Risk
8/5/2013
10:40 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Who's now at risk from the Firefox flaw exploited by the injection script? In fact, the vulnerability was patched on June 25, 2013, with the release of Firefox 22 and Firefox Extended Service Release (ESR) -- which is often used by enterprises -- version 17.0.7.

"People who are on the latest supported versions of Firefox are not at risk," wrote Daniel Veditz, Mozilla's security lead, in a Sunday blog post. "Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."

Anyone still using a vulnerable version of the TBB can mitigate the vulnerability by deactivating JavaScript in their Firefox browser. "We're investigating these bugs and will fix them if we can," said Tor's Phobos.

Responding to criticism that a zero-day vulnerability in Firefox had been used to compromise Tor users, Mozilla's Veditz countered that the bug had already been publicly disclosed and fixed. "This wasn't a 'zero day' attack, it was an exploit based on a security advisory from six weeks ago," he said. "The number of users vulnerable to this -- those who aren't up to date -- is dropping fast so the exploit is losing most of its value anyway."

The timing of the apparent Freedom Hosting takedown and bust of Marques -- which happened the same week as the annual Black Hat and DEF CON conventions -- didn't go unnoticed by the hacking community. "FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty," posted "VarthDator" on a related Reddit thread.

Marques, meanwhile, remains incarcerated in Ireland, following his request for bail having been denied, after a judge classified him as a flight risk. That was based on testimony that Marques had routed large amounts of money from his bank accounts to accounts based in Romania. Authorities also said that based on a digital forensic examination of Marques' computer, he'd been researching how to obtain a visa for Russia. Marques countered in court that he'd only been researching the issue out of curiosity, in response to news about NSA whistleblower Edward Snowden.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The TOR Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.
MohitK590
50%
50%
MohitK590,
User Rank: Apprentice
8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News' , the IP address mentioned in the Firefox exploit belongs to NSA's contractor and they used it to hack TOR network to uncloak anonymous users including hackers, protesters | More details : http://thehackernews.com/2013/...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web