Risk
8/5/2013
10:40 AM
Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Did an FBI sting operation exploit a vulnerability in Firefox to disable the anonymity offered by the Tor network, for the purposes of cataloging the Internet protocol (IP) addresses of visitors to sites that distribute child pornography?

While details are still emerging, that's one thesis being advanced by information security experts, after Freedom Hosting -- which offers anonymous Tor software services, but isn't affiliated with The Tor Project itself -- went dark, sometime before midnight Sunday. The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service.

The Freedom Hosting takedown may be tied to the arrest of 28-year-old Eric Eoin Marques in Dublin last Monday, following a reportedly year-long attempt by the FBI to identify and locate him. A warrant for his arrest on child pornography distribution charges was issued July 29 by the U.S. attorney general in Maryland. The charges carry a maximum prison sentence of 30 years.

During a related extradition hearing in Ireland last week, an FBI special agent characterized Marques as being "the largest facilitator of child porn on the planet," Ireland's Independent newspaper reported Saturday.

According to public records, Marques -- who holds dual Irish and American citizenship -- is one of two directors of Ireland-based service provider Host Ultra Limited. Multiple news reports have also suggested that Marques is the operator of Freedom Hosting. But a spokeswoman for the U.S. Attorney's Office in Maryland, contacted by phone, wasn't immediately able to confirm the details of the arrest warrant, including whether Marques has been accused of running Freedom Hosting.

Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.

In fact, multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA and not by blackhats," according to an analysis posted by reverse-engineering expert Vlad Tsrklevich.
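A defender-side check that follows from the beacon described above, written for this page as an added example and not taken from the article, The Tor Project or any of the researchers quoted: it scans a connection log from a host running the Tor Browser Bundle and flags any browser connection that did not go to the local Tor SOCKS port, which is exactly the kind of direct, outside-Tor request the tracking script relied on. The log format and the 127.0.0.1:9150 SOCKS port are assumptions; the sample log lines are constructed.

```python
"""Egress check for a Tor Browser host: flag connections that bypass the Tor SOCKS port.

Added example (not code from the article or from The Tor Project). The beacon
described above made a GET request outside the Tor network, so the defensive
question is: did the browser process open any connection that did not go
through the local Tor client? Assumes a simplified, constructed log format:
"<process> <dst_ip>:<dst_port>", one connection per line.
"""
import ipaddress

# The bundled tor client listens on localhost and the browser is expected to
# send everything through it. The port is an assumption for this example.
TOR_SOCKS = ("127.0.0.1", 9150)

# Constructed sample log lines (not real data); one direct connection is planted.
SAMPLE_LOG = """\
firefox 127.0.0.1:9150
firefox 127.0.0.1:9150
tor 198.51.100.23:9001
firefox 203.0.113.45:80
firefox 127.0.0.1:9150
tor 192.0.2.17:443
"""


def parse_line(line):
    """Return (process, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 2 or ":" not in parts[1]:
        return None
    host, _, port = parts[1].rpartition(":")
    try:
        return parts[0], str(ipaddress.ip_address(host)), int(port)
    except ValueError:
        return None


def find_proxy_bypass(log_text, browser_process="firefox"):
    """Return (ip, port) destinations the browser reached without using Tor's SOCKS port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proc, ip, port = rec
        if proc != browser_process:
            continue  # the tor daemon itself legitimately talks to relays
        if (ip, port) != TOR_SOCKS:
            hits.append((ip, port))
    return hits


if __name__ == "__main__":
    for ip, port in find_proxy_bypass(SAMPLE_LOG):
        print(f"ALERT: browser connected directly to {ip}:{port}, bypassing Tor")
```

Any hit is a proxy bypass worth investigating, whatever caused it; a clean run only shows that the browser's sockets went through the local Tor client, not that the page content was benign.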

Tor's hidden services, which are denoted by a dot-onion (.onion) domain name -- always randomly generated -- are a lesser-known feature of Tor, which can be used to make a website reachable only via the Tor network.

"The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user," said "Phobos," a Tor project blogger, in a "Hidden Services, Current Events and Freedom Hosting" blog post. "The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

Hidden services offer anonymity to people such as whistleblowers and dissidents. But the feature has also gained notoriety through its use by activists, as well as by services such as Silk Road -- an online marketplace known for facilitating the buying and selling of illegal drugs -- and by sites that distribute child pornography.

Comments
MohitK590, User Rank: Apprentice, 8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News', the IP address mentioned in the Firefox exploit belongs to an NSA contractor, and they used it to hack the TOR network to uncloak anonymous users, including hackers and protesters. More details: http://thehackernews.com/2013/...
Mathew, User Rank: Apprentice, 8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The Tor Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.