Risk
8/5/2013
10:40 AM
50%
50%

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Who's now at risk from the Firefox flaw exploited by the injection script? In fact, the vulnerability was patched on June 25, 2013, with the release of Firefox 22 and Firefox Extended Service Release (ESR) -- which is often used by enterprises -- version 17.0.7.

"People who are on the latest supported versions of Firefox are not at risk," wrote Daniel Veditz, Mozilla's security lead, in a Sunday blog post. "Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."

Anyone still using a vulnerable version of the TBB can mitigate the vulnerability by deactivating JavaScript in their Firefox browser. "We're investigating these bugs and will fix them if we can," said Tor's Phobos.

Responding to criticism that a zero-day vulnerability in Firefox had been used to compromise Tor users, Mozilla's Veditz countered that the bug had already been publicly disclosed and fixed. "This wasn't a 'zero day' attack, it was an exploit based on a security advisory from six weeks ago," he said. "The number of users vulnerable to this -- those who aren't up to date -- is dropping fast so the exploit is losing most of its value anyway."

The timing of the apparent Freedom Hosting takedown and bust of Marques -- which happened the same week as the annual Black Hat and DEF CON conventions -- didn't go unnoticed by the hacking community. "FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty," posted "VarthDator" on a related Reddit thread.

Marques, meanwhile, remains incarcerated in Ireland, following his request for bail having been denied, after a judge classified him as a flight risk. That was based on testimony that Marques had routed large amounts of money from his bank accounts to accounts based in Romania. Authorities also said that based on a digital forensic examination of Marques' computer, he'd been researching how to obtain a visa for Russia. Marques countered in court that he'd only been researching the issue out of curiosity, in response to news about NSA whistleblower Edward Snowden.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MohitK590
50%
50%
MohitK590,
User Rank: Apprentice
8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News' , the IP address mentioned in the Firefox exploit belongs to NSA's contractor and they used it to hack TOR network to uncloak anonymous users including hackers, protesters | More details : http://thehackernews.com/2013/...
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The TOR Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice one
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0845
Published: 2015-04-17
Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates.

CVE-2015-1318
Published: 2015-04-17
The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).

CVE-2015-1852
Published: 2015-04-17
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-mid...

CVE-2015-1856
Published: 2015-04-17
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.

CVE-2013-4866
Published: 2015-04-16
The LIXIL Corporation My SATIS Genius Toilet application for Android has a hardcoded Bluetooth PIN, which allows physically proximate attackers to trigger physical resource consumption (water or heat) or user discomfort.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.