If you write a simple Flash program that opens a socket to a remote server, you can embed that on a site and use it to identify certain people running through Tor or any other SOCKS/HTTP proxy. It will only catch people who have configured their proxy very poorly. This has been known for well over a decade and it just catches the low-hanging fruit; it's really not an innovative tactic, you can find it on all sorts of sites. If you use the Tor Browser Bundle, it will route Flash through Tor so you're immune.
However, during Operation Torpedo, the FBI deployed an "implant" on Freedom Hosting's servers which was an exploit for CVE-2013-1690, a vulnerability in Firefox. Wasn't a 0-day, but a lot of people using TBB had not patched yet. This was just some Javascript which executed a small bit of Windows shellcode, sending each victim's IP address, MAC address, and a serial number to an FBI-controlled server. The only way to be safe from this was with an updated Firefox version, and/or running NoScript.
> It will only catch people who have configured their proxy very poorly.
To add to this, in Firefox if you use this: http://i.imgur.com/ajT98xC.png, Flash does not obey it. I kinda think Mozilla should put some kind of warning text on this dialog window to warn users that it doesn't apply to Flash, Silverlight or any plugins. This surprised me at first but it makes sense if you think about it. You really have to do a system-wide VPN type thing. Something like this: https://github.com/apenwarr/sshuttle will actually tunnel everything on your PC.
Careful, sshuttle doesn't route UDP, and by default does not route DNS requests either.
For Firefox, I don't think they should bother anyway, the world is killing flash, if you want to be anonymous on the internet use noscript and don't install flash in the first place.
Hmmmmmm..... So from what I gather here, if the ActionScript is using the regular getURL[1], that call is passed to the browser and will be proxied. But if Flash tries to open up a raw socket[2] on its own, it won't know about the proxy and will just fail (or reveal your true IP).
Interesting to me though is that that article seems to imply that if you are after an Onion server you only need one "idiot" using it in order to unmask it. By compromising that user, their compromised system will get you information about the server. Or did I misread what they were implying?
You're misreading it. They already had a guy at the web hotel. The injected code unmasked the visitors, allowing the FBI to go out and arrest them along with taking down the site itself.
According to the article, Operation Torpedo happened one year earlier than the Freedom Hosting hack. I don't think we have seen the results of the latter yet.
The Freedom Hosting event was over 1.5 years ago. I'm starting to wonder if there was some procedural / legal issue with that operation. I don't know what would delay the investigation this long otherwise.
This kind of scares me. I don't know much about the case, but the guy is an IT worker, and it's hard for me to believe he'd have such terrible opsec, and he says it wasn't him. I'm all for catching pedophiles and everything, but how did we know it was actually him behind the computer at the time the flash file was loaded? What if it were a friend at the house (maybe even someone intending to frame him), or a virus on a computer in his home using his computer like a VPN, or router malware, or even a passerby or neighbor hijacking his wifi? I give out my wifi password to guests all the time and never change it and might have to change that policy if you can be thrown in prison for years (not to mention irreversible reputational damage) if a request from your home IP hits the wrong server.
Regarding an IT worker making this mistake. The delta of one mistake separates a good opsec plan from one functionally identical to nothing. Even people who have a pretty good idea of what it takes to pull off opsec on the google-searchable web aren't necessarily interested in all of the hoop jumping to stay anonymous. Convenience is one hell of a sumbitch.
> This kind of scares me. I don't know much about the case, but the guy is an IT worker, and it's hard for me to believe he'd have such terrible opsec
There is a wide range of "IT workers". I would guess that 50% of them could easily make this mistake. Security is hard. Maintaining a bunch of computers with poor security is easy (ask sony).
I was wondering about this as well. Couldn't a nefarious Tor user install some sort of outgoing packet-cleaner, which would spoof their outgoing I.P. address for all packets unrelated to Tor?
I.e.: because the Flash exploit didn't establish two-way clearnet communication with the target computer, how can they prove that the outgoing clearnet I.P. was not spoofed?
EDIT: Nevermind, I was assuming too much about the operation of the exploit. More details, for those who are interested, can be found here:
>I.e: because the flash exploit didn't establish two-way clearnet communication with the target computer, how can they prove that the outgoing clearnet I.P. was not spoofed?
I'd assume that the flash snippet establishes a TCP connection, so it has to complete a handshake first. Those are fairly hard to spoof.
The exploit sent his MAC address to them; so barring the use of a VM or macchanger (doubtful if he was loading Flash against all advice) that would at the very least identify the traffic as coming from his computer.
Whether that proves who was at the keyboard or not is an entirely different debate.
No, it didn't. Re-read the article. The sending of MAC addresses occurred in a different, later operation with a new method (custom Firefox exploit code), rather than the Flash based IP-only method that is the focus of this article.
> Like any encryption or privacy system, Tor is popular with criminals.
Out of curiosity, what is the bar for "popular"? Are the majority of criminals using Tor?
I expect Public Defenders are much more popular with criminals. I also expect saying "Public Defenders are popular with criminals" would sound like I'm trying to discredit those people...
Nothing within that suggests Tor has been cracked but highlights that enforcement agencies do not need to crack Tor if other elements of the infrastructure (Flash, Firefox) have vulnerabilities.
There are of course simple ways around that sort of issue. You can create a 2 VM system:
- proxy VM - 2 NICs, one public, one internal to VMs only, runs Tor, exposes only Tor SOCKS5 port to internal network, firewalls everything else
- main VM - 1 NIC, internal only, connects only to the other VM on the Tor SOCKS5 port, preventing any application from being able to connect anywhere else. This VM needs to be somewhat locked down from the host at minimum though: no VM file sharing, probably best to avoid other VM services too.
The only way to break this scheme would be to exploit the Tor proxy port itself to break into the proxy VM from the main VM or to break out of the VM itself. Likely harder than a large codebase like Firefox/Java/Flash. Of course, remember to snapshot and restore once you're configured to avoid any risk of persistent malware.
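A concrete version of the proxy VM's firewall for the two-VM scheme described above, added here as an illustration and not taken from the thread or from any particular project. It assumes two NICs named eth0 (public) and eth1 (internal), Tor running as user debian-tor with its SOCKSPort bound to the internal NIC address, and iptables-restore syntax; all of those names are assumptions and can be overridden via environment variables.

```shell
#!/bin/sh
# Proxy-VM ruleset for a Tor gateway (constructed example).
# Assumed names: PUB = NIC on the real network, INT = NIC on the VM-only
# network, TOR_USER = account the Tor daemon runs as, SOCKS_PORT = the
# SOCKSPort that torrc (not shown) binds to the internal NIC's address.
PUB="${PUB:-eth0}"
INT="${INT:-eth1}"
TOR_USER="${TOR_USER:-debian-tor}"
SOCKS_PORT="${SOCKS_PORT:-9050}"

# Prints an iptables-restore ruleset. Review it, then pipe it into
# `iptables-restore` on the proxy VM.
tor_gateway_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and replies to flows the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The main VM may open TCP connections to Tor's SOCKS port and nothing else
-A INPUT -i $INT -p tcp --dport $SOCKS_PORT --syn -j ACCEPT
-A INPUT -i $INT -j DROP
# Nothing unsolicited is accepted from the public side
-A INPUT -i $PUB -j DROP
# No routing between the NICs: there is no path around the Tor process
-A FORWARD -j DROP
# Only the Tor daemon may talk to the outside, TCP only. Tor resolves
# names through its circuits, so this also closes off DNS/UDP/ICMP leaks.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $PUB -m owner --uid-owner $TOR_USER -p tcp -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Run stand-alone to print the ruleset for inspection.
tor_gateway_rules
```

With these rules the only service the main VM can reach is the SOCKS port, which is exactly the residual exposure the comment above points at; any other leak must come from the hypervisor, not the network.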
A 2013 in the title might be warranted. And the article is actually about an exploit to decloak Tor users which was originally released in 2006, and one of the original reasons for the Tor Browser Bundle.
The surprise is surely that a group expected to use complex and highly technical exploits which come from the minds of top government crackers instead uses years old hacks distributed with a tool known, rightly or wrongly, as the preserve of script-kiddies everywhere?
Who exactly are the "top government crackers"? Probably not the FBI. It's unlikely that the CIA or NSA would give the FBI the time of day, let alone give them access to the latest exploits. Many reports have highlighted the lack of cooperation between government agencies. E.g. [1]
> agency cultures resistant to change and new ideas; inappropriate incentives for promotion; and a lack of cooperation between the FBI, CIA and the rest of the United States Intelligence Community.
> ...
> FBI personnel practices continue to treat all staff other than special agents as support staff, classifying intelligence analysts alongside the FBI's auto mechanics and janitors
Who knows if any of that is true anymore, but it's unlikely that giant organizations (especially government bureaucracies) can change their stripes in timeframes shorter than decades.
>Who exactly are the "top government crackers"? //
I was saying that was the expectation, that one perceives that the government has the best people on the job, the brightest minds in the pen community. I'm open to that not being true but surely with their financial clout the US Gov has some such people at hand whether that be in the NSA/FBI or [other] armed forces?
Why would they use their own tools and risk revealing them to the public when they can use a recognized existing tool and mask their full capabilities?
A separate BSD firewall box to prevent any connections outside Tor would've prevented this, or thegrugq's p.o.r.t.a.l. box. These attacks will only get better; FF 0day isn't all that expensive, so simply disabling JavaScript won't be an option in the future, though it prevented the second attack where a custom exploit was used by the FBI.
What's the legal defense if a random .onion address is posted claiming it's leaked juicy Sony emails and scripts and it turns out to be an illegal porn site full of FBI snitchware? How do they draw a legal distinction between a pervert and an idiot who clicks a link?
> "How do they draw a legal distinction between a pervert and an idiot who clicks a link?"
Much of child porn law centers around "intent" -- it's not illegal to see child porn (and be like "oh nasty, don't want that, alt-f4"), it's illegal to intentionally produce, procure, possess, or distribute it.
If the FBI controls the server, they can monitor connections and behavior. Did the user open the site and then immediately leave? Did they scroll around? Did they click images or videos? Did they access multiple pages which are clearly identified as perv material rather than leaked juicy Sony e-mails? Loading the site and then immediately leaving doesn't show intent, but loading the site and then digging around on it does. (There's also the next level -- once the FBI identifies a potential perv-or-idiot and seizes their box, they can check for additional evidence, like whether someone has accumulated a collection of child porn.)
The legal defense concept that would apply is called an "affirmative defense". It basically says yes, you did the thing in question, but explains that there was no criminal intent. Like, yes, I clicked on a link that took me to a website with illegal content, but I was misled, as you can see from my behavior of immediately hitting the "back" button. (Likewise, if you find in your large porn collection that a few images are actually illegal, you can safely delete them or turn them over to police -- the fact that your main collection is legal, and that you acted to get rid of the illegal content, shows that you did not have criminal intent.)
>FF 0day isn't all that expensive so simply disabling JavaScript won't be an option in the future
Do you have any example of an exploit that would not require JavaScript? AFAIK they are usually about JavaScript memory handling in order to evade the sandbox.
Just go through FF CVEs and look for vulnerabilities that enable remote code execution without .js like .cpp malformed text rendering.
Doesn't seem to me that the FBI cares about hiding the fact your browser has been exploited, as their last known attempt (Freedom Hosting) didn't try very hard to cover its tracks.
I'm not too sure about Firefox specifically but I know there were some vulnerabilities in image format handling etc. that could be exploited without JS; this is the most prominent one that comes to mind:
However, to evade detection and frustrate any reverse-engineering attempts, even these sorts of exploits are usually "packaged" in an obfuscated JS wrapper, so they would still require it enabled to work.
>Now Metasploit has a new and surprising fan: the FBI. WIRED has let Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.
Looks like this is vanilla proxy piercing with flash. This would only work against misconfigured tor clients.
Every one of these threads, here and on Reddit, ends up packed with accounts demanding "proof" of vulnerability or saying it's a silly conspiracy to say that the typical Tor install provides very weak protection.
People always demanding hard proof seem to have an inability to draw conclusions for themselves.
Are there missing facts and figures? Yes.
Welcome to real life, where you have to make up your mind with what you have available. People have to learn to use and correlate the information they have, historical information, precedent etc., and make up a model for what's going on, instead of demanding some sanctious data to be passed upon them, like a Holy Book.
As Alan Kay said, "a point of view is worth 80 IQ points"
(Not to mention that the "hard facts" they tend to accept (government statements, reports etc) could as well be fabricated, and historically have more often than not been).
>I shall notify the scientific journals of this conclusion forthwith.
No, you should just re-read the part that says:
>Welcome to real life, where you have to make up your mind with what you have available. People have to learn to use and correlate the information they have, historical information, precedent etc, and make up a model for what's going on, instead of demanding some sanctious data to be passed upon them, like a Holy Book.
And then you have to learn to consider the context when replying -- which was not scientific research.
If you expect peer reviewed hard data handed down from the likes of the FBI before you make up your mind, you're obviously not paying attention.
This post is now 12 hours old, and I can't see a single response along those lines, let alone a comment section packed with such things. You may want to rethink your prejudice...