Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 05, 2016, 10:43:55 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: BREAKING: Half of TOR sites compromised, including TORMail.  (Read 9138 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
BREAKING: Half of TOR sites compromised, including TORMail.
« on: August 04, 2013, 05:42:06 PM »
(from TwitLonger)

Quote
The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.

In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network has been compromised, including the e-mail counterpart of TOR deep web, TORmail.

http://www.independe...planet-29469402.html

This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.

If you happen to use and account name and or password combinations that you have re used in the TOR deep web, change them NOW.

Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.

http://www.solocheck...Ultra-Limited-399806
http://www.hostultra.com/

He has an account at WebHosting Talk forums.

http://www.webhostin...wthread.php?t=157698

A few days ago there were mass outages of Tor hidden services that predominantly effected Freedom Hosting websites.

http://postimg.org/image/ltj1j1j6v/

"Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours."

If you saw this while browsing Tor you went to an onion hosted by Freedom Hosting. The javascript exploit was injected into your browser if you had javascript enabled.

What the exploit does:

The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.

An iframe is injected into FH-hosted sites:

TOR/FREEDOM HOST COMPORMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV

Which leads to this obfuscated code:

Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374

FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb

FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5

Who's affected Time scales:

Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that's the earliest possible date.

"In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"

http://www.ieee-secu.../papers/4977a080.pdf

The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/w...hole-weeks-510247728

http://postimg.org/image/o4qaep8pz/

On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.

The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.

The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to...something. It only attempts to exploit Firefox (17 and up) on Windows NT. There's definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven't been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.

I'm still pulling this little bundle of malware apart. So far, I've got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The 'content_2.html' and 'content_3.html' files are only served up if the request "looks like" Firefox and has a correct Referer header. The 'content_2.html' is loaded from the main exploit iframe and in turn loads 'content_3.html'.

Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.

UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.

http://pastebin.mozilla.org/2777139

The script will only attempt the exploit on Firefox 17, so I'm no longer worried about it being some new 0day. Enough of the "Critical" MFSAs are for various sorts of memory corruption that I don't have the time to find out if this is actually a new exploit or something seen before.

http://postimg.org/image/mb66vvjsh/

Logical outcomes from this?

1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor

2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)

3. Bitcoin and all crypto currenecies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.

I don't always call the Feds agenda transparent, but when i do, I say they can be trying harder.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #1 on: August 04, 2013, 06:26:18 PM »
So boys and girls and all you hip cyber types out there...

Are we still so convinced that big government is clueless and without the resources to get its message across about exactly who owns the web?

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #2 on: August 04, 2013, 07:49:41 PM »
Oh... I don't think that anyone who knows anything would say that after Stuxnet.  I just wish they'd use their superpowers for good instead of evil.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #3 on: August 04, 2013, 07:50:59 PM »
^Well said! :Thmbsup:

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,550
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #4 on: August 04, 2013, 10:58:07 PM »
So boys and girls and all you hip cyber types out there...

Are we still so convinced that big government is clueless and without the resources to get its message across about exactly who owns the web?

They didn't used to. It took them a real long while. Slashdot used to be pretty snarky about "you clueless newbie, set up Tor instead". Well, if they bust the Tor network, then that advice won't work so well!

These are "low tech" actions - "arrest website/node owner, blah blah". So whether the "right people" showed up in the "right departments", all this stuff is accelerating.





Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #5 on: August 05, 2013, 12:46:16 AM »
So boys and girls and all you hip cyber types out there...

Are we still so convinced that big government is clueless and without the resources to get its message across about exactly who owns the web?

Hey 40hz, did I mention how much I really, Really, REALLY hate it when you're right about these things?

Just in case...

I really, Really, REALLY hate it when you're right about these things. Really.

Still, it looks like a hosts/clients compromised, and not the protocol itself, which is a consolation, if small.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #6 on: August 05, 2013, 05:56:53 AM »
@Ren - I get that a lot. :)

And just for the record, I REALLY hate it too.

Things like this I want to be completely wrong about. Seriously.

And since I'm in predictive mode, the next steps will be something like this:

After a great deal of fulminating and managed debate, most of the public will knuckle under and accept broad and highly intrusive albeit mostly invisible (by design) regulation and monitoring of any and all web traffic. At which point the Internet will enter it's second incarnation that I think of as The Overnet (i.e. an internet with overlords).

In response, you'll have the usual protocol battles to attempt to wring some level of anonymity and privacy out of government/corporate owned and operated networks. Broad and vaguely worded laws will be eventually passed to make such attempts illegal. And draconian fines and penalties will be handed down on a certain token number of highly publicized cases. Those charged will be thoroughly demonized (i.e. kiddie-porn, terrorism, drug dealing, human trafficking, organized crime) - in some cases with justification - but also at times without. These cases will form the basis for talking points which will be repeated ad nauseum in order to control the scope and terms of any ongoing debate about the subject of web monitoring.

In the meantime, efforts will continue to develop methodologies to evade government monitoring. Most will be unsuccessful and mainly serve as unsuspecting R&D and 'quality control' for government monitoring efforts. Knowing full well that anything which doesn't kill us serves to make us stronger, governments will deliberately act stupider than they are in order to encourage such activities and identify those involved in it.

