informa
News

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.
Who's now at risk from the Firefox flaw exploited by the injection script? In fact, the vulnerability was patched on June 25, 2013, with the release of Firefox 22 and Firefox Extended Service Release (ESR) -- which is often used by enterprises -- version 17.0.7.

"People who are on the latest supported versions of Firefox are not at risk," wrote Daniel Veditz, Mozilla's security lead, in a Sunday blog post. "Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."

Anyone still using a vulnerable version of the TBB can mitigate the vulnerability by deactivating JavaScript in their Firefox browser. "We're investigating these bugs and will fix them if we can," said Tor's Phobos.

Responding to criticism that a zero-day vulnerability in Firefox had been used to compromise Tor users, Mozilla's Veditz countered that the bug had already been publicly disclosed and fixed. "This wasn't a 'zero day' attack, it was an exploit based on a security advisory from six weeks ago," he said. "The number of users vulnerable to this -- those who aren't up to date -- is dropping fast so the exploit is losing most of its value anyway."

The timing of the apparent Freedom Hosting takedown and bust of Marques -- which happened the same week as the annual Black Hat and DEF CON conventions -- didn't go unnoticed by the hacking community. "FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty," posted "VarthDator" on a related Reddit thread.

Marques, meanwhile, remains incarcerated in Ireland, following his request for bail having been denied, after a judge classified him as a flight risk. That was based on testimony that Marques had routed large amounts of money from his bank accounts to accounts based in Romania. Authorities also said that based on a digital forensic examination of Marques' computer, he'd been researching how to obtain a visa for Russia. Marques countered in court that he'd only been researching the issue out of curiosity, in response to news about NSA whistleblower Edward Snowden.

Recommended Reading: