Re: Supercookies
> Uuups, it seems BetterPrivacy allows remote code execution:

Easily defeated: http://objection.mozdev.org/

- ferg
Re: Undecipherable message...
Replying to a couple of messages here, but: No, I never made any manual changes to my local Tor config at all. This was a "dynamic" event.

I'm running:

Vidalia: 0.0.14
Tor: 0.1.2.17

Usually works great, was just curious about this one message.

Thanks,

- ferg

-- Roger Dingledine <[EMAIL PROTECTED]> wrote:

On Wed, May 14, 2008 at 06:00:53AM +, Paul Ferguson wrote:
> May 13 22:50:34.247 [Warning] You specified a server "gpfTOR1" by name, but
> this name is not registered, so it could be used by any server, not just the
> one you meant. To make sure you get the same server in the future, refer to
> it by key, as "$CFB88AC652AE0388D1F483A065E12A0BEDB868E8".
>
> I received it tonight on start-up...

If you ever wrote that node down specifically, e.g. in your torrc file, then it means what Karsten N just described. You can't specify a node just by its nickname and expect it to be unique.

If you haven't ever touched your config file and you're wondering why this message came out of the blue, it may be the recurrence of an old bug we had with Vidalia doing lookups on Tor servers in the background.

Please let us know which it is. :)

--Roger
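The point Roger makes (a nickname is not registered, so only the `$fingerprint` form pins you to one relay) is easy to check mechanically. The following is an added example for this thread, not code from the posts above or from the Tor project. It assumes the torrc node-list syntax documented for Tor: the options EntryNodes, ExitNodes, ExcludeNodes and ExcludeExitNodes take comma-separated relay specifiers, each written as `$FINGERPRINT` (40 hex digits), as a bare nickname, or, in later Tor versions, as `$FINGERPRINT~nickname` / `$FINGERPRINT=nickname`; country codes like `{de}` and IP/netmask entries are valid list members and are ignored. The sample torrc is constructed; the fingerprint is the one quoted in the warning.

```python
"""Lint torrc node lists for relays referenced only by nickname.

Added example for this thread; not code from the original posts or from the
Tor project. A bare nickname is the case the warning is about: it is not
registered, so any relay operator can claim it. Only the $fingerprint form
pins the relay to one identity key.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

NODE_LIST_OPTIONS = {"EntryNodes", "ExitNodes", "ExcludeNodes", "ExcludeExitNodes"}

# $ + 40 hex digits, optionally followed by ~nickname or =nickname (assumed
# newer-torrc syntax; the thread's Tor version only had the bare $fingerprint).
FINGERPRINT_RE = re.compile(r"^\$[0-9A-Fa-f]{40}(?:[~=][A-Za-z0-9]{1,19})?$")
NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")
# {cc} country codes and dotted-quad IP or IP/mask entries are not relay names.
NON_RELAY_RE = re.compile(r"^\{[A-Za-z?]{2}\}$|^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


@dataclass
class Finding:
    line_no: int
    option: str
    spec: str
    problem: str


def check_spec(spec: str) -> Optional[str]:
    """Return a problem description for one relay specifier, or None if it is safely pinned."""
    if NON_RELAY_RE.match(spec):
        return None
    if spec.startswith("$"):
        if FINGERPRINT_RE.match(spec):
            return None                      # pinned by identity key
        return "malformed fingerprint: expected '$' followed by 40 hex digits"
    if NICKNAME_RE.match(spec):
        return ("nickname only: not registered, any relay may use it; "
                "pin it as $<fingerprint> instead")
    return "unrecognised specifier"


def lint_torrc(text: str) -> List[Finding]:
    """Scan torrc text and return one Finding per problematic relay specifier."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in NODE_LIST_OPTIONS:
            continue
        option, value = parts
        for spec in (s.strip() for s in value.split(",")):
            if not spec:
                continue
            problem = check_spec(spec)
            if problem:
                findings.append(Finding(line_no, option, spec, problem))
    return findings


# Constructed sample torrc (not a real config); the fingerprint is the one
# quoted in the warning message in this thread.
SAMPLE_TORRC = """\
# sample torrc
SocksPort 9050
ExitNodes gpfTOR1, $CFB88AC652AE0388D1F483A065E12A0BEDB868E8
EntryNodes $CFB88AC652AE0388D1F483A065E12A0BEDB868E8~gpfTOR1
ExcludeNodes {xx}, 10.0.0.0/8, $DEADBEEF
StrictExitNodes 1
"""

if __name__ == "__main__":
    for f in lint_torrc(SAMPLE_TORRC):
        print(f"line {f.line_no} {f.option}: {f.spec!r}: {f.problem}")
```

Run against the sample, the linter flags `gpfTOR1` on the ExitNodes line (nickname only) and `$DEADBEEF` on the ExcludeNodes line (not a 40-hex-digit key); the pinned forms pass.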
Undecipherable message...
Can anyone explain to me exactly what this message means:

[snip]

May 13 22:50:34.247 [Warning] You specified a server "gpfTOR1" by name, but this name is not registered, so it could be used by any server, not just the one you meant. To make sure you get the same server in the future, refer to it by key, as "$CFB88AC652AE0388D1F483A065E12A0BEDB868E8".

[snip]

I received it tonight on start-up...

Thanks,

- ferg
Re: another unusual connection
-- Dominik Schaefer <[EMAIL PROTECTED]> wrote:

>> For what it's worth, we (Trend Micro) have identified several Tor
>> nodes which have malicious intent -- this one among them.
>
> Could you give us some more information about this? ;-) I would assume,
> the reported behaviour could be very well caused by some unusually
> configured or misconfigured node and not malicious intent itself.

Actually, it appears that the hosts that are triggering alarms for us have already been identified previously as hosting malicious content -- not flagged explicitly for being a Tor node. For example, a host that may have been previously identified as hosting an MPack exploit engine may also now be used as a Tor node.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: another unusual connection
-- Scott Bennett <[EMAIL PROTECTED]> wrote:

> Is there some reason we should believe that you represent Trend
> Micro?

Believe what you like. Just trying to be helpful.

Cheers,

- ferg
Re: another unusual connection
-- Scott Bennett <[EMAIL PROTECTED]> wrote:

> $ telnet 212.112.242.159 80
> Trying 212.112.242.159...
> Connected to 212.112.242.159.
> Escape character is '^]'.
> GET /tor/ HTTP/1.0

For what it's worth, we (Trend Micro) have identified several Tor nodes which have malicious intent -- this one among them.

Be very careful. Tor is being actively exploited.

- ferg
Re: The use of malicious botnets to disrupt The Onion Router
"Ron Wireman" <[EMAIL PROTECTED]> wrote:

> It seems to me, however, that even this gracious act of charity may be no
> match for the types of attacks we may be faced with as we become more
> popular and, as a result, more of a target. The number of users running
> tor nodes pales in comparison to the number of computers that may be in
> any one of the many individual botnets, which are groups of hijacked
> computers controlled in unison by a single entity. The largest of these
> botnets ever discovered had over 1,000 times the number of nodes that tor
> does. What happens when one of these botnets is commanded to join tor
> all at once and begin harvesting private data that people naively did not
> encrypt or, worse, replacing all pictures requested with goatse.jpg?
> These and other malicious acts could easily take place, perhaps even
> perpetrated by a malevolent government entity, and would cause significant
> disruption to our router.

What? You think it hasn't already happened?

It has -- unscrupulous bot masters have already used the Tor network in attempts to cloak their activities.

The main concern here should be how to prohibit it from happening in the future, or at least detect it/deal with it -- or else the entire Tor infrastructure will be threatened from forces larger than you can imagine.

- ferg
Swedish Police Swoop on Dan Egerstad
Not good.

Via TheAge.com.au.

[snip]

The Swedish hacker who perpetrated the so-called hack of the year has been arrested in a dramatic raid on his apartment, during which he was taken in for questioning and several of his computers confiscated.

Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

The hack required little more than tools freely available on the internet, and Egerstad maintains he broke no laws. In fact, he is confident the email accounts he gained access to were already compromised by other hackers, so his efforts in fact prevented them from continuing their spying.

[snip]

More:
http://www.theage.com.au/news/security/hacker-of-year-arrest/2007/11/15/1194766821481.html

Background:
http://www.infoworld.com/article/07/09/10/Security-researcher-intercepts-embassy-passwords_1.html
http://www.pcworld.com/article/id,136630-c,onlinesecurity/article.html
http://blog.wired.com/27bstroke6/2007/08/embassy-e-mail-.html

- ferg
Tor < 0.1.2.16 ControlPort Remote Rewrite Exploit
A Proof-of-Concept exploit is now circulating:

http://www.milw0rm.com/exploits/4468

Needless to say, people are encouraged to run 0.1.2.17 or better. :-)

- ferg
Re: Odd tor spam - Storm Worm
Hi Dave. :-)

My favorite quote of the day:

"But the interesting point is this: if Tor is worth targeting for your Trojans, then Tor has entered popular culture. Which rocks."

http://www.links.org/?p=251

Cheers,

- ferg

-- Dave Jevans <[EMAIL PROTECTED]> wrote:

Good write-up of the Tor storm worm variant at f-secure blog
http://www.f-secure.com/weblog/#1272

For those not tracking the storm worm... this has been one of the most prolific worms of recent months. It's the same thing behind the fake youtube emails, e-greeting card infections and the various "account confirmation" attacks (eg online gambling account confirmation), etc.

More about storm
http://en.wikipedia.org/wiki/Storm_Worm
http://it.slashdot.org/it/07/08/26/1558245.shtml

> hi all,
> I've just received a really odd spam which tries to "educate" to the use of tor as an attack vector.
> Here's the body of the mail (turn off javascript before trying to visit that link ;-) ):
>
> -8<-8<-8<-
> Do you trade files online? Then they will come after you. Read the news on RIAA and what they are doing to everyone they find. Tor will keep them from finding you. Keep the internet private and download our program for free.
> http://69.255.111.145/ (linked as "Download Tor")
> -8<-8<-8<-
>
> A quick "strings" on their version of tor.exe shows something like "RealShellExecuteA" and similar stuff.
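The "quick strings on their tor.exe" triage in the quoted mail is worth having as a repeatable check. The block below is an added example for this thread, not code from the posts above or from any project named here. It extracts both ASCII and UTF-16LE (wide) strings, since Windows binaries carry many of the latter and the classic `strings` command skips them by default, then matches them against a watchlist of Windows API names and pulls out embedded URLs. The watchlist and the sample byte blob are constructed for the example; the blob is not the real dropper, and the only piece taken from the thread is the lure URL and the `RealShellExecuteA` string.

```python
"""Pull printable strings out of a binary and flag suspicious API names.

Added example for this thread; not code from the original posts or from any
project named here. Covers narrow (ASCII) and wide (UTF-16LE) strings, which
is what a first-pass triage of a suspect Windows executable needs.
"""
import re
from typing import Dict, List, Tuple

MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# APIs a legitimate tor.exe has no reason to import (constructed watchlist;
# RealShellExecuteA is the one named in the quoted mail).
SUSPICIOUS_APIS = {
    "RealShellExecuteA", "ShellExecuteA", "ShellExecuteW", "WinExec",
    "URLDownloadToFileA", "CreateRemoteThread", "WriteProcessMemory",
    "SetWindowsHookExA",
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[str, str]]:
    """Return (encoding, text) pairs for every printable run of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16-le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Summarise what a reviewer looks at first: watchlisted API names and embedded URLs."""
    strings = [text for _enc, text in extract_strings(data)]
    apis = sorted({s for s in strings if s in SUSPICIOUS_APIS})
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    return {"suspicious_apis": apis, "urls": urls}


# Constructed stand-in for a trojanised binary: a PE-like header, filler, one
# narrow and one wide API name, the lure URL from the quoted spam, and a DLL name.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"RealShellExecuteA\x00" + b"\x01\x02\x03"
    + "CreateRemoteThread".encode("utf-16-le") + b"\x00\x00"
    + b"http://69.255.111.145/\x00"
    + b"KERNEL32.dll\x00"
)

if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{enc:9} {text}")
    print(triage(SAMPLE_BLOB))
```

On the sample blob the wide `CreateRemoteThread` is only found because of the UTF-16LE pass; an ASCII-only scan would report just `RealShellExecuteA`, the lure URL and the DLL name.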
Re: Fwd: Careful, you.re being watched.
Yet another Storm social-engineering maneuver.

- ferg

-- loki der quaeler <[EMAIL PROTECTED]> wrote:

new trojan mask variant: (105% evil)

Begin forwarded message:

> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 18515 invoked from network); 6 Sep 2007 05:49:08 -0700
> Received: from 103-134-124-91.pool.ukrtel.net (91.124.134.103)
>   by www.weltschmerz.org with SMTP; 6 Sep 2007 05:49:08 -0700
> Received: from zbcdphd by 103-134-124-91.pool.ukrtel.net with local (Exim 4.66 (FreeBSD))
>   id 1ITH-000LCI-41
>   for [EMAIL PROTECTED]; Thu, 6 Sep 2007 15:48:54 +0300
> To: <[EMAIL PROTECTED]>
> Subject: Careful, you.re being watched.
> From: <[EMAIL PROTECTED]>
> Content-Type: text/html;charset=iso-8859-1
> Content-Transfer-Encoding: 7BIT
> Message-Id: <[EMAIL PROTECTED]>
> Sender: User zbcdphd <[EMAIL PROTECTED]>
> Date: Thu, 6 Sep 2007 15:48:54 +0300
>
> Everyone who is doing file trading is at risk. Read the news on RIAA and what they are doing to everyone they find. Your privacy can be safe again with our new technology. Save yourself from an attack and use this free software now. Download Tor
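The forwarded headers above show the usual shape of a Storm lure: the only trustworthy Received line is the one the recipient's own server (www.weltschmerz.org) stamped, and it records a connection straight from a consumer dial-up pool host. The block below is an added example for this thread, not code from the posts, that walks a Received chain and isolates that hop. It assumes RFC 5322 style headers; the sample message is a constructed copy of the forwarded lure's headers with the archive's `[EMAIL PROTECTED]` placeholders kept, and the dynamic-pool hostname hints are a constructed heuristic list.

```python
"""Walk a mail's Received chain to find the peer that actually delivered it.

Added example for this thread; not code from the original posts. Each hop
prepends its own Received header, so the top one is the newest. Only the hop
stamped by a server you control is trustworthy: every Received line below it
arrived inside the message and can be forged by the sender.
"""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Hostname fragments ISPs commonly use for dynamic/consumer address pools
# (constructed heuristic list).
DYNAMIC_HINTS = ("pool", "dyn", "dsl", "cable", "dhcp", "ppp")


@dataclass
class Hop:
    helo: str            # name the sending side announced
    ip: Optional[str]    # address the receiver recorded in parentheses, if any
    by: str              # server that wrote this Received line


def parse_hops(raw_mail: str) -> List[Hop]:
    """Return hops newest-first; Received lines without a 'from X by Y' clause are skipped."""
    msg = email.message_from_string(raw_mail)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())        # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("paren") or "")
        hops.append(Hop(m.group("helo"), ip_m.group(1) if ip_m else None, m.group("by")))
    return hops


def delivering_peer(hops: List[Hop], trusted_server: str) -> Optional[Hop]:
    """The hop our own server stamped; its IP is the TCP peer that really connected to us."""
    for hop in hops:
        if hop.by.lower() == trusted_server.lower():
            return hop
    return None


def looks_dynamic(hostname: str) -> bool:
    """Heuristic: consumer pool hosts rarely originate legitimate direct SMTP."""
    h = hostname.lower()
    return any(hint in h for hint in DYNAMIC_HINTS)


def is_routable(ip: Optional[str]) -> bool:
    """True for a public address; a private peer means that hop was not the real boundary."""
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


# Constructed copy of the forwarded lure's headers from this thread.
SAMPLE_MAIL = """\
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 18515 invoked from network); 6 Sep 2007 05:49:08 -0700
Received: from 103-134-124-91.pool.ukrtel.net (91.124.134.103)
  by www.weltschmerz.org with SMTP; 6 Sep 2007 05:49:08 -0700
Received: from zbcdphd by 103-134-124-91.pool.ukrtel.net with local (Exim 4.66 (FreeBSD))
  id 1ITH-000LCI-41
  for [EMAIL PROTECTED]; Thu, 6 Sep 2007 15:48:54 +0300
Subject: Careful, you.re being watched.
Content-Type: text/html;charset=iso-8859-1

Everyone who is doing file trading is at risk.
"""

if __name__ == "__main__":
    hops = parse_hops(SAMPLE_MAIL)
    peer = delivering_peer(hops, "www.weltschmerz.org")
    if peer:
        print(f"delivered by {peer.ip} ({peer.helo}); "
              f"dynamic={looks_dynamic(peer.helo)} routable={is_routable(peer.ip)}")
```

For the sample, the delivering peer is 91.124.134.103 announcing itself as a `pool.ukrtel.net` host; the Exim "with local" line beneath it is sender-supplied and proves nothing.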