
The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users - dnetesn
http://www.wired.com/2014/12/fbi-metasploit-tor/
======
meowface
This article is talking about 2 different things.

If you write a simple Flash program that opens a socket to a remote server,
you can embed that on a site and use it to identify certain people running
through Tor or any other SOCKS/HTTP proxy. It will only catch people who have
configured their proxy very poorly. This has been known for well over a decade
and it just catches the low-hanging fruit; it's really not an innovative
tactic, you can find it on all sorts of sites. If you use the Tor Browser
Bundle, it will route Flash through Tor so you're immune.

However, during Operation Torpedo, the FBI deployed an "implant" on Freedom
Hosting's servers which was an exploit for CVE-2013-1690, a vulnerability in
Firefox. Wasn't a 0-day, but a lot of people using TBB had not patched yet.
This was just some Javascript which executed a small bit of Windows shellcode,
sending each victim's IP address, MAC address, and a serial number to an FBI-
controlled server. The only way to be safe from this was with an updated
Firefox version, and/or running NoScript.

~~~
smtddr
> _It will only catch people who have configured their proxy very poorly._

To add to this, in Firefox if you use this:
[http://i.imgur.com/ajT98xC.png](http://i.imgur.com/ajT98xC.png) , Flash does
not obey it. I kinda think Mozilla should put some kind of warning-text on
this dialog window to warn users that it doesn't apply to Flash, Silverlight or
any plugins. This surprised me at first but it makes sense if you think about
it. You really have to do a system-wide VPN type thing. Something like this:
[https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)
will actually tunnel everything on your PC.

~~~
alex_duf
Careful, sshuttle doesn't route UDP, and by default does not route DNS
requests either.

For Firefox, I don't think they should bother anyway, the world is killing
flash, if you want to be anonymous on the internet use noscript and don't
install flash in the first place.

~~~
smtddr
Oh wow! Thanks for this heads up!

------
plethora99
This kind of scares me. I don't know much about the case, but the guy is an IT
worker, and it's hard for me to believe he'd have such terrible opsec, and he
says it wasn't him. I'm all for catching pedophiles and everything, but how
did we know it was actually him behind the computer at the time the flash file
was loaded? What if it were a friend at the house (maybe even someone
intending to frame him), or a virus on a computer in his home using his
computer like a VPN, or router malware, or even a passerby or neighbor
hijacking his wifi? I give out my wifi password to guests all the time and
never change it and might have to change that policy if you can be thrown in
prison for years (not to mention irreversible reputational damage) if a
request from your home IP hits the wrong server.

~~~
darkarmani
> This kind of scares me. I don't know much about the case, but the guy is an
> IT worker, and it's hard for me to believe he'd have such terrible opsec

There is a wide range of "IT workers". I would guess that 50% of them could
easily make this mistake. Security is hard. Maintaining a bunch of computers
with poor security is easy (ask sony).

~~~
ritonlajoie
to be fair, the attack surface on sony is much larger than my home computer's.

------
rday
> Like any encryption or privacy system, Tor is popular with criminals.

Out of curiosity, what is the bar for "popular"? Are the majority of criminals
using Tor?

I expect Public Defenders are much more popular with criminals. I also expect
saying "Public Defenders are popular with criminals" would sound like I'm
trying to discredit those people...

~~~
cbd1984
You know what else is popular with criminals?

Walls.

Mailing using envelopes instead of postcards, especially those envelopes with
the ink patterns that make it harder to see through them.

 _Not_ yelling things into a cell phone at top volume when you're out in the
street.

The First, Fourth, and Fifth Amendments to the American Constitution, and
equivalents elsewhere in the world.

~~~
sp332
Cash! Dollar bills are like anonymous physical bitcoins!

~~~
Crito
Bitcoin but without the audit trail! Now who could possibly want such a thing
besides criminals...

------
Sniperfish
Nothing within that suggests Tor has been cracked but highlights that
enforcement agencies do not need to crack Tor if other elements of the
infrastructure (Flash, Firefox) have vulnerabilities.

~~~
ultramancool
There are of course simple ways around that sort of issue. You can create a 2
VM system:

- proxy VM - 2 NICs, one public, one internal to VMs only, runs Tor, exposes
only Tor SOCKS5 port to internal network, firewalls everything else

- main VM - 1 NIC, internal only, connects only to other VM on Tor SOCKS5
port. Preventing any application from being able to connect. This VM needs to
be somewhat locked down from the host at minimum though, no VM file sharing,
probably best to avoid other VM services too.

The only way to break this scheme would be to exploit the Tor proxy port
itself to break into the proxy VM from the main VM or to break out of the VM
itself. Likely harder than a large codebase like Firefox/Java/Flash. Of
course, remember to snapshot and restore once you're configured to avoid any
risk of persistent malware.
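As an added illustration of the two-VM scheme above (this is not code from the thread or from any project mentioned in it), below are nftables rulesets for the two guests. The interface names (eth0 external, eth1 internal), the internal subnet 10.152.152.0/24, the proxy VM address 10.152.152.10, the Tor SOCKS port 9050 and the Tor daemon's user name "debian-tor" are all assumptions chosen for the example; Tor on the proxy VM is assumed to be configured with `SocksPort 10.152.152.10:9050`.

```nft
### File 1: /etc/nftables.conf on the proxy VM (runs Tor, 2 NICs)
# Assumed: eth0 = external NIC, eth1 = internal VM-only NIC,
#          Tor runs as user "debian-tor" and listens on 10.152.152.10:9050.
flush ruleset

table inet torgw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Internal VMs may reach exactly one thing: the Tor SOCKS port.
        iifname "eth1" ip saddr 10.152.152.0/24 tcp dport 9050 accept
        # Everything else (including anything arriving on eth0) is dropped.
        counter log prefix "torgw-input-drop: " drop
    }

    chain forward {
        # The proxy VM is not a router: never pass packets between NICs.
        type filter hook forward priority 0; policy drop;
        counter log prefix "torgw-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # Only the Tor process may open new outbound TCP connections, and only
        # on the external NIC. No UDP at all, so the gateway cannot leak DNS.
        oifname "eth0" meta skuid "debian-tor" ct state new tcp accept
        # Anything else trying to leave is a leak worth logging.
        counter log prefix "torgw-output-drop: " drop
    }
}

### File 2: /etc/nftables.conf on the main (workstation) VM, 1 internal NIC
# Assumed: eth0 here is the internal NIC on 10.152.152.0/24.
flush ruleset

table inet workstation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        counter log prefix "ws-input-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # The only permitted destination is the proxy VM's Tor SOCKS port.
        ip daddr 10.152.152.10 tcp dport 9050 ct state new accept
        # A browser plugin or exploited process connecting anywhere else
        # is blocked, and the attempt shows up in the kernel log.
        counter log prefix "ws-leak-attempt: " drop
    }
}
```

Applications in the workstation VM are then pointed at SOCKS5 10.152.152.10:9050 with remote (proxy-side) hostname resolution, so the guest itself never needs a DNS server and no UDP path exists; a process that ignores the proxy setting, as the Flash case in this thread does, hits the `ws-leak-attempt` rule instead of the network. Load each file on its own VM with `nft -f /etc/nftables.conf`.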

~~~
lambada
The scheme you propose is exactly what Whonix provides.
[https://www.whonix.org/wiki/Main_Page](https://www.whonix.org/wiki/Main_Page)

------
thefreeman
A 2013 in the title might be warranted. And the article is actually about an
exploit to decloak Tor users which was originally released in 2006, and one of
the original reasons for the Tor Browser Bundle

------
lotsofcows
Apparently it's a surprise to Wired that a group that engages in hacking uses
a tool commonly used for hacking.

~~~
pbhjpbhj
The surprise is surely that a group expected to use complex and highly
technical exploits which come from the minds of top government crackers
instead uses years old hacks distributed with a tool known, rightly or
wrongly, as the preserve of script-kiddies everywhere?

~~~
PhantomGremlin
Who exactly are the "top government crackers"? Probably not the FBI. It's
unlikely that the CIA or NSA would give the FBI the time of day, let alone
give them access to the latest exploits. Many reports have highlighted the
lack of cooperation between government agencies. E.g. [1]

    
       agency cultures resistant to change and
       new ideas; inappropriate incentives for
       promotion; and a lack of cooperation
       between the FBI, CIA and the rest of
       the United States Intelligence Community.
       ...
       FBI personnel practices continue to treat
       all staff other than special agents as
       support staff, classifying intelligence
       analysts alongside the FBI's auto mechanics
       and janitors
    

Who knows if any of that is true anymore, but it's unlikely that giant
organizations (especially government bureaucracies) can change their stripes
in timeframes shorter than decades.

[1]
[https://en.wikipedia.org/wiki/Federal_Bureau_of_Investigatio...](https://en.wikipedia.org/wiki/Federal_Bureau_of_Investigation#September_11th_attacks)

~~~
pbhjpbhj
> _Who exactly are the "top government crackers"?_ //

I was saying that was the _expectation_ , that one _perceives_ that the
government has the best people on the job, the brightest minds in the pen
community. I'm open to that not being true but surely with their financial
clout the US Gov has some such people at hand whether that be in the NSA/FBI
or [other] armed forces?

------
pakled_engineer
A separate BSD firewall box to prevent any connections outside Tor would've
prevented this, or thegrugq's p.o.r.t.a.l. box. These attacks will only get
better, FF 0day isn't all that expensive so simply disabling JavaScript won't
be an option in the future, which prevented the second attack where a custom
exploit was used by the FBI.

What's the legal defense if a random .onion address is posted claiming it's
leaked juicy Sony emails and scripts and it turns out to be an illegal porn
site full of FBI snitchware? How do they draw a legal distinction between a
pervert and an idiot who clicks a link?

~~~
rjaco31
>FF 0day isn't all that expensive so simply disabling JavaScript won't be an
option in the future

Do you have any example of an exploit that would not require JavaScript? AFAIK
they are usually about JavaScript memory handling in order to evade the
sandbox.

~~~
pakled_engineer
Just go through FF CVEs and look for vulnerabilities that enable remote code
execution without .js like .cpp malformed text rendering.

Doesn't seem to me that the FBI cares about hiding the fact your browser has
been exploited as their last known attempt (freedom hosting) didn't try very
hard to cover its tracks.

------
wcummings
>Now Metasploit has a new and surprising fan: the FBI. WIRED has let
Metasploit side project called the “Decloaking Engine” to stage its first
known effort to successfully identify a multitude of suspects hiding behind
the Tor anonymity network.

Looks like this is vanilla proxy piercing with flash. This would only work
against misconfigured tor clients.

[https://www.torproject.org/docs/faq.html.en#TBBFlash](https://www.torproject.org/docs/faq.html.en#TBBFlash)

------
secfirstmd
Possible...Though it could also be an example of "parallel reconstruction,"
with the real method of exposure actually something else. NSA etc.

------
textphone
Every one of these threads, here and on Reddit, ends up packed with accounts
demanding "proof" of vulnerability or saying it's a silly conspiracy to say
that the typical Tor install provides very weak protection.

~~~
watty
Why does this surprise you? The internet is made up of all sorts of
fabricated content; proof should be required.

~~~
coldtea
People always demanding hard proof seem to have an inability to draw
conclusions for themselves.

Are there missing facts and figures? Yes.

Welcome to real life, where you have to make up your mind with what you have
available. People have to learn to use and correlate the information they
have, historical information, precedent etc, and make up a model for what's
going on, instead of demanding some sanctious data to be passed upon them, like
a Holy Book.

As Alan Kay said, "a point of view is worth 80 IQ points"

(Not to mention that the "hard facts" they tend to accept (government
statements, reports etc) could as well be fabricated, and historically have
more often than not been).

~~~
cbd1984
> People always demanding hard proof seem to have an inability to draw
> conclusions for themselves.

I shall notify the scientific journals of this conclusion forthwith.

Next up: "The abstract is just TL;DR culture which is killing literacy. If you
want to know what's in a paper, _read it._ "

~~~
coldtea
> _I shall notify the scientific journals of this conclusion forthwith._

No, you should just re-read the part that says:

> _Welcome to real life, where you have to make up your mind with what you
> have available. People have to learn to use and correlate the information
> they have, historical information, precedent etc, and make up a model for
> what's going on, instead of demanding some sanctious data to be passed upon
> them, like a Holy Book._

And then you must have to learn to consider the context when replying -- which
was not scientific research.

If you expect peer reviewed hard data handed down from the likes of the FBI
before you make up your mind, you're obviously not paying attention.

~~~
cbd1984
This contributes nothing to the discussion and is jerkish besides.

