, which then checks for the presence of anti-malware solutions on the target system before proceeding to download the three backdoor samples (in ".jpg" format) and executing them. What's changed this time around is the use of Mattermost server to keep track of the deployment across multiple infected machines, in addition to creating an individual channel for each machine to retrieve the collected information from the infected host. Of the other two backdoors, dneSpy, and agfSpy, the former is engineered to amass system information, capture screenshots, and download and execute malicious commands received from the C&C server, the results of which are zipped, encrypted, and exfiltrated to the server. "One interesting aspect of dneSpy's design is its C&C pivoting behavior," Trend Micro researchers said. "The central C&C server's response is actually the next-stage C&C server's domain/IP, which dneSpy has to communicate with to receive further instructions." agfSpy, dneSpy's counterpart, comes with its own C&C server mechanism that it uses to fetch shell commands and send the execution results back. Chief among its features include the capability to enumerate directories and list, upload, download, and execute files. "Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them," the researchers concluded. "The campaign's use of new samples to avoid detection by security products is also quite notable." "From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time." Source
  4. Criminals are distributing fake VPN installers with backdoors built in Another reason to always download VPN clients directly from a provider's website (Image credit: Shutterstock) The recent shift to remote working has led users to turn to VPN services to stay secure and protect their privacy online but new research from Trend Micro has revealed that cybercriminals are now distributing fake VPN installers with backdoors. The firm's researchers discovered VPN installers for Windscribe being distributed online that also included backdoors which allow cybercriminals to gain access and control of computers remotely without the need for proper authentication. It's worth noting that the installers found by Trend Micro come from fraudulent sources and are not from Windscribe's official download center or from the Google Play Store or Apple App Store. Cybercriminals have used this same technique in the past to bundle legitimate video conferencing apps with malicious files. By using a VPN, users can secure the communication between their computers and the internet by encrypting the connection which keeps data secure and prevents spying attempts. However, as businesses and consumers alike have started using VPN services while working from home, cybercriminals have seized this opportunity to use them to distribute malware and other malicious files. Bundling malicious files with VPN installers Users who fall victim to this latest campaign likely get their VPN installer from malicious sources and are unaware they are downloading a bundled application instead of the legitimate installer by itself. According to a new report from Trend Micro, the bundled application drops three components on a user's system: the legitimate VPN installer, the malicious file (named Iscm.exe) that contains the backdoor and the application that serves as the runner of the malicious file (win.vbs). During installation, the file Iscm.exe stealthily acts in the background by downloading its payload from a website controlled by cybercriminals. This website then redirects the user to another page to download an encrypted file named Dracula.jpg. This obfuscated file needs to be decrypted before revealing the backdoor payload. The backdoor itself can perform a number of commands such as downloading, executing and updating files as well as taking screenshots of the user's screen. Additionally, it gathers information about a user's system including if they have any antivirus products installed, the machine name, the operating system and their username. To prevent falling victim to this new campaign, Trend Micro recommends that users only download applications and files from official download centers and app stores, scrutinize URLs to distinguish between spoofed domains and legitimate ones, don't download apps and files from emails sent by untrusted sources and that they do not click on any links in suspicious emails. Criminals are distributing fake VPN installers with backdoors built in
  5. Tor is still DHE 1024 (NSA crackable) After more revelations, and expert analysis, we still aren't precisely sure what crypto the NSA can break. But everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys. Assuming no "breakthroughs", the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips. The problem with Tor is that it still uses these 1024 bit keys for much of its crypto, particularly because most people are still using older versions of the software. The older 2.3 versions of Tor uses keys the NSA can crack, but few have upgraded to the newer 2.4 version with better keys. You can see this for yourself by going to a live listing of Tor servers, like http://torstatus.blutmagie.de/. Only 10% of the servers have upgraded to version 2.4. Recently, I ran a "hostile" exit node and recorded the encryption negotiated by incoming connections (the external link encryption, not the internal circuits). This tells me whether they are using the newer or older software. Only about 24% of incoming connections were using the newer software. Here's a list of the counts: 14134 -- 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 5566 -- 0xc013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 2314 -- 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 905 -- 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1 -- 0xc012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA The older software negotiates "DHE", which are 1024 bit Diffie-Hellman keys. The newer software chooses ECDHE, which are Elliptical-Curve keys. I show the raw data because I'm confused by the last entry, I'm not sure how the software might negotiate ECDHE+3DES, it seems like a lulz-worthy combination (not that it's insecure -- just odd). Those selecting DHE+3DES are also really old I think. I don't know enough about Tor, but I suspect anything using DHE+3DES is likely more than 5 years old. (By the way, I used my Ferret tool to generate this, typing "ferret suites -r ".) The reason software is out of date is because it takes a long time for repositories to be updated. If you type "apt-get install tor" on a Debian/Ubuntu computer, you get the 2.3 version. And this is what pops up as the suggestion of what you should do when you go to the Tor website. Sure, it warns you that the software might be out-of-date, but it doesn't do a good job pointing out that it's almost a year out of date, and the crypto the older version is using is believed to be crackable by the NSA. Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, that the NSA is best at cracking. Therefore, I'd suggest that the Tor community do a better job getting people to upgrade to 2.4. Old servers with crackable crypto, combined with the likelyhood the NSA runs hostile Tor nodes, means that it's of much greater importance. by Robert Graham from Errata Security The feds pay for 60 percent of Tor’s development. Can users trust it? This week, we learned that the NSA had managed to circumvent much of the encryption that secures online financial transactions and other activities we take for granted on the Internet. How? By inserting backdoors into the very commercial software designed to keep sensitive medical records, bank files and other information private. The NSA’s sustained attempt to get around encryption calls into question many of the technologies people have come to rely on to avoid surveillance. One indispensable tool is Tor, the anonymizing service that takes a user’s Internet traffic and spits it out from some other place on the Web so that its origin is obscured. So far there’s no hard evidence that the government has compromised the anonymity of Tor traffic. But some on a Tor-related e-mail list recently pointed out that a substantial chunk of the Tor Project’s 2012 operating budget came from the Department of Defense, which houses the NSA. Last year, DoD funding accounted for more than 40 percent of the Tor Project’s $2 million budget. Other major donors include the U.S. State Department, which has an interest in promoting Internet freedom globally, and the National Science Foundation. Add up all those sources, and the government covers 60 percent of the costs of Tor’s development. Tor Executive Director Andrew Lewman wrote in an e-mail to users that just because the project accepts federal funding does not mean it collaborated with the NSA to unmask people’s online identities. “The parts of the U.S. and Swedish governments that fund us through contracts want to see strong privacy and anonymity exist on the Internet in the future,” Lewman wrote. “Don’t assume that ‘the government’ is one coherent entity with one mindset.” And Roger Dingledine, a founder of the Tor Project, says that the Defense Department money is much more like a research grant than a procurement contract. “They aren’t ‘buying products’ from us,” Dingledine tells me. “They’re funding general research and development on better anonymity, better performance and scalability and better blocking-resistance. Everything we do we publish in the open.” Dingledine acknowledges that “bad guys” could conceivably introduce vulnerabilities into Tor’s open-source code. But one of the major advantages of open-source software is that the product can be inspected by anyone for defects, which raises its security somewhat. There’d only be a problem if the NSA were somehow able to insert malicious code that nobody recognized. The NSA didn’t immediately respond to a request for comment Friday afternoon. Update: Roger Dingledine writes in to explain why the government has never asked the Tor Project to install a backdoor: I think this is mainly due to two reasons: A) We’ve had that faq entry up for a long time, including the part where we say we’ll fight it and that we have lots of lawyers who will help us fight it. So they know it won’t be easy. B ) I do a lot of outreach to various law enforcement groups to try to teach them how Tor works and why they need it to be safe. See e.g. the first two paragraphs of this: I think ‘A’ used to be a sufficient reason by itself, but now we’re reading about more and more companies and services that have tried to fight such a request and given up. The architecture of the Tor network makes it more complex (there’s no easy place in the deployed network to stick a backdoor), but that doesn’t mean they won’t try. I guess we rely on ‘B’ for now, and see how things go. Source Large botnet cause of recent Tor network overload Recently, Roger Dingledine described a sudden increase in Tor users on the Tor Talk mailinglist. To date there has been a large amount of speculation as to why this may have happened. A large number of articles seem to suggest this to be the result of the recent global espionage events, the evasion of the Pirate Bay blockades using the PirateBrowser or the Syrian civil war. At the time of writing, the amount of Tor clients actually appears to have more than quintupled already. The graph shows no signs of a decline in growth, as seen below: An alternative recurring explanation is the increased usage of botnets using Tor, based on the assertion that the increase appears to consist of mostly new users to Tor that apparently are not doing much given the limited impact on Tor exit performance. In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users. A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators. Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase. Thus one important thing to note is that this was an already existing botnet of massive scale, even prior to the conversion to using Tor and .onion as command and control channel. As pointed out in the Tor weekly news, the version of Tor that is used by the new Tor clients must be 0.2.3.x, due to the fact that they do not use the new Tor handshake method. Based on the code we can confirm that the version of Tor that is used is The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based). Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale. We have however no compelling evidence that this is true, so this assumption is merely based on a combination of small hints. It does however originate from a Russian spoken region, and is likely motivated by direct or indirect financial related crime. This specific version of the malware, which includes the Tor functionality, will install itself in: %SYSTEM%\config\systemprofile\Local Settings\Application Data\Windows Internet Name System\wins.exeAdditionally, it will install a Tor component in: %PROGRAMFILES%\Tor\Tor.exeThis location is regularly updated with new versions. Related md5 hashes: 2eee286587f76a09f34f345fd4e00113 (August 2013)c11c83a7d9e7fa0efaf90cebd49fbd0b (September 2013)Related md5 hashes from non-Tor version: 4841b5508e43d1797f31b6cdb83956a3 (December 2012)4773a00879134a9365e127e2989f4844 (January 2013)9fcddc45ae35d5cdc06e8666d249d250 (February 2013)b939f6ef3bd292996f97aa5786757870 (March 2013)47c8b85a4c82ed71487deab68de196ba (March 2013)3e6eb9f8d81161db44b4c4b17763c46a (April 2013)a0343241bf53576d18e9c1329e6a5e7e (April 2013)Source New Tor packages There's a new Tor to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know. https://www.torproject.org/projects/torbrowser.html.en#downloads Tor Browser Bundle (2.4.17-beta-1) Update Tor to Update NoScript to Update HTTPS Everywhere to 4.0development.11 Source
  • Create New...