Inside Tor’s Perverted Underworld

Apart from legitimate underground communities, the Tor network’s hidden services play host to a large number of illicit child sex abuse sites

The Tor network boasts an excess of 170, 000 active addresses, some of which have been identified as criminal hotbeds where child sex abuse masterminds thrive.

Law enforcement agents note that the main reason why Tor has become very popular is due to its support of the hidden services. Hidden services, also referred to as onion services, ensure that users and websites achieve anonymity by Tor.

Essentially, the IP addresses belonging to hidden services found on the Tor network are effectively concealed – all sets of information about the host, location and content of hidden websites are not identifiable.

Point to note, Tor itself is not a hidden service, but the online platforms hosted on the Tor network constitute the hidden services. Cybersecurity experts acknowledge the legitimate uses of the Tor network, but have also lifted the lid on rampant cases of illicit activities being supported by hidden services.

What’s the Evidence?

According to the 2019 Global Threat Assessment Report by the WeProtect Alliance (a global movement that combats online-facilitated child sex abuse), more than 2.88 million users are found across multiple child sex abuse forums hosted by Tor’s onion services.

Another empirical study on the Tor hidden services made shocking revelations about a thriving child sex abuse environment on the world’s most popular anonymity network. From a single data capture, the researchers reported that about 80 percent of traffic to Tor’s hidden services was headed to platforms supporting child sex abuse material and other forms of illicit porn.

The study also expressed how easy it was to identify the child sex abuse sites from the metadata, which points to the fact that the criminals behind these platforms have solid confidence in the anonymity promised by Tor.

http://tape6m4x7swc7lwx2n2wtyccu4lt2qyahgwinx563gqfzeedn5nb4gid.onion/inside-tors-perverted-underworld-429

#tor #hiddenservices #cp #child #sex #abuse
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Darknet Diaries - EP 101: Lotería

In 2014 the Puerto Rico Lottery was mysteriously losing money. Listen to this never before told story about what happened and who did it.

https://darknetdiaries.com/episode/101/

#truecrime #darknetdiaries #podcast
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv

Facebook seems to be struggling with major technical issues at the moment

https://facebook.com/

#DeleteFacebook #facebook #issues
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Over 120GB of Twitch website data has been leaked online (source code, encrypted passwords, streamer payouts, etc.)

CHANGE YOUR PASSWORDS AND ENABLE 2FA !!

A few hours ago, a 120GB data leak of Twitch was released online. This leak includes data such as "source code with comments for the website and various console/phone versions, references to an unreleased steam competitor, streamer payouts, encrypted passwords, etc."

https://www.reddit.com/r/Twitch/comments/q2gcq2/over_120gb_of_twitch_website_data_has_been_leaked/

https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked/

#twitch #leak
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

From Surveillance Capitalism to “Influence Government”: Using Microtargeted Ads to “Nudge” People’s Everyday Behavior

Privacy News Online has written a number of times about “surveillance capitalism“, and its use of micro-targeted advertising to influence people’s buying decisions. But the worrying power of such highly-targeted advertising is not restricted to the world of commerce. As the Cambridge Analytica saga shows, it is also deployed in the world of politics, to encourage people to vote for candidates and to support particular policies.

Some fascinating work from the Scottish Centre for Crime and Justice Research (SCCJR), looks at how the UK government has drawn on micro-targeted advertising in order to modify the everyday behavior of certain groups of people – what the researchers call “influence government“:

https://www.privateinternetaccess.com/blog/from-surveillance-capitalism-to-influence-government-using-microtargeted-ads-to-nudge-peoples-everyday-behavior/

#surveillance #capitalism #influence #government #microtargeting #ads
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

VPN Service ‘Agrees’ to Block BitTorrent and Keep Logs to Settle Piracy Lawsuit (Updated)

VPN.ht has settled a copyright infringement lawsuit filed by a group of independent movie companies earlier this year. As part of the deal, the VPN agreed to block all BitTorrent traffic and log IP-address information on its US servers. While this a controversial order, VPN.ht says that users are still protected as the company will stop using US servers.

https://torrentfreak.com/vpn-service-will-block-bittorrent-and-keep-logs-to-settle-piracy-lawsuit-211011/

#piracy #vpn #bittorrent #lawsuit
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

IoT Hacking and Rickrolling My High School District

On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It's the second-largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students.

