Freedom Hosting etc (including Tormail) compromised

Discussion in 'privacy problems' started by mirimir, Aug 4, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    The Tor hidden service Freedom Hosting has been compromised, and its owner is awaiting extradition from Ireland to the US. All hosted sites, including Tormail, are apparently down. Potentially all sites on Freedom Hosting had for some time carried Javascript malware droppers. Malware dropped includes phone-home apps to deanonymize Tor users. So far, it appears that only Windows clients running Firefox were infected. But that includes TBB!

    -http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
    -http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
    -http://www.dailydot.com/news/eric-marques-tor-freedom-hosting-child-porn-arrest/
    -https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arrested
    -https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

    Edit: There's also news and comment at -http://newsiiwanaduqpre.onion BUT be careful. To be safe, only access onion sites using Tails in a VM that connects via VPN (better 2-3 nested VPNs) and reboot Tails between sites.
     
    Last edited: Aug 4, 2013
  2. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Quite honestly I think you can consider kissing TOR goodbye. There are far too many compromised nodes these days, Freedom Hosting is an incredibly huge loss, and there's just no way to prevent abuse by criminals and government alike. I'd be sticking to regular VPN services from now on and doing my research on them before I even do that.
     
  3. x942

    x942 Guest


    TOR is fine. The only issue is running insecure things like javascript. Run TAILS and No scripting. Fixed. Your VPN is easier to get records from than TOR is.

    More on the point. If you were going to fall victim to this attack the exploit would have also worked if you used a VPN. It's attacking a client-side application. It doesn't care what service you're using.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't see this being the fault of Tor. It's exploited servers serving up malware that used javascript to get the browser to open direct connections, revealing their IP in the process. The entire process could just as easily have happened with conventional sites and normal web connections. It could have been mitigated on the user's end:
    1. Blocking or filtering the javascript.
    2. An outbound firewall to force the browser through Tor instead of allowing it to connect directly.
     
  5. x942

    x942 Guest

    :thumb: My point exactly :)
     
  6. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Yeah...... I knew this was gonna happen. "Sits happily with my Lavabit account". I use TOR to poke around onion security sites. I wonder if there is any way to know if you picked up any of this malware just from running Tor. It would suck to get busted just for using Tor.. even if you're not doing anything wrong with it.
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    It isn't the fault of TOR at all and yes, it could have and does happen every day on the clear-net. My point was that with so many of these nodes being hijacked and/or run by authorities, TOR is quite difficult to stay safe on. This particular incident was a government operation, there's almost no way it wasn't. I never meant to convey the idea that TOR itself was the cause of the problem, it's just the uncontrolled nature of who is "in charge" of what node and the servers doing the hosting. So far it looks like NoScript in the TBB set to block all would have stopped this attack cold, but maybe not. I doubt we have all the information just yet.
     
  8. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America

    It was an operation against FreedomHosting itself really. The users getting their covers blown was just a secondary effect and icing on the cake. Government and LEA have been after FreedomHosting for a long time. The biggest problem I have with this is that, yet again, the U.S. is showing it does not care one iota about jurisdiction.
     
  9. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Yeah, but it would suck to get added to a list just because you use Tormail.... or read security blogs and guides on onion sites. I know a few of the legitimate ones must have used freedom hosting as that's the big name you hear on Tor for hosting.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Well ...

    In a recent post to the discussion at -http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/ we see:

     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's no realistic way to avoid or get rid of bad, hijacked, or govt created nodes. All that can be done there is create more good nodes and lower the chances of encountering them. Besides disabling javascript, the browser component of this attack could be mitigated easily with firewall rules.
    Very true. I was opening the IRC channel for Tor about the same time. At that time, I had over 300 inbound connections to my exit node and only a couple outbound. Normal is anywhere from 5 to 30 of each at any given time. Whatever else was going on resulted in a large increase in connections to exits but with very little traffic. Another user had over 400 circuits at that time.

    From what I was seeing there, the primary targets were Silk Road and the child porn hosting/users, and the rest appeared to be collateral damage. If I understood correctly from the chat at the time, the Firefox component of TBB was targeted. This incident does drive home another point. The Tor Browser Bundles might make it easier for the average user to run Tor, but it does not assure that you're safe. It needs help from the rest of the system. It doesn't matter if it uses NoScript and Tor. It's still built around a common browser, one that IMO is causing many of its own problems with rapid updating.
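    The outbound-firewall mitigation that noone_particular describes in posts 4 and 11 (force the browser through Tor; reject direct connections), as an added example that is not code from this thread or from the Tor Project. It assumes a Linux host with iptables where the Tor daemon runs as the unix user `debian-tor` (Debian-style packaging; override with `TOR_USER`) and the browser is pointed at Tor's SOCKS port on localhost. Only that user may open network connections; any other process, including a browser exploit trying to phone home directly over TCP or leak a DNS query over UDP 53, is rejected instead of revealing the real IP.

```shell
#!/bin/sh
# Added example (not from the thread): a fail-closed outbound firewall that
# only lets the Tor daemon's own unix user reach the network. Everything else
# can talk to localhost (where Tor's SOCKS port lives) and nothing more.
# Assumption: Tor runs as user "debian-tor"; set TOR_USER to change that.
set -eu

TOR_USER="${TOR_USER:-debian-tor}"

# Print the rule set, one iptables invocation per line, so it can be reviewed
# (or compared against a running system) before anything is applied.
# Order matters: loopback and the Tor user are accepted first, replies to
# already-established flows are accepted, and the final catch-all REJECT
# covers every other new outbound packet, including UDP 53 DNS lookups.
tor_only_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner ${TOR_USER} -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Apply the rules. Requires root. With "--dry-run" the rules are only printed.
# The explicit REJECT gives a misbehaving process an immediate error rather
# than a hang; the DROP policy is the backstop if the chain is ever flushed.
tor_only_apply() {
    if [ "${1:-}" = "--dry-run" ]; then
        tor_only_rules
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "tor_only_apply: must run as root (or use --dry-run)" >&2
        return 1
    fi
    tor_only_rules | sh -e
}

# Quick self-check for a running system: is the catch-all REJECT in place?
# Returns 0 when the rule exists, non-zero otherwise (needs root for iptables -C).
tor_only_check() {
    iptables -C OUTPUT -j REJECT --reject-with icmp-port-unreachable 2>/dev/null
}

# Usage (as root):  ./tor_only.sh            # apply
#                   ./tor_only.sh --dry-run  # just show the rules
case "${1:-}" in
    --dry-run) tor_only_apply --dry-run ;;
    apply)     tor_only_apply ;;
esac
```

    With this in place the browser keeps working through its localhost SOCKS proxy, while a direct connection attempted by exploit code running as the browser's user gets an ICMP port-unreachable instead of reaching the attacker. Transparent redirection of stray traffic into Tor's TransPort is a separate, more permissive design and is deliberately not included here.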
     
  12. Grassman20

    Grassman20 Registered Member

    Joined:
    Jul 14, 2013
    Posts:
    26
    Location:
    USA
    I wonder if we'll see some leaps forward in privacy and security within the Tor network. Usually, major hits like this kick innovation into high gear. People tend to get lazy when they feel safe, but once they feel that unexpected kick in the nuts, they put on their game faces again. I'm not happy about the way that this whole thing went down, but I am looking forward to improvements in technology as a result.

    All this stuff about the NSA, FBI, etc. lately has brought a lot of people into the privacy/security community. I'm one of them and I'm recruiting everyone I know. Things are a lot worse than I ever imagined.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Here are two useful bits from -https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting:

    ... and ...

    Edit: Make that three.

    This is a rude reminder that NoScript in TBB (and Tails and Whonix) by default enables all scripts !!!

     
    Last edited: Aug 5, 2013
  14. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45
    This is all terrible news.

    It looks to me like anyone using Whonix or Tails is safe from this exploit?

    A stern reminder that you are never safe out there.
     
  15. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45
    Is this statement true:
    The exploit would have worked if you were using VPN, but the IP address returned by the exploit would have been that of your VPN. If you use a VPN that has no logs or information stored on you, then you would be safe.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Yes, Whonix would not let the malware bypass Tor.

    I'm not sure about Tails.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    TBB, Tails and Whonix all run stock Tor-modified Firefox/Seamonkey. Although NoScript is installed, scripting is enabled globally by default.

    The Tor Project wants all users to look the same. And they know that too much of the Internet is broken without Javascript. So they figure that it's best for all Tor users to run Javascript. Oops :(

    They also caution hidden service sites to avoid Javascript ;) I guess that the attackers didn't get that memo :(
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    https://krebsonsecurity.com/
     
    Last edited: Aug 5, 2013
  19. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    https://blog.mozilla.org/security/2...ability-report/comment-page-1/#comment-111200
     
  20. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45
    Can anyone say, definitively, if this vulnerability is windows only?
     
  21. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    I am not aware that Scripts Globally Allowed in NoScript is enabled in Tails as this is regarded as dangerous to NoScript - I think not, but will check and confirm. Last I checked, as Tails uses the Firefox derivative named Iceweasel browser, it does in fact (by default) enable JavaScript however.

    JavaScript is the first thing I turn off after the Iceweasel browser boots.

    -- Tom
     
  22. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Check the Tor Project Security advisory.

    -- Tom
     
  23. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    From what we know, having NoScript enabled at default settings mitigates this attack? VPNs also, because it returns your VPN's IP and not your real one?
     
  24. x942

    x942 Guest

    Yes.

    -http://tsyrklevich.net/tbb_payload.txt-

    While this doesn't completely tie you to them, it does leak information. Remember VPNs are easier to tap upstream than TOR is. PRISM (XKEYSCORE) even targets VPNs specifically upstream if we are to believe the documents that are leaked.

    Also since the exploit used shellcode it could really do anything. They easily could have dropped a persistent backdoor.



    No I mean NO Scripting not noscript. It works like this: Block everything, temporary allow trusted sites.

    This could also have all been mitigated if people would harden the kernel. TAILS alone should be using GRSecurity and PaX. Windows should just not be used for privacy. Use TAILS if you don't like linux. At least you can spoof your MAC address there too. :thumb:
     
    Last edited by a moderator: Aug 5, 2013
  25. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089