How to easily launch your startup in dark web in 3 minutes
Information Security Newspaper, Sun, 20 Oct 2019 16:38:47 +0000
https://www.securitynewspaper.com/2019/10/20/how-to-easily-launch-your-startup-in-dark-web-in-3-minutes/

When you want to launch your business on the deep web, there are a lot of things to worry about, like hosting, privacy, anonymity and getting an .onion URL. The first step to launching a startup is creating a website, so in this article we teach you how to easily achieve that first step in 3 minutes.

https://youtu.be/-CIfUohEvL8

OnionShare is a tool that emerged in 2014 and, according to experts in ethical hacking, initially served only to send files anonymously and securely. The tool compresses the files, starts a local server on the user’s machine that includes a link to the compressed file, converts the website into a Tor onion service, and displays the web server URL. The user sends this .onion URL to the recipient, who loads it into the Tor browser to download the compressed file. When the file is downloaded, OnionShare closes this service.

Since its launch, OnionShare has grown and evolved. It can now do more than share files privately, but it always works the same way: by hosting an anonymous website locally. Recently, a team of experts has tried to host real websites using OnionShare, making some interesting findings.

According to ethical hacking experts, OnionShare has implemented the new “Publish Website” feature. Simply put, OnionShare will launch a server to host a static website and provide an .onion URL. The site created in this way will only be accessible through the Tor network; in addition, visitors will not have access to data such as location, identity or IP address, so the website will not be subject to censorship.

When you share something that is not public, OnionShare uses basic HTTP authentication, so the shared URLs appear in a format similar to: http://onionshare:[password]@[address].onion. When the URL is loaded in the Tor browser, the user will be asked if they want to sign in first.

When you click OK, the URL in the address bar no longer contains the onionshare:[password] part, which makes it look like a conventional website.

In addition, in the website settings menu, it is possible to enable “Public Mode” so that any user has access to the website without the URL displaying the username and password.

On the other hand, if the user wants to use OnionShare to publish a website that will remain online for a long time, they should remember that the computer is acting as the web server, so if the computer is turned off or goes inactive, the website will go offline, the specialists in ethical hacking note.

To prevent this from happening, it is preferable to use a computer dedicated specifically to this work. Another way to keep this service active is to go to the OnionShare settings and choose the “Use Persistent Address” option. In case the computer shuts down or suspends, the next time you use the service the URL will remain the same. Otherwise, each URL generated by OnionShare will be temporary and non-reusable.

One of the new features of OnionShare is the ability to collect all requests that visitors make on one of these websites. For example, below is a website hosted on OnionShare scanned with the Nikto web vulnerability analysis tool.

Finally, the International Institute of Cyber Security (IICS) ethical hacking specialists mentioned that you can browse through the lists of folders shared by OnionShare so that anyone can see exactly what files will be downloaded before the process begins.

In addition, by visiting the OnionShare settings and disabling the “Stop Sharing after File Send” feature, people will also be able to download shared files individually instead of downloading them all at once.

Startup That Sells Zero-Days to Governments Is Offering $1 Million For Tor Hacks
Information Security Newspaper, Wed, 13 Sep 2017 16:24:16 +0000
https://www.securitynewspaper.com/2017/09/13/startup-sells-zero-days-governments-offering-1-million-tor-hacks/

A startup that sells exploits to governments says it wants hacks for the browser used by activists, protesters, journalists, and criminals.

A notorious startup is offering up to $1 million in rewards to security researchers who can find bugs and develop techniques to exploit the anonymous web surfing tool the Tor Browser.

On Wednesday, Zerodium, a US-based company that buys exploits from researchers and sells them exclusively to government customers, announced the new bounty. The highest bounty is $250,000 for an exploit that allows the attacker to hack a target who’s using the Tor Browser with high security settings on Linux Tails and Windows, giving the attacker the highest kind of privileges on the target’s computer. Other bounties range between $75,000 (for exploits that only work for either Windows or Tails, and work only with Javascript allowed, for example, making them easier to develop) and $200,000.

“We need many exploits as we have many customers with many ongoing operations against illegal activities undertaken on Tor,” Chaouki Bekrar, the CEO and founder of Zerodium, told Motherboard in an online chat. “We have a higher demand for Tor exploits from our government customers as they are facing higher illegal activities on Tor and they must take action.”

A table showing the different Tor Browser bounties. Image: Zerodium

In the announcement, Zerodium specifically pointed to “drug trafficking or child abuse” as examples of how “ugly people” use Tor. The bounty is open until November 30 unless payouts reach $1 million before then, the company said. Usually, bug bounty programs don’t have an expiration date.

Zerodium has gained notoriety for offering high payouts and bounties for targets such as the iPhone. In 2015, shortly after its launch, Zerodium offered $1 million for anyone who could develop a technique to hack an iPhone remotely. When the challenge ended, the company claimed that a team of hackers was able to claim the bounty. Zerodium always declines to discuss the identities of its customers or the researchers it deals with.

Undoubtedly, there’s demand among intelligence and law enforcement agencies for such exploits. Last year, European cops hacked users of a child pornography website called The GiftBox Exchange using an unknown Firefox vulnerability—or zero-day. But some believe that Zerodium’s headline-grabbing prices are just a marketing stunt.

“I don’t think [the prices] are accurate reflections of Tor Browser as a secure system,” a security researcher with knowledge of the exploit market, who asked to remain anonymous, told Motherboard. “Those prices are marketing.”

Last month, when Zerodium announced new rates and bounties, offering the same amount of money ($100,000) for similar Tor Browser and Chrome exploits, Tor developer and cryptographer Isis Lovecruft told Motherboard that “maybe this is all a PR stunt to get people like us to pay attention to their silly 0day-hoarding startup :).”

In response to this criticism, Bekrar said that the “prices are high as exploitation without JavaScript is difficult and [Local Privilege Escalation] is required for the highest payouts.”

“Hard research work = big bounty,” he told me.

A spokesperson for the Tor Project, which develops and maintains the Tor Browser, said that “the amount of the bounty is a testament to the security we provide.”

“We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty,” Stephanie Whited said in an email, referring to Tor’s own bug bounty, which offers up to $4,000 in rewards. “Over 1.5 million people rely on Tor everyday to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”

Source: https://motherboard.vice.com/en_us/article/7xkp8q/startup-that-sells-zero-days-to-governments-is-offering-dollar1-million-for-tor-hacks
