Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.

Did an FBI sting operation exploit a vulnerability in Firefox to disable the anonymity offered by the Tor network, for the purposes of cataloging the Internet protocol (IP) addresses of visitors to sites that distribute child pornography?

While details are still emerging, that's one thesis being advanced by information security experts, after Freedom Hosting -- which offers anonymous Tor software services, but isn't affiliated with The Tor Project itself -- went dark, sometime before midnight Sunday. The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service.

The Freedom Hosting takedown may be tied to the arrest of 28-year-old Eric Eoin Marques in Dublin last Monday, following a reportedly year-long attempt by the FBI to identify and locate him. A warrant for his arrest on child pornography distribution charges was issued July 29 by the U.S. attorney general in Maryland. The charges carry a maximum prison sentence of 30 years.

[ How deep can the feds' surveillance really go? For example, Can The NSA Really Track Turned-Off Cellphones? ]

During a related extradition hearing in Ireland last week, an FBI special agent characterized Marques as being "the largest facilitator of child porn on the planet," Ireland's Independent newspaper reported Saturday.

According to public records, Marques -- who holds dual Irish and American citizenship -- is one of two directors of Ireland-based service provider Host Ultra Limited. Multiple news reports have also suggested that Marques is the operator of Freedom Hosting. But a spokeswoman for the U.S. Attorney's Office in Maryland, contacted by phone, wasn't immediately able to confirm the details of the arrest warrant, including whether Marques has been accused of running Freedom Hosting.

Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.

In fact multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA and not by blackhats," according to an analysis posted by reverse-engineering expert Vlad Tsrklevich.

Tor's hidden services, which are denoted by a dot-onion (.onion) domain name -- always randomly generated -- are a lesser-known feature of Tor, which can be used to make a website reachable only via the Tor network.

"The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user," said "Phobos," a Tor project blogger, in a "Hidden Services, Current Events and Freedom Hosting" blog post. "The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."

Hidden services offer anonymity to people such as whistleblowers and dissidents. But the feature has also gained notoriety by being used by services such as activists, as well as by services such as Silk Road -- an online marketplace known for facilitating the buying and selling of illegal drugs -- and for distributing child pornography.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/6/2013 | 7:26:23 AM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
Thanks for the comment. The assertion that the IP address traces directly to the NSA has been refuted by Wired. In a nutshell, the IP address has been misread, although it does trace to an upstream Verizon provider that serves a number of government agencies (including the public-facing NSA.gov site) as well as government contractors.

Also, The TOR Project announced Monday that anyone who's installed the latest Tor Browser Bundle -- released June 26, 2013 -- is protected against the Firefox exploit. Note that TBB doesn't (yet) auto-update.
MohitK590
50%
50%
MohitK590,
User Rank: Apprentice
8/5/2013 | 5:14:15 PM
re: Tor Anonymity Cracked; FBI Porn Investigation Role Questioned
According to 'The Hacker News' , the IP address mentioned in the Firefox exploit belongs to NSA's contractor and they used it to hack TOR network to uncloak anonymous users including hackers, protesters | More details : http://thehackernews.com/2013/...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27956
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
CVE-2020-27957
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
CVE-2020-16140
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
CVE-2020-9982
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
CVE-2020-3855
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.