News – Tor
On Friday, Facebook announced that it would begin offering a hidden service to Tor users, at facebookcorewwwi.onion. The company intends to use SSL along with Tor, so users can still verify that the website is legitimate. Alec Muffett, a software engineer with Facebook’s security infrastructure group, stated that “Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud.” Using Facebook through Tor has long been problematic, with exit nodes often getting blocked because of malicious activity. This was generally a result of Facebook’s automatic abuse detection systems. While some activity may be considered suspicious when displayed by the average user, the same behavior might be normal for Tor users. Facebook admitted that their security policies have not always reflected the need for differentiation.
Tor 0.2.6.1-alpha has been released. Several bugs have been fixed, including better handling of out-of-memory conditions and improved proxy support by pluggable transports. This version of Tor does not support systems without CPU threading support. The developers noted that any systems Tor can successfully run on have threading support.
Tor Browser 4.0.1 has been released, with a few updates for embedded software, including Tor and NoScript. The update does not contain specific security updates, although a crash bug affecting many Windows users has been fixed.
News – Privacy and Security
An official post on the Android blog has revealed numerous security features planned for Android 5.0, the next version of the Android operating system. One of the most notable updates is the default use of device encryption. From the first boot of a device, data will be encrypted using a key stored locally. There are also expanded options for screen locking, including NFC verification or Bluetooth pairing. The third enhancement is increased enforcement of SELinux, or Security Enhanced Linux. SELinux Enforcing mode will now be required for all applications running on Android 5.0.
CurrentC, a major competitor to Apple Pay and Google Wallet, has experienced a security breach involving user e-mail addresses. Although the official CurrentC payment system is set to deploy in 2015, an app for consumers is already available. MCX, or Merchant Customer Exchange, made recent news after CVS and Rite-Aid both announced that they were going to pair with the company. Many criticized the company for the breach, saying that the incident highlighted the potential for security problems with the CurrentC application.
The security team for Drupal has released a security notice after independent penetration testers identified a SQL injection vulnerability. Soon after the vulnerability was announced, widespread attacks were launched against sites running the Drupal content management system. The announcement stated that if websites had not been updated within 7 hours of the initial announcement, administrators should consider their site compromised. It is recommended that affected websites update their software to the latest version, but there are patches available as a temporary fix.