http://www.bloomberg.com/news/articles/2015-09-22/russia-s-plan-to-crack-tor-crumbles
The Kremlin was willing to pay 3.9 million rubles ($59,000) to anyone able to crack Tor, a popular tool for communicating anonymously over the Internet. Now the company that won the government contract expects to spend more than twice that amount to abandon the project.
The Central Research Institute of Economics, Informatics, and Control Systems—a Moscow arm of Rostec, a state-run maker of helicopters, weapons, and other military and industrial equipment—agreed to pay 10 million rubles ($150,000) to hire a law firm tasked with negotiating a way out of the deal, according to a database of state-purchase disclosures. Lawyers from Pleshakov, Ushkalov and Partners will work with Russian officials on putting an end to the Tor research project, along with several classified contracts, the government documents say.
Last year, Russia’s Interior Ministry posted a contract seeking a group “to study the possibility of obtaining technical information on users and users’ equipment of Tor anonymous network.” A spokesman for the Interior Ministry department that placed the Tor order declined to comment on Tuesday. The Rostec research group declined to comment.
http://www.theregister.co.uk/2016/04/21/federal_judge_torpedos_tor_pedo_torpedo/
A ruling by a US federal judge could unravel as many as 1,200 criminal prosecutions of alleged pedophiles by the FBI.
Massachusetts District Court Judge William Young today declared that the magistrate judge who issued a warrant authorizing the FBI to infect suspects' PCs with tracking malware lacked the proper authority to do so.
In early 2015, the Feds had used the warrant to install a so-called NIT – a Network Investigative Technique – on the computers of people who visited a website hidden in the Tor network that hosted a huge archive of photos and videos of child sex abuse.
The agents commandeered the website's server, and before shutting it down, configured it to deliver the NIT to perverts' PCs for a couple of weeks, allowing investigators to unmask and identify the website's visitors even though they were connecting via the anonymizing Tor network. Each NIT, once in place on a computer, was able to ping an outside FBI-controlled system to reveal a suspect's true public IP address, which could be traced back to their home with their ISP's help.
Hundreds of machines visiting the hidden Playpen website were infected by the FBI's NIT. However, it turns out that the warrant was invalid, and that this mass installation and monitoring was effectively an unlawful search.
http://www.theregister.co.uk/2016/05/26/judge_torpedoes_tor_pedo/
A US District Court judge has tossed out evidence gathered by the FBI from Tor users, because the Feds wouldn't reveal how exactly they exploited their browsers to unmask them.
Jay Michaud, a Vancouver school administration worker, was charged with viewing a hidden service called Playpen, which hosted child abuse material, on the Tor anonymizing network. Tor works by running connections between users and servers through a large web of nodes, thus masking people's true IP addresses on the internet.
Unknown to Michaud, at the time he's accused of viewing the material, the server was already under the control of the Feds. The FBI had seized the system in February 2015 and ran it for a few weeks, adding their own server-side software to exploit a vulnerability in the Firefox-based Tor Browser and get visitors' public IP addresses and MAC addresses. The details of this vulnerability and how it was exploited by the FBI aren't known.
Michaud was arrested in July 2015.
In March of this year, the FBI refused to provide details of its “network investigative technique” (NIT) to the court, leading Michaud's lawyers to ask for the case to be dismissed.
Mozilla had backed the defence in the case, on the basis that if the FBI wouldn't reveal its techniques, browsers like its Firefox software couldn't be patched against vulnerabilities.
US District Judge Robert Bryan didn't demand the release of the exploit, but decided that the defence lawyers had a right to see it, so they could confirm that the FBI didn't breach the terms of the warrant they used to gather the data. And thus, the whole thing should be thrown out before it gets too Kafkaesque.
In an order on Wednesday [PDF], Bryan dismisses the evidence, writing: “For the reasons stated orally on the record, evidence of the N.I.T., the search warrant issued based on the N.I.T., and the fruits of that warrant should be excluded and should not be offered in evidence at trial. The court should not now order dismissal.”
The FBI's stance in this case is in contrast to the White House April 2014 assertion that government agencies aren't hoarding bugs. ®
Either inadvertently or deliberately, the court has also posted the deposition given by a security analyst working for the public defender in the case.
The filing, by Vlad Tsyrklevich, explains what the FBI refused to provide the defence.
Tsyrklevich was able to determine that the FBI worked out how to get the IP address and another identifier (which might have been the MAC address) from a target's machine.
However, the one component of the payload that the feds offered the defence didn't include how the payload was generated, what exploit the FBI used, or how their server collected data.
Tsyrklevich, currently identified as a security engineer for Square, says without the code for the client, he can't verify whether the FBI could be certain that it had a unique identifier for Michaud.
He adds that the server-side code is also vital evidence, since it would verify whether the FBI was storing the data it received properly. He cited the 2013 “watering hole” attack against Freedom Hosting, which served an NIT to people who were visiting legitimate sites as well as those surfing illegal content. ®
http://www.nytimes.com/2016/07/14/technology/tor-project-a-digital-privacy-group-reboots-with-new-board.html?_r=0
The new board is part of Ms. Steele’s broader restructuring as she seeks to promote the legitimacy of the Tor Project. Apart from dealing with the allegations over Mr. Appelbaum, the organization has also struggled to fend off an image as a "Dark Web" tool used by drug dealers and pedophiles. An official from the Justice Department recently incorrectly cited a statistic claiming 80 percent of traffic on the Tor network involved child pornography. That statistic, however, came from a study involving a separate service, Tor Hidden Services, which accounts for less than 2 percent of all Tor traffic.
http://www.theregister.co.uk/2016/07/26/boffins_snoop_on_snooping_tor_nodes/
A pair of researchers from Northwestern University are working on a framework to let users identify misbehaving Tor nodes.
In a brief paper presented to last week's Privacy Enhancing Technologies symposium in Germany, they suggest their proof-of-concept worked, turning up 110 snooping relays on Tor. Northwestern University's Amirali Sanatinia and Guevara Noubir made the discovery on a 72-day run of their toolkit starting in February.
The problem centres around hidden services, which are meant to protect users by keeping traffic on the Tor network. That protects users against attacks that match entry-node traffic to exit-node traffic, because there's no exit node.
However, as CloudFlare-supported research found last year, the Hidden Service Directory (HSDir) then becomes an attack vector.
That's what Sanatinia and Noubir went to work on in this brief paper. They describe “honey onions” (honions) that they reckon “expose when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts”.
So as not to skew Tor's hidden service statistics, the researchers deployed 1,500 of their honions in each batch run: this was enough to cover the roughly 3,000 HSDir nodes on Tor, without concentrating honion traffic too much.
Cutting to the statistics: of the 110 malicious HSDir nodes the researchers claim existed, more than 70 per cent were hosted on cloud infrastructure like Vultr, and 25 per cent of them were configured to act as both HSDir and Exit nodes (across all of Tor only 15 per cent of HSDirs are also Exit nodes); and the top five countries for malicious HSDirs were the USA, Germany, France, the UK and the Netherlands.
The Tor Project is aware of the HSDir problem; its various mailing lists contain a lot of discussion about ways to better protect hidden service users.
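The honion idea described above, simulated as an added example (this is not the Northwestern researchers' code): each honion is published to a few HSDirs and never advertised, so any visit to it means one of its hosting relays leaked the address, and the smallest set of relays that explains every visit is a set-cover problem. Relay names, honion names and the placement are constructed.

```python
"""Honey-onion (honion) style detection of snooping HSDir relays.

Model: a honion is a hidden-service descriptor published to a handful of
HSDir relays and advertised nowhere else, so a client visit to a honion means
at least one of its hosting HSDirs leaked the address. Given the set of
visited honions, the smallest set of HSDirs that explains every visit is a
minimum set cover over the placement map. Everything below is constructed.
"""
from itertools import combinations

# Constructed placement: honion -> HSDirs its descriptor was published to.
PLACEMENT = {
    "honion1": {"hsdir3", "hsdir0", "hsdir1"},
    "honion2": {"hsdir3", "hsdir2", "hsdir4"},
    "honion3": {"hsdir7", "hsdir5", "hsdir6"},
    "honion4": {"hsdir7", "hsdir8", "hsdir9"},
    "honion5": {"hsdir0", "hsdir5", "hsdir8"},
    "honion6": {"hsdir1", "hsdir6", "hsdir9"},
    "honion7": {"hsdir2", "hsdir4", "hsdir0"},
    "honion8": {"hsdir3", "hsdir7", "hsdir1"},
}

# Constructed ground truth for the simulation only: relays that crawl every
# descriptor they host. The detection functions never look at this.
SNOOPERS = {"hsdir3", "hsdir7"}


def simulate_visits(placement, snoopers):
    """Honions that get visited if `snoopers` crawl everything they host."""
    return {h for h, dirs in placement.items() if dirs & snoopers}


def minimum_covers(placement, visited):
    """All smallest sets of HSDirs such that every visited honion is hosted by
    at least one relay in the set. Exact search; fine for a small relay pool.
    The cover size is a lower bound on the number of misbehaving relays."""
    if not visited:
        return []
    pool = sorted(set().union(*(placement[h] for h in visited)))
    for size in range(1, len(pool) + 1):
        covers = [set(c) for c in combinations(pool, size)
                  if all(placement[h] & set(c) for h in visited)]
        if covers:
            return covers
    return []


def greedy_cover(placement, visited):
    """Greedy set cover: repeatedly take the relay hosting the most still
    unexplained visited honions. Scales to thousands of HSDirs but may pick
    more relays than the true minimum."""
    remaining, chosen = set(visited), set()
    while remaining:
        pool = sorted(set().union(*(placement[h] for h in remaining)))
        best = max(pool, key=lambda d: sum(d in placement[h] for h in remaining))
        chosen.add(best)
        remaining = {h for h in remaining if best not in placement[h]}
    return chosen


def suspicious_relays(placement, visited):
    """Relays present in every minimum cover: the ones the visits alone
    single out. Relays in only some covers are ambiguous and need another
    batch with a different placement to resolve."""
    covers = minimum_covers(placement, visited)
    return set.intersection(*covers) if covers else set()


if __name__ == "__main__":
    seen = simulate_visits(PLACEMENT, SNOOPERS)
    print("visited honions:", sorted(seen))
    print("minimum covers :", minimum_covers(PLACEMENT, seen))
    print("greedy cover   :", sorted(greedy_cover(PLACEMENT, seen)))
    print("singled out    :", sorted(suspicious_relays(PLACEMENT, seen)))
```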
https://yro.slashdot.org/story/16/08/11/2317249/tor-promises-not-to-build-backdoors-into-its-services
Tor has published what it calls a "Social Contract" comprising promises to users and the principles the team believes in. Whatever the reason is, its social contract contains one interesting pledge: "We will never implement front doors or back doors into our projects," the team wrote. Tor's ability to keep users anonymous made it the go-to browser of people looking for drugs, illegal firearms, hitmen, child porn and other things you won't find on eBay or YouTube. If there's a browser law enforcement agencies would want a backdoor to, it's Tor, especially since its main source of funding is the U.S. government. That's right -- the famous anonymizing network gets most of its money from a government known for conducting mass surveillance on a global scale. Loudly proclaiming that it will never build a backdoor into its services might not even matter, though. The government already proved once that it's capable of infiltrating the dark web. If you'll recall, the FBI identified 1,500 users of a child porn website called "Playpen" by deploying a Tor hacking tool. It led to numerous court battles that opened up the discussion on the validity of evidence obtained without warrant through malware.
https://yro.slashdot.org/story/16/11/07/214254/unsealed-court-docs-show-fbi-used-malware-like-a-grenade
In 2013, the FBI received permission to hack over 300 specific users of dark web email service TorMail. But now, after the warrants and their applications have finally been unsealed, experts say the agency illegally went further, and hacked perfectly legitimate users of the privacy-focused service. "That is, while the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an email.
The move comes after the ACLU pushed to unseal the case dockets in September. The Department of Justice recently decided to publish redacted versions of related documents. In 2013, the FBI seized Freedom Hosting, a service that hosted dark web sites, including a large number of child pornography sites and the privacy-focused email service TorMail. The agency then went on to deploy a network investigative technique (NIT) -- a piece of malware -- designed to obtain the real IP address of those visiting Freedom Hosting sites.
According to the new documents, the NIT was used against users of 23 separate websites. As for TorMail, officials have maintained that the government obtained a warrant to deploy the NIT against specific users of the service. Now, we do know that to be true: recently unsealed affidavits include a total of over 300 redacted TorMail accounts that the FBI wanted to target.
All of these accounts were allegedly linked to child pornography-related crimes, according to court documents. Importantly, the affidavits say that the NIT would only be used to "investigate any user who logs into any of the TARGET ACCOUNTS by entering a username and password." But, according to sources who used TorMail and previous reporting, the NIT was deployed before the TorMail login page was even displayed, raising the question of how the FBI could have possibly targeted specific accounts.
https://yro.slashdot.org/story/16/11/30/2156218/firefox-zero-day-can-be-used-to-unmask-tor-browser-users
A Firefox zero-day being used in the wild to target Tor users is using code that is nearly identical to what the FBI used in 2013 to unmask Tor users. A Tor browser user notified the Tor mailing list of the newly discovered exploit, posting the exploit code to the mailing list via a Sigaint darknet email address. A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had "found the bug" and were "working on a patch."
On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox. Dan Guido, CEO of TrailofBits, noted on Twitter that "it's a garden variety use-after-free, not a heap overflow" and it's "not an advanced exploit." He added that the vulnerability is also present on the Mac OS, "but the exploit does not include support for targeting any operating system but Windows."
Security researcher Joshua Yabut told Ars Technica that the exploit code is "100% effective for remote code execution on Windows systems." "The shellcode used is almost exactly the shellcode of the 2013 one," tweeted a security researcher going by TheWack0lian. He added, "When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post."
He's referring to the 2013 payload used by the FBI to deanonymize Tor-users visiting a child porn site. The attack allowed the FBI to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.
http://www.theregister.co.uk/2016/11/30/efforts_to_stop_rule_41_fail/
Three last-ditch legislative efforts to block the changes to Rule 41 of the Federal Rules of Criminal Procedure have failed, and from tomorrow the Feds will find hacking your PC a lot less of a hassle.
The rule change was introduced by the Supreme Court in April. It will allow the FBI and police to apply for a warrant to a nearby US judge to hack any suspect who's using Tor, a VPN, or some other anonymizing software to hide their whereabouts, in order to find the target's true location.
Normally, if agents want to hack a suspect's PC, they have to ask a judge for a warrant in the jurisdiction where the machine is located. This is tricky if the location is obscured by technology. With the changes to Rule 41 in place, investigators can get a warrant from any handy judge to deploy malware to find out where the suspect is based – which could be anywhere in America or the world.
Also, when agents are investigating a crime that spans five or more different judicial districts in the US, the new Rule 41 will allow them to go to just one judge for a warrant, rather than all the courts in all the involved jurisdictions. And it allows the Feds, with a search warrant, to poke around in people's malware-infected computers to, in the words of the US Department of Justice, "liberate" devices.
This extension of law enforcement hacking powers has occurred with no Congressional debate or vote, simply by an administrative change. But some law makers have been fighting to stop the change – today was their Waterloo, and sadly they got Napoleon's role.
Shortly after the April decision, Senators Ron Wyden (D-OR) and Rand Paul (R-KY) introduced the Stopping Mass Hacking (SMH) Act, but it remained stalled in Congress. Wyden made a last plea for the Senate to act on Wednesday but it was rejected.
"By sitting here and doing nothing, the Senate has given consent to this expansion of government hacking and surveillance," Wyden said. "Law-abiding Americans are going to ask 'what were you guys thinking?' when the FBI starts hacking victims of a botnet hack. Or when a mass hack goes awry and breaks their device, or an entire hospital system, and puts lives at risk."
Next it was the turn of Senator Chris Coons (D-DE) to ask for unanimous consent to pass his Review the Rule Act, which would have extended the deadline for the rule change by six months. This was denied.
"These changes to Rule 41 will go into effect tomorrow without any hearing or markup to consider and evaluate the impact of the changes," he said. "While the proposed changes are not necessarily bad or good, they are serious, and they present significant privacy concerns that warrant careful consideration and debate."
Lastly Wyden tried again, asking Congress to sign off on his Stalling Mass Damaging Hacking Act, which would have extended the deadline by just three months. Republican leaders refused to support the bill and so as of tomorrow, the rules come into effect. ®
https://motherboard.vice.com/en_us/article/the-fbi-is-classifying-its-tor-browser-exploit
Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over.
Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI.
"The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.
"The FBI is arguing that the tool and exploit are not simply sensitive law enforcement information, but that they actually constitute information which must be classified in the interests of national security," Steven Aftergood from the Federation of American Scientists told Motherboard in an email. To be successfully classified, the exploit must fall into one of several categories listed in Executive Order 13526.
"Which of these categories would apply here? Intelligence sources and methods? Technological activities related to the national security?" Aftergood added. "At first glance, all of them seem like a stretch. It will be interesting to see how FBI defends the move—and whether the court is persuaded."
According to the Department of Justice, the government has a record of mistakenly and inappropriately invoking classification controls. Aftergood pointed to the DOJ's Office of the Inspector General's 2013 report, which read "we found several documents in which unclassified information was inappropriately identified as being classified."
Mark Rumold, senior staff attorney at the Electronic Frontier Foundation told Motherboard in a phone call, "The government is never shy about asserting its classification authority as broadly as it wants to."
So, why now? Why classify the exploit and other information when myriad cases have already made their way through the courts?
"Either the classified information was originally designated by another agency and the FBI only just found out, or the FBI was the original classification authority, and the designation was overlooked in error at some point down the information supply chain. This could have been due to a lack of organization, technical capabilities, or both," Ahmed Ghappour, visiting assistant professor at UC Hastings, College of the Law told Motherboard in an email.
http://www.theregister.co.uk/2017/07/29/tor_dark_web/
A Tor Project grandee sought to correct some misconceptions about the anonymizing network during a presentation at the DEF CON hacking convention in Las Vegas on Friday.
Roger Dingledine, one of the three founders of the Tor Project, castigated journos for mischaracterizing the pro-privacy system as a bolthole exclusively used by drug dealers and pedophiles to hide from the authorities.
In fact, he said, only three per cent of Tor users connect to hidden services, suggesting the vast majority of folks on the network are using it to anonymously browse public websites for completely legit purposes. In other words, netizens – from journalists to activists to normal peeps – use Tor to mask their identities from website owners, and it's not just underworld villains.
Dingledine even went as far as saying the dark web – a landscape of websites concealed within networks like Tor – is so insignificant, it can be discounted.
“There is basically no dark web. It doesn’t exist,” he told his DEF CON audience. “It’s only a very few webpages.”
The most popular website visited by Tor users was Facebook, Dingledine said. In 2014 the ad giant embraced Tor, setting up a hidden service as a portal to its social network. Now over a million people log into Mark Zuckerberg's empire using the anonymizing network. It’s a tiny percentage of Facebook’s billion-plus user base, but very significant for a project like Tor, Dingledine said.
http://www.theregister.co.uk/2017/08/09/fbis_spywareladen_videos_claim_another_scalp_as_suspect_sextortionist_charged/
The FBI’s preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims.
As we learned from previous investigations, the Feds have a network investigative technique (NIT) up their sleeve that can potentially identify folks using the anonymizing system Tor.
The NIT involves a specially crafted video file – such as this one – that when downloaded and opened causes the media player to ping an FBI-controlled server somewhere on the internet. If this happens, and if the surreptitious connection does not go through the Tor network, it will leak the public IP address of the user to the Feds. This information can be used to identify the person's ISP and, with a subpoena, the subscriber's identity, leading to their arrest.
In this case, the tool was used against Buster Hernandez, 26, who was charged [PDF] on Friday with multiple counts of sexual exploitation of a child, threats to use an explosive device, and threats to injure.
On June 9, 2017, the Feds got a judge’s permission to deploy the NIT. Kil had ordered one of his victims to send him pictures and videos of herself and given her the address of a private Dropbox account to upload them to, so the NIT-laden video file was sent by the g-men to his cloud account.
The NIT reported the public IP address of Kil shortly afterwards, and an emergency subpoena was sent to the ISP Bright House Networks, who found it was registered to a woman in Bakersfield, California. Hernandez was registered as an occupant of the property.
On June 12, the FBI was authorized by another judge to put a tap on the internet connection for the house, and found that Tor was being accessed regularly from the property using the Bright House Networks pipe.
The agents got another court order on June 17, requesting surveillance of communications from the suspect's IP address. This showed an occupant was regularly accessing 4chan and looking at pornography on the picture sharing site Imgur, and they also intercepted images of some of the victims.
On July 19, the Feds installed a camera on top of a telegraph pole outside the house. A review of the footage four days later showed a woman leaving the home every morning at 7am and coming back at around 7pm. Hernandez was also spotted entering and leaving the house.
A review of the bugging records showed that the Tor internet sessions started almost as soon as the woman left the house. Once they had collected all the data, the Feds moved in and made their arrest. Hernandez was, as we said, charged this month.
“This was a unique and complex investigation that highlights the tenacity, perseverance, expertise and dedication of the FBI Indianapolis’ Crimes Against Children Task Force and was a top priority. Innovative techniques were utilized, solutions to roadblocks created and partnerships with key private sector partners were developed,” said Jay Abbott, Special Agent in Charge of the FBI’s Indianapolis Division.
“I stood in front of concerned parents and community members and told them we would find the person who had been victimizing these young girls and, with the tireless work of our agents and partners, we never gave up.”
If convicted, Hernandez is facing a mandatory minimum sentence of 15 years in prison, with a maximum of 30 years inside.
The US Attorney General has set up a task force of FBI agents and tech nerds to further smoke out online peddlers of illegal opioids.
The team, dubbed the Joint Criminal Opioid Darknet Enforcement, aka J-CODE, will be sent out to a dozen American cities that have hotspots of opioid abuse to work out where the gear is coming from. The force will then try to identify the sources online, and shut them down, as the Trump administration reignites America's war on drugs.
Announcing the policy in a speech on Monday, Attorney General Jeff Sessions talked tough on crooks lurking within the darknet – which are anonymizing networks, such as Tor, that can be used for good, and can also be used by drug traffickers to evade the cops and Feds.
The FBI has tricks up its sleeve to potentially unmask some Tor users, and has found other ways to take over darknet websites, usually by seizing servers.
“Criminals think that they are safe on the darknet, but they are in for a rude awakening,” Sessions said.
“We have already infiltrated their networks, and we are determined to bring them to justice. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimat