Freedom Hosting etc (including Tormail) compromised

The Tor hidden service Freedom Hosting has been compromised, and its owner is awaiting extradition from Ireland to the US. All hosted sites, including Tormail, are apparently down. Potentially all sites on Freedom Hosting had for some time carried Javascript malware droppers. Malware dropped includes phone-home apps to deanonymize Tor users. So far, it appears that only Windows clients running Firefox were infected. But that includes TBB!

-http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
-http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
-http://www.dailydot.com/news/eric-marques-tor-freedom-hosting-child-porn-arrest/
-https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arrested
-https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

Edit: There's also news and comment at -http://newsiiwanaduqpre.onion BUT be careful. To be safe, only access onion sites using Tails in a VM that connects via VPN (better 2-3 nested VPNs) and reboot Tails between sites.

 

Quite honestly I think you can consider kissing TOR goodbye. There are far too many compromised nodes these days, Freedom Hosting is an incredibly huge loss, and there's just no way to prevent abuse by criminals and government alike. I'd be sticking to regular VPN services from now on and doing my research on them before I even do that.

 

TOR is fine. The only issue is running insecure things like javascript. Run TAILS and No scripting. Fixed. Your VPN is easier to get records from then TOR is.

More on the point. If you were going to fall victim to this attack the exploit would have also worked if you used a VPN. It's attacking a client-side application. It doesn't care what service your using.

 

I don't see this being the fault of Tor. It's exploited servers serving up malware that used javascript to get the browser to open direct connections, revealing their IP in the process. The entire process could just as easily happened with conventional sites and normal web connections. It could have been mitigated on the users end:
1, Blocking or filtering the javascript.
2, An outbound firewall to force the browser thru Tor instead of allowing it to connect directly.

 

My point exactly

 

Yeah...... I knew this was gonna happen. "Sits happily with my Lavabit account". I use TOR to poke around onion security sites. I wonder if there is any way to know if you picked up any of this malware just from running Tor. It would suck to get busted just for using Tor.. even if your not doing anything wrong with it.

 

It isn't the fault of TOR at all and yes, it could have and does happen every day on the clear-net. My point was that with so many of these nodes being hijacked and/or ran by authorities, TOR is quite difficult to stay safe on. This particular incident was a government operation, there's almost no way it wasn't. I never meant to convey the idea that TOR itself was the cause of the problem, it's just the uncontrolled nature of who is "in charge" of what node and the servers doing the hosting. It looks like so far that NoScript in the TBB set to block all would have stopped this attack cold, but maybe not. I doubt we have all the information just yet.

 

It was an operation against FreedomHosting itself really. The users getting their covers blown was just a secondary effect and icing on the cake. Government and LEA have been after FreedomHosting for a long time. The biggest problem I have with this is that, yet again, the U.S is showing it does not care one iota about jurisdiction.

 

Yeah, but it would suck to get added to a list just because you use Tormail.... or read security blogs and guides on onion sites. I know a few of the legitimate ones must have used freedom hosting as that's the big name you hear on Tor for hosting.

 

Well ...

In a recent post to the discussion at -http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/ we see:

 

There's no realistic way to avoid or get rid of bad, hijacked, or govt created nodes. All that can be done there is create more good nodes and lower the chances of encountering them. Besides disabling javascript, the browser component of this attack could be mitigated easily with firewall rules.

Very true. I was opening the IRC channel for Tor about the same time. At that time, I had over 300 inbound connections to my exit node and only a couple outbound. Normal is anywhere from 5 to 30 of each at any given time. Whatever else was going on resulted in a large increase in connections to exits but with very little traffic. Another user had over 400 circuits at that time.

From what I was seeing there, the primary targets were Silk Road and the child porn hosting/users, and the rest appeared to be collateral damage. If I understood correctly from the chat at the time, the FireFox component of TBB was targeted. This incident does drive home another point. The Tor Browser Bundles might make it easier for the average user to run Tor, but it does not assure that you're safe. It needs help from the rest of the system. It doesn't matter if it uses NoScript and Tor. It's still built around a common browser, one that IMO is causing many of it's own problems with rapid updating.

 

I wonder if we'll see some leaps forward in privacy and security within the Tor network. Usually, major hits like this kick innovation into high gear. People tend to get lazy when they feel safe, but once they feel that unexpected kick in the nuts, they put on their game faces again. I'm not happy about the way that this whole thing went down, but I am looking forward to improvements in technology as a result.

All this stuff about the NSA, FBI, etc. lately has brought a lot of people into the privacy/security community. I'm one of them and I'm recruiting everyone I know. Things are a lot worse than I ever imagined.

 

Here are two useful bits from -https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting:

... and ...

Edit: Make that three.

This is a rude reminder that NoScript in TBB (and Tails and Whonix) by default enables all scripts !!!

 

This is all terrible news.

It looks to me like anyone using Whonix or Tails is safe from this exploit?

A stern reminder that you are never safe out there.

 

Is this statement true:
The exploit would have worked if you were using VPN, but the IP address returned by the exploit would have been that of your VPN. If you use a VPN that has no logs or information stored on you, then you would be safe.

 

Yes, Whonix would not let the malware bypass Tor.

I'm not sure about Tails.

 

TBB, Tails and Whonix all run stock Tor-modified Firefox/Seamonkey. Although NoScript is installed, scripting is enabled globally by default.

The Tor Project wants all users to look the same. And they know that too much of the Internet is broken without Javascript. So they figure that it's best for all Tor users to run Javascript. Oops

They also caution hidden service sites to avoid Javascript I guess that the attackers didn't get that memo

 

https://krebsonsecurity.com/

 

https://blog.mozilla.org/security/2...ability-report/comment-page-1/#comment-111200

 

Can anyone say, definitively, if this vulnerability is windows only?

 

I am not aware that Scripts Globally Allowed in NoScript is enabled in Tails as this is regarded as dangerous to NoScript - I think not, but will check and confirm. Last I checked, as Tails uses the Firefox derivative named Iceweasel browser, it does in fact (by default) enable JavaScript however.

JavaScript is the first thing I turn off after the Iceweasel browser boots.

-- Tom

 

Check the Tor Project Security advisory.

-- Tom

 

From what we know, Having No-script Enabled at default settings mitigates this attack? VPN's also because it returns your VPN's IP and not your real one?

 

Yes.

-http://tsyrklevich.net/tbb_payload.txt-

While this doesn't completely tie you to them It does leak information. Remember VPN's are easier to tap up stream then TOR is. PRISM(XKEYSCORE) Even targets VPN's specifically upstream if we are to believe the documents that are leaked.

Also since the exploit used shellcode it could really do anything really. They easily could have dropped a persistent backdoor.

No I mean NO Scripting not noscript. It works like this: Block everything, temporary allow trusted sites.

This could also have all been mitigated if people would harden the kernel. TAILS alone should be using GRSecurity and PaX. Windows should just not be used for privacy. Use TAILS if you don't like linux. At least you can spoof you maccaddy their too.

 

Researchers say Tor-targeted malware phoned home to NSA.

-- Tom