This story isn't one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast "Never Gonna Give You Up" in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!

In this post, I'll be explaining how I did it and how I evaded detection, as well as the aftermath when I revealed myself and didn't get into trouble.

https://whitehoodhacker.net/posts/2021-10-04-the-big-rick

⚠️ Always remember to use these techniques, instructions, or hardware only on devices whose owners or users have allowed it. Unauthorized access to other people's infrastructure is punishable by law.

#educational #iot #hacking
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Howto: Anonymous Internet Using Tor (+ Proxychains)

What proxies are and how to use them to make internet connections more anonymous/private: using Proxychains and Tor.

Proxychains allows you to string together as many proxies together as you like using a simple configuration file format.

We go into Tor Browser Preferences to help Windows users learn to configure a proxy without access to proxychains. This configuration applies to other browsers as well.

https://devtube.dev-wiki.de/videos/watch/991657ca-0f61-401d-bee0-19969271d442

#howto #guide #tor #proxys #privacy #internet #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets

Study reveals scale of data-sharing from Android mobile phones

An in-depth analysis of a range of popular Android mobile phones has revealed significant data collection and sharing, including with third parties, with no opt-out available to users.

Prof. Doug Leith at Trinity College Dublin along with Dr Paul Patras and Haoyu Liu at the University of Edinburgh examined the data sent by six variants of the Android OS developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS.

https://www.tcd.ie/news_events/articles/study-reveals-scale-of-data-sharing-from-android-mobile-phones/

👉🏽 PDF: https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf

#android #privacy #snooping #samsung #huawai #xiaomi #realme #lineage #eOS #study #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

[Reported] - Breach Exposed records from Brazil E-commerce platforms including MercadoLivre, amazonBR and many other.

https://canaltech.com.br/seguranca/brecha-expoe-17-bilhao-de-registros-de-plataforma-brasileira-de-e-commerce-198373/

https://nitter.pussthecat.org/hak1mlukha/status/1447889984615223297

via Twitter

#brazil #breach #MercadoLivre #amazonBR
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Adobe Uses DMCA to Nuke Project That Keeps Flash Alive, Secure & Adware Free

In January 2021, development and support for Adobe Flash was discontinued. That marked the end of an era but in reality, Flash wasn't quite dead. Flash Player is still available in China, something that was exploited by the Clean Flash project to continue making the software more widely and safely available. Adobe has now used the DMCA to shut the project down.

As far back as 2012, Adobe was planning for the eventual demise of its iconic Flash Player. Gradually superceded by new technologies, the importance Flash diminished over time and as dawn broke on 2021, Adobe ceased to develop and support it. Well, sort of.

While Adobe has indeed stopped shipping new global versions of Flash, the technology is still supported in two markets – Enterprise and China via Flash.cn – a site managed by Zhong Cheng Network, the only authorized distributor of Flash in China.

This was a significant move for local companies that still rely on Flash Player but also provided a limited opportunity to keep Flash alive, something of importance to those who don’t want historic Flash content to be rendered useless.

https://torrentfreak.com/adobe-uses-dmca-to-nuke-project-that-keeps-flash-alive-secure-adware-free-211012/

#adobe #flash #dmca
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Hacking the Furbo Dog Camera: Part I

The Furbo is a treat-tossing dog camera that originally started gaining traction on Indegogo in 2016. Its rapid success on the crowdfunding platform led to a public release later that year. Now the Furbo is widely available at Chewy and Amazon, where it has been a #1 best seller. The Furbo offers 24/7 camera access via its mobile application, streaming video and two-way audio. Other remote features include night vision, dog behavior monitoring, emergency detection, real-time notifications, and the ability to toss a treat to your dog. Given the device's vast feature set and popularity, Somerset Recon purchased several Furbos to research their security. This blog post documents a vulnerability discovered in the RTSP server running on the device. The research presented here pertains to the Furbo model: Furbo 2.

