Security
Internet censorship and OONI
Internet "censorship" is often associated with repressive governments filtering the traffic of their citizens, but it goes well beyond that. Internet service providers sometimes filter—or alter—the traffic that they carry, companies restrict employees based on keywords and URLs, courts naïvely order certain URLs to be blocked, and so on. But it is difficult for any particular internet user to know just what it is they can't get at. That problem is what the Tor Open Observatory of Network Interference (OONI) project is hoping to help solve.
The overall goal for the OONI project is "to collect data which shows an accurate representation of network interference on the Filternet we call the internet", according to the web site. One obvious, though time consuming, way to do that is to gather information from multiple different "locations" on the internet, and that is what OONI has set out to do. Of course, the OONI project itself can only reach out so far, so the intent is to enlist other participants—essentially "crowdsourcing" the data collection.
There are other internet censorship tracking projects—Google's Transparency Report and Herdict for example—but the OONI project's README notes that other efforts either use a closed methodology or closed software. As befits a Tor project, though, OONI is fully open source. No top-level LICENSE file for OONI is present at the moment, but one would guess it will be similar to Tor's permissive license.
The core piece (ooni-probe) is written as a framework in Python, with an eye toward contributions of additional tests (called "plugoos") and reports. "Tests" are meant to detect censorship events by comparing the results obtained locally with some kind of experimental control. That control could be obtained via the Tor network, for example, or via some other means. The tests can use various kinds of "assets", which might include lists of URLs, IP addresses and ports, or keywords, as their input. Current tests include checking that Tor bridges are functioning, determining whether HTTP "Host" field filtering is occurring, checking for DNS tampering, doing address and port scans, detecting Squid proxies, and so on.
While there are plenty of tests that could be added, seemingly the area needing the most attention right now is the "reports". Currently, test failures are essentially just written to an unstructured text log file, which can be stored locally or uploaded to a server. Tools to interpret the data and to provide higher-level visualizations of the types and locations of internet censorship are planned.
While the OONI code is under heavy development, the project can already claim some successes. ooni-probe was used to detect eight blocked web sites for internet users in Bethlehem, West Bank. The probe scanned more than one million sites and found that users are blocked from eight news sites "whose reporting is critical of [Palestinian Authority] President Mahmoud Abbas".
In addition, ooni-probe found that T-Mobile USA's Web Guard "feature" blocks access to much more than the advertised categories. In particular, sites for Tor, the Internet Archive WaybackMachine, Chinese sports news, French economics and financial news, a Japanese URL shortener, and many others were blocked though they didn't fall into any of the listed categories: "Alcohol, Mature Content, Violence, Drugs, Pornography, Weapons, Gambling, Suicide, Guns, Hate, Tobacco, Ammunition".
OONI is just getting started, but it is clearly a welcome addition to the internet landscape. In order for John Gilmore's famous quote ("The Net interprets censorship as damage and routes around it"—which seems to be an informal slogan for OONI) to be true, the internet, or really its users and operators, must be aware of where that censorship is occurring and how it is being applied. With tools like OONI (and the others, though it's unclear why they aren't more transparent), routing around that censorship will be easier. The free flow of information on the internet depends on being able to do so.
Brief items
Security quotes of the week
Yes and no. It correctly detects that your /sbin/init is something hideous and nasty, but fails to realise that it's something hideous and nasty that Fedora ships 8)
An important PHP security update
PHP 5.3.12 and 5.4.2 have been released to fix a nasty security hole that was disclosed somewhat sooner than planned. Essentially, it allows any remote attacker to pass command-line arguments to the PHP interpreter behind a web page—but only in the (hopefully rare) setups where PHP is invoked via the CGI mechanism. "If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not."
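The mechanism behind this item (and the php entry in the vulnerability list below) is the CGI "indexed query" rule: a query string with no unencoded "=" is split on "+", URL-decoded and handed to the CGI program as command-line arguments, which is how "?-s" reaches php-cgi as its -s option. As an added defender-side illustration that is not code from the page or from the PHP project, this Python check runs over Apache combined-format access log lines (constructed samples embedded below) and flags requests whose query string would have become php-cgi options, so the probe described above can be spotted in logs after the fact.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from any real
# server). Line 1 is the ?-s probe quoted in the item; line 3 is the same
# probe with the dash percent-encoded; lines 2 and 4 are benign controls.
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5123 "-" "curl/7.22"
203.0.113.5 - - [07/May/2012:10:00:02 +0000] "GET /index.php?page=-s HTTP/1.1" 200 812 "-" "curl/7.22"
198.51.100.7 - - [07/May/2012:10:00:03 +0000] "GET /index.php?%2Ds+foo HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2012:10:00:04 +0000] "GET /index.php?search+term HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, method, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def indexed_query_argv(query):
    """Return the argv a CGI server would build from QUERY_STRING, or None.

    Per RFC 3875 section 4.4, only a query containing no unencoded '=' is
    treated as an indexed query: it is split on '+' and each word is
    URL-decoded into a command-line argument. A query with '=' is passed to
    PHP as GET parameters only, so it cannot carry interpreter options.
    """
    if not query or "=" in query:
        return None
    return [unquote(word) for word in query.split("+")]


def cgi_option_injection_hits(log_text):
    """Flag requests to PHP scripts whose indexed query yields an option-like argv."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if "php" not in path.lower():  # /foo.php and /cgi-bin/php-cgi style paths
            continue
        argv = indexed_query_argv(query)
        if argv and any(arg.startswith("-") for arg in argv):
            hits.append({"ip": m.group("ip"), "path": path, "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in cgi_option_injection_hits(SAMPLE_LOG):
        print(hit)
```

A hit only proves that a request of the vulnerable shape arrived, not that the server was running PHP under mod_cgi; the "?-s" check quoted in the item answers that question.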
Linux Format censored over 'Learn to Hack' feature (bit-tech)
Bit-tech reports that Barnes & Noble pulled the last issue of Linux Format magazine because of an article featuring hacking techniques. "Issue 154 of Linux Format magazine had as its cover feature a piece entitled 'Learn to Hack,' walking readers through the use of the Metasploit Framework exploitation toolkit to gain access to computer systems running a variety of operating systems. The article also covered password cracking, network sniffing, and man-in-the-middle attacks over encrypted protocols. More importantly, the guide also covered how best to protect your systems from the self-same attacks, providing readers with information that the publication hoped would help keep them safe from the ne'er-do-wells inhabiting the seedier sides of the net." Future, Linux Format's parent company, has made the article available online.
New vulnerabilities
argyllcms: code execution
| Package(s): | argyllcms | CVE #(s): | CVE-2012-1616 |
| Created: | May 7, 2012 | Updated: | June 19, 2012 |
| Description: | From the Red Hat bugzilla: A use-after-free vulnerability was found in the way icclib, a library used for reading and writing of color profile files that conform to the International Color Consortium (ICC) Profile Format Specification, processed certain crafted ICC profile files. The ICC Profile Format is a cross-platform device profile format that can be used to translate color data created on one device into another device's native color space. A remote attacker could provide a specially crafted file and trick a local user into opening it, which could lead to arbitrary code execution with the privileges of the user running an application linked against icclib. |
| Alerts: | |
asterisk: denial of service
| Package(s): | asterisk | CVE #(s): | CVE-2012-2416 |
| Created: | May 4, 2012 | Updated: | May 9, 2012 |
| Description: | From the CVE entry: chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel. |
| Alerts: | |
flash-player: code execution
| Package(s): | flash-player | CVE #(s): | CVE-2012-0779 |
| Created: | May 7, 2012 | Updated: | May 23, 2012 |
| Description: | From the SUSE advisory: Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012. |
| Alerts: | |
horizon: multiple vulnerabilities
| Package(s): | horizon | CVE #(s): | CVE-2012-2094 CVE-2012-2144 |
| Created: | May 7, 2012 | Updated: | May 9, 2012 |
| Description: | From the Matthias Weckbecker discovered a cross-site scripting (XSS) vulnerability in Horizon via the log viewer refresh mechanism. If a user were tricked into viewing a specially crafted log message, a remote attacker could exploit this to modify the contents or steal confidential data within the same domain. (CVE-2012-2094) Thomas Biege discovered a session fixation vulnerability in Horizon. An attacker could exploit this to potentially allow access to unauthorized information and capabilities. (CVE-2012-2144) |
| Alerts: | |
kernel: denial of service
| Package(s): | linux | CVE #(s): | CVE-2012-2100 |
| Created: | May 8, 2012 | Updated: | December 19, 2012 |
| Description: | From the Ubuntu advisory: A flaw was found in the Linux kernel's ext4 file system when mounting a corrupt filesystem. A user-assisted remote attacker could exploit this flaw to cause a denial of service. |
| Alerts: | |
mahara: insecure default/privilege escalation
| Package(s): | mahara | CVE #(s): | |
| Created: | May 9, 2012 | Updated: | May 9, 2012 |
| Description: | From the Debian advisory: It was discovered that Mahara, the portfolio, weblog, and resume builder, had an insecure default with regards to SAML-based authentication used with more than one SAML identity provider. Someone with control over one IdP could impersonate users from other IdPs. |
| Alerts: | |
mozilla-https-everywhere: no SSL switch for some URLs
| Package(s): | mozilla-https-everywhere | CVE #(s): | |
| Created: | May 3, 2012 | Updated: | May 9, 2012 |
| Description: | From the Tor bug entry: If you go to a URL such as http://www.google.com./ HTTPS-Everywhere will *not* switch to HTTPS. This is a legal DNS value, technically but not practically distinct from http://www.google.com/ and as such, it should be handled similarly. [...] (it would allow an active attacker to perform Firesheep-style cookie stealing against accounts on sites that HTTPS Everywhere protects with domain-wide redirects, if the ruleset does not also have a <securecookie> directive) |
| Alerts: | |
openconnect: denial of service
| Package(s): | openconnect | CVE #(s): | |
| Created: | May 7, 2012 | Updated: | May 9, 2012 |
| Description: | Version 3.18 of openconnect, a client for Cisco's "AnyConnect" VPN, fixes a potential buffer overrun when handling the greeting banner from the server. This update also fixes a potential crash when processing libproxy results. |
| Alerts: | |
php: code execution
| Package(s): | php5 | CVE #(s): | CVE-2012-2311 CVE-2012-1823 |
| Created: | May 7, 2012 | Updated: | July 2, 2012 |
| Description: | From the Ubuntu advisory: It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Configurations using mod_php5 and FastCGI were not vulnerable. |
| Alerts: | |
python3: multiple vulnerabilities
| Package(s): | python3 | CVE #(s): | CVE-2012-1150 CVE-2012-0845 CVE-2011-3389 |
| Created: | May 3, 2012 | Updated: | November 12, 2014 |
| Description: | From the Fedora advisory: Bug #750555 - CVE-2012-1150 python: hash table collisions CPU usage DoS (oCERT-2011-003) https://bugzilla.redhat.com/show_bug.cgi?id=750555; Bug #789790 - CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request https://bugzilla.redhat.com/show_bug.cgi?id=789790; Bug #812068 - python: SSL CBC IV vulnerability (CVE-2011-3389, BEAST) https://bugzilla.redhat.com/show_bug.cgi?id=812068 |
| Alerts: | |
Page editor: Jake Edge