
Re: [tor-talk] TOR tried to take a snapshot of my screen



I don't know the anti-spyware tool that you used nor details about what the
tool deems a "screenshot" but I want to point out that in Windows
(especially older versions) one of the entropy sources for OpenSSL is the
screenshot of your current session[1]. So if the Tor Browser needs to
generate keys (and it usually does in your use case) it is possible that
the crypto functions are calling whatever "rand" sources are available on
your system, including first taking a screenshot of your session.

Just a theory that IMHO seems more likely than your browser package being
backdoored.

[1] https://www.openssl.org/docs/crypto/RAND_add.html#DESCRIPTION

@




On Sat, Aug 23, 2014 at 7:44 AM, <no.thing_to-hide@xxxxxxxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ok, let's try to find out what's going on here.
> I checksummed some files:
>
> - ----
> ++ The directory I found yesterday evening.
> https://www.torproject.org/dist/torbrowser/3.6.3/
>
> - -> This was the old download directory for the Torbrowser v3.6.3
> - -> Not accessible via web browser
> - -> There is no signature "torbrowser-install-3.6.3_en-US.exe.asc" in
> this directory.
>
> Files:
>
> https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
> - -> Filesize 323 b. This file is a little bit too small to be the
> Torbrowser. I did not remark that yesterday evening, sorry for the
> confusion.
>
> jacksum-hashes MD5 and SHA256 for *.exe:
> c8eb88324526d718b937b616c75d33a8
> 5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef
>
> GtkHash-hashes MD5 and SHA256 for *.exe:
> c8eb88324526d718b937b616c75d33a8
> 5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef
>
> - ----
>
> ++ The official Tor archive (thanks Lee)
> https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/
>
> Files:
>
> https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
>   Filesize 27 239 623 b
>
> https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe.asc
>   Filesize 473 b
>
> jacksum-hashes MD5 and SHA256 for *.exe:
> 9529c5a633cf0cf6201662ca12630a04
> 52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d
>
> GtkHash-hashes MD5 and SHA256 for *.exe:
> 9529c5a633cf0cf6201662ca12630a04
> 52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d
>
> - -> MD5 matches the checksum from BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY
> at bitmessage.ch and all the others.
>
> GPG Signature
> $ gpg --verify torbrowser-install-3.6.3_en-US.exe{.asc,}
> gpg: Signature made Fri 25 Jul 2014 19:19:46 CEST using RSA key ID
> 63FEE659
> gpg: Good signature from "Erinn Clark <erinn@xxxxxxxxxxxxxx>"
> gpg:                 aka "Erinn Clark <erinn@xxxxxxxxxx>"
> gpg:                 aka "Erinn Clark <erinn@xxxxxxxxxxxxxxxx>"
>
> => This is the correct old Torbrowser v3.6.3
>
> - ----
>
> There are actually two directories on torproject.org including a file
> "torbrowser-install-3.6.3_en-US.exe":
> 1) https://www.torproject.org/dist/torbrowser/3.6.3/
> and
> 2) https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/
> 1) is the old download path, but somehow a wrong file with a correct
> name remained there ??
>
> >> http //www.datafilehost com/d/dfb201d8 or https //www.sendspace
> >> com/file/6ygdl3
> >
> > Both of the files are broken or corrupted. They can't be opened as
> > an archive on my end. The first source tries to make one download
> > an .exe file. Well you can download the zip file, without it.
> >
> > How can we be sure that your upload is safe?
>
> I did not touch the files, because the whole story made me
> mistrustful. When you look at some subjects of yesterday
> "Third-parties tracking me on Tor"
> "TOR tried to take a snapshot of my screen"
> Perhaps somebody is trolling this list and tries to seed confusion.
>
> Best regards and stay wiretapped!
>
> Anton
> - --
> no.thing_to-hide at cryptopathie dot eu
> 0x30C3CDF0, RSA 2048, 24 Mar 2014
> 0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
> Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
>
>
>
> On 23/08/14 09:18, Sebastian G. <bastik.tor> wrote:
> > 22.08.2014, 23:38
> > BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY@xxxxxxxxxxxxx:
> >> Hi,
> >>
> >> I have TOR 3.6.3 installed in a Windows XP computer that is used
> >> almost just for it with very few additional software installed.
> >> My understanding is that a potential attacker will test his
> >> exploit/approach against most of the security software available,
> >> but possibly will not be able to test against ALL of them, so I
> >> have a miscellany of popular and not popular security software
> >> installed in the same computer; among them is a not so common
> >> anti spyware called Zemana.
> >>
> >> I am using TOR browser and Zemana for years and I am familiar
> >> with the behaviour of both. The TOR I am running has just the
> >> extensions that come with it; no additional extension was
> >> installed; no plug-in is installed.
> >>
> >> I have proper licenses to run all the software, including Zemana,
> >> so no crack or other suspicious tool was ever used. Zemana is a
> >> quiet software and I can not remember about any single fake
> >> alert.
> >>
> >>
> >> Few days ago, while browsing with TOR, I got a shocking alert
> >> from Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
> >
> > Was it a website you trusted you browsed to? Did the software
> > attempt to do anything without a website loaded?
> >
> >> As Zemana allow me, I did block such screen capture and TOR
> >> crashed immediately. By this crash I understand that TOR really
> >> tried to capture my screen.
> >>
> >> I restarted TOR with a new identity, changed the identity many
> >> times but TOR repeated the same behaviour a number of times with
> >> the screen capture try-Zemana block-TOR crash. Changing the
> >> identity just does not work against such an attacker.
> >>
> >> The script functions were always blocked by NoScript 2.6.8.36.
> >>
> >> On the following days I used TOR again, without any change in my
> >> system or software, accessing the same web sites but the attack
> >> no longer took place.
> >
> > Looks like the website(s) did something.
> >
> > Maybe trying to access canvas, which the TorBrowser tried to
> > prevent. Maybe this triggered the alert.
> >
> >>
> >> I verified the MD5 signature for the TOR browser (firefox.exe)
> >> and it is unchanged, i.e, it is as distributed by torproject.org
> >>
> >> The TOR 3.6.3 was downloaded from the TOR project web site, and
> >> not from other servers. The install package
> >> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
> >> 9529C5A633CF0CF6201662CA12630A04 I have the installer in my files
> >> for any forensic work.
> >>
> >> I am sending some screens with the Zemana log, where is possible
> >> to see the TOR MD5 signature (firefox.exe;
> >> FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour
> >> ("screenlogger"), the TOR version, TOR button and the Zemana
> >> version screens, and the extensions and plug-ins existing in my
> >> TOR install (just to confirm that nothing strange is there). They
> >> are available to download here:
> >> http://www.datafilehost.com/d/dfb201d8 or
> >> https://www.sendspace.com/file/6ygdl3
> >
> > Both of the files are broken or corrupted. They can't be opened as
> > an archive on my end. The first source tries to make one download
> > an .exe file. Well you can download the zip file, without it.
> >
> > How can we be sure that your upload is safe?
> >
> >
> >> Seems that TOR has hidden server capabilities, a back door that
> >> allows a remote operator to take snapshots of the screen and possibly
> >> perform other actions (record mic, turn on the webcam, ...).
> >
> > I'm unaware of Firefox being able to activate the mic, Chrome can
> > do that. Both can access the webcam. Firefox will eventually be
> > able to activate the mic.
> >
> > It has to be ensured that those are not accessed without the user's
> > permission.
> >
> > The remote operator claim would require evidence of some sort.
> >
> > Considerably attackers want to get into systems worth getting
> > into.
> >
> >> I think TOR can protect the users from many enemies, but at the
> >> same time it is a perfect tool to attract, identify and log very
> >> specific (users) targets. This may explain also the, until now,
> >> unclear role and objectives of the US government by funding the
> >> TOR Project.
> >
> > I think they use Tor for many purposes themselves.
> >
> >> Seems that it will hardly be possible to identify such an attacker as
> >> it probably comes from the TOR network itself, but I am
> >> considering a trap/honey pot just in case this repeats.
> >>
> >>
> >> I am an enthusiast of privacy tools and TOR is not used for any
> >> kind of unlawful purposes, it is unlikely that I will attract
> >> attention from public authorities and I am not worried about any
> >> data such an attacker may eventually have had access to.
> >
> > If someone would exploit against the TorBrowser he might be trying
> > to get as many hits as possible to see if someone is a target.
> >
> >> Hope this information may help to improve the TOR community
> >> security and at some point in the future we will be able to find a
> >> solution for this back door.
> >>
> >
> > I hope this can be resolved.
> >
> > Regards, Sebastian G.
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Icedove - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJT+H6yAAoJEMwm4aUww83w7hcH/04HitX6mZ4i3qaXJHeDvAUU
> lBxtplQeSwky+jH+W5Ykf8JPpcFsBd/MUfwMCsjbUqkU3tToCg7P+k2C+7HDKSxJ
> YogC/5AdgXfGJ9HYwgm+PpjuxS0g7sC84cGu1RuwVhetH3L45TXFF6YYDEppUFAN
> 0U5TSHV8xgCMTERJ8VtCyz93DbvKGUN5kUvNuGQk/G13rndKMHmfw+UGW9fdCQU7
> ypL0/LQxVkZw5/aYPCcRe0krXz2xyCJMr9xs5gQU1Mi+UBUSF9zzxen/Ls+B+sdV
> jGp6Q9JyXAQ46YbnIZWNv7BLrxK5BSrOyVhrSoy+lnihnoPJu6dJq/ZyCnreAOg=
> =r5p5
> -----END PGP SIGNATURE-----
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
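The checks Anton runs by hand in the quoted post (is the file a plausible size, does its hash match the published one, does the detached signature verify) collected into one script. This is an added example, not code from the thread or from the Tor Project; the file contents, expected hash and key fingerprint it uses are constructed placeholders, and the signature step assumes `gpg` is installed and that the expected signing-key fingerprint was obtained from a channel other than the download site.

```sh
#!/bin/sh
# Added example (not from the thread): sanity checks for a downloaded installer,
# mirroring what Anton did by hand: plausible size, SHA-256 against a published
# value, and a detached OpenPGP signature tied to a fingerprint obtained out of band.

# Succeeds when FILE is at least MIN_BYTES long. A 323-byte "installer" fails here.
check_min_size() {
  file="$1"; min_bytes="$2"
  actual=$(wc -c < "$file" | tr -d ' ')
  [ "$actual" -ge "$min_bytes" ]
}

# Succeeds when the SHA-256 of FILE equals EXPECTED (hex, either case).
check_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')   # macOS/BSD fallback
  fi
  [ "$actual" = "$expected" ]
}

# Succeeds only when gpg reports VALIDSIG for SIG over FILE *and* the signing key's
# fingerprint is KEY_FPR. "Good signature" alone is not enough: any key in your
# keyring produces it. KEY_FPR must come from a trusted channel, not the download site.
check_signature() {
  file="$1"; sig="$2"; key_fpr="$3"
  gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
    grep -q "^\[GNUPG:\] VALIDSIG $key_fpr "
}

# Runs all checks in order; the signature step is skipped when no SIG is given.
# usage: verify_download FILE MIN_BYTES EXPECTED_SHA256 [SIG KEY_FPR]
verify_download() {
  file="$1"; min_bytes="$2"; expected="$3"; sig="$4"; key_fpr="$5"
  if ! check_min_size "$file" "$min_bytes"; then
    echo "FAIL: $file is smaller than $min_bytes bytes"; return 1
  fi
  if ! check_sha256 "$file" "$expected"; then
    echo "FAIL: SHA-256 of $file does not match the published value"; return 1
  fi
  if [ -n "$sig" ] && ! check_signature "$file" "$sig" "$key_fpr"; then
    echo "FAIL: no valid signature from key $key_fpr over $file"; return 1
  fi
  echo "OK: $file passed all checks"
}

# Demo on constructed data: a 17-byte file stands in for the undersized download in
# the thread; the expected hash is a placeholder, so the file is rejected.
demo=$(mktemp)
printf 'not an installer\n' > "$demo"
if verify_download "$demo" 1000000 "PLACEHOLDER_EXPECTED_SHA256"; then
  echo "demo: accepted"
else
  echo "demo: rejected, as an undersized or mismatching download should be"
fi
rm -f "$demo"
```

The size check is deliberately first: it is the cheapest test and would have caught the 323-byte file in the `dist/` directory before any hashing. The thread compares MD5 values; MD5 is no longer collision-resistant, so a published SHA-256 plus a signature from a key whose fingerprint you already trust is the combination worth insisting on.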