TOR hacked by the FBI?

Samson

Another aspect of the US government electronic surveillance increase that has been popping up here over the last few weeks: it now appears that they have hacked some (most?) of the servers that host TOR (a web anonymising service). They appear to be inserting malicious code into the responses, which exploits potential bugs in Firefox 17 ESR and phones home to the FBI when the victim resumes non-TOR browsing.

This really seems to be a game changer to me. Prior to this I would have said that activists could always get anonymity if they really needed it (as could the drug dealers and kiddy porn users), but now it would seem nowhere online is safe from the powers that be. I have to admit to not knowing much about this, but I know it is used by a lot of people, some "goodies" and some "baddies".

Questions that seem worthy of discussion:

  • Is this moral? Is the loss of a free and open line of communication to those who need it for justifiable purposes (Chinese dissidents spring to mind) worth catching the perverts and druggies for?
  • Is this legal? Is inserting malware on devices in this way legal in a way that doing almost exactly the same has got many people locked up?
  • Are there any other options? If TOR can no longer be relied upon to be safe, is anywhere left?

Register

Network anonymisation outfit TOR has posted a fascinating piece of commentary on reports that some of the anonymous servers it routes to have disappeared from its network.

“Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network,” the piece starts. “There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site”.

As it explores the rumours, the post goes on to name an entity called Freedom Hosting, and to vigorously dissociate TOR from the organisation.

Distancing TOR from Freedom seems a fine idea given numerous reports, such as this from The Irish Examiner, suggest its founder Eric Eoin Marques has been arrested because the FBI believes he facilitated the distribution of child pornography using TOR. The FBI wants to extradite Marques to the USA.

TOR's not sure if the arrest and the disappearance of some nodes is linked, but is saying “someone has exploited the software behind Freedom Hosting … in a way that it injects some sort of javascript exploit in the web pages delivered to users.” That payload results in malware reaching users' PCs, possibly thanks to “potential bugs in Firefox 17 ESR, on which our Tor Browser is based.”

TOR is “investigating these bugs and will fix them if we can”.

Various forums online, however, report that the malware has spread beyond sites hosted by Freedom. Some suggest TORmail, TOR's secure email service, may also have been compromised, or that the attack means TOR is no longer able to mask users' IP addresses.

TOR's post says it's not sure what's really happening and that it will update users once it learns more.


Slashdot

"The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA. In a crackdown the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail. The FBI has also embedded a 0-day Javascript attack against Firefox 17 on Freedom Hosting's server. It appears to install a tracking cookie and a payload that phones home to the FBI when the victim resumes non-TOR browsing. Interesting implications for The Silk Road and the value of Bitcoin stemming from this. The attack relies on two extremely unsafe practices when using TOR: Enabled Javascript, and using the same browser for TOR and non-TOR browsing. Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."


[EDIT] More Mainstream source: Guardian


Freedom Hosting, linked by the FBI to child abuse images, has gone offline, as the FBI sought the extradition of a 28-year-old suspect from Ireland.

Eric Eoin Marques is the subject of a US arrest warrant for distributing and promoting child abuse material online.

He has been refused bail by the high court in Dublin, reported the Irish Independent, until the extradition request is decided. Marques, who is both a US and Irish national, will face the high court again on Thursday.

If extradited to the US, Marques faces four charges relating to images hosted on the Freedom Hosting network, including images of the torture and rape of children. He could be sentenced to 30 years in prison.

Freedom Hosting hosted sites on The Onion Router (Tor) network, which anonymises and encrypts traffic, masking the identity of users.
Whistleblowers, journalists and dissidents too?

On Sunday, Tor's official blog posted a detailed statement confirming that a large number of "hidden service addresses", or servers anonymised using the network, had unexpectedly gone offline.

Tor was quick to distance itself from Freedom Hosting, which has been claimed to be a hub for child abuse material as well as Silk Road – the eBay of hard drugs, saying "the persons who run Freedom Hosting are in no way affiliated or connected to the Tor Project Inc, the organisation co-ordinating the development of the Tor software and research."

"Anyone can run hidden services, and many do," said the statement. "Organisations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery.

"Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example."

Security blogger and former Washington Post reporter Brian Krebs wrote on Sunday that users were identified using a flaw in Firefox 17, on which the Tor browser is based.

Rik Ferguson, vice-president of security research at Trend Micro, said he was awaiting further details to be made public as Marques is brought to trial, but that the takedown and related law enforcement "is great news for the campaign against child exploitation".

"The malicious code made a 'victim machine' which visited one of the compromised hidden sites, and requested a website on the 'visible' web, via HTTP, thereby exposing its real IP address. As the exploit did not deliver any malicious code, it is highly unlikely that this was a cybercriminal operation.

"It is a legitimate concern that users of child abuse material may simply go elsewhere, and as such the individual users should continue to be targeted by law enforcement globally. However, going after the people and organisations that really enable this content to be made available at all is a much more effective strategy."

In 2011, hacking collective Anonymous took down Freedom Hosting with a targeted DDoS attack as part of an anti-paedophile campaign. Anonymous also published details of the accounts of 1,500 members of Lolita City, claiming Freedom Hosting was home to 100GB of child abuse material.
FBI conspiracy?

Users on the Tor sub-Reddit were suspicious about the news, dissecting the details of the vulnerability and pointing to a previous case where the FBI had taken over and maintained a site hosting child abuse material for two weeks in order to identify users.

"FBI uploads malicious code on the deep web sites while everyone is off at Defcon. Talk about paying dirty," commented VarthDaTor. Defcon is an annual event in the US for security experts and hackers.

"The situation is serious," said gmerni. "They got the owner of FH and now they're going after all of us. Half the onion sites were hosted on FH! Disable Javascript in your Tor browser for the sake of your own safety."
 
I am of the view that the internet simply does not belong to any government. So they are not actually allowed to make such changes to it. They should just keep on playing with their toy-soldiers like that parody of Darth Vader, cause the only somewhat savory image one can have of such actions is summed up in an anodyne way in this comedic depiction.
Otherwise one might tend to view those meddling governments as far more creepy indeed.
 
Interesting article at ArsTechnica about the IP addresses the malware reported to:
They are allocated to the NSA.
http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/
The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud's discussion board wrote, "It's psyops—a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."
 
Of course, they never include a piece of code that says 'do not operate if computer we're infiltrating is outside US jurisdiction', so we're f*cked. The teachings of the School of the Americas live on.
 
So if I scan my PC, will this virus show up, or has the FBI stopped AV services from cleaning computers?
 
Well, if it turns out to be true, I wouldn't exactly be surprised. TOR has long been a thorn in law enforcement's eyes and US law enforcement especially doesn't seem to care much to obey the law in order to catch law breakers :crazy:

Ironically enough, due to the whole NSA snooping, TOR has become more popular (and therefore powerful) than ever.
 
So if I scan my PC, will this virus show up, or has the FBI stopped AV services from cleaning computers?
Probably not. It's an exploit in Firefox 17.x. The only thing it seems to leave behind after phoning home to the NSA/FBI is a cookie telling it not to exploit the same pc twice.
 
I think this is great news in the grand scheme of things. I think if you view the internet as a wild west kind of place where everything goes, then you have to accept that the government plays by the same (lack of) rules.

To address your concerns about e.g. the Chinese or Syrian governments using similar tactics to nail activists, you should be aware that all this happened on a Tor hidden service. These hidden services aren't necessary to an activist who wants to get his message out to the wider world. A hidden service is basically a web server that can only be accessed from within the Tor network. However, this wasn't the original purpose of Tor: the original purpose was to enable people to browse the open web anonymously. That is, they can send tweets or post on message boards or write emails to newspapers without being traced back to their original IP (well, they can but it would require, like, a massive global network, and even then it would only be probabilistic not deterministic). So an activist who wants to get their message out to the open web probably won't be affected by this. However, activists who want to communicate with each other, organise events, discuss strategies and so on in secret, without the open web knowing that they are communicating, might have a problem as the gov't can evidently hack their servers and inject malicious code that phones home on a non-Tor connection, revealing their IP. So it's kind of a problem, but not a huge major problem.

IMO it's worth it to catch the child rapists, who are sharing pictures of child rape on Tor hidden services. Not that we really have a choice in it: if there's a thing that allows activists to talk in secret then there will also be a thing that will allow paedophiles to share pictures of children being raped in secret. Various gov'ts will try to stop both things. We don't get a say in this.
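The step the post above turns on is the payload "phoning home on a non-Tor connection": a browser that is supposed to reach the web only through Tor suddenly makes a direct request to a public address. That is something a host-level audit can catch. The script below is an added example, not code from the thread or from the Tor Project; it assumes a Tor-only host where the browser may only talk to the local Tor SOCKS port (9050 or 9150, the latter being Tor Browser's default) and where only the tor daemon itself may contact relays, and it runs over a constructed connection log.

```python
"""Flag browser connections that bypass Tor (added example, not from the thread).

Assumed policy: on a Tor-only host every outbound browser connection goes to the
local SOCKS port (127.0.0.1:9050 or :9150); only the tor daemon contacts relays.
A direct request from the browser to any other address, which is the behaviour
the thread attributes to the Freedom Hosting payload, is treated as a leak.
The log format and all addresses below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed connection records: "timestamp process proto src:port -> dst:port"
SAMPLE_LOG = """\
2013-08-04T23:58:01 firefox tcp 10.0.0.5:51022 -> 127.0.0.1:9150
2013-08-04T23:58:02 tor     tcp 10.0.0.5:51023 -> 198.51.100.7:443
2013-08-04T23:58:09 firefox tcp 10.0.0.5:51031 -> 192.0.2.44:80
2013-08-04T23:58:10 firefox udp 10.0.0.5:51032 -> 10.0.0.1:53
2013-08-04T23:58:11 firefox tcp 10.0.0.5:51033 -> 127.0.0.1:9150
"""

TOR_SOCKS_PORTS = {9050, 9150}   # local Tor SOCKS listeners (assumed ports)
TOR_PROCESSES = {"tor"}          # the only process allowed to reach relays


@dataclass(frozen=True)
class Conn:
    ts: str
    proc: str
    proto: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log line into a Conn record."""
    ts, proc, proto, _src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return Conn(ts, proc, proto, host, int(port))


def is_leak(c: Conn) -> bool:
    """True when a non-tor process reaches anything but the local SOCKS port."""
    if c.proc in TOR_PROCESSES:
        return False
    ip = ipaddress.ip_address(c.dst)
    if ip.is_loopback and c.dport in TOR_SOCKS_PORTS and c.proto == "tcp":
        return False
    # Everything else, including browser-originated DNS, bypasses the circuit.
    return True


def find_leaks(log_text: str) -> list[Conn]:
    """Return every connection in the log that violates the Tor-only policy."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return [c for c in map(parse_line, lines) if is_leak(c)]


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak.ts} {leak.proc} -> {leak.dst}:{leak.dport} bypassed Tor")
```

On the sample log this reports the direct HTTP request to 192.0.2.44:80 and the browser's own DNS query, while the SOCKS connections and the tor daemon's relay connection pass.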
 
I think this is great news in the grand scheme of things. I think if you view the internet as a wild west kind of place where everything goes, then you have to accept that the government plays by the same (lack of) rules.

But it isn't...for normal citizens, this would fall under computer sabotage and would be punishable by prison. Why shouldn't this apply to law enforcement agencies if they use this? I'd understand if they target somebody specific with that (probable cause and all), but to just give them a blank cheque for such actions seems irresponsible to me.
 
Oh, I agree with you. It's just that there's a not insignificant minority who genuinely think that all computers are fair game for hacking. And I think a lot of those people are the kind of people who end up running Tor relays, exit nodes, and hidden services. I am perhaps overgeneralising here, but to put it bluntly, I don't have a great deal of time for hackers who complain about getting hacked.
 
Oh, I agree with you. It's just that there's a not insignificant minority who genuinely think that all computers are fair game for hacking. And I think a lot of those people are the kind of people who end up running Tor relays, exit nodes, and hidden services. I am perhaps overgeneralising here, but to put it bluntly, I don't have a great deal of time for hackers who complain about getting hacked.

well, yes. though I think today the majority of TOR-users aren't in any way criminal. And let's face it, those getting hit by this probably won't be the hackers, as they are mostly capable enough to not walk into such traps. The most they will catch will probably be some script kiddies.
 
Well, I don't know. I think that even the most paranoid people trust JavaScript as long as it comes from the website that you're going on (i.e. 1st party scripts, but not 3rd party scripts). That's standard practice really, though I know that the Tor browser defaults to turning all js off by default. I think that this particular attack would catch even the most tech-savvy browsers - unless you literally never turn on javascript, you can't really avoid getting caught by it. I think that, perhaps, running on hidden services via Tor provides a false sense of security.
 
Well, I don't know. I think that even the most paranoid people trust JavaScript as long as it comes from the website that you're going on (i.e. 1st party scripts, but not 3rd party scripts). That's standard practice really, though I know that the Tor browser defaults to turning all js off by default. I think that this particular attack would catch even the most tech-savvy browsers - unless you literally never turn on javascript, you can't really avoid getting caught by it. I think that, perhaps, running on hidden services via Tor provides a false sense of security.

maybe. but just to say, I know several guys who always have their javascript turned off (to the extent that they can't use many sites to begin with). but then I work in IT...we're a paranoid bunch ;)

of course, the same people wouldn't use an outdated browser (ff 17), enable cookies, or use the same browser for tor and non-tor browsing.
 
I don't bother with the actual TOR pages ( the "deep web" or whatever) but I do use TOR to browse political blogs and such. No reason anybody needs to know which bloggers I like, damnit.

Of course now they probably do :lol: C'est la vie. We're in a crazy time when governments are apparently operating in the "what can we get by with?" mode.

And why not American dissidents?

I want to emphasize that I'm not sympathetic with your political views on the whole, but I was thinking the exact same thing. Interesting how we both had the same thought from different points of origin.

maybe. but just to say, I know several guys who always have their javascript turned off (to the extent that they can't use many sites to begin with). but then I work in IT...we're a paranoid bunch ;)

of course, the same people wouldn't use an outdated browser (ff 17), enable cookies, or use the same browser for tor and non-tor browsing.

I try to be careful too, but the problem is that sometimes one mistake blows the whole game. I am cautious but, at the same time, I never post anything that I would be completely unwilling to own. Using both approaches together preserves my sanity on the web.
 
I don't bother with the actual TOR pages ( the "deep web" or whatever) but I do use TOR to browse political blogs and such. No reason anybody needs to know which bloggers I like, damnit.

Of course now they probably do :lol: C'est la vie. We're in a crazy time when governments are apparently operating in the "what can we get by with?" mode.

Your ISP knows what sites you go to, even when you're using TOR, from what I understand.
 
maybe. but just to say, I know several guys who always have their javascript turned off (to the extent that they can't use many sites to begin with). but then I work in IT...we're a paranoid bunch ;)

of course, the same people wouldn't use an outdated browser (ff 17), enable cookies, or use the same browser for tor and non-tor browsing.
Ahh, I didn't realise the browser was an outdated version. For some reason I assumed that the latest version of the Tor browser bundle came with FF 17, whereas if I understand you correctly, the bundle uses the latest FF version but the victims of this hack were using an old version of the Tor browser bundle. In that case, yeah, it's probably not-so-techy people who got done by this...
 
Your ISP knows what sites you go to, even when you're using TOR, from what I understand.

Possibly. Nothing I browse is actually illegal so I'm not so worried about it.

I figure it's the most I can do, you know?
 
I want to emphasize that I'm not sympathetic with your political views on the whole, but I was thinking the exact same thing. Interesting how we both had the same thought from different points of origin.

Regardless of our political convictions, most Americans agree that it's our civic duty to take action against a tyrannical government that steps outside the charge of its citizenry. "The blood of patriots and tyrants" and all that.
 
Your ISP knows what sites you go to, even when you're using TOR, from what I understand.

no, your ISP only knows that you're using TOR. otherwise, the whole thing would be kinda moot ;)
 