Freedom Hosting Owner Arrested, Tormail Compromised, Malicious JS Discovered
https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste...

Owner arrested in Ireland, FBI makes extradition request, malicious JavaScript discovered on a number of important hidden services.

What happened?

Eric Eoin Marques, the 28 year old owner and operator of the Tor-based internet host 'Freedom Hosting', has been arrested in Ireland and charged with distributing and promoting child pornography on the internet, reports the Independent <http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html>. Since the arrest, internet users have reported <http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/> noticing malicious JavaScript <http://pastebin.com/pmGEj9bV> designed to compromise their identities inserted into pages hosted by Freedom Hosting, including the 'Tormail' service, as well as a number of pedophile messageboards.

Why?

'Freedom Hosting' provides hosting for anonymous 'hidden services' on the Tor network. These services range from anonymous email and library services to online marketplaces for drug distribution and the production and exchange of child pornography. As this is part of an ongoing FBI investigation, there is no conclusive evidence that the injection of this JavaScript is the result of a government operation; however, this does fall under a known pattern of FBI behavior <http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728> related to child porn sting operations. It is possible that the attack, which delivers a weaponized exploit to Firefox users running Windows systems, is the work of non-government cyber criminals, although the timing of the arrest and the appearance of this code on a number of hidden services hosted by Freedom Hosting does seem to imply a government operation.

The execution of malicious JavaScript inside the Tor Browser Bundle, perhaps the most commonly used Tor client, comes as a surprise to many users. Previously, the browser disabled JavaScript execution by default for security purposes; however, this change was recently reverted by developers in order to make the product more useful for average internet users. As a result, however, the application has become vastly more vulnerable to attacks such as this*.

What's going to happen next?

Although it is difficult to gauge the size of the anonymous internet, Freedom Hosting did seem to be perhaps the largest anonymous web host, and its compromise will have serious implications for the future of Tor hidden services. We expect there will be a deeper technical analysis of the malware in the coming days as security researchers examine it in greater detail. Since the attack was aimed at Firefox for Windows, which the Tor Browser Bundle is based upon, it seems likely that this is not a random occurrence, and that the malware is specifically designed to compromise the identities of anonymous internet users. Although this would be a victory for the FBI against child pornographers who use the Tor network, it could also mean a serious security breach for international activists and internet users living in repressive states who use the services to practice online free speech.

OpenWatch has been in the early stages of designing a new alternative to Freedom Hosting, called OnionCloud <https://github.com/Miserlou/OnionCloud>, to allow anonymous Heroku-like application hosting. Developers interested in this idea and other OpenWatch technologies are invited to join the discussion on the openwatch-dev mailing list by sending an email to openwatch-dev+subscribe@googlegroups.com
Rich Jones <rich@openwatch.net> wrote:
https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste...
A more detailed analysis of what's going on with the JS exploit: http://www.twitlonger.com/show/n_1rlo0uu

Hits a vulnerability in the FF17 Javascript implementation. Notable because FF17 is the long-term support version, and it's the one included in the TOR bundle (though JS is off by default in the bundle).

This business with the FBI spraying JS hijacks around the web is more than a little troubling. Is this the first widely-publicized case of the feds indiscriminately deploying an exploit on this scale?

-=rsw
On Sunday, 4 August 2013 14:12:53, Rich Jones wrote:
https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arrested
Well, dang.

Also:

"We have analyzed the security properties of Tor hidden services and shown that attacks to deanonymize hidden services at a large scale are practically possible with only a moderate amount of resources. We have demonstrated that collecting the descriptors of all Tor hidden services is possible in approximately 2 days by spending less than USD 100 in Amazon EC2 resources. Running one or more guard nodes then allows an attacker to correlate hidden services to IP addresses using a primitive traffic analysis attack. Furthermore, we have shown that attackers can impact the availability and sample the popularity of arbitrary hidden services not under their control by selectively becoming their hidden service directories."

http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

This is even more troubling, as it apparently does not require any exploits.

-- 
Regards,
rysiek
On Aug 11, 2013, at 6:44 PM, rysiek <rysiek@hackerspace.pl> wrote:
On Sunday, 4 August 2013 14:12:53, Rich Jones wrote:
https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arrested
Well, dang.
Also:
"We have analyzed the security properties of Tor hidden services and shown that attacks to deanonymize hidden services at a large scale are practically possible with only a moderate amount of resources. We have demonstrated that collecting the descriptors of all Tor hidden services is possible in approximately 2 days by spending less than USD 100 in Amazon EC2 resources. Running one or more guard nodes then allows an attacker to correlate hidden services to IP addresses using a primitive traffic analysis attack. Furthermore, we have shown that attackers can impact the availability and sample the popularity of arbitrary hidden services not under their control by selectively becoming their hidden service directories."
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
This is even more troubling, as it apparently does not require any exploits.
While I'm certainly not saying "I don't buy it", how does this reconcile with the reality of The Silk Road still being in existence? One would think that governments would use these techniques against the site if for nothing more than to catch/punish them for all the tax evasion going on. If this paper is true, the only reason I could think of why TSR is still alive is because it is some kind of government front, though there is no evidence of that at all.

CryptoFreak
On Monday, 12 August 2013 00:24:34, CryptoFreak wrote:
On Aug 11, 2013, at 6:44 PM, rysiek <rysiek@hackerspace.pl> wrote:
On Sunday, 4 August 2013 14:12:53, Rich Jones wrote:
https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arrested
Well, dang.
Also:
"We have analyzed the security properties of Tor hidden services and shown that attacks to deanonymize hidden services at a large scale are practically possible with only a moderate amount of resources. We have demonstrated that collecting the descriptors of all Tor hidden services is possible in approximately 2 days by spending less than USD 100 in Amazon EC2 resources. Running one or more guard nodes then allows an attacker to correlate hidden services to IP addresses using a primitive traffic analysis attack. Furthermore, we have shown that attackers can impact the availability and sample the popularity of arbitrary hidden services not under their control by selectively becoming their hidden service directories."
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
This is even more troubling, as it apparently does not require any exploits.
While I'm certainly not saying "I don't buy it", how does this reconcile with the reality of The Silk Road still being in existence? One would think that governments would use these techniques against the site if for nothing more than to catch/punish them for all the tax evasion going on.
Yeah, that's a conundrum.
If this paper is true, the only reason I could think of why TSR is still alive is because it is some kind of government front, though there is no evidence of that at all.
Well, it can also simply be *used* as a government front. If they can monitor it without SR's consent (or knowledge), they do not need to control it, do they...

-- 
Regards,
rysiek
On Mon, 2013-08-12 at 10:30 +0200, rysiek wrote:
While I'm certainly not saying "I don't buy it", how does this reconcile with the reality of The Silk Road still being in existence? One would think that governments would use these techniques against the site if for nothing more than to catch/punish them for all the tax evasion going on.
Yeah, that's a conundrum.
No it isn't. The government agencies that could potentially attack Tor to bust the Silk Road would *never* care about the level of drugs moved through it. They care about the people multiple levels above TSR, drastically higher up in the supply chain. Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.

-- 
Sent from Ubuntu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/12/2013 02:06 PM, Ted Smith wrote:
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
The NSA? Probably not, no. The DEA? Most definitely. Trafficking and shipping of drugs from point 'a' to points elsewhere are a part of their mission.

I just thought of something: It's just come out that NSA intel is being given to other agencies, and classes are being held to launder that intel so that it looks like it came from somewhere else. How likely could it be that the DEA is one of those agencies?

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"This time we're using four times the Kevlar."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlILu4wACgkQO9j/K4B7F8Fj3QCeKOvFHKDbp4OcYlLF8eRI3vLX
msIAnRcuGDKIc9m7YOhUCb/0fP/g6egL
=NRGZ
-----END PGP SIGNATURE-----
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
All estimates point to tens of millions of dollars in business per year. Do you think the estimates are off or that that's still too low?

