Risk
8/5/2013
10:40 AM
Connect Directly
RSS
E-Mail
50%
50%

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Did an FBI sting operation exploit a vulnerability in Firefox to disable the anonymity offered by the Tor network, for the purposes of cataloging the Internet protocol (IP) addresses of visitors to sites that distribute child pornography?

While details are still emerging, that's one thesis being advanced by information security experts, after Freedom Hosting -- which offers anonymous Tor software services, but isn't affiliated with The Tor Project itself -- went dark, sometime before midnight Sunday. The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service.

The Freedom Hosting takedown may be tied to the arrest of 28-year-old Eric Eoin Marques in Dublin last Monday, following a reportedly year-long attempt by the FBI to identify and locate him. A warrant for his arrest on child pornography distribution charges was issued July 29 by the U.S. attorney general in Maryland. The charges carry a maximum prison sentence of 30 years.

[ How deep can the feds' surveillance really go? For example, Can The NSA Really Track Turned-Off Cellphones? ]

During a related extradition hearing in Ireland last week, an FBI special agent characterized Marques as being "the largest facilitator of child porn on the planet," Ireland's Independent newspaper reported Saturday.

According to public records, Marques -- who holds dual Irish and American citizenship -- is one of two directors of Ireland-based service provider Host Ultra Limited. Multiple news reports have also suggested that Marques is the operator of Freedom Hosting. But a spokeswoman for the U.S. Attorney's Office in Maryland, contacted by phone, wasn't immediately able to confirm the details of the arrest warrant, including whether Marques has been accused of running Freedom Hosting.

Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.

In fact multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA and not by blackhats," according to an analysis posted by reverse-engineering expert Vlad Tsrklevich.

Tor's hidden services, which are denoted by a dot-onion (.onion) domain name -- always randomly generated -- are a lesser-known feature of Tor, which can be used to make a website reachable only via the Tor network.

"The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user," said "Phobos," a Tor project blogger, in a "Hidden Services, Current Events and Freedom Hosting" blog post. "The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

Hidden services offer anonymity to people such as whistleblowers and dissidents. But the feature has also gained notoriety by being used by services such as activists, as well as by services such as Silk Road -- an online marketplace known for facilitating the buying and selling of illegal drugs -- and for distributing child pornography.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The TOR Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.
MohitK590
50%
50%
MohitK590,
User Rank: Apprentice
8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News' , the IP address mentioned in the Firefox exploit belongs to NSA's contractor and they used it to hack TOR network to uncloak anonymous users including hackers, protesters | More details : http://thehackernews.com/2013/...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.