With all of the NSA-related diaries on the site recently, I have seen folks mention the use of TOR (an acronym for "the onion router") as a means to do things on the web anonymously. Personally, I don't use TOR because I don't see the need and I am inherently skeptical of "we can hide you" services such as this. Over the last couple of days the service, and the browser and network which support it, have been in the news - this piqued my curiosity. Please read on if you are curious too.
So what is TOR? According to their website:
Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.
In addition to providing anonymous access to internet services, the network also allows for anonymous or hidden website hosting. These hidden websites (which are accessible only through TOR) allow not only the users to be anonymous, but the servers as well:
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
According to TOR, this allows the service to:
protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Anonymous web hosting can also be used for nefarious purposes, as is the case with the examples below.
TOR's recent controversy began with the arrest of a man in Ireland named Eric Eoin Marques. The FBI alleges that the 28-year-old Mr. Marques is "the largest facilitator of child porn on the planet." Mr. Marques is also "believed to be behind Freedom Hosting, the biggest service provider for sites on the encrypted Tor network".
According to The Verge:
Freedom Hosting is the largest and best-known hidden service provider, hosting a number of prominent darknet destinations, including well-known child pornography sites as well as [site name redacted by the diarist], an online marketplace for drugs and other illegal merchandise. Its high profile as a safe haven for child porn earned it the ire of internet activist collective Anonymous, which used DDoS attacks to temporarily take it offline in 2011. Marques is scheduled to appear in Ireland’s High Court on Thursday, reports The Independent.
In all fairness to TOR, they released a statement:
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.
So, the Freedom Hosting servers are now down (along with the child porn they were serving) and Mr. Marques is in jail awaiting extradition to Maryland to face the FBI charges. But the story doesn't end here; it just gets more interesting.
Apparently, to make TOR easier to use, the TOR team created a package called the TOR Browser Bundle (TBB). The TBB is based on a modified version of a Firefox release, named Firefox 17 ESR. According to TOR:
The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
An exploit of TBB allowed this to occur:
Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.
Not only were websites impacted, but according to InformationWeek:
"The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service."
In short, anyone accessing Freedom Hosting servers was not anonymous if they were using anything other than the latest patched version of TBB. It is not clear to me if users of the other affected TOR services were compromised. It should also be noted that this was not a 0-day exploit; a bug had been opened in June with Mozilla (the organization which develops Firefox) against the vulnerability which allowed this exploit to occur. According to Mozilla the bug has been fixed and a new version of Firefox ESR has been released. The TOR project did release a rather interesting statement related to this issue, when it said yesterday (August 4):
We're investigating these bugs and will fix them if we can.
Whether this means that the TOR team has more to do to fix this exploit is unclear to me.
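The deanonymization described above works because the browser is made to fetch a clearnet URL directly, carrying a UUID, instead of sending everything through Tor. The following is an added example, not code from the diary or from the Tor Project, of the host-side check a defender could run over a per-process connection log: any browser connection that does not go to the local Tor SOCKS listener is flagged, and a UUID-shaped tag in the URL is noted as the second indicator. The log format, the process names and the SOCKS port (127.0.0.1:9150) are assumptions made for the example, and the log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (not from the diary): the browser is expected to reach the
# network only via the bundle's local SOCKS listener, and 9150 is the port
# the bundled Tor instance is assumed to listen on.
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCS = {"firefox", "firefox.exe"}

# A UUID-shaped token in the URL is the tagging behaviour the diary
# describes; a direct clearnet fetch from the browser is the Tor bypass.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
LOG_RE = re.compile(
    r"proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)(?: url=(?P<url>\S+))?")

@dataclass
class Finding:
    line: str
    reasons: List[str]

def check_line(line: str) -> Optional[Finding]:
    """Flag a browser connection that bypasses the local Tor SOCKS port."""
    m = LOG_RE.search(line)
    if not m or m["proc"] not in BROWSER_PROCS:
        return None          # unparseable, or not a browser event
    if (m["ip"], int(m["port"])) == TOR_SOCKS:
        return None          # went through the SOCKS proxy: not a leak
    reasons = ["browser egress bypasses Tor SOCKS proxy"]
    if m["url"] and UUID_RE.search(m["url"]):
        reasons.append("UUID-shaped tag in request URL")
    return Finding(line, reasons)

def find_leaks(lines: List[str]) -> List[Finding]:
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed per-process connection log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "proc=firefox dst=127.0.0.1:9150 url=http://example.onion/index.html",
    "proc=tor dst=203.0.113.5:9001",
    "proc=firefox dst=198.51.100.7:80 "
    "url=http://198.51.100.7/?id=6f1a2b3c-4d5e-4f60-8a7b-9c0d1e2f3a4b",
    "proc=firefox dst=127.0.0.1:9150 url=http://example.onion/?s=search",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        print(f.line, "->", "; ".join(f.reasons))
```

Only the third constructed line is reported: the tor process talking to a relay is expected, and browser traffic to the SOCKS port is what the bundle is supposed to do.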
In the interest of full disclosure about this exploit, according to Wired.com:
“The attackers pent [sic] a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsrklevich, who reverse-engineered the Magneto code.
The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.
In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.
But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?
Before anyone goes on a tear about Wired's speculation, imagine what would happen if the person writing the malware were not writing code that was the "embodiment of a carefully crafted court order". In short, you'd be seriously hosed. Secondly, I would hope that we all can agree that catching people who traffic in or consume child pornography is the right thing to do.
So what are the takeaways from this?
- There is no shortcut to protecting yourself on the internet. If anyone actually reads this, and there are comments which recommend solutions - don't just start using them, do some research first!
- Understand the technology you are introducing into your lives - whether it's TOR, a cell phone or a smart tv.
- If you do decide to use TOR to access the secret sites it hosts, do your best to make sure you understand the organization hosting the site. Since everything is anonymous I have no idea how you would do that.
- Keep your anti-virus definitions up to date and make sure you are protected by a firewall.
- Keep the applications on your computer up to date too.
- It can't be stressed enough, do your research!