Monday 9 January 2017

The official Tor browser for iOS is free to use


When Mike Tigas first created the Onion Browser app for iOS in 2012, he never expected it to become popular. He was working as a newsroom Web developer at The Spokesman-Review in Spokane, Washington, at the time, and wanted a Tor browser app for himself and his colleagues. Expecting little interest, he then put Onion Browser on the Apple App Store at just $0.99/£0.69, the lowest non-zero price that Apple allows.
Fast forward to 2016, and Tigas found himself living in New York City, working as a developer and investigative journalist at ProPublica, while earning upwards of $2,000 a month from the app—and worrying that charging for it was keeping anonymous browsing out of the hands of people who needed it.
So a few weeks ago, he made the app free. Since then, its popularity has exploded, with thousands of downloads recorded every day. The outcome of the recent US presidential election might have had something to do with both the decision and the surge in downloads that followed, Tigas told Ars. "Given recent events, many believe it's more important than ever to exercise and support freedom of speech, privacy rights, and digital security," he wrote in a blog post. "I think now is as good a time as ever to make Onion Browser more accessible to everyone."
Global concerns also influenced his decision. "Iran is not technically a country where you can get an iPhone, but on the grey market you can," he told Ars. "People over there can't get apps you have to pay for, because you have to have a credit card that Apple actually accepts," he added, noting that economic sanctions forbid Apple from selling to Iranian iOS users.
Onion Browser is the official Tor Project-endorsed Web browser for iOS. But it lacks some of the features available for Tor Browser (Linux, MacOS, Windows) and OrFox (Android), due to technical roadblocks peculiar to iOS.
The two biggest challenges Tor developers on iOS face, as Tigas outlined in this blog post on the Tor Project website, are Apple's requirement that all browsers use the iOS WebKit rendering engine, and the inability to run Tor as a system-wide service or daemon on iOS.
Developers have found workarounds to both problems, and iOS users can soon expect to see a new, improved Onion Browser, as well as a Tor VPN that routes all device traffic over Tor—probably in the first quarter of 2017.

Not quite as secure

Unlike Tor Browser or OrFox, Onion Browser is not based on the Firefox Gecko rendering engine. This is good—Onion Browser is not vulnerable to Firefox exploits—but also bad, because code cannot be reused.
A further challenge, Tigas said, is that Apple’s WebKit APIs "don’t allow a lot of control over the rendering and execution of Web pages, making a Tor Browser-style security slider very difficult to implement."
Many of iOS's multimedia features don't use the browser's network stack, making it difficult to ensure the native video player does not leak traffic outside of Tor.
"Onion Browser tries to provide some functionality to block JavaScript and multimedia, but these features aren’t yet as robust as on other platforms," Tigas wrote.
Moreover, it doesn't support tabbed browsing, and the UX is pretty basic, but Tigas is working on a rewrite based on Endless. "It adds a lot of important features over the existing Onion Browser," he said, "like a nicer user-interface with tabbed browsing, HTTPS Everywhere, and HSTS Preloading. There's a new version of Onion Browser in the works that's based on Endless that will hopefully enter beta testing this month."

Welcome to the sandbox

The biggest challenge to getting Tor working seamlessly on iOS, though, is the inability to run Tor as a system-wide service or daemon, something which is trivial to accomplish with most other operating systems, but unavailable to iOS app developers. To prevent misbehaving apps from getting up to their usual mischief, Apple sandboxes apps from each other, and from the underlying OS. This means you can't install Tor on iOS, let it run in the background, and route all your device traffic over Tor.
“In iOS the moment you leave an app, the app goes to sleep,” Tigas told Ars. “With Tor Browser Bundle or OrBot on Android, other apps can use the Tor in Tor Browser Bundle, other apps can use OrBot's connection on Android.”
In fact, to get Onion Browser to work, he has to compile Tor into the app itself—as does any other iOS app developer who wishes to offer a Tor connection. But that's about to change, thanks to iCepa.