Some (very few) of the less talented will be periodically arrested and charged. But it will be purely for token effect.

The truly talented will be offered government jobs in exchange for a waiver of prosecution. Those rare individuals who pose a genuine threat however, will simply be apprehended, bled dry of what they know, and either 'rehabilitated' into some government occupation, or quietly disposed of - with no need for a trial or anyone being made the wiser.

Eventually a series of protocols will emerge that do provide genuine anonymity and privacy and the The Undernet will be born. This will be addressed by the creation of new laws (with even harsher penalties) for any caught using these technologies.

Ultimately, advances in computing machinery (i.e. quantum computers etc.) and mathematic theory will lead to the government cracking the Undernet protocols. But rather than shut it down, government will by now realize it provides them with the ultimate sandbox to contain those wishing to operate outside the law. So other than the prosecution of more serious criminals, plus the occasional token victim (just to let everybody know your government still "on it"), the Undernet will continue to be unofficially tolerated. But only under the ever watchful eye of government in order to serve as a technology containment and societal pressure relief mechanism.

At which point human society will enter into a completely new phase of it's existence which might as well be called The Panopticon Age since universal surveillance will be the dominant shaping technology of that era.

***

So there you have it: Internet begets Overnet begets Undernet begets Panopticon. Sounds almost biblical doesn't it? ;D

Figure this will all likely come to pass within the next 25-30 years. But definitely before the end of this century. (And once again, I sincerely hope I'm wrong. :o)
« Last Edit: August 05, 2013, 07:10:19 AM by 40hz »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,294
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #7 on: August 05, 2013, 06:43:49 AM »
Still, it looks like a hosts/clients compromised, and not the protocol itself, which is a consolation, if small.

What's that old adage about feet of clay? It's really not a consolation at all, and considering I highly doubt the pedo angle is anything other than a BS excuse for muscle flexing ... I'd say this is nothing more than a nuclear class warning shot.

Oh, Yeah...and +1 for hating it when 40 is right ... Damn you prophet boy.  :D

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #8 on: August 05, 2013, 07:14:19 AM »
Damn you prophet boy.  :D

Not a prophet by any means. Just an avid student of history and human psychology who read The Foundation Trilogy when still a young and highly impressionable child. :(

 ;D

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #9 on: August 05, 2013, 07:53:53 AM »
They didn't used to. It took them a real long while. Slashdot used to be pretty snarky about "you clueless newbie, set up Tor instead". Well, if they bust the Tor network, then that advice won't work so well!

These are "low tech" actions - "arrest website/node owner, blah blah". So whether the "right people" showed up in the "right departments", all this stuff is accelerating.

I can tell you, with a certainty, when they were being snarky, they were being played.  This isn't a recent development.  It's just a recently known development.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #10 on: August 05, 2013, 07:55:54 AM »
Still, it looks like a hosts/clients compromised, and not the protocol itself, which is a consolation, if small.

A chain is only as strong as the weakest link.  So instead of trying to cut the strongest... you go after the weakest.  People are always the weakest link.  It's not even the hosts/clients that they compromised- but the people being stupid mixing secure and non-secure browsing.  All for a bit of javascript.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #11 on: August 05, 2013, 09:48:01 AM »
And since I'm in predictive mode, the next steps will be something like this:

I think you're bang on or close enough for it not to matter about any details.

I think we will see a similarly dismal future for "law" enforcement, food, over-criminalization, and a host of other things best left out of the Living Room.

Do you read any alternative media?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #12 on: August 05, 2013, 10:00:59 AM »
governments will deliberately act stupider than they are in order to encourage such activities and identify those involved in it.

That's been going on for a while.  Back in the 80s, you might have legitimately been able to say that they had not kept up, and weren't effective.  That's what the MO was- to use that perception to hide their proficiency and scout their opposition.  They've become surprisingly blatant and/or lazy as of late.  An operation like this shouldn't have been revealed.  I'm not sure if everyone is catching up, and it's becoming harder, or if it's truly that they think there's no need to hide.  If it's the first, then that's a start.  If it's the latter... well, then I hope that pride is going before the fall.  But it's really looking like they're right... and that they can come in from the cold.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #13 on: August 05, 2013, 11:52:51 AM »
Do you read any alternative media?

Seldom. Or at least not deliberately/

I just read. A lot. Of anything I can get my hands on. I'm sort of with Charles Forte who suggested we need to look at everything - and not just throw out the stuff that doesn't fit in with what we either "know" or believe to be possible. "Catalog everything. Then file it away for future review and correlation." he used to say.

Do that long enough and patterns and connections start emerging. Patterns and connections that often get confirmed as being accurate by the events which follow. In time it becomes crystal clear what forces are at work for what ends. After that, it gets very depressing. ;)

So no, I don't consciously seek out alternative reporting. I just read. And I ignore conspiracy theories and simply wait for the wheels within wheels to reveal themselves.

