Aug 23, 2013, 11:00 am EST
Security researchers found a malicious script that takes advantage of a Firefox Zero-day to identify some users of the Tor anonymity network.
My readers know very well Tor network and the capability of the system to remain anonymous under specific conditions. We have used terms such as Deep Web, Dark web and hidden web to remark the impossibility to track users in this obscure part of the Internet, but there are some exceptions.
Tor network is a precious resource for freedom of expression, thanks to its system hacktivists, dissidents and whistleblowers could spread their voice to the international community, but it is also true that this network are abused by cyber criminals and intelligence agencies.
As I presented in one of my research the contents on drugs, child pornography and on many other illegal activities are the principal resources available in the Tor network, we are facing with a market characterized by impressive figures, and websites such as SilkRoad are just the tip of the iceberg.
FBI is exploiting a Firefox Zero-day for Firefox 17 version to track Tor users, be aware the Bureau didn’t compromise the Tor system but it exploited a flaw in the Tor browser to implant a tracking cookie which fingerprinted users through a specific external server.
Mozilla declared that it has been announced the presence of a potential security vulnerability in Firefox 17 (MFSA 2013-53) , which is currently the extended support release (ESR) version of Firefox.
“Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.”
The Exploit code posted by Mozilla and Deobfuscated JS used by the Tor Browser exploit posted on Google Code.
“Briefly, this payload connects to 220.127.116.11:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash.”
If Tsrklevich is right, the code could be considered as the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” aka CIPAV, the law enforcement spyware first reported by WIRED in 2007.
“Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gathers information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predator, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.” reported Wired post.
Recently in Ireland it has been arrested Eric Eoin Marques, the young man believed to be behind Freedom Hosting, the biggest service provider for sites on the encrypted Tor network and he is accused of favoring the dissemination activities of child pornography.
Marques was being arrested on a Maryland warrant after around a year of intense investigation, he faced four charges relating to alleged child pornography offenses with a total of 30 years jail. The accusers are severe, the FBI considers the man as “the largest facilitator of child porn on the planet.”
In 2011, the collective Anonymous attacked Freedom Hosting with a denial-of-service after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.
With Marques arrest many popular websites on the DeepWeb went down including services like Tor Mail, HackBB and the Hidden Wiki that are all hosted on Freedom Hosting. The concerning news is that in reality many other Tor hidden services may be compromised using a browser exploit.
For massive distribution of the malicious script FBI has used Freedom Hosting platform injecting its HTML code within page visited by victims. The script first checks the version of the user’s browser and if it recognizes that he is using Firefox 17 then it collects the above information.
FBI or NSA?
Despite initially the researchers accused FBI for the design of the malicious script, it appears that the IP address found in the script belongs to the National Security Agency (NSA). This revelation has been done by Baneki Privacy Labs, a collective of Internet security researchers, and VPN provider Cryptocloud.
“Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia. Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers. “One researcher contacted us and said, ‘Here’s the Robotex info. Forget that you heard it from me,'” a member of Baneki who requested he not be identified told Ars.” revealed a post published on ArsTechnica
Does Mozilla work for US government?
The consequence could be dramatic for a huge quantity of hacktivist and dissidents, the exploits of Firefox Zero-day may have favored regime and the tracking of innocent user opposed to Governments censorship.
Meantime … if you are a Windows user Update your Tor Browser Bundle to new version 3.0 alpha2 released today.
(Source: CDM, Pierluigi Paganini, Editor and Chief )