8/5/2013 10:40 AM

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Did an FBI sting operation exploit a vulnerability in Firefox to disable the anonymity offered by the Tor network, for the purposes of cataloging the Internet protocol (IP) addresses of visitors to sites that distribute child pornography?

While details are still emerging, that's one thesis being advanced by information security experts, after Freedom Hosting -- which offers anonymous Tor software services, but isn't affiliated with The Tor Project itself -- went dark, sometime before midnight Sunday. The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service.

The Freedom Hosting takedown may be tied to the arrest of 28-year-old Eric Eoin Marques in Dublin last Monday, following a reportedly year-long attempt by the FBI to identify and locate him. A warrant for his arrest on child pornography distribution charges was issued July 29 by the U.S. attorney general in Maryland. The charges carry a maximum prison sentence of 30 years.

During a related extradition hearing in Ireland last week, an FBI special agent characterized Marques as being "the largest facilitator of child porn on the planet," Ireland's Independent newspaper reported Saturday.

According to public records, Marques -- who holds dual Irish and American citizenship -- is one of two directors of Ireland-based service provider Host Ultra Limited. Multiple news reports have also suggested that Marques is the operator of Freedom Hosting. But a spokeswoman for the U.S. Attorney's Office in Maryland, contacted by phone, wasn't immediately able to confirm the details of the arrest warrant, including whether Marques has been accused of running Freedom Hosting.

Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. A teardown of the malware showed it to be an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the attack and takedown were tied to Marques' arrest.

In fact, multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA and not by blackhats," according to an analysis posted by reverse-engineering expert Vlad Tsyrklevich.
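The payload described above only needed one thing to work: a path from the browser to a clearnet host that did not go through the Tor circuit. On a host configured so that the Tor daemon is the only process allowed to reach the network (the browser talks to Tor's local SOCKS port, and nothing else), that GET request has nowhere to go, and an egress monitor sees it as a policy violation. The following detector is an added example and is not code from the article, from the researchers quoted, or from The Tor Project; the flow-log format, the SOCKS port, the relay addresses and the process names are all constructed assumptions for the example.

```python
"""Egress-bypass detector for a host that should reach the network only via Tor.

A clearnet beacon of the kind discussed above relies on the compromised browser
opening a direct connection outside Tor. If the only permitted outbound path is
the local tor process (with the browser using tor's SOCKS port), any other
routable connection is worth an alert. Every value below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the local SOCKS listener the browser is expected to use.
SOCKS_PORT = 9150
# Constructed: relays the local tor daemon is currently allowed to talk to.
# In practice this set would come from tor's state file or control port.
KNOWN_RELAYS = {"203.0.113.10", "198.51.100.7"}
# Constructed: process name of the local Tor daemon.
TOR_PROCESS = "tor"


@dataclass(frozen=True)
class Flow:
    ts: str
    process: str
    dst_ip: str
    dst_port: int


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <process> <dst_ip>:<dst_port>'."""
    ts, process, endpoint = line.split()
    host, _, port = endpoint.rpartition(":")
    return Flow(ts, process, host, int(port))


def classify(flow):
    """Return None if the flow fits a Tor-only egress policy, else the reason it does not."""
    dst = ipaddress.ip_address(flow.dst_ip)
    if dst.is_loopback:
        # Browser -> local SOCKS port is the expected path; another loopback
        # port is odd but is not an egress bypass.
        if flow.process != TOR_PROCESS and flow.dst_port != SOCKS_PORT:
            return "unexpected loopback port"
        return None
    if flow.process == TOR_PROCESS:
        if flow.dst_ip not in KNOWN_RELAYS:
            return "tor connecting to unknown relay"
        return None
    # Any non-tor process reaching a routable address skipped the proxy:
    # this is exactly the path a clearnet beacon needs.
    return f"direct egress by {flow.process}, bypassing Tor"


def find_bypasses(lines):
    """Return (flow, reason) pairs for every record that violates the policy."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow, reason))
    return alerts


# Constructed sample flow log: two clean browser flows, two clean tor flows,
# one browser flow straight to a routable address, one tor flow to an unknown host.
SAMPLE_FLOWS = """
2013-08-04T23:10:01Z firefox 127.0.0.1:9150
2013-08-04T23:10:01Z tor 203.0.113.10:9001
2013-08-04T23:10:02Z firefox 127.0.0.1:9150
2013-08-04T23:10:05Z firefox 192.0.2.44:80
2013-08-04T23:10:09Z tor 198.51.100.7:443
2013-08-04T23:10:12Z tor 192.0.2.99:9001
""".strip().splitlines()


if __name__ == "__main__":
    for flow, reason in find_bypasses(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.process} -> {flow.dst_ip}:{flow.dst_port}: {reason}")
```

The same policy can be enforced rather than merely observed: a host firewall that permits outbound traffic only for the Tor daemon's user, with the browser confined to the loopback SOCKS port, turns the beacon's direct GET into a failed connection instead of a deanonymization.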

Tor's hidden services, which are denoted by a dot-onion (.onion) domain name that is always randomly generated, are a lesser-known feature of Tor that makes a website reachable only via the Tor network.

"The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user," said "Phobos," a Tor project blogger, in a "Hidden Services, Current Events and Freedom Hosting" blog post. "The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

Hidden services offer anonymity to people such as whistleblowers and dissidents. But the feature has also gained notoriety through its use by activists, as well as by services such as Silk Road -- an online marketplace known for facilitating the buying and selling of illegal drugs -- and by distributors of child pornography.

Comments
Mathew, User Rank: Apprentice, 8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The Tor Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.
MohitK590, User Rank: Apprentice, 8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News', the IP address mentioned in the Firefox exploit belongs to NSA's contractor and they used it to hack TOR network to uncloak anonymous users including hackers, protesters | More details: http://thehackernews.com/2013/...