Auteur Sujet: Half of Tor Sites Compromised, Including TORMail  (Lu 7267 fois)

0 Membres et 1 Invité sur ce sujet

ka9yhd

  • Invité
Half of Tor Sites Compromised, Including TORMail
« le: 05 août 2013 à 02:00:13 »
"The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA. In a crackdown the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail. The FBI has also embedded a 0-day Javascript attack against Firefox 17 on Freedom Hosting's server. It appears to install a tracking cookie and a payload that phones home to the FBI when the victim resumes non-TOR browsing. Interesting implications for The Silk Road and the value of Bitcoin stemming from this. The attack relies on two extremely unsafe practices when using TOR: Enabled Javascript, and using the same browser for TOR and non-TOR browsing. Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."

http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail

djohnston

  • Invité
Re : Half of Tor Sites Compromised, Including TORMail
« Réponse #1 le: 05 août 2013 à 20:05:11 »
Feds Are Suspects in New Malware That Attacks Tor Anonymity

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

The broad Freedom Hosting deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on an U.S. extradition request. The Irish Independent reports that Marques is wanted for distributing child pornography in a federal case filed in Maryland, and quotes an FBI special agent describing Marques as “the largest facilitator of child porn on the planet.”

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.

Freedom Hosting is a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion — that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network.

Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree – which can include human rights groups and journalists. But it also naturally appeals to serious criminal elements.

Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.

Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.

By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.

Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.

“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”

The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’ arrest, is that the malware does nothing but identify the target.

The heart of the malicious Javascript is a tiny Windows executable (emphasis added) hidden in a variable named “Magneto.” A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.

But the Magneto code doesn’t download anything. It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request.

“The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsrklevich, who reverse-engineered the Magneto code.

The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.

But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?

Update 8.5.13 12:50: According to Domaintools, the malware’s command-and-control IP address in Virginia is allocated to Science Applications International Corporation. SAIC is a major technology contractor for defense and intelligence agencies, including the FBI.


djohnston

  • Invité
Re : Half of Tor Sites Compromised, Including TORMail
« Réponse #2 le: 07 août 2013 à 00:55:01 »
NSA's Cyber Army Attacks the Navy's Tor Network, Gives Spoils to the FBI

Eric Blair

It was reported earlier this week that the FBI won a great victory by stopping the largest child porn distributor on the Internet. The FBI's victory lap was cut short when some of the details of how they did it were more closely examined.

What the FBI actually did was seize a hosting service on the hidden TOR Network.  The owner of the hosting service Freedom Hosting was not directly involved in the production or distribution of child porn, he just provided anonymous hosting used by pedophile pornographers.

The bigger question became how the FBI penetrated the supposedly anonymous TOR Network. That's where the story gets interesting.

TOR, short for The Onion Router, was originally developed by the Navy Research Laboratory to provide an anonymous secondary internetwork for the government to use.  Supposedly the project was abandoned by the Navy only to be picked up by open-source volunteers who now run the Tor Project.

Despite its beginnings as a government project, most believe TOR to be the best current option for online anonymity.  But does this recent compromise of TOR reveal that it's also part of the surveillance grid?  The long answer is complicated, but the short answer is no.

First, the NSA has been identified as the source of the malware bomb used to take down Freedom Hosting - not the FBI who claimed victory in the investigation and apprehension.

Arstechnica writes:

    Malware planted on the servers of Freedom Hosting—the "hidden service" hosting provider on the Tor anonymized network brought down late last week—may have de-anonymized visitors to the sites running on that service. This issue could send identifying information about site visitors to an Internet Protocol address that was hard-coded into the script the malware injected into browsers. And it appears the IP address in question belongs to the National Security Agency (NSA).

Continued from Arstechnica:

    Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.

    Further analysis using a DNS record tool from Robtex found that the address was actually part of several blocks of IP addresses allocated by SAIC to the NSA. This immediately spooked the researchers.

Two things are important to note about this revelation: First, it should be telling that the NSA had to resort to using a malware weapon instead of how they normally collect and decode Internet traffic -- which still can't be done on TOR; and, second, the open-source nature of TOR provided clear evidence of the breach and who caused it.

The TOR Project identified the specific problem and suggested that people who desire privacy must get the patched version of the TOR Browser Bundle, stop using Windows, and disable Javascript.  If your Windows OS is compromised, which it clearly is, it doesn't much matter how you sign in to the Internet.  And, according to TOR, Javascript was used by the NSA to breach an older version of the TOR Browser Bundle.

Some feel this entire attack is more about scaring people away from using privacy tools such as TOR than it is about fighting child porn because no actual pornographers were caught.  They remained anonymous. TOR is still considered secure if used properly.

But just as it was announced that the Drug Enforcement Agency was using warrantless NSA data to "investigate" drug crimes, it's clear from this case that the FBI used NSA's preemptive cyber attack on TOR for their own "investigation".

Does anyone see a pattern of abuse forming yet? The government is illegally collecting, sharing and using our private data to drum up suspicion of criminal activity, and then acting on it.

They're hoping headlines like "taking down the world's largest child porn dealer" will justify crushing Internet freedom and privacy. Expect more victory laps by the FBI or DEA, and the NSA catching more "credible threats". Keeping us safe, one privacy breach at a time.