Tor Accuses CloudFlare Of Blocking Its Network

Content provider CloudFlare is no stranger to the spotlight, with being accused of protecting pro-ISIS by Anonymous causing it some issues. Now it would seem that they are instead on the throwing end of a claim, saying that requests they get from the Tor network (a network designed around allowing anonymous browsing on the web) are malicious 94 percent of the time. Tor accuses CloudFlare of mischaracterizing their users and blocking its network, with it going so far as to impact normal traffic.

Tor claims that its users are often getting stuck in CAPTCHA loops or outright failures, stopping them from accessing content in even the simplest of ways. In external research, Tor states that CloudFlare was found to block at least 80 percent of IP addresses from its service, with the number increasing over time. The CAPTCHA loop is caused by a measure CloudFlare has introduced that requires users of the Tor network to fill out CAPTCHA’s, but only users of the Tor network will see these.

Tor isn’t happy about this accusation and wants to see evidence regarding their 94 percent figure. Many are wondering how they reached this figure, or even how they deem if a connection is trustworthy. With so many people now using networks and systems like Tor, blocking or making the experience worse for users can’t be seen as a positive step when it comes to providing content.

TMZ Falls Victim to Malvertising Campaign

Malicious online activity in the form of hacks, malware and viruses have seen an exponential increase over the past 5 years, the rise in the number of consumers online coupled with a lax understanding concerning the dangers of the many cyber threats has led to more and more victims. Malvertising is one such example of how online advertisements could be hijacked and used to spread Malware through Malicious ads.

This technique has now found a new victim after online gossip site TMZ was found to be harbouring malicious online advertisements. For those who are unfamiliar with the site, TMZ is a hugely popular website that features expose, gossip and general breaking news concerning the world of celeb, the site pulls in over 30 million visitors a month and is a major attraction for online revenue, below is a summary of the attack.

It has been observed that the attack has the same ad chain pattern; this is from “ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers”. The latter is leveraging CloudFlare’s infrastructure with the aim of hiding the servers location as well as encrypting the advertisement delivery to consumers via the website.



The malicious ad is pretty cheap to deliver when you consider it costs “$0.19 (£0.12) for one thousand user impressions (CPM)” 

These attacks are designed to be as cheap as possible with the aim of targeting high impact traffic targets, on a side note, many websites try to discourage users from using popular ad blockers when accessing their sites, perhaps malicious advertisements leading to exploit kits is not the best deterrent.

Images courtesy of malwarebytes and nickcannon

SHA1 Ending Could Block People From Secure Websites

When you connect to websites you sometimes find yourselves on a secure site, this means that the communications between your computer and the website are encrypted. One of those encryption technologies used is called SHA1.

SHA1 is a hashing function that is designed to hide what you send online, due to its vulnerabilities though its soon to be retired. While stopping the use of old and insecure technologies is a great step, Facebook and Web security firm CloudFlare have warned that when SHA1 stops being supported around 7% of the world’s browsers can’t support the new standard being put in place, SHA256.

Both Facebook and Cloudflare have announced a new mechanism that will allow websites to connect using SHA256, but if you can’t use it their new technology will allow you to continue using SHA1.

While Facebook is rolling the new mechanism across their websites and Cloudflare to websites they host. For other companies who want to adopt the new mechanism, it will be made open source, granting the entire world access to the technology, in the hopes that the tens of millions of people who would be affected can still connect and use the internet without disruption.

While new technologies fixing the problems of the last generation is always a good thing, is the impact of cutting millions of users off from their sites worth it?

Anonymous Claims CloudFlare Protects Pro-ISIS Sites

Anonymous started a new offensive against ISIS following the terrible attacks on Paris and while we all like that part, it’s hard for me to take them serious in any way. They surely have a few talented people with skills and connections in their group, but for the most part, their skills go as far as pressing a button in a pre-built application in order to launch DDoS attacks on a specific target.

We’ve recently learned that their offensive isn’t going all that good and now they’ve come out and accused CloudFlare of protecting pro-ISIS websites. CloudFlare makes software which prevents denial of service attacks which is the preferred method of attack from the Anonymous group, so this doesn’t come as a big surprise. Terrorists might live with a stone-age mentality, but they do know how to use modern technology. CloudFlare faced similar accusation from the group back in 2013 when they launched an offensive against Al-Qaeda websites.