A Tor VPN for iOS

OrBot, the official Tor routing service for Android.
iCepa—from the Latin cepa for onion, and pronounced i-KAY-puh—is a Tor VPN for iOS currently under development that will enable iOS users to route all their traffic over Tor. "A lot of us had the idea simultaneously after Apple released iOS 9, which added some APIs that allowed you to talk to network traffic," iCepa developer Conrad Kramer told Ars. "It was intended for companies like OpenVPN or Cisco to build their own VPN solutions for iOS, but we realised we could build a version of Tor using this API."
"It's similar to how OrBot works," he added, "which also uses a VPN approach."
Apple-imposed memory limits had prevented Kramer from finishing work on iCepa until recently. The memory limit for packet-tunnel extensions, he explained, was 5MB—and Tor needs around 10MB to run.
Kramer said he was able to continue development work on a jailbroken iOS 9 device, but with little motivation, since a jailbroken solution would not scale. An encounter with Apple engineers at the WWDC conference gave him the chance to lobby them to raise the limit—which they did, in iOS 10, to 15MB, more than enough to get a Tor VPN working in iOS.
Kramer told Ars he had just gotten iCepa working on his test device in mid-December, and plans to share the working code in a private alpha with other Tor developers before the end of the year. He hopes to release iCepa to the public through the App Store at the end of the first quarter of 2017.
"The timeline is still uncertain," he emphasised, "but I do want to get it out as soon as possible."

Paying for Tor development

Since making Onion Browser free in early December, Tigas says the number of downloads has jumped from around 3,000 paid downloads per month to thousands per day. He is at peace with his decision, convinced he has done the right thing, but worries about the loss of income.
"[The extra money] helped keep me doing investigative journalism by day," he told Ars. "If I can get to even 15 percent of where it was before, I would be really happy and amazed. I think I have like five people on Patreon right now."
Tigas has received some financial support from the Guardian Project to continue work on Onion Browser, but, he says, the money does not come close to replacing the income lost from the App Store.
“I'm still a little terrified that I've made this change,” he wrote in his blog post, “but I'm happy this day has come—and judging from the responses I've already received, so have many of you. Thanks for your support.”

Android banking Trojan malware disguises itself as Super Mario Run

Cybercriminals are taking advantage of Android users who are desperate to play Nintendo's wildly popular Super Mario Run mobile game, in order to spread the notorious Marcher banking Trojan malware.
Nintendo's iconic plumber made his much anticipated debut on mobile devices in December and is currently exclusive to Apple iOS users, who can download the game via the App Store.
But some desperate users are looking for ways to gain access to it on Android by attempting to download versions from third-party websites. And, much like they did when Android users wanted to download Pokemon Go before it was available, attackers are actively looking to exploit that demand by tricking users into downloading the bank information stealing Marcher Trojan.

The Marcher malware has been around since March 2013, and has repeatedly evolved in order to dupe unsuspecting victims into installing it, even posing as an Android firmware update, then tricking users into entering their banking details into a fake overlay page which hands them directly to the attackers.
Now, cybersecurity researchers at Zscaler have warned that the Trojan is disguising itself as Super Mario Run in a new effort to steal financial account details and credit card numbers from those most desperate to download the game on Android by bypassing the official Google Play store.
From fake websites advertising the availability of an Android version of Super Mario Run, users are invited to download a phony version of the app, which demands the user grant it various permissions including administrative rights to the device.
By providing administrative access to the infected systems, users are enabling the gang behind Marcher to monitor the device and steal login data of not just banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud.
Due to the constantly evolving nature of the malware, Zscaler researchers have previously dubbed Marcher "the most prevalent threat to the Android devices", and the malware attacks all versions of Google's mobile operating system.
Marcher first originated on Russian underground forums but has since become a global threat, with the Trojan targeting bank customers around the world.
The best way for Android users to avoid falling victim to Marcher is to only download applications from trusted application stores such as Google Play, and to not download anything from unknown sources.

VNC server library gets security fix


An important fix for libvncserver has landed in Debian and on the library's GitHub page.
Late in 2016, a bug emerged in the VNC libraries that left clients vulnerable to malicious servers.
As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming packets, leading to heap-based buffer overflows.
Clients could be attacked either for denial-of-service, or potentially for remote code execution.
The folks at libvncserver pushed out their own patch on December 30 – so if you're a dev using the library, get it and start patching. It's the first new libvncserver code release since October 2014.
Debian's other recent security patches include Tomcat 7 and Tomcat 8 security updates, to close CVE-2016-8745: “incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure”.

St. Jude Medical Patches Vulnerable Cardiac Devices

St. Jude Medical today released an update for the Merlin@home Transmitter medical device that includes a patch for vulnerabilities made public last year in a controversial disclosure by research company MedSec Holdings and private equity firm Muddy Waters.
In a paper published last August, Muddy Waters said that vulnerabilities in the remote transmitter used to communicate with St. Jude Medical’s implantable cardiac devices left defibrillators and pacemakers exposed to attack and put patients’ physical safety at risk.
The disclosure was compounded by a short position Muddy Waters held on St. Jude Medical stock that allowed it and MedSec to profit should St. Jude stock drop in value. Muddy Waters said it expected close to half of St. Jude Medical revenue to drop as a result of the disclosure and that remediation would take close to two years. St. Jude Medical, which has since been acquired by Abbott Laboratories, is trading at $80.82 today, up from $77.82 on Aug. 25.
Muddy Waters today called the patches a “long-overdue acknowledgement” and alleged again that St. Jude Medical prioritizes profits over patients.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities,” said Carson Block, Muddy Waters CEO, in a statement provided to Threatpost. “Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
Justine Bone, CEO of MedSec, echoed what Block said regarding the remaining vulnerabilities.
“We acknowledge St. Jude Medical’s effort in the remediation of this vulnerability which was rated as High severity by the Department of Homeland Security,” Bone said. “We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin@home device. MedSec remains available to assist Abbott Laboratories during this process.”
In October, research outfit Bishop Fox said in a legal filing on behalf of Muddy Waters and MedSec countering a suit filed by St. Jude Medical, that a universal key, or backdoor, could be exploited to send commands from the Merlin@home transmitter to the implanted device. Bishop Fox said it developed an attack that could issue an emergency shock command to the implanted device. Bishop Fox also described two other attacks in its report that could deliver dangerous shocks to patients, as well as wireless protocol vulnerabilities that it had found.
The U.S. Food and Drug Administration, meanwhile, partnered with St. Jude Medical on today’s announcement, and recommended that providers and patients continue to use the affected devices.
“The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the FDA said in a statement. “The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”
Today’s update will be automatically pushed to Merlin@home devices, and patients are advised to ensure the remote monitoring tool is connected to the Merlin.net network in order to pull down the patch.
The initial Muddy Waters report said it saw two demonstrations of attacks against implantable cardiac devices through the Merlin@home Transmitter. Should an attacker gain access to the device, they could change configurations and cause a device to malfunction and either alter pacing to dangerous rates, or deliver harmful shocks. Attackers could also cause the battery to drain. The attacks, the report said, are within reach of relatively unskilled hackers.
Muddy Waters and MedSec said in August that the communication protocols for Merlin@home Transmitters lacked encryption and authentication mechanisms and were compromised.
“As a result, an attacker can impersonate a Merlin@Home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework,” Muddy Waters’ report said.
The decision to publicly disclose the vulnerabilities to capitalize on the short position opened a new front in the disclosure debate, and resurrected a number of conversations around the ethics of where and when to report vulnerabilities in software and devices.
The FDA, which, along with the Department of Homeland Security, opened an investigation in September, said today that it will continue to assess any new information around St. Jude device security and alter its recommendations if need be.
“The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA said. “The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”