Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

Uncloaking Tor Browser Users on Windows With DRM-Protected Files

posted by cmn32480 on Sunday February 05 2017, @01:32PM   Printer-friendly
from the just-leave-us-alone dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Digital Rights Management (DRM)-protected media files can be used to reveal Tor Browser users' actual IP address and therefore possibly reveal their identity, HackerHouse researchers have demonstrated.

[...] Attackers who want to uncloak Windows users can encode a file and make it so that the authorization URL points to a page controlled by the attackers.

But, if they want the downloading and opening of the file to be performed without a security alert and the target having to approve the action, they must make sure that the DRM license has been signed correctly, and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile.

"The objects are used with a Microsoft license server, configured via a DRM profile, when encoding objects using an SDK," the researchers explained.

[...] The researchers made sure to point out that this attack is limited to Windows users who run Tor Browser, and that it does not take advantage of a vulnerability in the actual browser. "TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in Tails," they noted.

Source: https://www.helpnetsecurity.com/2017/02/03/uncloaking-tor-browser-users-drm-protected-files/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Uncloaking Tor Browser Users on Windows With DRM-Protected Files | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Sunday February 05 2017, @01:55PM

    by Anonymous Coward on Sunday February 05 2017, @01:55PM (#463109)

    Back when stuff like Kazaa was still big people uploaded videos with the very same trick that would open a drive-by malware installing page when people opened the video in WMP. How is this new?

    • (Score: 0) by Anonymous Coward on Sunday February 05 2017, @04:43PM

      by Anonymous Coward on Sunday February 05 2017, @04:43PM (#463133)

      Windoze still sucks. How is this new?

    • (Score: 3, Informative) by Bot on Sunday February 05 2017, @07:03PM

      by Bot (3902) on Sunday February 05 2017, @07:03PM (#463155) Journal

      That DRM protection is a potential attack vector is not new at all but it is worth reminding.

      Stallman was right again, news at 11.

      --
      Account abandoned.

  • (Score: 0) by Anonymous Coward on Sunday February 05 2017, @03:36PM

    by Anonymous Coward on Sunday February 05 2017, @03:36PM (#463126)

    login to "http://facebookcorewwwi.onion/" uncloaks identity of TOR-browser user (even when using linux).

  • (Score: 5, Insightful) by Anonymous Coward on Sunday February 05 2017, @04:57PM

    by Anonymous Coward on Sunday February 05 2017, @04:57PM (#463136)

    You should be glad for every bit of news that helps inform people of windows problems and how proprietary software can so easily be malicious. If all you've got to say is "how is this news" then you're becoming a jaded bastard who's forgotten that new humans are born all the time without magical sysadmin knowledge.

    • (Score: 0) by Anonymous Coward on Sunday February 05 2017, @06:07PM

      by Anonymous Coward on Sunday February 05 2017, @06:07PM (#463148)

      Being glad and pointing out that this is well known and has been used by malware peddlers for decades now is two different things. I'd be glad for *new information*. But security "researchers" have to continuously dig up old things and act like they made some new huge discovery nobody has ever known about.

      • (Score: 0) by Anonymous Coward on Monday February 06 2017, @06:38AM

        by Anonymous Coward on Monday February 06 2017, @06:38AM (#463339)

        Linux is just as bad.

        http://www.securityweek.com/0-day-exploits-could-wreak-havoc-linux-desktops [securityweek.com]
        That has been laying around since the mid 2000s.

        Do not mistake lack of market share with being rock solid. But in many cases it is built upon a jigsaw puzzle of libraries that have not seen updates in 10+ years. It is starting to become a more high profile target as linux is built into millions of IoT devices. Devices that will never see an update ever.

        Linux is amazing. Do not get me wrong about my above statements. But lets not delude ourselves into thinking it is superior. It works and it works well. But there are thousands of little timebombs like the SNES emu laying around in our systems. Heck in the past 4 months there have been no less than 2 different rootable exploits out there from the way the page management system works. ZLIB went for nearly 3+ years with 0 updates and now someone is actually going through and fixing things again.

        This unfortunately is more of a case of 'we did not even know'. Well guess what? The bad guys do. Sometimes they like to cross the lines and look like good guys and share. But part of that market is 'street cred'.

  • (Score: 2, Interesting) by Burz on Sunday February 05 2017, @10:07PM

    by Burz (6156) on Sunday February 05 2017, @10:07PM (#463199)

    The basic issue is that no media-handling software is going to be solid enough to avoid exploits, so on operating systems like Qubes these complex 'client' programs are run in their own separate VMs. The uplink is controlled so the only way out is through another VM that runs Tor itself.