(Note: I got nothing against conspiracy theories per se. It's just that I can spin far more creative and scarier conspiracy theories than any I've ever be told. So if I feel the need for one, I'll just come up with one on my own. >:D)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #14 on: August 05, 2013, 12:26:43 PM »
Do you read any alternative media?

Seldom. Or at least not deliberately/

I just read. A lot. Of anything I can get my hands on. I'm sort of with Charles Forte who suggested we need to look at everything - and not just throw out the stuff that doesn't fit in with what we either "know" or believe to be possible. "Catalog everything. Then file it away for future review and correlation." he used to say.

Do that long enough and patterns and connections start emerging. Patterns and connections that often get confirmed as being accurate by the events which follow. In time it becomes crystal clear what forces are at work for what ends. After that, it gets very depressing. ;)

So no, I don't consciously seek out alternative reporting. I just read. And I ignore conspiracy theories and simply wait for the wheels within wheels to reveal themselves.

(Note: I got nothing against conspiracy theories per se. It's just that I can spin far more creative and scarier conspiracy theories than any I've ever be told. So if I feel the need for one, I'll just come up with one on my own. >:D)

You really should try more alternative media. You might be surprised at what you read/find.

The vast majority of alternative media is just reporting that short tidbit you get in the MSM on page 47. A lot have extensive commentary. You will find few "conspiracy theories" in alternative media.

What's really messed up is you have these guys pointing out basic facts available to anyone, and a MASSIVE number of people screaming about how they are lunatics. At the end of the day, it's just that kid saying, "The Emperor has no clothes." But, somehow that's still taboo. (What's really messed up is how the people screaming at the "conspiracy theorists" are the same ones praising how beautiful the Emperor's clothes are.)

Now, if *I* were to spin out a conspiracy theory, you'd better bet for damn sure that it would involve elder gods better left unnamed that are entering our universe though dedicated minions spread throughout the globe and that some of them have spawned with human beings, and now walk among us...

Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!

We will wake the great sleeper, and you will feel his slumber break...

http://goo.gl/maps/iSaOn

http://vigilantcitiz...seen-in-google-maps/

Iä! Shub-Niggurath!

You will know the Black Goat of the Woods!

;D
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #15 on: August 05, 2013, 05:16:00 PM »
And in the I'm-not-surprised department:

Researchers say Tor-targeted malware phoned home to NSA

I still say that what I'm surprised about is that it was this easy to track.  Unlike what people may thing, this isn't a good sign.

And I'm not the only one that thinks so.  From the article:

Quote
The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud's discussion board wrote, "It's psyops—a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."

And a very cynical, very devious comment:
Quote
Considering the target was suspected to be outside the US, the NSA would be the correct spying agency to use. They and the FBI refer things back and forth all the time. They also have all the hardware required to do this kind of thing.

Making everyone think twice about using a more secure system is a nasty psyop move. But if you have access to the raw traffic data, watching how the stream of packets from a single IP changes over time can be a good way to flag individuals as "suspect" and move to deeper surveillance techniques. If this announcement made you change your behavior, you're now a suspect. Congrats.

And another very devious angle:
Quote
Whistleblowers are NSA's (and its friends) biggest threats. This will cause potential whistleblowers shying away from leaking (not all whistleblowers are ready to forsake anonymity.) I often suspect there are even more damaging stuff waiting to be leaked than what has been leaked so far.
« Last Edit: August 05, 2013, 05:21:27 PM by wraith808 »

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,550
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #16 on: August 05, 2013, 06:48:34 PM »
Damn you prophet boy.  :D

Not a prophet by any means. Just an avid student of history and human psychology who read The Foundation Trilogy when still a young and highly impressionable child. :(

 ;D

So where is the Mule to blow this all to hell and free us?
8)

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 677
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #17 on: August 05, 2013, 06:54:17 PM »
So where is the Mule to blow this all to hell and free us?
Doesn't matter, a few hundred years and we'll be back on track... :D
vi vi vi - editor of the beast

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #18 on: August 05, 2013, 06:55:47 PM »
I guess I'm cynical.

I don't see the revelation as an oversight or screw up.

I think a very pointed message is being sent to the cyber-counterculture and digital separatists.

The message is: We own your ass, kiddies. And we can collect on it any time we feel like.


40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #19 on: August 05, 2013, 06:57:40 PM »
So where is the Mule to blow this all to hell and free us?
Doesn't matter, a few hundred years and we'll be back on track... :D

Yup. When the stars are right and the Great Old Ones return.  ;D :Thmbsup:

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,405
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: BREAKING: Half of TOR sites compromised, including TORMail.
« Reply #20 on: August 05, 2013, 07:47:15 PM »
I guess I'm cynical.

I don't see the revelation as an oversight or screw up.

I think a very pointed message is being sent to the cyber-counterculture and digital separatists.

The message is: We own your ass, kiddies. And we can collect on it any time we feel like.



That's not the cynical part.  The cynical part is that they're playing games within games.  They already have your traffic... those that go to something else, now we have you specifically.  And then also to let the whistleblowers know that Snowden was lucky.  All of the ways you think that you have to cover up your tracks... we have them covered.  And we're watching.