Once we got our hands on a couple of Furbos we began taking a look at the attack surface. Initially, the Furbo pairs with a mobile application on your phone via Bluetooth Low Energy (BLE), which allows the device to connect to your local WiFi network. With the Furbo on the network a port scan revealed that ports 554 and 19531 were listening. Port 554 is used for RTSP which is a network protocol commonly used for streaming video and audio. Initially the RTSP service on the Furbo required no authentication and we could remotely view the camera feed over RTSP using the VLC media player client. However, after an update and a reset the camera required authentication to access the RTSP streams.

https://www.somersetrecon.com/blog/2021/hacking-the-furbo-part-1

#hacking #furbo #camera
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Facebook Dangerous Individuals and Organizations List

https://theintercept.com/document/2021/10/12/facebook-dangerous-individuals-and-organizations-list-reproduced-snapshot/

#facebook #DeleteFacebook #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Influence government: exploring practices, ethics, and power in the use of targeted advertising by the UK state.

PDF: https://www.sccjr.ac.uk/wp-content/uploads/2021/09/SCCJR-Briefing-Paper_Influence-Government.pdf

💡 Read as well:
From Surveillance Capitalism to “Influence Government”: Using Microtargeted Ads to “Nudge” People’s Everyday Behavior
https://t.me/BlackBox_Archiv/2562

#surveillance #capitalism #influence #uk #government #microtargeting #ads #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Kim Dotcom: The Most Wanted Man Online (Cyber Crime Documentary)

A true-crime documentary, but with a cyber twist!

Tech entrepreneur and owner of the popular file-sharing site, MegaUpload, Kim Dotcom arrived in New Zealand with his family in late 2010. Seeking peace and quiet, Dotcom rented the largest mansion in the land and settled down into an extravagant, luxurious life with his family.

In January 2012, it all came crashing down. At the FBI's behest, 70 heavily armed officers stormed the mansion, arresting Dotcom and his coders on a range of charges relating to alleged copyright infringement by MegaUpload.

https://devtube.dev-wiki.de/videos/watch/7548c758-a752-4e80-9c72-6d90e82353a6

#truecrime #cybercrime #dotcom #MegaUpload #docu #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Customers On Alert as E-Commerce Player Leaks 1.7+ Billion Records

A Brazilian e-commerce firm has unwittingly exposed close to 1.8 billion records, including customers’ and sellers’ personal information, after misconfiguring an Elasticsearch server, according to researchers.

A team at SafetyDetectives led by Anurag Sen made the discovery in June and quickly traced the leak back to Hariexpress — a firm that allows vendors to manage and automate their activity across multiple marketplaces, including Facebook and Amazon.

Although the firm replied to the researchers just four days after they alerted it to the leak in early July, it was subsequently uncontactable. Infosecurity is currently trying to confirm if the issue has been fixed or not.

The server was left unencrypted with no password protection in place. It contained 610GB of data, including customers’ full names, home and delivery addresses, phone numbers and billing details. Also exposed were sellers’ full names, email and business/home addresses, phone numbers and business/tax IDs (CNPJ/CPF).

SafetyDetectives could not confirm the total number of those affected due to the size of the trove and the potential for duplicate email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” it claimed.

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach.”

These include phishing and social engineering attempts built around legitimate user and business details, tax rebate and returns scams using CPF information, and even theft of items from the homes of customers who ordered high-value goods.

https://www.infosecurity-magazine.com/news/ecommerce-player-leaks-billion/

💡 Read as well:
[Reported] - Breach Exposed records from Brazil E-commerce platforms including MercadoLivre, amazonBR and many other.
https://t.me/BlackBox_Archiv/2567

#brazil #breach #MercadoLivre #amazonBR #hariexpress
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

redact: tool for building decentralized, end-to-end encrypted websites

Hello Rust community! I'm very excited to show off for the first time a passion project a friend and I have been working on for about 4 months now, called Redact.

