Silk Road forums

Discussion => Security => Topic started by: chevelle on September 14, 2013, 02:18 am

Title: FBI BEHIND TOR ATTACKS
Post by: chevelle on September 14, 2013, 02:18 am
I ran across an article on Hacker News that explains what is what. Please read and update.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: dolmio on September 14, 2013, 02:32 am
found this:

The IP address hardcoded into the 0-day Firefox javascript, used to compromise the Tor network via a version of Tor bundle, has been traced back to Science Applications International Corp (a company investigated by Blue Cabinet) which has worked with former Edward Snowden employer Booz Allen Hamilton, is an NSA contractor, has supplied communications technology to the Assad regime, and also developed a tool for the NSA called – wait for it – PRISM.

It is alleged the FBI with Verizon are behind this attack but CryptoCloud points out that this may be a ruse and that the real culprit is probably the NSA, who regularly contract out to SAIC and who are basically waging war – overt and covert, using any means at its disposal, against all-comers – in this case, using 0-day browser malware. See below for more, plus CryptoCloud via aforementioned link…

The IP address in question is 65.222.202.%. C block. See http://www.domaintools.com/research/ip-explorer/?ip=65.222.202.53 for more on this. Note: according to Baneki Privacy the whole C Block is nsa.gov though Wired reckons the block is shared by several US Government agencies.

UPDATE: Tor advises that the attack was specifically aimed at Windows users and was fixed via June and July upgrades of Tor.

A. The hacking attack

According to Hacker News … “The FBI appears to have gained access to Freedom Hosting and injected malicious HTML code that checks the visitor’s browser to see if he is using Firefox 17. Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.

“The Openwatch reported that the execution of malicious JavaScript inside the Tor Browser Bundle, perhaps the most commonly used Tor client, comes as a surprise to many users. Previously, the browser disabled JavaScript execution by default for security purposes, however this change was recently reverted by developers in order to make the product more useful for average internet users. As a result, however, the applications have become vastly more vulnerable to attacks such as this.

The JavaScript code’s payload was analyzed by reverse engineer and exploit developer Vlad Tsyrklevich, who reveals that it briefly connects to a server and sends the hostname and MAC address of the victim. “Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname) and the MAC address of the local host (via calling SendARP on gethostbyname->h_addr_list). After that it cleans up the state and appears to deliberately crash.”

Microsoft used to provide the US government with an early start on its security vulnerabilities, which was reportedly used to aid its cyber espionage programs. But there is no indication at this point that Mozilla worked with the government in this case.”
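The quoted analysis describes two things a defender can look for: a hidden iframe injected into a hosted page that pulls a script from an address outside the site, and an outbound HTTP beacon to the hardcoded 65.222.202.54:80. The following is an added illustration, not code from the original post or from any of the quoted sources; the sample maintenance page, the page host name "example.onion", the log format and the log lines are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator quoted in the thread: the payload beaconed to 65.222.202.54 on port 80.
KNOWN_BEACON_HOSTS = {"65.222.202.54"}


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its attributes (lower-cased keys)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the frame is styled invisible or given a zero width/height."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "1")) == 0 or int(attrs.get("height", "1")) == 0
    except ValueError:
        return False


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes that are hidden, load from a foreign host,
    or point at a known beacon address. A relative src counts as the page's own host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or page_host
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if src_host != page_host:
            reasons.append("external:" + src_host)
        if src_host in KNOWN_BEACON_HOSTS:
            reasons.append("known-indicator")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed connection-log format (hypothetical): "<timestamp> <src_ip> -> <dst_ip>:<port> <proto>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\S+)$")


def flag_beacons(log_lines):
    """Return (timestamp, source, destination) for every connection to a known beacon host."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m["dst"] in KNOWN_BEACON_HOSTS:
            hits.append((m["ts"], m["src"], m["dst"] + ":" + m["port"]))
    return hits


# Constructed sample page: a maintenance notice with one hidden foreign iframe and one benign local one.
SAMPLE_PAGE = """<html><body><h1>Down for maintenance</h1>
<iframe src="http://65.222.202.54/content" style="display:none"></iframe>
<iframe src="/help" width="600" height="400"></iframe>
</body></html>"""

# Constructed sample log: one beacon to the indicator address, one unrelated TLS connection.
SAMPLE_LOG = [
    "2013-08-04T02:11:09Z 10.0.0.7 -> 65.222.202.54:80 tcp",
    "2013-08-04T02:11:10Z 10.0.0.7 -> 192.0.2.10:443 tcp",
]

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "example.onion"):
        print("suspicious iframe:", src, reasons)
    for hit in flag_beacons(SAMPLE_LOG):
        print("beacon:", hit)
```

The page check is meant to run against the HTML you actually receive from a site (a hidden frame is invisible in the rendered view, which is exactly why the Freedom Hosting injection went unnoticed until people read the source), and the log check is the kind of indicator match a proxy or egress-firewall log review would do after the beacon address became public.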
Title: Re: FBI BEHIND TOR ATTACKS
Post by: chevelle on September 14, 2013, 02:41 am
I'm not an IT guy so I don't know if this is anything we didn't know beyond the JavaScript flaw. Please explain so us idiots can understand. Thx.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: dolmio on September 14, 2013, 02:55 am
here's some links explaining it:

http://securityaffairs.co/wordpress/16924/cyber-crime/firefox-zero-day-exploited-against-tor-anonymity.html

http://thehackernews.com/

http://www.majorgeeks.com/news/story/fbi_breaches_tor_browser_via_zero_day_exploit_in_firefox_17.html

http://darkernet.in/hacking-attack-on-tor-allegedly-linked-to-saic/

Title: Re: FBI BEHIND TOR ATTACKS
Post by: SpaceAce on September 14, 2013, 03:04 am
yes this is old news they were behind the javascript attack.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: chevelle on September 14, 2013, 03:20 am
Yes. I've read most of that.

Can I make these assumptions if I used the Windows browser bundle in June-July with JavaScript enabled and no MAC protection?

1) The feds know someone using my computer visits SR.

2) The feds know who I am. My name is on a hot sheet.

3) My address is burnt.

4) Despite changes in my security (Tails, change-my-MAC software) I am at increased risk because of my previous behavior.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: chevelle on September 14, 2013, 03:30 am
@ space ace...this isn't old news. The attacks were supposed to originate in Russia, not northern Virginia. The client increase in Tor wasn't attributed to the government. Now it's fact.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: SpaceAce on September 14, 2013, 03:38 am
@ space ace...this isn't old news. The attacks were supposed to originate in Russia, not northern Virginia. The client increase in Tor wasn't attributed to the government. Now it's fact.

What are you talking about? Not saying it isn't possible, but I haven't seen anything that proves the botnet is controlled by the government.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: chevelle on September 14, 2013, 03:44 am
OK gman. Let me ask you this...do you get paid per post here or by the hour?
Title: Re: FBI BEHIND TOR ATTACKS
Post by: Jack N Hoff on September 14, 2013, 03:46 am
This is old news and has nothing to do with the botnet. This is about the FBI seizing the Freedom Hosting server and putting a shitty javascript exploit on many of the websites hosted on that server. I repeat, this has nothing to do with the botnet. ::)
Title: Re: FBI BEHIND TOR ATTACKS
Post by: illmotions on September 14, 2013, 03:51 am
So those of us that read how to use Tor safely and disable JavaScript should be all good as far as this thread is concerned, right? I dunno, it seems too that there are so many users of the Silk Road that only buy (not sure on numbers, if anyone could tell me); it's kinda like them arresting and prosecuting you for illegal download of pirated software and videos/music. So would it be safe to say that the odds of you coming under their radar are pretty slim, and even if you did your info should be somewhat safe, right?
Title: Re: FBI BEHIND TOR ATTACKS
Post by: ECC_ROT13 on September 14, 2013, 04:46 am
Can I make these assumptions if I used the Windows browser bundle in June-July with JavaScript enabled and no MAC protection?
1) The feds know someone using my computer visits SR.
2) The feds know who I am. My name is on a hot sheet.
3) My address is burnt.
4) Despite changes in my security (Tails, change-my-MAC software) I am at increased risk because of my previous behavior.

Unless you were surfing CP during that time period, I think you can probably calm down a little.

Neither Silk Road, nor Silk Road forums, was hosted with FH.

If you were using a vulnerable browser bundle with JS enabled during that time window, *and* you were visiting FH-hosted sites (Tormail, etc) during that time period, they likely saw your source IP address and your MAC address, and can match it up with which FH-hosted site you were visiting.  i.e.  Your IP address tried to connect to Tormail.

If the exploit was in place *before* the "Down for maintenance" message went up (when everyone found it), and I haven't seen any evidence that it was, they *might* be able to make a vague guess as to which Tormail user you were based on logfiles from the Tormail HTTP server.  But it's going to be a guess, not Exhibit A in a trial (there's nothing illegal about just using Tormail, so what trial?).   

If you were viewing CP on FH sites during that time period using the same vulnerable software, then what they have is evidence that you were either *trying* to connect to a CP site (if the exploit was only delivered with the down-for-maint page) or that you probably *were* viewing CP (if the exploit was delivered earlier, AND they can correlate the logfiles with the ping from the malware).  I know that some folks here have given examples of people clicking cleartext CP links and getting arrested for the *intent* to download it.    I'm not sure that clicking a link for lskdjflksjdlfkjslkdfjlksjdflksdjfsd.onion is the same as showme-the-cp.com links.    And I'm guessing those arrests had context (they sent someone a unique link, advertising CP, and he clicked it).  Everybody who has ever used Tor to view hidden sites has clicked some .onion link to see where it went and screamed "Holy Jesus! Where's the back button?".  You just can't tell from a .onion address what kind of site you're going to.

Everyone who got deanonymized going to CP sites has to be on a list.  If they're not making a list, why deliver the exploit?  Maybe folks going to carder sites, like HackBB or TCF, but even that's a big stretch.  Nobody should give much of a shit about whatever list they built for Tormail, because it's just people trying to connect to an anonymous email provider.   

I think LE correlating HTTP logfiles with the malware ping response they received (to say that "this malware ping here belongs to User X on this FH site) is a dead end from an evidence perspective, unless they have some massive "for this entire hour, there was only one client, and we got a single ping from the malware in that hour" coincidence.  The source address in the logfiles is not going to be the same as the malware-reported real IP.   No way somebody drags that complicated mess to a jury as the key evidence.

Aside from any people who were viewing CP, the major risk that people here probably face is whatever was in Tormail mailboxes.   If that mailbox ties you to a criminal act in a personally-identifiable way, you have a problem. 

If not, chill out, make sure you've learned something about ways to improve your own security, and move on.

Title: Re: FBI BEHIND TOR ATTACKS
Post by: chevelle on September 14, 2013, 05:42 am
My apologies to all who read this thread. It's now obvious that I was trolled by someone who posted an "article" that was based on an actual article from Wired magazine.

I especially want to say sorry to spaceman for calling him/her a fed. I realize that is the ultimate insult and once again, I'm sorry.

The good news is that if the assholes in power are stooping to this level, it must mean we are fairly safe. Or they wouldn't bother with these tactics. At least that's what I'm going to take away from it.

Once again....I'm sorry.  I will be more careful from now on.
Title: Re: FBI BEHIND TOR ATTACKS
Post by: comsec on September 15, 2013, 10:38 am
I don't think they went after him for CP, Snowden's lavabit account was probably communicating with a tormail address or Snowden himself was using it, and they wanted the server. Anyways, that was the real target, the CP hosting charge was just some scraps for the FBI after the NSA was finished grabbing that mail server.