Freedom Hosting Owner Arrested, Tormail Compromised, Malicious JS Discovered

4 Aug 2013

      https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste...

 Owner arrested in Ireland, FBI makes extradition request, malicious
JavaScript discovered on a number of important hidden services.
 What happened?Eric Eoin Marques, the 28 year old owner and operator of the
Tor-based internet host 'Freedom Hosting' has been arrested in Ireland and
charged with distributing and promoting child pornography on the internet,
reportshttp://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-ch...
 the Independent.
Since the arrest, internet users have
reportedhttp://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hostin...
 noticing malicious JavaScript http://pastebin.com/pmGEj9bV designed to
compromise their identities inserted into pages hosted by Freedom Hosting,
including the 'Tormail' service, as well as a number of pedophile
messageboards.
Why?'Freedom Hosting' provides hosting for anonymous 'hidden services' on
the Tor network. These services can range from everything from anonymous
email and library services, to online marketplaces for drug distribution
and the production and exchange of child pornography.
As this is part of an ongoing FBI investigation, there is no conclusive
evidence that the injection of this JavaScript is the result of a
government operation, however, this does fall under a known pattern of FBI
behaviorhttp://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510...
 related to child porn sting operations. It is possible that the attack,
which delivers a weaponized exploit to Firefox users running Windows
systems, is the work of non-government cyber criminals, although the timing
of the arrest and the appearance of this code on a number of hidden
services hosted by Freedom Hosting does seem to imply a government
operation.

The execution of malicious JavaScript inside the Tor Browser Bundle,
perhaps the most commonly used Tor client, comes as a surprise to many
users. Previously, the browser disabled JavaScript execution by default for
security purposes, however this change was recently reverted by developers
in order to make the product more useful for average internet users. As a
result, however, the applications has become vastly more vulnerable to
attacks such as this*. *

What's going to happen next?Although it is difficult to gauge the size of
the anonymous internet, Freedom Hosting did seem to be perhaps the largest
anonymous web host, and its compromise will have serious implications for
the future of Tor hidden services.

We expect there will be a deeper technical analysis of the malware in the
coming days as security researchers examine it in greater detail. Since the
attack was designed at Firefox for Windows, which the Tor Browser Bundle is
based upon, it seems likely that this is not a random occurance, and that
the malware is designed specifically designed to compromise the identities
of anonymous internet users. Although this would be a victory for the FBI
against child pornographers who use the Tor network, it could also mean a
serious security breach for international activists and internet users
living in repressive states who use the services to practice online free
speech.

OpenWatch has been in the early stages of designing a new alternative to
Freedom Hosting, calledOnionCloud https://github.com/Miserlou/OnionCloud,
to allow anonymous Heroku-like application hosting. Developers interested
in this idea and other OpenWatch technologies are invited to join the
discussion by joining the openwatch-dev mailing list by sending an email to
openwatch-dev+subscribe@googlegroups.com

Rich Jones

Riad S. Wahby

rysiek

CryptoFreak

rysiek

Ted Smith

The Doctor

Patrick

Ted Smith

rysiek

Bill Stewart

The Doctor

Randall Webmail

David

tags

participants (10)