Tor Anonymity Cracked; FBI Porn Investigation Role Questioned

Published: 22/11/2024 | Category: security

Some security experts ask whether an FBI sting operation exploited a vulnerability in Firefox to disable the anonymity offered by the Tor network.



Did an FBI sting operation exploit a vulnerability in Firefox to disable the anonymity offered by the Tor network, for the purposes of cataloging the Internet protocol (IP) addresses of visitors to sites that distribute child pornography?
While details are still emerging, that's one thesis being advanced by information security experts, after Freedom Hosting -- which hosted Tor hidden services but isn't affiliated with The Tor Project itself -- went dark sometime before midnight Sunday. The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service.
The Freedom Hosting takedown may be tied to the arrest of 28-year-old Eric Eoin Marques in Dublin last Monday, following a reportedly year-long effort by the FBI to identify and locate him. A warrant for his arrest on child pornography distribution charges was issued July 29 by the U.S. Attorney's Office in Maryland. The charges carry a maximum prison sentence of 30 years.
During a related extradition hearing in Ireland last week, an FBI special agent characterized Marques as being "the largest facilitator of child porn on the planet," Ireland's Independent newspaper reported Saturday.
According to public records, Marques -- who holds dual Irish and American citizenship -- is one of two directors of Ireland-based service provider Host Ultra Limited. Multiple news reports have also suggested that Marques is the operator of Freedom Hosting. But a spokeswoman for the U.S. Attorney's Office in Maryland, contacted by phone, wasn't immediately able to confirm the details of the arrest warrant, including whether Marques has been accused of running Freedom Hosting.
Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox ESR 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iframe injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the attack and the takedown were tied to Marques' arrest.
In fact, multiple security researchers have said the relative non-maliciousness of the attack suggests that it may have been the work of a law enforcement agency (LEA) such as the FBI. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA and not by blackhats," according to an analysis posted by reverse-engineering expert Vlad Tsyrklevich.
Tor's hidden services, which are denoted by a dot-onion (.onion) address derived from the service's public key (which is why the names look random rather than chosen), are a lesser-known feature of Tor that can be used to make a website reachable only via the Tor network.
"The Tor network uses the .onion address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user," said Phobos, a Tor Project blogger, in a "Hidden Services, Current Events and Freedom Hosting" blog post. "The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the Web pages delivered by the server."
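The two-log join that the malware description above implies (a UUID planted by the hidden service and echoed in a GET to a host outside Tor) and that Phobos's remark about tracking code embedded in delivered pages alludes to, written out as an added example. This is not code from the article, from the malware teardown, or from the Tor Project. It runs on constructed sample logs: the exit-relay addresses, UUIDs, IPs and log formats are all assumed for the demonstration. It also makes explicit the condition the quotes only hint at: the join ties a UUID to a real address only when the beacon request reached the clearnet host without travelling through Tor; a beacon that still went through Tor arrives from an exit relay and tells the operator nothing about the visitor.

```python
"""
Added example (not from the article or the malware): the correlation step that
the article's description implies, run on constructed sample logs.

Two logs are joined on a per-visitor UUID:
  * the hidden service's own log, which sees only the UUID it planted; and
  * the log of a clearnet "beacon" host that receives a GET carrying that UUID
    and therefore sees a source IP.
The join only de-anonymises a visitor if the beacon request reached the host
outside Tor.  A request that still travelled through Tor arrives from a Tor
exit relay, so the join yields an exit address and nothing about the user.
The exit-relay list, log lines, UUIDs and IPs below are all constructed.
"""
import re
from collections import defaultdict

# Constructed: addresses treated as Tor exit relays for the demonstration.
TOR_EXIT_RELAYS = {"198.51.100.7", "198.51.100.23"}

# Constructed hidden-service log: the service can only record the UUID it set.
HIDDEN_SERVICE_LOG = """\
2013-08-04T03:12:09Z onion GET /board/index.php uuid=6f1c2e9a-4c40-4f4e-9e2b-0a9b1d2c3e4f
2013-08-04T03:12:31Z onion GET /board/thread.php?id=77 uuid=6f1c2e9a-4c40-4f4e-9e2b-0a9b1d2c3e4f
2013-08-04T03:13:02Z onion GET /board/index.php uuid=b2d7a8c1-93f5-4a7e-8d1c-5e6f7a8b9c0d
2013-08-04T03:14:45Z onion GET /board/index.php uuid=0c9d8e7f-6a5b-4c3d-9e2f-1a2b3c4d5e6f
"""

# Constructed beacon-host log (Apache common log style): one GET per planted
# UUID, with the source IP the host actually saw.  The third visitor's beacon
# went through Tor, so the host saw an exit relay, not the visitor.
BEACON_LOG = """\
203.0.113.45 - - [04/Aug/2013:03:12:10 +0000] "GET /?id=6f1c2e9a-4c40-4f4e-9e2b-0a9b1d2c3e4f HTTP/1.1" 200 0
192.0.2.88 - - [04/Aug/2013:03:13:03 +0000] "GET /?id=b2d7a8c1-93f5-4a7e-8d1c-5e6f7a8b9c0d HTTP/1.1" 200 0
198.51.100.23 - - [04/Aug/2013:03:14:46 +0000] "GET /?id=0c9d8e7f-6a5b-4c3d-9e2f-1a2b3c4d5e6f HTTP/1.1" 200 0
"""

UUID_PATTERN = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ONION_RE = re.compile(r" GET (\S+) uuid=(" + UUID_PATTERN + r")$")
BEACON_RE = re.compile(r"^(\S+) \S+ \S+ \[[^\]]+\] \"GET /\?id=(" + UUID_PATTERN + r") ")


def parse_hidden_service_log(text):
    """Map each UUID to the list of onion-side paths it requested."""
    visits = defaultdict(list)
    for line in text.splitlines():
        m = ONION_RE.search(line)
        if m:
            visits[m.group(2)].append(m.group(1))
    return dict(visits)


def parse_beacon_log(text):
    """Map each UUID seen by the beacon host to the source IP that carried it."""
    seen = {}
    for line in text.splitlines():
        m = BEACON_RE.match(line)
        if m:
            seen[m.group(2)] = m.group(1)
    return seen


def correlate(hidden_log, beacon_log, exit_relays=TOR_EXIT_RELAYS):
    """Join the two logs on UUID.

    Returns {uuid: {"ip": str | None, "paths": [...], "deanonymised": bool}}.
    'deanonymised' is False when no beacon arrived, or when the only address
    we have is a Tor exit relay: the beacon never left the Tor network, so
    the join reveals nothing about the visitor.
    """
    visits = parse_hidden_service_log(hidden_log)
    beacons = parse_beacon_log(beacon_log)
    result = {}
    for uuid, paths in visits.items():
        ip = beacons.get(uuid)
        result[uuid] = {
            "ip": ip,
            "paths": paths,
            "deanonymised": ip is not None and ip not in exit_relays,
        }
    return result


if __name__ == "__main__":
    for uuid, info in correlate(HIDDEN_SERVICE_LOG, BEACON_LOG).items():
        status = "REAL IP" if info["deanonymised"] else "exit relay only / no beacon"
        print(f"{uuid[:8]}  {str(info['ip']):<15} {status}  {len(info['paths'])} onion request(s)")
```

Run directly, it prints one line per UUID; two of the three constructed visitors are tied to a real address, the third only to an exit relay. The exit-relay check is the part worth keeping in mind when reading the quotes above: a beacon that a hardened Tor Browser forces through its SOCKS proxy still reaches the clearnet host, but the address it carries is useless to the operator.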
Hidden services offer anonymity to people such as whistleblowers and dissidents. But the feature has also gained notoriety through its use by activists, as well as by services such as Silk Road -- an online marketplace known for facilitating the buying and selling of illegal drugs -- and for distributing child pornography. Who's now at risk from the Firefox flaw exploited by the injection script? In fact, the vulnerability was patched on June 25, 2013, with the release of Firefox 22 and of version 17.0.7 of Firefox Extended Support Release (ESR), the branch often used by enterprises.
"People who are on the latest supported versions of Firefox are not at risk," wrote Daniel Veditz, Mozilla's security lead, in a Sunday blog post. "Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."
Anyone still using a vulnerable version of the TBB can mitigate the vulnerability by deactivating JavaScript in their Firefox browser (the javascript.enabled preference in about:config); doing so blocks this exploit's delivery vector but does not remove the underlying bug, which only upgrading does. "We're investigating these bugs and will fix them if we can," said Tor's Phobos.
Responding to criticism that a zero-day vulnerability in Firefox had been used to compromise Tor users, Mozilla's Veditz countered that the bug had already been publicly disclosed and fixed. "This wasn't a zero day attack, it was an exploit based on a security advisory from six weeks ago," he said. "The number of users vulnerable to this -- those who aren't up to date -- is dropping fast so the exploit is losing most of its value anyway."
The timing of the apparent Freedom Hosting takedown and bust of Marques -- which happened the same week as the annual Black Hat and DEF CON conventions -- didn't go unnoticed by the hacking community. "FBI uploads malicious code on the deep websites while everyone is off at DEF CON. Talk about playing dirty," posted VarthDator on a related Reddit thread.
Marques, meanwhile, remains incarcerated in Ireland after his request for bail was denied, a judge having classified him as a flight risk. That finding was based on testimony that Marques had routed large amounts of money from his bank accounts to accounts based in Romania. Authorities also said that, based on a digital forensic examination of Marques' computer, he'd been researching how to obtain a visa for Russia. Marques countered in court that he'd only been researching the issue out of curiosity, in response to news about NSA whistleblower Edward Snowden.