CloudFlare naturally defends itself against the accusation and as they say, it wouldn’t be a good business model for them. Groups like that will most likely pay with stolen credit card credentials and that is not good for a business. The company also stated that they would cooperate with any law enforcement agency when presented with a legal warrant or court order regarding any of their customers. So maybe Anonymous should forward their evidence to those instances instead of whining on social media about a normal service used by thousands of websites and that works as intended.

Chinese Devices Mount Massive DDoS Web Attack

Cyber attacks are an increasing and dangerous threat which is perpetrated by groups and countries alike, these attacks are a substantial threat to free speech, livelihoods of website operators and also the whole infrastructure of the Internet. It’s no surprise to learn that a huge DDoS attack against a target website resulted in 650,000 devices being unwittingly enrolled into a giant cyber attack which overwhelmed its target.

And where did this attack originate from? That’s right, our friends over at the democracy-suppressing Truman Show style country that is China. The attack transmitted a staggering 4.5 billion separate requests for data in one day to the target destination. Below is an image which analyses the log timeframe of HTTP requests per hour, as you can see, requests for data ramped up dramatically within only a relatively small period of time before dissipating.

Since the attack had been levelled at a client of US Company CloudFlare, they were able to “write a dedicated script and were able to further analyze 17M log lines, about 0.4% of the total requests” They found that 99.8% of the flood was originating from China while 0.2% was labelled as “Other” They were also able to determine that 80% of the requests came from mobile devices .

So, how is it possible to booby trap an amazingly high number of devices? CloudFlare security analyst Marek Majkowski speculated that an ad network might have been the root cause which was compromised and used as a distribution vector for the attack. “It seems probable that users were served advertisements containing malicious JavaScript. These ads were likely shown in iframes within mobile apps, or mobile browsers to people while they were casually browsing the internet”

Think of this speculated but plausible scenario like this, while a user was browsing the Internet or through an app, he or she was served an iframe which contained an advertisement. This ad had been requested from an ad network who then forwarded the request to a third-party that won the ad auction. This meant that either the third-party was the “attack page” or it forwarded the user to an attack page, by doing this the user was served a page containing malicious Java Script which then launched a flood of XHR requests against CloudFlare servers.

CloudFlare have declined to name the company which had their server attacked but are warning against future cyber attacks with the same level of intensity. It’s a worrying trend which has many outlets including the Darth Vader weapon of choice “The Great Cannon.” This is also not serving the long-established technique of serving ads to consumers via the Internet, if advertisements are increasingly being injected with malicious code, consumers are going to use extensions to block them.

The Internet connects the world and is seen as a necessity and therefore a human right by powerful individuals, what countries want you to see on the net, well, that’s a whole different ball game.

Thank you blog.cloudflare for providing us with this information.

Image courtesy of cloudpro

Popcorn Time Vulnerability Leaves Users Open to Attack

A security engineer has found a vulnerability in popular pirate movie application Popcorn Time that could leave users’ devices open to being hacked by a “man-in-the-middle” attacker. Antonios Chariton (aka ‘DaKnOb’), a Security Engineer & Researcher living in Greece, found the vulnerability in at least one fork of Popcorn Time’s code, and warn users that using the software in its present form could be a risky proposition.

“There are two reasons that made me look into Popcorn Time,” Charlton said. “First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.”

Popcorn Time uses Cloudflare to bypass ISP-level blocking in the UK – “a really smart” technique, according to Charlton – but the lack of layered security on top of that system is what leaves Popcorn Time open to attack.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explained. “The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

Charlton exploited this vulnerability as a proof-of-concept, performing a “content spoofing” attack which changed the name of movie Hot Pursuit to Hello World:

Using the same technique, Charlton could change any other information in Popcorn Time, but chose a method by which he could demonstrate the trick easily.

Next, he launched an XSS attack:

“We have injected malicious JavaScript and the client application executed the code. Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” Chariton said. “This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

So, what can be done to protect users? Nothing on the user-end, sadly, but Charlton has some advice for Popcorn Time’s developers. “HTTP is insecure,” he warned. “There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response.”

“Last but not least, just because something is Open Source doesn’t mean it’s audited and secure. Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do,” Charton adds.

Popcorn Time has responded to the threat, saying:

“This attack requires that the attacker is either inside the local network, inside the host machine, or has poisoned the DNS servers.

