Freedom Hosting etc (including Tormail) compromised

Discussion in 'privacy problems' started by mirimir, Aug 4, 2013.

Thread Status:
Not open for further replies.
  1. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45

    There was an update saying that the IP is not the NSA:
    http://www.wired.com/threatlevel/2013/08/freedom-hosting/
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
Ok, I just checked, and Tails 0.20-rc1 uses Iceweasel 17.0.7 (Firefox derivative) which should have been safe from the attack, and that NoScript is set to allow scripts Globally by default in the NoScript Options o_O

    I cannot fathom the rationale for making such a dumb decision. If it was to make users all look alike, then disallowing scripts Globally by default in Noscript would be the way to go and let the user decide when to temporarily allow certain scripts. Better for users to be safe by default rather than all look alike just for the sake of common anonymity.

    Also, Iceweasel (Firefox derivative) is set with Javascript on (by default). Again, I cannot fathom the rationale for this.

    If anyone is using Tails 0.20-rc1, I recommend they turn off Javascript under the Content tab in Iceweasel preferences, and they forbid allowing scripts Globally in Noscript. If a web page you are visiting does not render properly, then selectively temporarily allow them in Noscript, or move on to another webpage in your browsing.

    -- Tom
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If they'd blocked all javascript by default, they'd have been bombarded with complaints that sites won't work with it. It's a no win decision for them when dealing with the average user. It's not possible to make a completely secure package that works for the average user. That's the primary reason that I use my own package with Tor, so I can filter javascript instead of globally blocking or allowing it. That's also why I am particular about parent-child settings on SSM, so I can prevent a browser exploit from launching something else, including the Windows scripting host or a command shell.

    If a user has to engage in activities on the web which may have very undesirable consequences, it's up to them to learn how to do it safely. If users who were caught by this incident had taken the time to learn firewall basics, the exploit couldn't have forced a direct connection by the browser. If one chooses to use a package like TBB, understand what it can and can't do, then configure the rest of your system to mitigate its limitations.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
Can someone confirm? Because of the way TOR is set up, for someone to get your real IP address wouldn't they have to be able to control at least 2-3 nodes in your connection chain? For example, even if a middle node was run by the FBI, how would they get your IP when the first bridge node is hiding your IP address?

A bulletproof method of using TOR would be to run your own bridge node; that way you can make sure the connection is secure between your PC and the bridge node, and you can rest assured that the bridge node is hiding your IP from a middle node. Another bonus to this is you can control the bandwidth, so you would be using a fast bridge node.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
There's basically 2 ways an adversary could get your IP while using Tor.
1. If the proper precautions aren't in place (disabling flash and java, blocking or filtering javascript), your browser can be coerced into giving it to them.
2. The browser can be coerced to open a direct connection to a specified link, in which case they can actually see your IP. As before, this is often done with javascript. If not disabled, flash and java can do it as well. When integrated with other apps, the browser can be used to open another app, in which case it will connect directly if proper measures aren't in place.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    This is why you want your browser etc in a machine (or VM) that can only access the Internet via Tor, which is running on a different machine (or VM).

    Whonix does that. Qubes does that. TBB and Tails don't do that.
     
  7. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
You can instead use a firewall to block your browser from making connections outside of Tor.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That would have worked for this attack. But once your machine has been compromised, local firewall rules can be changed. To be safe, apps and networking must be on separate machines, or at least on separate VMs.
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    This works if you use only TOR to connect to the internet. Otherwise, you need to change the rules in your firewall every time you want to switch TOR on and off.
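The firewall approach discussed in the last three posts can be made so that it does not need toggling: instead of filtering by program, filter by the Unix account the browser runs as, so the rules only ever apply to that account and the rest of the system is untouched. The script below is an added example written for this thread, not something any poster provided. It assumes a Linux host with iptables/ip6tables and the `owner` match, Tor listening on 127.0.0.1:9050, and a dedicated unprivileged account named `torbrowser` (these names and the fallback uid are assumptions, not values from the thread). It prints the rules by default and applies them only when run as root with `--apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (and with --apply, applies)
# iptables rules that let one dedicated Unix account reach only Tor's
# local SOCKS port. Assumptions (constructed for this example): Tor runs on
# the same host on 127.0.0.1:9050; the browser is started as the
# unprivileged user "torbrowser"; iptables has the "owner" match.

TOR_USER="${TOR_USER:-torbrowser}"   # assumed account name
SOCKS_PORT="${SOCKS_PORT:-9050}"     # Tor's default SocksPort

# Print the rules for a numeric uid and SOCKS port, one command per line.
# Only loopback TCP to the SOCKS port is allowed; everything else that uid
# sends (IPv4 and IPv6, including UDP/DNS) is rejected in-kernel, so a
# browser coerced into a direct connection has nowhere to go.
tor_only_rules() {
    uid="$1"
    port="$2"
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $uid -o lo -p tcp -d 127.0.0.1 --dport $port -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT
ip6tables -A OUTPUT -m owner --uid-owner $uid -j REJECT
EOF
}

# Look up the account's uid; fall back to a constructed uid (1001) when the
# account does not exist, so the rules can still be previewed.
resolve_uid() {
    id -u "$1" 2>/dev/null || echo "1001"
}

if [ "${1:-}" = "--apply" ]; then
    # Apply the rules (requires root); stop at the first failing command.
    tor_only_rules "$(resolve_uid "$TOR_USER")" "$SOCKS_PORT" | sh -e
else
    tor_only_rules "$(resolve_uid "$TOR_USER")" "$SOCKS_PORT"
fi
```

Because the match is on the sending uid, a normal login session on the same box is unaffected, which answers the on/off problem raised above. It does not answer the compromise problem: the rules live in the kernel of the same host, so an unprivileged browser process cannot remove them, but anything that reaches root can, which is why separating the Tor gateway into its own machine or VM is the stronger design.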
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
NoScript defaults to NOT allow Scripts Globally (dangerous). This allows the user the option to do temporary allowing of websites as required to properly render webpage functionality. I have no problem doing regular browsing such as posting on this forum. When I use Tails for TOR browsing, it seems folly to reset NoScript to default allowing Scripts Globally (dangerous) for Tor use.

    -- Tom
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, the "S!" button in Firefox/Iceweasel does warn to "Forbid Scripts Globally (advised)". But it's a small button.
     
  12. hidden

    hidden Registered Member

    Joined:
    Jun 1, 2010
    Posts:
    117
  13. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I'd still like confirmation that a VPN wouldn't have helped. If the VPN is active, all traffic is routed through the TAP adapter, and the "exposed" IP should be the VPN's, No?

    BTW: -http://www.dailymail.co.uk/news/article-2381145/FBI-child-prostitution-bust-reveals-scores-teen-sex-slaves-worked-Super-Bowl-Atlantic-City.html-

    PD
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    For this attack, a VPN would have helped. The VPN's exit IP would have been exposed, rather than the user's ISP-assigned IP address. However, using a VPN wouldn't have prevented a Windows machine from reporting its MAC address.

    Even so, going from Tor-level "anonymity" to VPN-level is a major hit, especially when the attacker is the NSA :(

    Also, this attack used a known Firefox bug, and only deanonymized Tor on machines running Windows. It would have been trivial to add exploits for Linux or OSX, or exploits that deanonymized VPNs.

    With your networking stuff and apps in separate VMs, an attacker needs to work harder.
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
I'm willing to bet this attack wouldn't have caught very many child porn downloaders, due to the fact that most of them would have javascript disabled. Only a small handful at best.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
Default TOR has Javascript enabled, so I'd actually bet the majority of them use the default.
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
Yeah, but child porn viewers would be the most paranoid group of people on the internet; one would assume they would all make sure javascript is disabled.
     
  18. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Thanks. The MAC thing is bad, but without an IP... Unless there is a master list of all MACs sold to whom out there? I just bought an Intel NIC off Amazon, I wonder if Amazon knows the MAC they sent me...and forwarded it to Intel...who forwarded it to...o_O

Totally agree on TBB's decision to allow all scripts...Bad. We have a notional attack by browser fingerprinting vs. an actual attack because of JS.

    Anyone know of a link for the best settings to put back on TBB's NoScript? I just re-checked almost all of the boxes on a whim.

    PD
     
  19. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
The MAC doesn't have to be bad. It's not that tough to change the Windows MAC anymore. Ever since it was discovered that the bridge network uses 02 as the first octet. It is so simple to install software that changes all the MAC addy's for the various connections. You can have a new MAC as often as you want or even auto change on boot every single day. Even on tough machines like ThinkPads, HP, etc... the MACs are now changeable. A couple of years ago I could not change a MAC and always had to buy a USB dongle like an Alfa to get it done. Not anymore!

Even launching the command prompt in Admin mode and running an ipconfig /all will only show the MAC you set and NEVER the original. No sense in using an original MAC anymore.
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    You mean like MADMAC? I thought this just tricked the router into seeing a different MAC. Does it actually change it? If it doesn't really change it but instead tricks the router into seeing something else, wouldn't the javascript attack, giving the attacker access to your real computer, see the true MAC addy?
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
What about the MAC address on your router?
     
  22. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  23. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Caspian,

I have not thoroughly examined this code (it's over my head), but I don't think it would report something that even a command prompt in Admin mode (ipconfig /all) doesn't show. Every server and open wifi I have ever examined only shows my changed MAC. As an Admin at certain sites I have rear server access.

    Arran,

    I was approaching TOR only via open wifi and after a VPN tunnel was first established. I think my laptop payloads are well "packaged" so nothing gets out of the pipe. Maybe I am wrong. So even in a home use scenario as configured above I don't see how the code would be able to pull anything from anyplace but my laptop. In my case this code would not have processed anyway, but if it did I don't see how the router MAC would have been discovered since the payloads between the machine and my raw ISP are totally "packaged".

    I am open to being wrong and if so I want to learn and to know about it.
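Caspian's question above (does MAC-changing software change the address the computer itself reports, or only what the router sees?) can be answered on Linux without guessing: the kernel keeps the burned-in address separately from the active one, `ip link` shows the active address and `ethtool -P` reports the permanent one, so local code with enough privilege can compare them. The script below is an added example written for this thread, not code from any poster; the two sample command outputs are constructed for illustration, and the `02:` first octet in the sample is the locally-administered bit that Palancar mentions.

```shell
#!/bin/sh
# Added example (not from the thread). Compares an interface's active MAC
# with the permanent (burned-in) address the driver reports, using the
# text output of `ip -o link show` and `ethtool -P`. Assumes Linux with
# iproute2 and ethtool; the sample outputs below are constructed.

# Extract the active MAC from `ip -o link show dev IFACE` output.
active_mac_from() {
    printf '%s\n' "$1" | sed -n 's/.*link\/ether \([0-9a-fA-F:]\{17\}\).*/\1/p' | head -n 1
}

# Extract the permanent MAC from `ethtool -P IFACE` output.
permanent_mac_from() {
    printf '%s\n' "$1" | sed -n 's/^Permanent address: \([0-9a-fA-F:]\{17\}\).*/\1/p' | head -n 1
}

# Classify the interface:
#   "spoofed"  - active address differs from the burned-in one
#   "original" - both are the same
#   "unknown"  - the driver exposes no permanent address (ethtool prints
#                00:00:00:00:00:00 or nothing, common on virtual NICs)
mac_status() {
    active=$(active_mac_from "$1")
    perm=$(permanent_mac_from "$2")
    case "$perm" in
        ""|00:00:00:00:00:00) echo "unknown"; return 0 ;;
    esac
    if [ "$(printf '%s' "$active" | tr 'A-F' 'a-f')" = "$(printf '%s' "$perm" | tr 'A-F' 'a-f')" ]; then
        echo "original"
    else
        echo "spoofed"
    fi
}

# Live check against a real interface (ethtool -P may need root on some drivers).
check_iface() {
    iface="$1"
    mac_status "$(ip -o link show dev "$iface" 2>/dev/null)" "$(ethtool -P "$iface" 2>/dev/null)"
}

# Constructed sample output: the active address was changed to a
# locally-administered one (02:...), the burned-in address was not.
SAMPLE_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:1a:2b:3c:4d:5e brd ff:ff:ff:ff:ff:ff'
SAMPLE_ETHTOOL='Permanent address: 00:11:22:33:44:55'

mac_status "$SAMPLE_IP" "$SAMPLE_ETHTOOL"   # spoofed
```

The practical point for the thread: a changed address does hide the burned-in one from the router and from anything that only looks at the active configuration, but the original is still held by the driver and readable by privileged local code. Whether a particular exploit bothers to read it is a separate question that this check cannot answer.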
     
This has to be a contract job, plain and simple. NSA wouldn't blow their cover of how they analyze and capture TOR traffic and FBI, well I doubt it was them. Cash has traded hands here, and a lot of IPs are going to be investigated.

    On the exploit Ho Hum Diddle Um. Very nice if I do say so myself.

I don't give two ***** about pedo's but in general this was always going to happen with the way the TOR project has outlined its goal for the browser bundle. Now they must act and turn on No-Script by default. Besides Applebaum I really do wonder about the TOR project sometimes. Time to step it up boys, you deserve a kick in the nuts.

And on TORMAIL, if you used it, consider yourself an idiot, because they would have the database by now in their hot little hands, and I bet people didn't use PGP thinking TOR would save them. Anyway it's the second time TORMAIL has been compromised, remember that server switch to .RU? Never used the service myself, it screamed "setup by unknown intelligence organisation"
     