Silk Road forums

Discussion => Security => Topic started by: flwrchlds9 on October 04, 2013, 11:41 pm

Title: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: flwrchlds9 on October 04, 2013, 11:41 pm
A lot of good info.

CLEARNET * http://www.theregister.co.uk/2013/10/04/nsa_using_firefox_flaw_to_snoop_on_tor_users/

NSA does not like tor ;)

Quote
There's also a case of diminishing returns as Tor becomes more popular. With each user acting as a transport node, the sheer scale of the system means it becomes steadily more difficult for the intelligence community to run enough nodes to be useful for tracking.

The agencies have also tried to use "quantum" cookies to track targets who are using Tor. Some cookies appear to persist after Tor sessions, the presentation notes, and the agencies are investigating if this can be developed into a working tracking system.


UPDATE ** FoxAcid and NSA auto exploit. CLEARNET ** http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: flwrchlds9 on October 05, 2013, 06:00 pm
This QUANTUM persistent cookie is very concerning. We need to research this.
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: IForgotMyFuckingPassword on October 05, 2013, 09:57 pm
Quote
This QUANTUM persistent cookie is very concerning. We need to research this.

Good info. Thanks for posting this.

I read this shit in the news earlier today. I've been flipping out ever since. I never thought to check that before because I thought that TorBrowser was pre-configured to not accept cookies at all.

I searched my tor folder and couldn't find anything (at least not in any of the places where cookies would NORMALLY be stored).

Anyone have any information on what (or where) I should be looking for? I'm wondering if they're stored in a location not normally associated with cookies?
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: flwrchlds9 on October 06, 2013, 04:29 am
We're not sure what they mean by "quantum cookie". It might not have anything to do with browser cookies. Possibly they discovered some descriptor in Tor that remains the same between connections.

We have to research more what they mean, because it's not clear. But there are some very concerning things in that article that need more research.
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: Tessellated on October 06, 2013, 06:29 am
There are a variety of ways to put sneaky cookies on a system.

One way is to send a cached image that has random pixels along one edge. In the future when you are linked to it you don't download it because of the cache, so you display the old one. They then use JS to scan the pixel colors and send the info back via AJAX.

Another way is to assign a unique e-tag for a resource and when you do a cache-request you will repeat that etag.

I imagine "quantum" is just a code name for the dozens of sneaky ways to leave a cross site cookie. Using TAILS I am sure to be rid of any of these between boots.
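Both cache tricks Tessellated describes (a per-visitor image and a per-visitor ETag) share one signature a defender can look for: a value that stays fixed within one browser profile but differs between profiles. The Python below is an added example, not code from this thread; it runs that check over constructed fetch records (the profile names, URLs, ETags and bodies are made up).

```python
"""Flag cache-based identifiers: ETags or image bodies that are stable inside
one browser profile but different for every profile (a "cache cookie").
Added example, not code from the thread; the observations are constructed."""
import hashlib
from collections import defaultdict

# Constructed fetches: "profile" is a fresh browser profile, "etag" None if absent.
OBSERVATIONS = [
    # Same logo bytes for all, but the ETag is unique per profile and repeats on revisit.
    {"profile": "p1", "url": "/logo.png", "etag": '"e-7f3a"', "body": b"LOGO"},
    {"profile": "p1", "url": "/logo.png", "etag": '"e-7f3a"', "body": b"LOGO"},
    {"profile": "p2", "url": "/logo.png", "etag": '"e-91c0"', "body": b"LOGO"},
    {"profile": "p3", "url": "/logo.png", "etag": '"e-24dd"', "body": b"LOGO"},
    # No ETag; the image bytes (an edge of "random" pixels) differ per profile.
    {"profile": "p1", "url": "/beacon.png", "etag": None, "body": b"PNG\x01\x02"},
    {"profile": "p1", "url": "/beacon.png", "etag": None, "body": b"PNG\x01\x02"},
    {"profile": "p2", "url": "/beacon.png", "etag": None, "body": b"PNG\x09\x0a"},
    {"profile": "p3", "url": "/beacon.png", "etag": None, "body": b"PNG\x42\x43"},
    # Ordinary static asset: one ETag, one body, for everybody.
    {"profile": "p1", "url": "/style.css", "etag": '"v12"', "body": b"body{}"},
    {"profile": "p2", "url": "/style.css", "etag": '"v12"', "body": b"body{}"},
    {"profile": "p3", "url": "/style.css", "etag": '"v12"', "body": b"body{}"},
    # Genuinely changing page: ETag and body change even within one profile.
    {"profile": "p1", "url": "/news", "etag": '"n1"', "body": b"news 1"},
    {"profile": "p1", "url": "/news", "etag": '"n2"', "body": b"news 2"},
    {"profile": "p2", "url": "/news", "etag": '"n3"', "body": b"news 3"},
]

def _values_per_profile(rows, field):
    """profile -> set of distinct values of `field` that profile received."""
    seen = defaultdict(set)
    for row in rows:
        if row[field] is not None:
            seen[row["profile"]].add(row[field])
    return seen

def _looks_like_cache_cookie(per_profile):
    """True when every profile saw exactly one value and no two profiles share it."""
    if len(per_profile) < 2:
        return False
    if any(len(values) != 1 for values in per_profile.values()):
        return False  # value changes within a profile: content churn, not an ID
    distinct = {next(iter(values)) for values in per_profile.values()}
    return len(distinct) == len(per_profile)

def analyse(observations):
    """Return {url: [fields]} for resources that behave as cache cookies."""
    by_url = defaultdict(list)
    for row in observations:
        hashed = dict(row, body=hashlib.sha256(row["body"]).hexdigest())
        by_url[row["url"]].append(hashed)
    findings = {}
    for url, rows in by_url.items():
        reasons = [field for field in ("etag", "body")
                   if _looks_like_cache_cookie(_values_per_profile(rows, field))]
        if reasons:
            findings[url] = reasons
    return findings

print(analyse(OBSERVATIONS))  # -> {'/logo.png': ['etag'], '/beacon.png': ['body']}
```

A resource that changes on every fetch (like `/news`) is not flagged, because a tracking value has to be stable for the same visitor to be useful; a live OS such as TAILS defeats both variants simply by discarding the cache at shutdown.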
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: telefon on October 07, 2013, 06:02 pm
Quote
There are a variety of ways to put sneaky cookies on a system.

One way is to send a cached image that has random pixels along one edge. In the future when you are linked to it you don't download it because of the cache, so you display the old one. They then use JS to scan the pixel colors and send the info back via AJAX.

Another way is to assign a unique e-tag for a resource and when you do a cache-request you will repeat that etag.

I imagine "quantum" is just a code name for the dozens of sneaky ways to leave a cross site cookie. Using TAILS I am sure to be rid of any of these between boots.

hi Tessellated

since all this happened to SR, and to every one of us as well, and since there has been a lot of talk about security, could you please provide a link about TAILS or explain a bit about TAILS and how to stay safer?

thank you

Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: flwrchlds9 on October 07, 2013, 11:30 pm
https://tails.boum.org/    TAILS!

Everyone needs to stop using Windows!
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: sourman on October 08, 2013, 03:24 am
This has been a problem for a while now. I would advise anyone not using a live OS to wipe the torbrowser folder after each browsing session, and re-extract it when necessary. It takes 30 seconds and can potentially save you from a host of browser/OS exploits as well as persistent fingerprinting techniques that rely on the browser.

Nothing beats a live OS though. Like others have said countless times, USE TAILS.

In fact, I would go one step further and obtain a completely separate PC to run TAILS. Remove all forms of persistent storage from said PC (hard drives, SSD, etc), and you just made life for any possible adversary that much more difficult.

If possible, use an old PC without flashable ROM for good measure, just in case they found a way to store tracking blobs in CMOS.

EDIT: This should be obvious, but only run TAILS off of DVDs. Do not use flash drives or anything other than read-only media.
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: telefon on October 08, 2013, 01:28 pm
Quote
This has been a problem for a while now. I would advise anyone not using a live OS to wipe the torbrowser folder after each browsing session, and re-extract it when necessary. It takes 30 seconds and can potentially save you from a host of browser/OS exploits as well as persistent fingerprinting techniques that rely on the browser.

Nothing beats a live OS though. Like others have said countless times, USE TAILS.

In fact, I would go one step further and obtain a completely separate PC to run TAILS. Remove all forms of persistent storage from said PC (hard drives, SSD, etc), and you just made life for any possible adversary that much more difficult.

If possible, use an old PC without flashable ROM for good measure, just in case they found a way to store tracking blobs in CMOS.

EDIT: This should be obvious, but only run TAILS off of DVDs. Do not use flash drives or anything other than read-only media.

forgive me my amateurish computer skills, but what if I only have Windows?
Some weeks ago I bought a new laptop with Windows 8 on it. I must say I don't like this Windows 8 because it's a lot about tracking my IP and other shit connected to the so-called war against terrorism, where all those NSA and other fascists of the modern world try to control all of us.
I have even been thinking of installing Windows XP, which is pretty simple and more old school, which I hope means it's safer to use.

actually my question is: how to make a live OS? As I understand it's good for safety in TOR
and also: TAILS should be recorded on a DVD and used every time I enter the TOR browser. Is that right?

damn, I need to learn more about security in the hidden web

I really don't like how they control everything, those fascists and capitalists
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: Nightcrawler on October 08, 2013, 03:03 pm
Quote
forgive me my amateurish computer skills, but what if I only have Windows?

Some of us may 'forgive' your amateurish computer skills, but you can bet your last dollar that the authorities won't -- they'll take full advantage of your ignorance, and exploit it to the hilt.

Quote
Some weeks ago I bought a new laptop with Windows 8 on it. I must say I don't like this Windows 8 because it's a lot about tracking my IP and other shit connected to the so-called war against terrorism, where all those NSA and other fascists of the modern world try to control all of us.

Lemme guess... you've used that laptop to connect here, right?

Quote
I have even been thinking of installing Windows XP, which is pretty simple and more old school, which I hope means it's safer to use.

Sweet Jesus!  Windows XP will be about 13 years old by next year, when it will finally be end-of-lifed by Microsoft in April 2014. Anyone idiotic enough to still be running Windows XP by then will deserve whatever they get. It's widely believed that exploits are being saved-up to use after XP is no longer supported, as it will no longer be updated to fix security flaws. Anyone running XP is going to be 0wned, big time.

Quote
actually my question is: how to make a live OS? As I understand it's good for safety in TOR and also: TAILS should be recorded on a DVD and used every time I enter the TOR browser. Is that right?

Quote
damn, I need to learn more about security in the hidden web

I'll say.  Security is a bit like religion... some things have to be taken on faith. Where security differs from religion is that security is NOT retroactive. Unlike Christianity, where you can come to Jesus, be 'saved' and have all your sins washed away, with security you can adopt Tails or PGP, and be secure from that point forward, but rest assured that your previous sins (security failings) WILL come back to haunt you and bite you in the ass. DPR is the poster child for that, right now.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: IForgotMyFuckingPassword on October 08, 2013, 08:50 pm
Quote
actually my question is: how to make a live OS? As I understand it's good for safety in TOR
and also: TAILS should be recorded on a DVD and used every time I enter the TOR browser. Is that right?

You can use TOR with any OS, but for stuff like this, yes you should! Linux comes in many "flavors" or distributions, which are commonly referred to as distros, like TAILS for example. I'm going to give you a very detailed answer, so bear with me. I'll explain a little bit about installing Linux distros to your hard drive as your primary OS; but, to be clear, TAILS on DVD is the way to go for sites like SR/BMR/SM/etc, so I'll give you that answer first in the paragraph below:

Download the TAILS image file (.iso file) from https://tails.boum.org/ You should also download the signing key and the signature file to verify that it's not been tampered with (Google this -- it can be done using the command-line interface in Windows -- ask if you get stuck). This is something that should be done for any OS, for TorBrowser, or for any other app that you're downloading outside of a repository; but while this is critical IMO, it's not technically necessary to make the live DVD. After you download the image, burn it on to a DVD. Restart your PC with the DVD inserted. When the first screen pops up (usually a black screen with the name of the PC manufacturer displayed), press the key for boot options (usually F12). Select the DVD drive. That's it!

TAILS is not hard to use at all; a beginner should be fine with TAILS, although you may need GPG instructions. The GPG (aka PGP) is very easy in TAILS (hint: Seahorse for keys and Gedit to encrypt text), but you might need instructions (it's VERY EASY though). There is no program like GPG4WIN for Linux (you can run it, but that's more complicated and is completely unnecessary--all Linux distros have native GPG support out of the box). TAILS is great, but it's NOT designed to run on a hard drive. It's a "live OS" only, so you'll need something else for your primary OS if you decide to ditch Windows.

Quote
I have even been thinking of installing Windows XP, which is pretty simple and more old school, which I hope means it's safer to use.

Security-wise, if I had to pick my poison, Windows 8 is far more secure than XP or even Windows 7. And as Nightcrawler points out, XP is at the end of its life. While Windows XP is considered a stable OS, it's far from more secure. It's at the end of its life and in 6 months, Microsoft is going to stop supporting it altogether.

I would NOT run Windows AT ALL, especially if you feel as strongly about government snooping as your post suggests. I ditched Windows 2 years ago and don't regret it a bit. To me, it seems clear that MS is in bed with the NSA. I occasionally run W8 in a VM, and it's OK for the average user (I'd use it if it weren't made by MS. I'm not sure what all the fuss is about).

For a beginner, I'd recommend trying Ubuntu or Linux Mint (Cinnamon or MATE edition) as your primary OS. Both offer a Windows-like experience, and both can be operated almost entirely using the GUI. These two distros specifically include all the non-free media codecs that you need to use for media/DVD playing pre-installed. Give them a try on a live thumb at least.

Cinnamon, MATE, Unity (Ubuntu), Gnome, KDE, etc. are called Desktop Environments or DEs and are basically your GUI -- you can install any DE on just about any distro, but when you're starting out, it's easier to just download the pre-packaged versions. Once you get the hang of Linux, you can install any DE that you like.

Back up your files (just your libraries, not the entire HDD) and install Linux Mint MATE/Cinnamon or Ubuntu. The process is the same as the instructions for TAILS, but in this case, it's OK to use a thumb drive. You'll have the option of installing the OS or testing it. You should test any OS to make sure the hardware you need to use is supported before installing.

For the installation, select LVM with whole-disk encryption, choose a password and select the option to overwrite all empty space. Encrypt your home folder with a different password than the one you chose for whole-disk encryption (make sure BOTH are STRONG -- and DO NOT use the automatic log in option). Then you can transfer your documents, music, photos, etc. to your HDD.

Both Linux Mint 15 and Ubuntu 13.04 support almost all modern PC hardware (webcams--although I wouldn't enable mine--printers, mice, thumbs, USB hubs, etc. and support USB 3.0 and Bluetooth 4.0). Linux is NOT impenetrable/infallible. Users can very easily compromise a Linux machine. Scan any thumbs from other machines with something like Clam AV before opening the files.

The reason that I suggest these 2 particularly is that they are 100% usable for Windows users/Linux newbies out of the box. You'd also be fine with Fedora or Debian Stable, but these have a bit more of a learning curve. The downside is that while these two OSs both have long-term support releases that are released every 2 years (currently Ubuntu 12.04 and Mint 13 -- supported for 5 years), their other releases are released every 6 months (13.04 and 15 -- supported for 9 months). Ubuntu 13.10 and Linux Mint 16 will both be released in the next month or two, so you may want to hold off or choose LTS versions (if all hardware is supported).

When you want to use TOR or any other activity that depends on having anonymity, you can reboot and follow the above instructions to run a "live" TAILS disk. It's fine to run TOR on Linux with your primary OS, but I wouldn't recommend that if privacy is essential. Like Sourman said, having a read-only media for your live OS prevents files (NSA persistent cookies for example) from being written to your PC.

Quote
damn, I need to learn more about security in the hidden web

Indeed. But you need to learn more about security generally, not just for the hidden web. I hope you're not using IE for your clearnet browsing.

I want to add that NO OS that is connected to a network is ever 100% secure.
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: flwrchlds9 on October 13, 2013, 05:01 am
OP Updated to add 2007 NSA Paper on tor vulnerabilities released from Snowden archives.

FoxAcid
Quote
The FoxAcid system

According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate.

The servers are on the public internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA.

However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks.

FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. An example of one such tag [LINK REMOVED] is given in another top-secret training presentation provided by Snowden.

There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.

The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it.

According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets.

The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations.

In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.

According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual, are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer; called Personal Security Products or PSP, in the manual.

FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them.

FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.
Title: Re: Operation "EgotisticalGiraffe" TBB Exploit used on FH takedown. Persist Cookies!
Post by: jpinkman on October 13, 2013, 05:43 am
My understanding is that Quantum was used to describe the program and machine name used for MITM attacks. The name Quantum was given because they used a Quantum computer to create the race condition, wired into a backbone provider, that could deliver faster requests than the machine hosting the bundling software. The race condition allows it to intercept your requests when you're downloading the latest TOR bundle, which instead downloads their malware-infested TOR bundle.

While the malware is owning you it also manipulates your TOR browser user agent ID so they can easily know and track who they've compromised and who they haven't. It's good to make sure your user agent ID is the one it's supposed to be and to scrutinize it carefully by hitting a site like whatsmyuseragent.com