
Security

GUADEC: Imagining Tor built-in to GNOME

By Nathan Willis
August 8, 2012

Jacob Appelbaum of the Tor project delivered the opening keynote at GUADEC 2012 in A Coruña, Spain, tackling better anonymity on the desktop. Appelbaum outlined the design of Tor, discussed statistics about the Tor network, and spoke about its future. One of his more interesting suggestions was that GNOME and other user environments could build in Tor support as a standard networking option. That would make Tor easier to use, and would provide the user with several peripheral benefits.

Tor, anonymity, and you

Tor is widely known these days, but Appelbaum gave a brief overview of the system's protocol and network design, highlighting some frequently-overlooked facets of the project. First, he said, Tor is larger than most people realize. It employs more than a dozen developers and receives additional help from around 100 volunteer coders. The developer-power is critical to Tor's success, he said, as almost any bug in the code turns into a security bug. At a given moment, it averages around 3,000 active relays, 400,000 users, and handles 1.2 GiB/s of traffic. Tor is a non-profit organization, and may be unique in that it receives funding from both the Electronic Frontier Foundation (EFF) and the U.S. Department of Defense.

[Appelbaum]

Tor's mission is often misunderstood, too. Although it provides a means of securing communication channels, its primary function is as an anonymity tool. Anonymity comes in a variety of types, he said, but the core idea is "trying to be free from surveillance and censorship". Tor gives you one thing off the bat, he said: an anonymous IP address. Everything else is your choice from there. The WiFi at the venue blocked SSH connections, Appelbaum said, so he needed to tunnel over Tor to connect to his servers. That represents one type of anonymity: freedom from network administrators inspecting your traffic.

A different type of anonymity might be signing in to GMail over Tor in order to hide your geographic location. In that case, you still authenticate to Google, so the company knows who you are, but you do not have to reveal where you are simultaneously. The US government asserts that individuals have no reasonable expectation of privacy when voluntarily interacting with a business, including increasingly common web tracking techniques. Appelbaum showed an EFF diagram illustrating privacy risks from numerous angles, including "black hat" hackers, system administrators, lawyers, law enforcement, and even government agencies.

For each of those potential privacy foes, there are times when an activity that would be innocuous otherwise becomes risky because someone is monitoring your communication. The question for a project like GNOME, he said, is "how free is your desktop if you're not able to freely interact with others?" Although some assume that online anonymity is only the concern of "bad people", he said, that is "a bit of a white privilege issue". Censorship is quite widespread and in practice it affects "good" people as much as anyone else, a fact he illustrated with a collection of error page screenshots from government and private networks that block access to Tor project sites.

The Tor project's solution is to build a network that offers "privacy by design" rather than by policy. Policies are hard to enforce and are subject to human error and bad actors. Tor makes network connections private in a number of ways. Once every hour, the project's trusted directory relays re-map the entire network. Clients retrieve the latest version of the map (thus limiting the potential time window of a widespread attack). Once every ten minutes, clients select a new route through the Tor network for their traffic channels (thus helping to protect them against analysis from within the network). Each route through the Tor network is encrypted separately between each pair of nodes along the route (so that the first node knows the originating address but not the destination, the exit node knows the destination but not the origin, and the intermediary nodes know neither).
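The per-hop view described above (the first node sees the origin but not the destination, the exit sees the destination but not the origin, the middle sees neither) follows from the layering of the encryption rather than from any policy. The following Python toy, added here as an illustration and not code from the Tor project or from the talk, builds a three-layer "onion" and lets each relay peel exactly one layer. The stream cipher, the relay names, the framing format and the session keys are all constructed for the demonstration; real Tor uses AES in counter mode with keys negotiated per hop, and this toy cipher must not be used for anything else.

```python
import hashlib
import secrets
import struct

# Toy keyed stream cipher, used only to make the layering visible. It is not
# Tor's cryptography: the keystream is SHA-256(key || counter) XORed onto the
# data. Assumption for this example only; never use it for real data.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it

def _frame(next_hop: str, inner: bytes) -> bytes:
    """Body of one layer: length-prefixed next-hop name, then the inner blob."""
    name = next_hop.encode()
    return struct.pack(">H", len(name)) + name + inner

def _unframe(blob: bytes):
    (n,) = struct.unpack(">H", blob[:2])
    return blob[2:2 + n].decode(), blob[2 + n:]

def build_onion(route, keys, destination: str, payload: bytes) -> bytes:
    """Client side. route = [guard, middle, exit]; keys[name] is the key the
    client shares with that relay. The innermost (exit) layer is wrapped first,
    so only the exit's layer carries the destination."""
    blob = toy_encrypt(keys[route[-1]], _frame(destination, payload))
    for i in range(len(route) - 2, -1, -1):
        blob = toy_encrypt(keys[route[i]], _frame(route[i + 1], blob))
    return blob

def relay_peel(key: bytes, blob: bytes):
    """What one relay does: strip its own layer and learn only the next hop."""
    return _unframe(toy_decrypt(key, blob))

def run_circuit(route, keys, destination: str, payload: bytes):
    """Push the cell through every relay and record what each one could see.
    Returns (destination as seen by the exit, plaintext at the exit, views)."""
    blob = build_onion(route, keys, destination, payload)
    views = {}
    prev = "client"
    for name in route:
        next_hop, blob = relay_peel(keys[name], blob)
        views[name] = {"prev_hop": prev, "next_hop": next_hop}
        prev = name
    return next_hop, blob, views

if __name__ == "__main__":
    route = ["guard", "middle", "exit"]
    keys = {name: secrets.token_bytes(32) for name in route}  # constructed session keys
    dest, data, views = run_circuit(route, keys, "example.org:443", b"GET / HTTP/1.1")
    for name in route:
        print(f"{name:6s} sees prev={views[name]['prev_hop']:7s} next={views[name]['next_hop']}")
    print("exit delivers", data, "to", dest)
```

The `views` dictionary is the point of the exercise: the guard records `client` and `middle`, the middle records `guard` and `exit`, and only the exit ever sees `example.org:443`. The hourly directory refresh and the ten-minute circuit rotation mentioned in the talk are separate mechanisms that limit how long any one relay keeps even this partial view.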

A censor could attempt to block all access to Tor by retrieving the network directory and blocking the entry points by IP address, so the project also runs hidden "bridge relays" that are unlisted. Users can fetch a short list of bridge relays via email or through a CAPTCHA-protected web form. The email method requires using an address from gmail.com or yahoo.com, which the project says helps make it more difficult for attackers to discover a significant number of bridges.

Tor statistics

Tor's pervasive anonymity makes it difficult to profile or monitor the network as a whole, Appelbaum said, but the project uses data mining to take snapshots and keep an eye on performance. Tor's total bandwidth and latency have improved significantly since 2010, he said. Back then, the median time to complete a request was approximately 25 seconds. In 2012, it is down to 2.5 seconds. Total maximum bandwidth has increased in the same time period from 500 to 2500 MiB/s.

The primary reason for the increase has been a significant uptick in the number of volunteers serving as Tor nodes — a change that has corresponded with the "Arab spring" upheavals in the Middle East. Based on analysis of the Tor network, the events in the Middle East have been followed quickly by a spike in new participants, and the network does not taper back down to its pre-spike size.

Which is not to say that there are never incidents of downticks in the Tor network. The project can detect sudden acts of censorship by examining metrics of the Tor network as well as traffic to its own domain. For example, in February 2012, Kazakhstan deployed protocol inspection and began blocking access to Tor. It was without doubt an expensive operation, Appelbaum said, even though the total number of users in the country was around 1200.

Nevertheless, the project is actively working on ways to circumvent such censorship actions. There is already an "obfuscated bridge" option, in which the bridge relay and the Tor client fake what appears to be a standard Firefox-to-Apache handshake. There are other options still in development, including steganographic handshakes. But outright censorship is probably not the wave of the future, Appelbaum said. The government in Syria has learned that it is more effective to watch who accesses sites that it finds objectionable than it is to block access to them across the board, and the U.S. government prefers to use U.S. law to suppress people over any purely technological measures.

The onion gnome?

The Tor network is healthy, Appelbaum said, but the tools to access it still need some work. Tor's own Vidalia application may have a dreadful UI, he said, but it is much better than it was five years ago. He highlighted several excellent projects, such as the Pidgin IM client (which has built-in support for Tor) and the TorBirdy extension for Mozilla Thunderbird, but argued that it would be better for the user if the functionality to use Tor was built into the operating system itself. After all, that option would require solving the anonymity problem once, rather than 50 times.

The option for GNOME would be to add support for Tor as a transport in Network Manager, much like VPNs are offered today. It might also be useful if an application could request a "private mode," which would activate the Tor connection and otherwise sandbox the process (both to protect against malicious content coming in, and to prevent the application from intentionally or accidentally leaking information about the local system over the connection). This would take some work to implement, he said, because Network Manager today does not "fail closed" — a fact that can be illustrated by its current VPN support. Applications using the VPN connection continue to function even when the VPN goes down, because Network Manager simply routes traffic through the existing network.

Built-in Tor functionality would come in handy in other ways, too, he said, such as with GNOME's "guest sessions." As it is now, anything a guest does while running in a guest session can be traced back to the computer — and the user needs to ask if that is something that he or she wants. It would be better if Tor automatically anonymized guest sessions for the user's protection.

He mentioned several other changes that GNOME could make to offer a more complete privacy-respecting environment for its users. One was allowing the user control over the Zeitgeist activity logger, which he said amounted to spyware if the user has not agreed to it. At the very least it should be encrypted and subject to user control. Zeitgeist developer Seif Lotfy is currently working on a "privacy panel" for GNOME, which Appelbaum suggested would be a good fit.

Appelbaum surveyed friends and colleagues about what to tell GUADEC attendees, and they provided three other suggestions. First, implement off-the-record (OTR) messaging in Empathy. Second, implement a fake-MAC-address generator, to keep a machine's real MAC address safe from monitoring on guest networks. Third, implement a Tor-based file transfer method in Telepathy.

Despite the list of feature requests, Appelbaum had plenty of good things to say about GNOME as well, in part because it has formed the basis for several good outside projects that offer anonymity and privacy tools. One example is the Tails live CD distribution, which is configured to use Tor for Internet connections out-of-the-box.

It remains to be seen whether GNOME will actually implement Tor as a Network Manager transport — it is clearly too late for inclusion in the 3.6 release currently in development. But over the course of the week, several GUADEC attendees were still discussing the idea, and it was mentioned in numerous personal blog posts about the event on Planet GNOME. Appelbaum certainly succeeded in raising the question of built-in privacy with the crowd, which could impact GNOME (and other open source projects) further down the line.

[The author would like to thank the GNOME Foundation for travel assistance to A Coruña for GUADEC.]

Comments (4 posted)

Brief items

Security quotes of the week

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
-- Mat Honan

A key impact of CGNs [Carrier Grade NAT] is that if you want to trace back “who did that” you may need to have recorded not only an IP address and an accurate timestamp, but also to be able to provide the source port of the connection. Failure to provide the source port will mean that an ISP using CGN will not be able to do any tracing, because they will be unable to distinguish between hundreds of possible perpetrators.
-- Richard Clayton
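The tracing problem Clayton describes can be made concrete with a few lines of code. The example below, added here and not part of the quoted text or of any ISP's tooling, parses a constructed carrier-grade NAT translation log (the format, addresses and timestamps are all made up for the illustration) and answers the "who did that" question first with only a public IP and a timestamp, then with the source port as well.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed CGN translation log (not real data). One mapping per line:
#   start  end  subscriber_private_addr  shared_public_addr:port
SAMPLE_NAT_LOG = """\
# start                     end                         internal     external
2012-08-01T09:58:00+00:00  2012-08-01T10:05:00+00:00  100.64.0.11  203.0.113.7:40001
2012-08-01T09:59:30+00:00  2012-08-01T10:02:00+00:00  100.64.0.12  203.0.113.7:40002
2012-08-01T10:00:10+00:00  2012-08-01T10:20:00+00:00  100.64.0.13  203.0.113.7:40003
2012-08-01T10:30:00+00:00  2012-08-01T10:31:00+00:00  100.64.0.14  203.0.113.7:40001
"""

@dataclass(frozen=True)
class NatMapping:
    start: datetime
    end: datetime
    internal: str        # subscriber's private (CGN-side) address
    external_ip: str     # public address shared by many subscribers
    external_port: int   # the port that makes the mapping unique at one instant

def parse_nat_log(text: str):
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, internal, external = line.split()
        ext_ip, ext_port = external.rsplit(":", 1)
        mappings.append(NatMapping(datetime.fromisoformat(start),
                                   datetime.fromisoformat(end),
                                   internal, ext_ip, int(ext_port)))
    return mappings

def trace_back(mappings, external_ip: str, when_iso: str, external_port=None):
    """Subscribers that could have originated a connection observed from
    external_ip at time when_iso. Without external_port the answer is normally
    a set of several candidates; with it, ideally exactly one."""
    when = datetime.fromisoformat(when_iso)
    hits = set()
    for m in mappings:
        if m.external_ip != external_ip or not (m.start <= when <= m.end):
            continue
        if external_port is not None and m.external_port != external_port:
            continue
        hits.add(m.internal)
    return hits

MAPPINGS = parse_nat_log(SAMPLE_NAT_LOG)

if __name__ == "__main__":
    t = "2012-08-01T10:01:00+00:00"
    print("ip + time only:     ", sorted(trace_back(MAPPINGS, "203.0.113.7", t)))
    print("ip + time + port:   ", sorted(trace_back(MAPPINGS, "203.0.113.7", t, 40002)))
    print("same port, later on:", sorted(trace_back(MAPPINGS, "203.0.113.7",
                                                    "2012-08-01T10:30:30+00:00", 40001)))
```

Two things the sample makes visible: with only the address and a timestamp, three subscribers are candidates; and port 40001 is reused by a different subscriber half an hour later, so the timestamp must be accurate as well, and the complaining party and the ISP need to agree on the time zone and clock source before either record is useful.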

Comments (none posted)

Walsh: SELinux Apache Security Study

On his blog, Dan Walsh writes about a study done by Kirill Ermakov about SELinux as applied to a vulnerable Apache web server. The study found that even with SELinux protections, an attacker could still read /etc/passwd. Walsh: "This points out what most people do not understand about SELinux. SELinux does not necessarily block errors in applications from happening. SELinux will just contain them. If you are able to subvert the Apache application then you can become the Apache application and will have the rights allowed to the apache application. In his examples he was able to take over the Apache server and do what an apache server needs to do, including reading the /etc/passwd file." Walsh goes on to list several other things that could have been tested as they would be blocked by the SELinux rules (e.g. connecting to the mail port, reading random user files). In addition, he points out some ways that administrators could increase the SELinux containment of a web server.

Comments (none posted)

New vulnerabilities

auditlog-keeper: information disclosure

Package(s):auditlog-keeper CVE #(s):CVE-2012-0421
Created:August 7, 2012 Updated:August 8, 2012
Description: From the SUSE advisory:

/etc/auditlog-keeper.conf was world-readable and contains various passwords.
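A world-readable file holding passwords is easy to detect before an advisory has to be written. The Python audit below is an added example, not part of the SUSE advisory or of auditlog-keeper; it flags files that are both readable by "other" and contain keys that look like credentials, reports only the key names (never the values), and applies the usual remediation of dropping group and other permission bits. The sample files, their names and contents are constructed in a temporary directory so the script runs anywhere; the key-name pattern is an assumption about common configuration styles.

```python
import os
import re
import stat
import tempfile

# Key names that usually hold credentials. Only the names are reported,
# never the values, so the audit output itself cannot leak a secret.
CREDENTIAL_KEY = re.compile(
    r"^\s*([\w.-]*(?:pass(?:wd|word)?|secret|token|api_?key)[\w.-]*)\s*[=:]",
    re.IGNORECASE | re.MULTILINE)

def world_readable(path: str) -> bool:
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def credential_keys(path: str):
    with open(path, "r", errors="replace") as f:
        return sorted({m.group(1) for m in CREDENTIAL_KEY.finditer(f.read())})

def audit(paths):
    """Files that are both world-readable and appear to contain credentials."""
    findings = []
    for p in paths:
        keys = credential_keys(p)
        if keys and world_readable(p):
            findings.append({"path": p, "keys": keys})
    return findings

def restrict(path: str) -> None:
    """Remediation: clear group/other bits, keep the owner's bits as they are."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IRWXG | stat.S_IRWXO))

def demo():
    # Constructed files in a private temp directory; not real configuration.
    d = tempfile.mkdtemp()
    leaky = os.path.join(d, "auditlog-keeper.conf")   # mimics a 0644 config
    with open(leaky, "w") as f:
        f.write("[database]\nhost = db.internal\ndb_password = not-a-real-secret\n")
    os.chmod(leaky, 0o644)
    quiet = os.path.join(d, "locked.conf")            # credentials, but 0600
    with open(quiet, "w") as f:
        f.write("api_token: also-constructed\n")
    os.chmod(quiet, 0o600)
    before = audit([leaky, quiet])
    restrict(leaky)
    after = audit([leaky, quiet])
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The permission check is only the cheap half of the problem: a process that reads the file still has to run as the owner or a permitted group, which is exactly the kind of constraint that package post-install scripts and configuration management should set, and that this kind of audit should run after.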

Alerts:
SUSE SUSE-SU-2012:0958-1 auditlog-keeper 2012-08-06

Comments (none posted)

bind-dyndb-ldap: named assertion failure

Package(s):bind-dyndb-ldap CVE #(s):CVE-2012-3429
Created:August 3, 2012 Updated:August 17, 2012
Description: From the Red Hat advisory:

A flaw was found in the way bind-dyndb-ldap performed the escaping of names from DNS requests for use in LDAP queries. A remote attacker able to send DNS queries to a named server that is configured to use bind-dyndb-ldap could use this flaw to cause named to exit unexpectedly with an assertion failure.

Alerts:
Scientific Linux SL-bind-20120803 bind-dyndb-ldap 2012-08-03
Oracle ELSA-2012-1139 bind-dyndb-ldap 2012-08-03
CentOS CESA-2012:1139 bind-dyndb-ldap 2012-08-03
Red Hat RHSA-2012:1139-01 bind-dyndb-ldap 2012-08-03
Fedora FEDORA-2012-11470 bind-dyndb-ldap 2012-08-17
Fedora FEDORA-2012-11464 bind-dyndb-ldap 2012-08-17

Comments (none posted)

dhcp: denial of service

Package(s):dhcp CVE #(s):CVE-2012-3570
Created:August 2, 2012 Updated:August 8, 2012
Description:

From the Red Hat bugzilla entry:

An unexpected client identifier parameter can cause the ISC DHCP daemon to segmentation fault when running in DHCPv6 mode, resulting in a denial of service to further client requests. In order to exploit this condition, an attacker must be able to send requests to the DHCP server.

Alerts:
Gentoo 201301-06 dhcp 2013-01-09
Mageia MGASA-2012-0256 dhcp 2012-09-07
Fedora FEDORA-2012-11079 dhcp 2012-08-01
openSUSE openSUSE-SU-2012:1006-1 update 2012-08-20
Fedora FEDORA-2012-11110 dhcp 2012-08-06

Comments (none posted)

ecryptfs-utils: privilege escalation

Package(s):ecryptfs-utils CVE #(s):CVE-2012-3409
Created:August 3, 2012 Updated:August 8, 2012
Description: From the Red Hat bugzilla:

It was reported that the private ecryptfs mount helper (/sbin/mount.ecryptfs_private), which is setuid-root, could allow an unprivileged local user to mount user-controlled ecryptfs shares on the local system. Because the ecryptfs helper does not mount filesystems with the "nosuid" and "nodev" flags, it would be possible for a user to mount a filesystem containing setuid-root binaries and/or device files that could lead to the escalation of their privileges. This could be done via a USB device, if the user had physical access to the system.

Alerts:
Fedora FEDORA-2012-11049 ecryptfs-utils 2012-08-03
Fedora FEDORA-2012-11069 ecryptfs-utils 2012-08-03

Comments (none posted)

fckeditor: cross-site scripting

Package(s):fckeditor CVE #(s):CVE-2012-4000
Created:August 6, 2012 Updated:November 24, 2015
Description: From the Debian advisory:

Emilio Pinna discovered a cross site scripting vulnerability in the spellchecker.php page of FCKeditor, a popular html/text editor for the web.

Alerts:
Fedora FEDORA-2015-a275fd68f2 zarafa 2015-11-23
Debian DSA-2522-1 fckeditor 2012-08-06

Comments (none posted)

globus-gridftp-server: privilege escalation

Package(s):globus-gridftp-server CVE #(s):CVE-2012-3292
Created:August 7, 2012 Updated:August 8, 2012
Description: From the Debian advisory:

It was discovered that the GridFTP component from the Globus Toolkit, a toolkit used for building Grid systems and applications, performed insufficient validation of a name lookup, which could lead to privilege escalation.

Alerts:
Debian DSA-2523-1 globus-gridftp-server 2012-08-06

Comments (none posted)

glpi: multiple vulnerabilities

Package(s):glpi CVE #(s):
Created:August 6, 2012 Updated:August 8, 2012
Description: GLPI 0.83.4 fixes several issues. See the glpi changelog for details.
Alerts:
Fedora FEDORA-2012-10661 glpi-pdf 2012-08-05
Fedora FEDORA-2012-10661 glpi-mass-ocs-import 2012-08-05
Fedora FEDORA-2012-10661 glpi-data-injection 2012-08-05
Fedora FEDORA-2012-10661 glpi 2012-08-05

Comments (none posted)

graphicsmagick: unspecified vulnerability

Package(s):graphicsmagick CVE #(s):
Created:August 3, 2012 Updated:August 8, 2012
Description: From the Mageia advisory:

This update fixes a security issue in the SetImageAttribute function in magick/attribute.c related to translating comment and label attributes when loading images. It was fixed upstream in GraphicsMagick 1.3.16.

Alerts:
Mageia MGASA-2012-0192 graphicsmagick 2012-08-02

Comments (none posted)

icinga: unintended database access

Package(s):icinga CVE #(s):CVE-2012-3441
Created:August 8, 2012 Updated:August 8, 2012
Description: From the openSUSE advisory:

icinga-create_mysqldb.sh granted icinga access to all dbs - so please check the permissions of your mysql icinga user

Alerts:
openSUSE openSUSE-SU-2012:0968-1 icinga 2012-08-08

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2012-3430
Created:August 6, 2012 Updated:October 3, 2012
Description: From the Red Hat bugzilla:

Two similar issues:

1) Reported by Jay Fenlason and Doug Ledford: recvfrom() on an RDS socket can disclose sizeof(struct sockaddr_storage)-sizeof(struct sockaddr_in) bytes of kernel stack to userspace when receiving a datagram.

2) Reported by Jay Fenlason: recv{from,msg}() on an RDS socket can disclose sizeof(struct sockaddr_storage) bytes of kernel stack to userspace when other code paths are taken.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Oracle ELSA-2013-2546 enterprise kernel 2013-09-17
Oracle ELSA-2013-2546 enterprise kernel 2013-09-17
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Oracle ELSA-2013-2507 kernel 2013-02-28
Oracle ELSA-2012-2038 kernel 2012-10-20
Oracle ELSA-2012-2038 kernel 2012-10-19
Oracle ELSA-2012-1323 kernel 2012-10-04
Oracle ELSA-2012-1323 kernel 2012-10-03
Scientific Linux SL-kern-20121003 kernel 2012-10-03
CentOS CESA-2012:1323 kernel 2012-10-03
Red Hat RHSA-2012:1323-01 kernel 2012-10-02
Oracle ELSA-2012-2035 enterprise kernel 2012-09-28
Oracle ELSA-2012-2035 enterprise kernel 2012-09-28
Oracle ELSA-2012-2034 kernel 2012-09-27
Oracle ELSA-2012-2034 kernel 2012-09-28
Oracle ELSA-2012-1304 kernel 2012-09-26
Scientific Linux SL-kern-20120926 kernel 2012-09-26
CentOS CESA-2012:1304 kernel 2012-09-26
Red Hat RHSA-2012:1304-01 kernel 2012-09-25
Ubuntu USN-1579-1 linux 2012-09-21
Ubuntu USN-1580-1 linux-ti-omap4 2012-09-21
Ubuntu USN-1578-1 linux-ti-omap4 2012-09-21
Ubuntu USN-1577-1 linux-ti-omap4 2012-09-21
Ubuntu USN-1575-1 linux-lts-backport-oneiric 2012-09-19
Ubuntu USN-1574-1 linux-lts-backport-natty 2012-09-19
Ubuntu USN-1573-1 linux-ec2 2012-09-18
Ubuntu USN-1572-1 linux 2012-09-18
Ubuntu USN-1568-1 linux 2012-09-14
Ubuntu USN-1567-1 linux 2012-09-14
Red Hat RHSA-2012:1491-01 kernel-rt 2012-12-04
Mageia MGASA-2012-0237 kernel 2012-08-23
Fedora FEDORA-2012-11348 kernel 2012-08-05

Comments (none posted)

libreoffice: code execution

Package(s):libreoffice CVE #(s):CVE-2012-2665
Created:August 2, 2012 Updated:August 14, 2012
Description:

From the Red Hat advisory:

Multiple heap-based buffer overflow flaws were found in the way LibreOffice processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially-crafted OpenDocument Format file that, when opened in a LibreOffice application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Gentoo 201209-05 libreoffice 2012-09-24
Mageia MGASA-2012-0253 libreoffice 2012-09-04
Mandriva MDVSA-2012:124 openoffice.org 2012-08-04
Debian DSA-2520-1 openoffice.org 2012-08-02
Scientific Linux SL-open-20120802 openoffice.org 2012-08-02
Scientific Linux SL-libr-20120802 libreoffice 2012-08-02
Oracle ELSA-2012-1135 libreoffice 2012-08-02
CentOS CESA-2012:1136 openoffice.org 2012-08-02
CentOS CESA-2012:1135 libreoffice 2012-08-02
Red Hat RHSA-2012:1136-01 openoffice.org 2012-08-01
Red Hat RHSA-2012:1135-01 libreoffice 2012-08-01
Ubuntu USN-1536-1 libreoffice 2012-08-13
Fedora FEDORA-2012-11402 libreoffice 2012-08-10
Mandriva MDVSA-2012:123 libreoffice 2012-08-04
Ubuntu USN-1537-1 openoffice.org 2012-08-13

Comments (none posted)

moodle: many vulnerabilities

Package(s):moodle CVE #(s):CVE-2012-3387 CVE-2012-3388 CVE-2012-3389 CVE-2012-3390 CVE-2012-3391 CVE-2012-3392 CVE-2012-3393 CVE-2012-3394 CVE-2012-3395 CVE-2012-3396 CVE-2012-3397 CVE-2012-3398
Created:August 2, 2012 Updated:August 8, 2012
Description:

From the Red Hat bugzilla entry:

CVE-2012-3387 Moodle: MSA-12-0039: File upload validation issue

CVE-2012-3388 Moodle: MSA-12-0040: Capabilities issue through caching

CVE-2012-3389 Moodle: MSA-12-0041: XSS issue in LTI module

CVE-2012-3390 Moodle: MSA-12-0042: File access issue in blocks

CVE-2012-3391 Moodle: MSA-12-0043: Early information access issue in forum

CVE-2012-3392 Moodle: MSA-12-0044: Capability check issue in forum subscriptions

CVE-2012-3393 Moodle: MSA-12-0045: Injection potential in admin for repositories

CVE-2012-3394 Moodle: MSA-12-0046: Insecure protocol redirection in LDAP authentication

CVE-2012-3395 Moodle: MSA-12-0047: SQL injection potential in Feedback module

CVE-2012-3396 Moodle: MSA-12-0048: Possible XSS in cohort administration

CVE-2012-3397 Moodle: MSA-12-0049: Group restricted activity displayed to all users

CVE-2012-3398 Moodle: MSA-12-0050: Potential DOS attack through database activity

Alerts:
Fedora FEDORA-2012-11039 moodle 2012-08-01
Fedora FEDORA-2012-11028 moodle 2012-08-01

Comments (none posted)

python-django: multiple vulnerabilities

Package(s):python-django CVE #(s):CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
Created:August 8, 2012 Updated:December 20, 2012
Description: From the CVE entries:

The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL. (CVE-2012-3442)

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file. (CVE-2012-3443)

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image. (CVE-2012-3444)
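For CVE-2012-3442 the fix is to allow-list the scheme of a redirect target before it goes into a Location header. The function below is an added example in Python and is not Django's code (Django's own fix takes the same approach, with a list of allowed schemes on the redirect response class); the exception name, the allow-list and the normalization step are assumptions made for the illustration. The normalization matters because browsers drop tabs and newlines inside a URL and trim surrounding whitespace before parsing, so a check that looks at the raw string can be bypassed with "java\nscript:".

```python
from urllib.parse import urlsplit

class DisallowedRedirect(Exception):
    """Raised instead of emitting a Location header with an unsafe scheme."""

# Schemes a Location header may carry. A relative target (no scheme) stays on
# the current origin and is allowed as well. Assumed allow-list for this example.
ALLOWED_SCHEMES = frozenset({"http", "https"})

def _normalize(url: str) -> str:
    # Match what browsers do before parsing: strip tab/CR/LF anywhere and
    # whitespace at either end, so "java\nscript:" is seen as "javascript:".
    return "".join(ch for ch in url if ch not in "\t\r\n").strip()

def redirect_scheme(url: str) -> str:
    return urlsplit(_normalize(url)).scheme   # urlsplit lower-cases the scheme

def is_safe_redirect_target(url: str, allowed=ALLOWED_SCHEMES) -> bool:
    scheme = redirect_scheme(url)
    return scheme == "" or scheme in allowed

def redirect_location(url: str, allowed=ALLOWED_SCHEMES) -> str:
    """Value for the Location header, or DisallowedRedirect. This is the
    hardened counterpart of copying the user-supplied target straight through."""
    if not is_safe_redirect_target(url, allowed):
        raise DisallowedRedirect(f"unsafe redirect scheme: {redirect_scheme(url)!r}")
    return _normalize(url)

def rejects(url: str) -> bool:
    """Convenience for tests: True if redirect_location refuses the target."""
    try:
        redirect_location(url)
    except DisallowedRedirect:
        return True
    return False

if __name__ == "__main__":
    for target in ["https://example.org/next", "/accounts/login/",
                   "data:text/html,<script>alert(1)</script>",
                   "JaVaScRiPt:alert(1)", "java\nscript:alert(1)"]:
        print(f"{target!r:48} safe={is_safe_redirect_target(target)}")
```

Note the limits of this check: it only decides whether the scheme is acceptable. A scheme-relative target such as `//other.example/` passes as "relative" here and is the separate open-redirect question of whether the host is one you are willing to send users to.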

Alerts:
Fedora FEDORA-2012-20224 Django 2012-12-20
Ubuntu USN-1560-1 python-django 2012-09-10
Mandriva MDVSA-2012:143 python-django 2012-08-23
openSUSE openSUSE-SU-2012:0970-1 python-django 2012-08-08
Fedora FEDORA-2012-11415 Django 2012-08-10
Mageia MGASA-2012-0219 python-django 2012-08-18
Debian DSA-2529-1 python-django 2012-08-14
Fedora FEDORA-2012-11416 Django 2012-08-10

Comments (none posted)

sudo: symlink attack

Package(s):sudo CVE #(s):CVE-2012-3440
Created:August 8, 2012 Updated:August 9, 2012
Description: From the Red Hat advisory:

An insecure temporary file use flaw was found in the sudo package's post-uninstall script. A local attacker could possibly use this flaw to overwrite an arbitrary file via a symbolic link attack, or modify the contents of the "/etc/nsswitch.conf" file during the upgrade or removal of the sudo package.
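The class of bug in this advisory, a script writing to a predictable temporary name that an attacker can pre-create as a symbolic link, has a standard fix: create the temporary file with O_CREAT|O_EXCL under an unpredictable name in the target's own directory, then rename it over the target. The Python below is an added example and not the sudo package's script or its fix; it shows the vulnerable pattern next to the hardened one and exercises both against a symlink planted in a private temporary directory. All file names and contents are constructed for the demonstration.

```python
import os
import tempfile

def unsafe_write(path: str, content: str) -> None:
    """The vulnerable pattern: open a predictable path for writing. open()
    follows a symbolic link, so whatever the link points at is overwritten."""
    with open(path, "w") as f:
        f.write(content)

def safe_replace(path: str, content: str) -> None:
    """Hardened pattern: mkstemp creates a uniquely named file with
    O_CREAT|O_EXCL in the target's directory, so a pre-planted link or file
    at that name cannot be followed; rename(2) then swaps the directory
    entry itself, so a symlink sitting at `path` is replaced, never followed."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Constructed scenario: `victim` stands in for a file the script must never
    touch; `work` is the predictable temp name, with a symlink to `victim`
    planted there beforehand."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim.conf")
    work = os.path.join(d, "work.tmp")
    with open(victim, "w") as f:
        f.write("original\n")
    os.symlink(victim, work)

    unsafe_write(work, "clobbered\n")
    with open(victim) as f:
        after_unsafe = f.read()            # the link was followed

    with open(victim, "w") as f:           # reset, then use the hardened writer
        f.write("original\n")
    safe_replace(work, "new contents\n")
    with open(victim) as f:
        after_safe = f.read()              # untouched
    with open(work) as f:
        work_now = f.read()                # now a regular file with our data
    return after_unsafe, after_safe, work_now, os.path.islink(work)

if __name__ == "__main__":
    after_unsafe, after_safe, work_now, still_link = demo()
    print("victim after unsafe_write:", repr(after_unsafe))
    print("victim after safe_replace:", repr(after_safe))
    print("work.tmp after safe_replace:", repr(work_now), "symlink:", still_link)
```

The same idea applies to shell post-install and post-uninstall scripts, where `mktemp` in the target directory followed by `mv` does the work of `mkstemp` and `os.replace` here; the property to preserve is that the script never opens a path whose name an unprivileged user could have guessed in advance.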

Alerts:
CentOS CESA-2012:1149 sudo 2012-08-07
Scientific Linux SL-sudo-20120808 sudo 2012-08-08
Red Hat RHSA-2012:1149-01 sudo 2012-08-07
Oracle ELSA-2012-1149 sudo 2012-08-07

Comments (none posted)

xen: denial of service

Package(s):xen CVE #(s):CVE-2012-3432
Created:August 6, 2012 Updated:September 14, 2012
Description: From the Red Hat bugzilla:

Internal data of the emulator for MMIO operations may, under certain rare conditions, at the end of one emulation cycle be left in a state affecting a subsequent emulation such that this second emulation would fail, causing an exception to be reported to the guest kernel where none is expected.

Guest mode unprivileged (user) code, which has been granted the privilege to access MMIO regions, may leverage that access to crash the whole guest.

Only HVM guests exposing MMIO ranges to unprivileged (user) mode are vulnerable to this issue. PV guests are not.

Alerts:
Gentoo 201309-24 xen 2013-09-27
openSUSE openSUSE-SU-2012:1172-1 Xen 2012-09-14
openSUSE openSUSE-SU-2012:1174-1 Xen 2012-09-14
SUSE SUSE-SU-2012:1044-1 Xen 2012-08-27
SUSE SUSE-SU-2012:1043-1 Xen and libvirt 2012-08-27
Fedora FEDORA-2012-11190 xen 2012-08-05
Debian DSA-2531-1 xen 2012-08-18
Fedora FEDORA-2012-11182 xen 2012-08-05

Comments (none posted)

Page editor: Jake Edge


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds