TorMail completely compromised, FBI using accounts in unrelated investigations

Kelly John Rose iam at kjro.se
Mon Jan 27 09:24:04 PST 2014


Tor is a great honeypot for people who don't know tradecraft.


On Mon, Jan 27, 2014 at 12:17 PM, Rich Jones <rich at openwatch.net> wrote:

> http://www.wired.com/threatlevel/2014/01/tormail/
>
> Bonus link for y'all. Hope you used PGP. Happy monday!
>
> R
> If You Used This Secure Webmail Site, the FBI Has Your Inbox
>
>    - By Kevin Poulsen<http://www.wired.com/threatlevel/author/kevin_poulsen/>
>    - 01.27.14
>    - 6:30 AM
>
> While investigating a hosting company known for sheltering child porn last
> year the FBI incidentally seized the entire e-mail database of a popular
> anonymous webmail service called TorMail.
>
> Now the FBI is tapping that vast trove of e-mail in unrelated
> investigations.
>
> The bureau’s data windfall, seized from a company called Freedom Hosting,
> surfaced in court papers last week when prosecutors indicted a Florida man
> for allegedly selling counterfeit credit cards online. The filings show the
> FBI built its case in part by executing a search warrant on a Gmail account
> used by the counterfeiters, where they found that orders for forged cards
> were being sent to a TorMail e-mail account: “platplus at tormail.net.”
> Acting on that lead in September, the FBI obtained a search warrant for
> the TorMail account, and then accessed it from the bureau’s own copy of
> “data and information from the TorMail e-mail server, including the content
> of TorMail e-mail accounts,” according to the complaint <http://www.justice.gov/usao/nj/Press/files/pdffiles/2014/Roberson,%20Sean%20Complaint.pdf> (.pdf) sworn out by U.S. Postal Inspector Eric Malecki.
>
> The tactic suggests the FBI is adapting to the age of big-data with an
> NSA-style collect-everything approach, gathering information into a virtual
> lock box, and leaving it there until it can obtain specific authority to
> tap it later. There’s no indication that the FBI searched the trove for
> incriminating evidence before getting a warrant. But now that it has a copy
> of TorMail’s servers, the bureau can execute endless search warrants on a
> mail service that once boasted of being immune to spying.
>
> “We have no information to give you or to respond to any subpoenas or
> court orders,” read TorMail’s homepage. “Do not bother contacting us for
> information on, or to view the contents of a TorMail user inbox, you will
> be ignored.”
>
> In another e-mail case, the FBI last year won a court order compelling
> secure e-mail provider Lavabit to turn over the master encryption keys <http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/> for its website, which would have given agents the technical ability to spy
> on all of Lavabit’s 400,000 users – though the government said it was
> interested only in one. (Rather than comply, Lavabit shut down and is
> appealing the surveillance order).
>
> TorMail was the webmail provider of choice for denizens of the so-called
> Darknet <http://www.wired.com/opinion/2013/10/thompson/> of anonymous and
> encrypted websites and services, making the FBI’s cache extraordinarily
> valuable. The affair also sheds a little more light on the already-strange
> story of the FBI’s broad attack on Freedom Hosting, once a key service
> provider for untraceable websites.
>
> Freedom Hosting specialized in providing turnkey “Tor hidden service”
> sites — special sites, with addresses ending in .onion, that hide their
> geographic location behind layers of routing, and can be reached only over
> the Tor anonymity network. Tor hidden services are used by those seeking to
> evade surveillance or protect users’ privacy to an extraordinary degree –
> human rights groups and journalists as well as serious criminal elements.
>
> By some estimates, Freedom Hosting backstopped fully half of all hidden
> services at the time it was shut down last year — TorMail among them. But
> it had a reputation for tolerating child pornography on its servers. In
> July, the FBI moved on the company and had the alleged operator, Eric Eoin
> Marques, arrested at his home in Ireland. The U.S. is now seeking his
> extradition for allegedly facilitating child porn on a massive scale;
> hearings are set to begin in Dublin this week.
>
> According to the new document, the FBI obtained the data belonging to
> Freedom Hosting’s customers through a Mutual Legal Assistance request to
> France – where the company leased its servers – between July 22, 2013 and
> August 2 of last year.
>
> That’s two days before all the sites hosted by Freedom Hosting, including
> TorMail, began serving an error message with hidden code embedded in the
> page, on August 4.
>
> Security researchers dissected the code and found it exploited a security
> hole <http://www.wired.com/threatlevel/2013/08/freedom-hosting/> in
> Firefox to de-anonymize users with slightly outdated versions of Tor
> Browser Bundle, reporting back to a mysterious server in Northern Virginia.
> Though the FBI hasn’t commented (and declined to speak for this story), the
> malware’s behavior was consistent with the FBI’s spyware deployments <http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/>,
> now known as a “Network Investigative Technique.”
>
> No mass deployment of the FBI’s malware had ever before been spotted in
> the wild.
>
> The attack through TorMail alarmed many in the Darknet, including the
> underground’s most notorious figure — Dread Pirate Roberts, the operator of
> the Silk Road drug forum, who took the unusual step of posting a warning on
> the Silk Road homepage. An analysis he wrote on the associated forum now
> seems prescient.
>
> “I know that MANY people, vendors included, used TorMail <http://en.reddit.com/r/SilkRoad/comments/1jrnhx/important_security_announcement_from_dpr_himself/>,”
> he wrote. “You must think back through your TorMail usage and assume
> everything you wrote there and didn’t encrypt can be read by law
> enforcement at this point and take action accordingly. I personally did not
> use the service for anything important, and hopefully neither did any of
> you.” Two months later the FBI arrested <http://www.wired.com/threatlevel/2013/10/silk-road-raided/> San Francisco man Ross William Ulbricht as the alleged Silk Road operator.
>
> The connection, if any, between the FBI obtaining Freedom Hosting’s data
> and apparently launching the malware campaign through TorMail and the other
> sites isn’t spelled out in the new document. The bureau could have had the
> cooperation of the French hosting company that Marques leased his servers
> from. Or it might have set up its own Tor hidden services using the private
> keys obtained from the seizure, which would allow it to adopt the same
> .onion addresses used by the original sites.
>
> The French company also hasn’t been identified. But France’s largest
> hosting company, OVH, announced on July 29 <http://forum.ovh.com/showthread.php?89685-Le-nouveau-contrat-de-serveur-dedie>,
> in the middle of the FBI’s then-secret Freedom Hosting seizure, that it
> would no longer allow Tor software on its servers. A spokesman for the
> company says he can’t comment on specific cases, and declined to say
> whether Freedom Hosting was a customer.
>
> “Wherever the data center is located, we conduct our activities in
> conformity with applicable laws, and as a hosting company, we obey search
> warrants or disclosure orders,” OVH spokesman Benjamin Bongoat told WIRED.
> “This is all we can say as we usually don’t make any comments on hot
> topics.”
>



-- 
Kelly John Rose
Toronto, ON
Phone: +1 647 638-4104
Twitter: @kjrose
Skype: kjrose.pr
Gtalk: iam at kjro.se
MSN: msn at kjro.se

Document contents are confidential between original recipients and sender.
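The article's remark that the seized private keys would let someone "adopt the same .onion addresses" follows from how hidden-service addresses were derived at the time: a v2 address is the first 80 bits of the SHA-1 of the service's DER-encoded RSA public key, base32-encoded, so the address is nothing but a fingerprint of the key, and whoever holds the private key can legitimately answer for it. The following Python is an added illustration, not code from the article, the list post, or the Tor project; it uses only the standard library and a constructed, clearly non-real sample key.

```python
import base64
import hashlib

# Constructed sample key material for illustration only; NOT a real Tor
# hidden-service key (Tor v2 used RSA-1024; any integers work for the encoding).
SAMPLE_N = int.from_bytes(b"constructed sample modulus, not a real Tor key; " * 3, "big")
SAMPLE_E = 65537
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps values with the high bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def onion_v2_address(n: int, e: int) -> str:
    """v2 .onion name: first 80 bits of SHA-1(DER public key), base32, lowercase."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_claims_address(address: str, n: int, e: int) -> bool:
    """True iff this public key reproduces the address: only the holder of the
    matching private key can serve that name, which is why key custody matters."""
    return onion_v2_address(n, e) == address


if __name__ == "__main__":
    original = onion_v2_address(SAMPLE_N, SAMPLE_E)
    print("service address:", original)
    # Whoever holds the seized private key reproduces the same address ...
    print("seized key reproduces address:", key_claims_address(original, SAMPLE_N, SAMPLE_E))
    # ... while a freshly generated key cannot: the name is bound to the key.
    print("fresh key reproduces address:", key_claims_address(original, SAMPLE_N + 2, SAMPLE_E))
```

The defensive corollary for anyone operating a hidden service is that the key file is the service identity: a host that can read it can impersonate the site, so it should never sit unencrypted on rented infrastructure the operator does not control.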