In any case, there are far more valuable attacks than simply hitting Popcorn Time. Especially because it does not run with elevated privileges and won’t let the attacker install new programs for example.”

Popcorn Time’s full statement can be found here.

Thank you TorrentFreak for providing us with this information.

Image courtesy of GeekZine.

Nintendo Takes Down Super Mario 64 Unity Remake

In a move that will shock no one, Nintendo has issued a copyright infringement notice against the remake of Super Mario 64 built by a fan using the Unity game engine. The remake, which was playable within an internet browser, was only one level and available for free, but Nintendo obviously don’t like being shown up.

Nintendo’s lawyers send the copyright notice to Cloudflare, which had been hosting the game. The notice reads:

“The copyrighted work at issue is Nintendo’s Super Mario 64 video game (U.S. Copyright Reg. No. PA0000788138), including but not limited to the audiovisual work, computer program, music, and fictional character depictions. The web site at displays, and allows users to play, an electronic game that makes unauthorized use of copyright-protected features of Nintendo’s Super Mario 64 video game. Nintendo requests that CloudFlare, Inc. immediately disable public access to”

Though Cloudflare has pulled the game, it seems that, with a bit of searching, it can still be found for download from “other providers”, as is the enhanced version we reported on a few days ago.

Source: The Next Web

Hong Kong Media Sites Hit by Largest DDoS Attack Ever

Trouble on the streets has become trouble online: following the Occupy Central protest rallies in Hong Kong, the largest cyber attack in history has been launched against Hong Kong’s independent media sites, according to content delivery network Cloudflare.

Distributed Denial of Service (DDoS) attacks have hit news site Apple Daily and voting protest group PopVote, who organised an unofficial election for Hong Kong Chief Executive; the Occupy Central protesters are lobbying for the right to hold an open election for the country’s Chief Executive.

The DDoS attacks hit the sites with 500gbps of traffic, causing them to crash. Previously, the highest recorded cyber-attack directed 400gbps at an unknown website in Europe, back in February. Before that, the Spamhaus attack hit multiple targets with 300gbps.

CloudFlare’s CEO, Matthew Prince, called the cyber strike “larger than any attack we’ve ever seen, and we’ve seen some of the biggest attacks the Internet has seen.”

Source: Forbes

Reddit Launches Full-Site HTTPS Support

Reddit now offers its users full HTTPS support via CloudFlare, a popular CDN and DNS provider. However, there are a couple of catches to obtain this extra security feature; you must be signed into the site to use HTTPS and you need to opt-in as the option is off by default.

The extra security will no doubt be a welcome addition to the site for many of the readers, especially in light of modern hacking and privacy concerns. Reddit have integrated a new security tab to make sure you’re up to speed with the feature and to guide people through the simple process of enabling HTTPS features.

  • It ensures your browser communicates with Reddit over a secure channel when logged in.
  • It disables the “display links with a reddit toolbar” preference.
  • Some third-party apps may not support it.
  • Changing it will log you out of reddit on other devices, and will invalidate your old private RSS feeds.

If it proves successful and Reddit can work out issues with points two and three, they may even roll out the HTTPS by default for everyone.

Thank you TheNextWeb for providing us with information.

WordPress Powered Websites Under By Brute-Force By Bot-Nets

It has been reporting by hosting companies like HostGator and even CDN service ‘CloudFlare’ that there are unknown people behind highly distributed global attacks via brute force attempts using more than 90,000 IP addressing trying to crack in websites using content management software WordPress’s default or commonly used administrative credentials.

One of the hosting companies that have put up a warning about such attacks have warned that attackers are planning to build botnets using infected computers, even said that it will be stronger and more destructive than the attacks been done till now.

Matthew Prince, CEO of CloudFlare said in the company’s blog,”These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

CloudFlare even added that the brute force botnet forces itself through the administrative login port of the WordPress powered website using names such as ‘admin’ and commonly used passwords. Attacks originate from thousands of IP addresses. Hostgator till now found more than 900,000 IP addresses being used to such a high scale brute force attack.

As of now, WordPress has made series of advice for having a strong enough password, but companies like Hostgator suggest a better way for securing WordPress powered websites.

Even during October last year, six of the largest U.S. banks had their web servers compromised as they’ve been attacked by having their sites flooded with above average web traffic hits. It was then identified that the botnet ‘itsoknoproblembro’ and ‘Brobot’ have been using.

Source: Ars Technica