Redact is a tool for building end-to-end encrypted, zero-trust websites. By end-to-end encrypted we mean that not only is your connection to the website server protected by TLS, but each individual input field, and any user-submitted data displayed on the page, is a black-box inaccessible by either the host's server or the host's client-side Javascript. Websites that use Redact will store references to data in their databases, place those references in their HTML, and the user's device fills in the blank in an opaque way when the page loads. We do this with no Javascript and no in-browser encryption. We're like Signal/Telegram but for entire websites instead of just messaging. This is paired with a CRUD-only, encrypted storage provider that can be either third-party owned, or for the technically savvy, run solely by the user.

This project was initially motivated as a response to the large number of data breaches and data privacy concerns that have arisen in the last few years. The fundamental question we wanted to answer was: how can we keep the utility and rich content experience of a website in a modern browser, while at the same time assuring that a user's data cannot be stolen or unethically used? Our proposed solution is Redact.

We believe this project fits squarely within the "web3" space. Although we don't use blockchains, our project assumes zero-trust, decentralizes the storage of user data, and allows users to be self-sovereign by giving them ownership and control of their data

What we're looking for now is to see if anyone else sees this as a valuable idea, get feedback as to our architecture, and hear out any criticisms (some of which we already anticipate).

💡 You can find more information about how it works here: https://redact.ws/how-it-works

And if you're feeling brave, you can try connecting to the first ever "redacted" website by following our getting started docs here: https://docs.redact.ws/en/latest/getting-started.html

💡 Codebases:

— Local client: https://github.com/pauwels-labs/redact-client.git

— Storage server: https://github.com/pauwels-labs/redact-store.git

— Library that allows us to fluidly serialize, deserialize, and CRUD encrypted data: https://github.com/pauwels-labs/redact-crypto.git

https://old.reddit.com/r/rust/comments/q79grm/redact_tool_for_building_decentralized_endtoend/

#redact #encryption #websites
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Darknet Diaries - EP 102: Money Maker

Frank Bourassa had an idea. He was going to make money. Literally. Listen to the story of a master counterfeiter.

https://darknetdiaries.com/episode/102/

💡 Read as well:
On Master Counterfeiter Frank Bourassa
https://www.loyalnana.com/stories-1/2019/2/25/on-master-counterfeiter-frank-bourassa

#truecrime #darknetdiaries #podcast
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv

Restor is a science-based open data platform to support and connect the global restoration movement

Restor is accelerating the global restoration movement by connecting everyone, everywhere to local restoration. Restor connects people to scientific data, supply chains, funding, and each other to increase the impact, scale, and sustainability of restoration efforts. We believe that anyone can be a restoration champion, including you.

https://www.restor.eco/

#restor #nature #restoration #movement #video
🎥@cRyPtHoN_INFOSEC_FR
🎥@cRyPtHoN_INFOSEC_EN
🎥@cRyPtHoN_INFOSEC_DE
🎥@BlackBox_Archiv

Unique on Facebook: Formulation and Evidence of (Nano)targeting Individual Users with non-PII Data

The privacy of an individual is bounded by the ability of a third party to reveal their identity. Certain data items such as a passport ID or a mobile phone number may be used to uniquely identify a person. These are referred to as Personal Identifiable Information (PII) items.

Previous literature has also reported that, in datasets including millions of users, a combination of several non-PII items (which alone are not enough to identify an individual) can uniquely identify an individual within the dataset. In this paper, we define a data-driven model to quantify the number of interests from a user that make them unique on Facebook.

https://arxiv.org/abs/2110.06636

#facebook #DeleteFacebook #nanotargeting #targeting #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

If you need another reason to switch to Tor Browser, check out @arthuredelstein's http://privacytests.org, an open-source tool using rigorous automated privacy tests to find out what kind of data different browsers leak.

https://nitter.pussthecat.org/torproject/status/1448411718749593604

via Twitter

https://privacytests.org/

#browser #privacy #tor
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv