Risk
8/5/2013
10:40 AM
Connect Directly
RSS
E-Mail
50%
50%

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Who's now at risk from the Firefox flaw exploited by the injection script? In fact, the vulnerability was patched on June 25, 2013, with the release of Firefox 22 and Firefox Extended Service Release (ESR) -- which is often used by enterprises -- version 17.0.7.

"People who are on the latest supported versions of Firefox are not at risk," wrote Daniel Veditz, Mozilla's security lead, in a Sunday blog post. "Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."

Anyone still using a vulnerable version of the TBB can mitigate the vulnerability by deactivating JavaScript in their Firefox browser. "We're investigating these bugs and will fix them if we can," said Tor's Phobos.

Responding to criticism that a zero-day vulnerability in Firefox had been used to compromise Tor users, Mozilla's Veditz countered that the bug had already been publicly disclosed and fixed. "This wasn't a 'zero day' attack, it was an exploit based on a security advisory from six weeks ago," he said. "The number of users vulnerable to this -- those who aren't up to date -- is dropping fast so the exploit is losing most of its value anyway."

The timing of the apparent Freedom Hosting takedown and bust of Marques -- which happened the same week as the annual Black Hat and DEF CON conventions -- didn't go unnoticed by the hacking community. "FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty," posted "VarthDator" on a related Reddit thread.

Marques, meanwhile, remains incarcerated in Ireland, following his request for bail having been denied, after a judge classified him as a flight risk. That was based on testimony that Marques had routed large amounts of money from his bank accounts to accounts based in Romania. Authorities also said that based on a digital forensic examination of Marques' computer, he'd been researching how to obtain a visa for Russia. Marques countered in court that he'd only been researching the issue out of curiosity, in response to news about NSA whistleblower Edward Snowden.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MohitK590
50%
50%
MohitK590,
User Rank: Apprentice
8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News' , the IP address mentioned in the Firefox exploit belongs to NSA's contractor and they used it to hack TOR network to uncloak anonymous users including hackers, protesters | More details : http://thehackernews.com/2013/...
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The TOR Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio