The Onion Router, better known as the Tor Network, is often thought of as being the dark-side of the web. Not least as the anonymity provided by Tor meant that sites hosted on so-called hidden service servers were free to trade in just about anything from drugs and guns through to child pornography. In amongst the depravity and illegal excess, of course, were political activists and dissidents looking for an online safe haven in order to escape persecution, prosecution and potentially death. Revelations that the FBI would appear to have been behind the takedown of Freedom Hosting, apparently responsible for a bunch of hidden services which included alleged child pornography image servers, could be very bad news indeed. Not just for drug dealers, arms dealers and paedophiles but for anyone who has relied upon the multi-layered and encrypted onion network to retain their anonymity.
Reports as to the extent of the FBI operation fallout on the Tor Network vary, with some claiming as many as half of all Tor sites could have been compromised as a result. And that includes The Silk Road. This infamous site, only accessible through a Tor connection using the Tor browser, has been the online underground drugs marketplace of choice for some years now. Indeed, IT security investigative journalist Brian Krebs recently documented how cybercriminals had used The Silk Road to purchase heroin and have it sent to his home address in a failed attempt to frame him and have him jailed.
Word on the grapevine, confirmed by numerous sources during the last few days, suggests that the FBI were investigating Freedom Hosting on child pornography distribution allegations and employed a NSA security contractor to plant malware on their servers using a known Firefox vulnerability. The Tor browser client being built on a Firefox platform. The malware injected a JavaScript exploit into browsers which was able, in effect, to de-anonymise visitors to any sites hosted on Tor hidden servers. While only impacting users of an older version of the Tor Browser Bundle (an update had fixed the vulnerability issue already) and then only the Windows version, anyone who was doing so could have had identifying information sent back to an IP address belonging to the NSA.
Although I have great sympathy for those groups using Tor for much needed privacy and protection, such as domestic abuse groups as well as the political dissidents for example, as someone who has used Tor myself, and accessed The Silk Road for that matter (I exposed what happens there for a news story in the UK a year or two ago), as well as being a father of eight and grandfather of five, I can't say I am sorry to see those supposedly responsible for distributing child pornography get arrested nor their sites taken down. I am concerned, in the aftermath of the Edward Snowden revelations, as to how much data is collected and what it is being used for here though. That said, I have no sympathy for those selling drugs, guns, stolen credit card details and the like on The Silk Road. Those doing the latter, so it has been suggested to me by a number of people on both sides of the IT security industry fence this week, could find themselves getting a call from the men in black soon enough. The (unsubstantiated) rumour out there is that malware was also potentially injected into The Silk Road, thought to have been hosted by Freedom Hosting, effectively turning it into a honeypot.
A Tor Project statement reads:
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.And the latest update, posted yesterday, says:
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted. This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
FBI accused of infiltrating Tor network to close child abuse host
Summary: As the FBI seeks the extradition of a man believed to be hosting child abuse material, Tor network sites owned by the accused have been subject to an exploit, leading many to believe that the agency has been infiltrating it for some time.
Summary: As the FBI seeks the extradition of a man believed to be hosting child abuse material, Tor network sites owned by the accused have been subject to an exploit, leading many to believe that the agency has been infiltrating it for some time.
An exploit targeting users of anonymous browsing network Tor is
believed to be linked to the FBI's request for extradition of Eric Eoin
Marques for child abuse material.
According to Independent.ie, the FBI is seeking the extradition of Marques — dubbed the "largest facilitator of child porn on the planet" — to charge him with four offences that could see him serve 30 years in prison if convicted.
Marques' tie-in back to the Tor network is that he allegedly owns and operates an organisation on Tor called Freedom Hosting, which in turn provides consumers with the ability to run "hidden services" designed to protect their administrators from being tracked or identified. They are often used for legitimate reasons, such as for whistleblowers or securing communications, but they can also be used to serve child abuse material.
Tor notes on its own blog that: "The design of the Tor network ensures that the user cannot know where the server is located, and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server."
However, that is exactly what appears to have happened in the latest discovery of an exploit that targets Firefox 17 ESR, the same version that was included in the Tor Browser Bundle.
Freedom Hosting noted on its wiki page that it has been taken down, and while it isn't clear who was responsible, a number of sites hosted by it had been modified to include JavaScript that attempts to steal information from users.
The JavaScript code's payload (the actual code of which has been uploaded to Mozilla's Pastebin), has been subsequently analysed by reverse engineer and exploit developer Vlad Tsyrklevich, who reveals that it briefly connects to a server and sends the hostname and MAC address of the victim.
The server it connects to appears to fall under the responsibility of Verizon Business, and in the US Washington DC-Virginia area.
Speculation at this point is that the FBI is behind the exploit, indicating that the agency has been able to infiltrate the Tor network and shut down Marques' network. Regarded by many as a positive step against child abuse material, it also highlights that other users could potentially be less secure than they believe.
Source: http://www.zdnet.com/fbi-accused-of-infiltrating-tor-network-to-close-child-abuse-host-7000018962/
According to Independent.ie, the FBI is seeking the extradition of Marques — dubbed the "largest facilitator of child porn on the planet" — to charge him with four offences that could see him serve 30 years in prison if convicted.
Marques' tie-in back to the Tor network is that he allegedly owns and operates an organisation on Tor called Freedom Hosting, which in turn provides consumers with the ability to run "hidden services" designed to protect their administrators from being tracked or identified. They are often used for legitimate reasons, such as for whistleblowers or securing communications, but they can also be used to serve child abuse material.
Tor notes on its own blog that: "The design of the Tor network ensures that the user cannot know where the server is located, and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server."
However, that is exactly what appears to have happened in the latest discovery of an exploit that targets Firefox 17 ESR, the same version that was included in the Tor Browser Bundle.
Freedom Hosting noted on its wiki page that it has been taken down, and while it isn't clear who was responsible, a number of sites hosted by it had been modified to include JavaScript that attempts to steal information from users.
The JavaScript code's payload (the actual code of which has been uploaded to Mozilla's Pastebin), has been subsequently analysed by reverse engineer and exploit developer Vlad Tsyrklevich, who reveals that it briefly connects to a server and sends the hostname and MAC address of the victim.
The server it connects to appears to fall under the responsibility of Verizon Business, and in the US Washington DC-Virginia area.
Speculation at this point is that the FBI is behind the exploit, indicating that the agency has been able to infiltrate the Tor network and shut down Marques' network. Regarded by many as a positive step against child abuse material, it also highlights that other users could potentially be less secure than they believe.
Source: http://www.zdnet.com/fbi-accused-of-infiltrating-tor-network-to-close-child-abuse-host-7000018962/