Information Security News
Unmasking hidden Tor service users is too easy, say infosec bods
Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.
by Sean Gallagher
It looks like North Korea's "hermit nation" status has paid off in at least one way: the US was unable to infect the systems controlling centrifuges for North Korea's nuclear program, even after using a variant of the Stuxnet virus designed specifically for Korean systems. According to an exclusive report by Reuters, the National Security Agency led an effort in parallel to the one that went after Iran's nuclear program, but the agency failed to get its malware into North Korea's nuclear labs because they were so isolated—both in a geographic and communications sense.
Reuters' Joseph Menn cites an unnamed US intelligence official as saying the same team that developed Stuxnet—which was reportedly a joint US-Israeli development effort called "Olympic Games"—also developed a similar set of malware that would activate itself only when it encountered Korean language settings on the computers it infected.
Like Iran, North Korea used centrifuges obtained from the Pakistani scientist, A.Q. Khan, who led his own country's nuclear weapons effort. The P-2 centrifuges used by Iran were controlled by supervisory control and data acquisition (SCADA) systems from Siemens, with control software running on the Windows operating system. It was believed that North Korea used similar software because of the similarity between the two research efforts, so the STUXNET malware could in theory be used with minor modifications.
Blockchain, one of the Internet's most widely used Bitcoin wallets, has rushed out an update for its Android app after discovering critical cryptographic and programming flaws that can cause users to send digital coins to the wrong people with no warning.
The vulnerabilities affect a subset of people who run Blockchain for Android on versions 4.1 or older of the mobile OS, according to an advisory published Thursday. The most serious of the flaws is the use of the unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.
"To our knowledge, this bug resulted in one specific address being generated multiple times, leading to a loss of funds for a handful of users," Thursday's advisory stated.