On Wed, Aug 14, 2013 at 1:17 PM, The Doctor <drwho@virtadpt.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/12/2013 02:06 PM, Ted Smith wrote:
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
The NSA? Probably not, no. The DEA? Most definitely. Trafficking and shipping of drugs from point 'a' to points elsewhere are a part of their mission.
I just thought of something: It's just come out that NSA intel is being given to other agencies, and classes are being held to launder that intel so that it looks like it came from somewhere else. How likely could it be that the DEA is one of those agencies?
- -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/
"This time we're using four times the Kevlar."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlILu4wACgkQO9j/K4B7F8Fj3QCeKOvFHKDbp4OcYlLF8eRI3vLX
msIAnRcuGDKIc9m7YOhUCb/0fP/g6egL
=NRGZ
-----END PGP SIGNATURE-----
On Wed, 2013-08-14 at 13:27 -0400, Patrick wrote:
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
All estimates point to tens of millions of dollars in business per year. Do you think the estimates are off or that that's still too low?
That's distributed over all the users. The site is making a killing, but the individual deals and dealers are all way too small-fry for any three-letter agency to care.
On Wed, Aug 14, 2013 at 1:17 PM, The Doctor <drwho@virtadpt.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/12/2013 02:06 PM, Ted Smith wrote:
> Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
The NSA? Probably not, no. The DEA? Most definitely. Trafficking and shipping of drugs from point 'a' to points elsewhere are a part of their mission.
I just thought of something: It's just come out that NSA intel is being given to other agencies, and classes are being held to launder that intel so that it looks like it came from somewhere else. How likely could it be that the DEA is one of those agencies?
- -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/
"This time we're using four times the Kevlar."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlILu4wACgkQO9j/K4B7F8Fj3QCeKOvFHKDbp4OcYlLF8eRI3vLX
msIAnRcuGDKIc9m7YOhUCb/0fP/g6egL
=NRGZ
-----END PGP SIGNATURE-----
-- Sent from Ubuntu
On Wednesday, 14 August 2013 13:17:00, The Doctor wrote:
On 08/12/2013 02:06 PM, Ted Smith wrote:
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
The NSA? Probably not, no. The DEA? Most definitely. Trafficking and shipping of drugs from point 'a' to points elsewhere are a part of their mission.
I like the idea of the DEA's mission being trafficking of drugs, well played, Sir. ;)

-- 
Regards,
rysiek
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
The NSA? Probably not, no. The DEA? Most definitely. Trafficking and shipping of drugs from point 'a' to points elsewhere are a part of their mission.
I like the idea of the DEA's mission being trafficking of drugs, well played, Sir. ;)
No, no, no, trafficking the drugs has traditionally been a CIA job.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/19/2013 10:59 AM, rysiek wrote:
I like the idea of the DEA's mission being trafficking of drugs, well played, Sir.
<facepalm> Yeah, I'm definitely not computing with all 64 bits right now... at least it was a funny typo.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Meeble! Meeble meeble meeble!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIU6j8ACgkQO9j/K4B7F8F5vgCg0+dIBmVbKiuPZM/swx1AHODf
NmEAnisKUTQrBqHhvXBwFayugMD1wD3P
=sZaA
-----END PGP SIGNATURE-----
From: "Ted Smith" <tedks@riseup.net>
To: cypherpunks@cpunks.org
Sent: Monday, August 12, 2013 11:06:41 AM
Subject: Re: Freedom Hosting Owner Arrested, Tormail Compromised, Malicious JS Discovered

On Mon, 2013-08-12 at 10:30 +0200, rysiek wrote:
While I'm certainly not saying "I don't buy it", how does this reconcile with the reality of The Silk Road still being in existence? One would think that governments would use these techniques against the site if for nothing more than to catch/punish them for all the tax evasion going on.
Yeah, that's a conundrum.
No it isn't. The government agencies that could potentially attack Tor to bust the Silk Road would *never* care about the level of drugs moved through it. They care about the people multiple levels above TSR, drastically higher up in the supply chain.
Is there any evidence of this? From all appearances, they care about nothing so much as preserving and expanding their funding.
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
NSA surely doesn't want the publicity, but the DEA is always in search of positive press. If they have to listen to 100K conversations in order to bust one kid, picking up a few hundred Oxycodone pills at the Post Office, is there any reason to suspect they wouldn't do so?
On 8/12/13 2:06 PM, Ted Smith wrote:
Remember, TSR sends drugs *through the mail*. You can't successfully *mail* enough drugs for the NSA/DEA to care.
Ask Mayor Cheye Calvo of Berwyn Heights: <http://reason.com/blog/2008/07/31/mayors-dogs-killed-in-drug-raid>
participants (10)
- Bill Stewart
- CryptoFreak
- David
- Patrick
- Randall Webmail
- Riad S. Wahby
- Rich Jones
- rysiek
- Ted Smith
- The Doctor