Contact Us Athena System Login

Athena Forensics - Computer Forensics News

Click here to return to our News index

Tor user privacy compromised after large-scale child porn ring arrests

Tor user privacy compromised after large-scale child porn ring arrests

Older versions of the Firefox web browser - included within Tor Browser Bundle, which enables users to run the anonymity network on Windows, Mac OS X or Linux without the need to install any software - may not be giving users the protected web browsing experience they expect.

Many are pointing to U.S. law enforcement as the culprits behind malware being nicknamed Torsploit, which is exposing the location of Tor users and sending that information back to a single IP address - defying the private web browsing services that make Tor a go-to for its vast number of users.

The Tor network directs traffic through thousands of relays, making internet tracking nearly impossible. Users download the Tor Browser Bundle, which contains a modified version of Firefox, for use over the Tor network.

But a new vulnerability can enable the collection of the hostnames and MAC addresses of victim computers, Tor developer Roger Dingledine, said in post on Monday.

The vulnerability was exposed after an FBI extradition request for 28-year-old Eric Marques, according to an Irish news report. He been charged with heading up Freedom Hosting on the Tor network - a group said to be involved in a large-scale child pornography distribution ring.

Many observers believe that the warrant issued for Marques' arrest and the revelations of the vulnerability is no coincidence, as it's believed the feds infected a large number of Freedom Hosting sites to track down his identity. The Freedom Hosting operation, however, is not connected Tor's developers, known as the Tor Project.

A quick finger was directed toward American authorities, including the FBI and National Security Agency (NSA), after users discovered that malware introduced into the Tor network via the vulnerability could gather locations of users and forward that information to an IP address belonging to a Verizon business in Virginia.

The security team at Cryptocloud, a VPN service, has been engaging discussion on its forums and posted recent findings from Baneki Privacy Labs, an activist project. Baneki traced the IP space used in the exploit back to the National Security Agency's (NSA) Autonomous Systems.

Is this PRISM, the NSA's mass data collection apparatus, at work? That is a popular theory right now.

"Because this payload does not download or execute any secondary backdoor or commands, it's very likely that this is being operated by a [law enforcement agency] and not by black hats [malicious hackers]," Vlad Tsyrklevich, a reverse engineer based in New York, wrote in a post. He later tweeted that "it only sends back hostname/MAC address/UUID [to identify which site you visited]."

The attack code - which is Windows-specific and is said not to affect Linux or OS X users - exploits a Firefox vulnerability in JavaScript that was fixed in Firefox 17.0.7 ESR, Dingledine said.

All users of earlier Tor Browser Bundles may be vulnerable to arbitrary code execution that could take over their computer, Dingledine warned. He does not believe the attack modifies anything on the victim's computer, but said "it's reasonable to conclude that the attacker now has a list of vulnerable

Tor users who visited those hidden [Tor] services."

ACLU security and privacy researcher Chris Soghoian blamed an out-of-date package with the exploit.

"It looks like the exploit has been taking advantage of a vulnerability that was fixed in the June release of the Tor Browser Bundle, if this is indeed the case, it suggests that the root problem here is a failure of the Tor Project to deliver automatic security updates to users of the Tor Browser Bundle."

Users receive notifications when there is an upgrade to the Tor Browser Bundle, and Dingledine suggested users always update promptly. To avoid these types of problems in the future, he said users could try disabling JavaScript or switch away from Windows entirely.

The FBI declined to comment on any malware. "An individual has been arrested as part of an ongoing criminal investigation, because this matter is ongoing, we are unable to provide further comment."

Frequent calls to the Tor phone number listed on the website could not be completed due to high call volume. Emails to the Tor media account were not immediately returned

Source: SC Magazine

6th August 2013
By Athena Forensics - © 2018          Company No. 06682013          Sitemap
We Provide National Coverage Computer Evidence And Investigations Confidentiality And Discretion Is Assured Forensic Recovery Of Files Within Private Or Court Proceedings Mobile Phone Forensic Analysis Corporate, Private & LSC Work Undertaken Computer Evidence And Investigations We Provide National Coverage Confidentiality And Discretion Is Assured Mobile Phone Forensic Analysis Corporate, Private & LSC Work Undertaken Compuer Evidence And Investigations Mobile Phone Forensic Analysis