
 



Encryption Government Security

The FBI Is Infecting Tor Users With Malware With Drive-By Downloads

Posted by timothy
from the for-the-good-of-society dept.
Advocatus Diaboli (1627651) writes: For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement's knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it's also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants.
  • by Anonymous Coward on Tuesday August 05, 2014 @05:16PM (#47609189)

    What ever happened to not breaking the law to collect evidence?

  • by MindPrison (864299) on Tuesday August 05, 2014 @05:17PM (#47609195) Journal
    ...and that's how and WHY they get away with this. This is against any human rights, but shout "won't anyone PLEASE think of the Children", and these agencies can get away with murder.

    So that said, to any whistleblower out there who doesn't have the tech savvy that we have, I'd offer a little bit of advice, read it - and don't forget it, you might just be next if you do:

    1) Download Tails. Install it preferably on a CD.
    2) Remove your hard disk connection (removing the power is enough) when you intend to boot from Tails.
    3) Shut down your WiFi. And only use WIRED connections.
    4) Boot tails, and when you start Iceweasel - make sure to turn NoScript ON for ALL sites. It's not on by default, when the SHIELD shows...it's on!
    5) Never - ever use an acronym you'd use with your normal ISP (IP address), this WILL unmask you.
    6) Do NOT use FLASH or JAVASCRIPT.
    7) Do NOT do any banking business or anything that would identify the real you using TOR. Tor is like walking into an underworld of the worst place you could imagine in a bad movie (except Darknet is very real, and can be a VERY dark place, it has freedom...but freedom is precious there, and there's someone waiting on every corner to con you, and remember - this threat is VERY REAL!), so don't be a fool. Do what you have to, but stay safe.
    8) Do NOT brag to friends that you're safe with Tor. As far as you know, you don't even know what Tor is.
    9) If you can, use Tor with a laptop that has never been used on a wired or wireless KNOWN network with you, but only used for TOR ...without a hard disk! Use it to connect with TOR on a different network, preferably in a different city than where you live. You can't get much safer than that....IF...you apply the other 8 rules above.
    10) Don't SURF TOO LONG AT ONCE - People are working to unmask TOR users all the time with injection attacks, and they succeed often! Notice that when the chain of relays break (refreshes)...always keep looking at the NETWORK MAP...ALWAYS, DISCONNECT LIKE THE WIND and find another time to connect short sessions. Keep things brief, and as many clusters as you can.
    11) Always make sure that the TAILS CHECKSUM IS MATCHING! I've downloaded TAILS TWICE from their so called official server and had CHECKSUM MISMATCH, this could be as simple as a faulty packet...but it could also be much more serious than that, imagine the rest yourself - BE PARANOID! It's your life!

    Information is the only power we have left!
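Point 11 above (checksum mismatch on a downloaded Tails image) is the one item in that list that can be turned into a repeatable check. The script below is an added example, not MindPrison's code and not anything from the Tails project: it compares a downloaded file against a SHA-256 value you obtained through a second channel and refuses the image on mismatch. The file names in the usage line are assumptions, and no real Tails hash appears here.

```shell
#!/bin/sh
# Added example (not from the thread or the Tails project): compare a
# downloaded image against a SHA-256 value obtained out of band, and make
# a mismatch impossible to miss. The image path and the expected hash are
# whatever you pass in; nothing here is a real Tails hash.

# Print the SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Exit status: 0 = match, 1 = mismatch (do not boot the image), 2 = unreadable.
# The expected value is lower-cased so a hash copied from a web page in
# upper case still compares correctly.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        printf 'ERROR: cannot read %s\n' "$file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s\n' "$file"
        return 0
    fi
    printf 'MISMATCH %s\n  expected %s\n  got      %s\n' "$file" "$expected" "$actual" >&2
    return 1
}

# Usage with assumed file names; the hash should come from somewhere other
# than the server that served the image:
#   verify_sha256 tails.iso 0123abcd...   # exit status tells you the result
```

A checksum fetched from the same server as the image only catches a corrupted download; a tampered mirror can serve a matching pair. The stronger check is the image's OpenPGP signature (`gpg --verify` against a signing key obtained through a separate channel), and the script above is the cheap first gate before that.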
    • by anthroboy (663415) on Tuesday August 05, 2014 @05:43PM (#47609405)

      5) Never - ever use an acronym you'd use with your normal ISP (IP address), this WILL unmask you.

      ASAP, scuba, laser, Nabisco, Esso, ISP, HTTP, USB, PDF, CYA... Who knew acronyms were so dangerous?

    • by CreatureComfort (741652) on Tuesday August 05, 2014 @05:53PM (#47609485)

      9) If you can, use Tor with a laptop that has never been used on a wired or wireless KNOWN network with you, but only used for TOR ...without a harddisk! Use it to connect with TOR on a different network, preferably in a different city than where you live. You can't get much safer than that....IF...you apply the other 8 rules above.

      While this sounds ludicrous on its face, (Really? Driving to different cities just to surf anonymously?), I would have suggested connecting via a VPN, or chained VPNs depending on your paranoia and tolerance for network delay, and every time you connect, setting your opposite end point to a different country. Especially if reconnecting frequently as noted in 10).

      12) If you have to go through this much trouble to function on the Internet, seriously reconsider your life and lifestyle. Is it really worth it?

    • by godel_56 (1287256) on Tuesday August 05, 2014 @06:57PM (#47609973)

      ...and that's how and WHY they get away with this. This is against any human rights, but shout "won't anyone PLEASE think of the Children", and these agencies can get away with murder.

      So that said, to any whistleblower out there who doesn't have the tech savvy that we have, I'd offer a little bit of advice, read it - and don't forget it, you might just be next if you do:

      1) Download Tails. Install it preferably on a CD.
      2) Remove your hard disk connection (removing the power is enough) when you intend to boot from Tails.
      3) Shut down your WiFi. And only use WIRED connections.
      4) Boot tails, and when you start Iceweasel - make sure to turn NoScript ON for ALL sites. It's not on by default, when the SHIELD shows...it's on!

      Stuff deleted

      If you really need to be anonymous, use a computer that you bought for cash, that is ONLY used for communicating over Tor with Tails, preferably using somebody else's Wi-Fi. Even if the Feds do manage to plant a beacon on this computer, it will only show up when you are communicating anonymously. Your secure computer should be air gapped from your main work/internet computer.

    • by lister king of smeg (2481612) on Wednesday August 06, 2014 @02:33AM (#47612007)

      I would also change my MAC address regularly just to make it harder to track your physical location. You could always just use a random MAC, or if you want to be a real pain in the ass you could start MAC cloning: find other people's MACs and copy them, so when you go browse porn ^H^H^H^H the darkwebs it looks like the hipster with his MacBook Pro that just finished his mocha and left the coffee shop you happen to be sitting in.

  • From the article, it sounds like we know they used it to identify computers browsing child porn sites. They had warrants. Okay, I'm not too upset about that. MAYBE they also did it to all sites hosted by Freedom Hosting. THAT would be a problem.

  • by Anonymous Coward on Tuesday August 05, 2014 @05:26PM (#47609277)

    In the article, they mention that one of the drive by malware installations by the FBI hit the servers of a webmail service called Tormail in the process of going after a site that was believed to be hosting child porn. Presumably, they used the malware to search PCs, including those of Tormail users who had committed no crime. Wouldn't this be a massive violation of the fourth amendment?

  • by BitterOak (537666) on Tuesday August 05, 2014 @05:26PM (#47609279)
    I know this won't be a popular position here, but the problem here isn't with what the FBI is doing, but rather the fact that they can do it. The problem is with the technology: it just isn't as secure as it's supposed to be. When a hacker finds a vulnerability in a security system, most people on Slashdot say don't blame the hacker, but rather fix the underlying vulnerabilities in the system. Instead of pointing the finger at the FBI for using vulnerabilities in TOR, web browsers, and/or operating systems, we should be glad that they're making this public, so the vulnerabilities can be fixed. After all, if the FBI can do this, so can criminals, governments hostile to free speech, and many other malicious parties. Let's learn from what the FBI is doing and harden the systems, to make legitimate users of Tor and similar services safer.
    • by Anonymous Coward on Tuesday August 05, 2014 @05:37PM (#47609347)

      > we should be glad that they're making this public

      That's the problem, they are working as hard as possible to prevent the information from becoming public.

      While this is the FBI we are talking about here, I would be sooooo onboard with the NSA if they amended their charter to simply shoring up vulnerabilities rather than exploiting them for their own opaque purposes.

    • Absolutely wrong (Score:4, Interesting)

      by s.petry (762400) on Tuesday August 05, 2014 @10:29PM (#47611263)

      On the surface this sounds valid, but you completely miss the obvious. The FBI, as well as other 3 letter agencies, are _creating_ software for the purpose of hacking into people's computers _illegally_. The FBI is not taking over some criminal botnet to harvest data, they are not intercepting malware C&C data to find things, they are creating their own malware for the purposes of performing illegal activities.

      That fact alone should exemplify how wrong this is, since they are not only breaking laws regarding Constitutional issues. They are also breaking US and International law covering hacking, wire tapping, and computer espionage. You know, the same laws they were trying to slap Aaron Swartz with 70 years in prison for.

      To use a drug analogy, the FBI can not start producing cocaine to find and arrest buyers. That is illegal, and repeatedly been reinforced as illegal.

      Computer vulnerabilities don't exist by nature, people must create methods of making computers vulnerable. A program with a buffer overflow exploit would not be vulnerable without the code to exploit the program deficiency. If you truly believe computers should be fair game, then you should also believe that it's perfectly fine for someone to steal your car because locks are imperfect and can be bypassed. (Had to throw in the tried and tested car analogy also..)

    • by jeIIomizer (3670945) on Wednesday August 06, 2014 @12:55AM (#47611801)

      but the problem here isn't with what the FBI is doing, but rather the fact that they can do it.

      The problem is both.

  • Smart (Score:5, Insightful)

    by TheCarp (96830) <sjc&carpanet,net> on Tuesday August 05, 2014 @05:40PM (#47609383) Homepage

    I hate to say it, but this is pretty smart. They seem to have realized that using their new techniques against child porn is the best way forward for them because the issue has stigma to spare that can help quell dissent, then, once the practice is firmly established, they can quietly expand it to everything else they desire.

  • by jcochran (309950) on Tuesday August 05, 2014 @05:47PM (#47609437)

    In a nutshell, they simply had any computer that contacted the web site send back the computer's real IP address and its MAC address. The actual security of the Tor wasn't affected. Just that compromising information was sent through the Tor network. Just as any other data would be sent through the Tor network.

    Now I suspect the MAC address was sent so that they could identify the actual computer when they seized it via a warrant. That way the suspect couldn't claim that it wasn't their computer since the IP address was on the other side of a NAT and there were multiple computers using NAT. And the IP address was simply to make identifying the physical location easier.

    Which raises an interesting question....
    What if someone alters their MAC address and then enters the Tor network via a public wifi hotspot?
    The connection is encrypted so the fact that the hotspot is publicly accessible shouldn't be a problem.
    And when the computer is turned off, the MAC spoofing goes away so even if the computer is seized, they don't have a matching MAC address to prove it's the computer they hacked. And of course, since access was via an open hot spot, there's plenty of computers that could have been connected. Proving which one would be rather ... difficult ... without that MAC address.

    • by BitterOak (537666) on Tuesday August 05, 2014 @06:00PM (#47609561)

      In a nutshell, they simply had any computer that contacted the web site send back the computer's real IP address and its MAC address. The actual security of the Tor wasn't affected.

      Ummm, the whole purpose of Tor is to make it impossible for the web host to determine your real IP address, so if it is so easy to get the browser to send that information back to the server then they've COMPLETELY disabled the security of the Tor network, so I really don't understand your statement that the "security of Tor wasn't affected."

    • by fisted (2295862) on Tuesday August 05, 2014 @07:38PM (#47610175)
      TOR doesn't operate at the MAC level, your MAC address doesn't make it past your gateway.
      So the only way to leak your MAC address is actually transmitting it as whatever kind of application layer payload, or if your TOR entry node happens to be right on your local network...
    • by Bite The Pillow (3087109) on Tuesday August 05, 2014 @10:08PM (#47611135)

      They only need the MAC address to confirm it was your computer in the event you use something like TAILS and profess to not have done anything wrong.

      Meanwhile, they have an IP address, a subscriber to John Doe, a correlated subscriber provided by the ISP, a commercial location to surveil, a video showing your vehicle, a warrant, and a full car/house search. And if they don't find anything, they start taking apart furniture and walls looking for the stuff they are convinced you have.

      If you saved anything, MAC is irrelevant and you're just as screwed. If you saved nothing, but they found your TAILS disc, a jury is going to convict you without a VERY good lawyer.

      Police are not there to find truth - they are there to find someone to arrest. The judge is not there to find truth - they are there to decide if applicable law finds you guilty.

      Your clever horseshit thought experiment is not going to save you when it matters. You have to avoid the same things that would get you into trouble if you ignored your MAC completely. And be assured that the judge and jury will not understand why everything but the MAC says you are guilty but you plead innocent. They will not go easy on you once the prosecution expert witness describes that MAC spoofing is "trivial".

      Were you expecting them to turn on the computer, see the MAC, decide that's clearly not the one they were looking for, then power it off without at least seeing what's in the CD tray?

    • by gweihir (88907) on Tuesday August 05, 2014 @10:16PM (#47611191)

      Tails routinely alters the computer's MAC address. At least the Freedom-Hosting malware was not able to detect that.

    • The way around this is Whonix. You can't be totally sure there are no zero-days in your web browser, so you browse in a VM that's only connected to the Internet through ANOTHER VM and THAT VM is running Tor. So, the VM the web browser is running in doesn't know your MAC address and doesn't know your IP and has no way to get it.

      Then, when you're done, you reset the entire VM to a known state ("snapshot") so that any virus they managed to install can't stick around and probe for ways out of the VM jail.

      This isn't perfect. Nothing is. They could find a 0-day in the Tor project software, or they could find a way to break out of the VM after they compromised Firefox, but this is still REALLY good protection.

      And I have no problem with the FBI using malware to catch bad guys. Like others have said, the problem is (was?) with the Tor Browser, not with the FBI. They're just doing their job, and I applaud them for using all tools they have available.

      Now, they "blew their cover" with this tool by using it, so this particular vulnerability won't ever work again. I hope it was worth it.

      The endgame, of course, is going to be that the FBI doesn't have tools like this. Whonix, software like Whonix, and just plain better security practices in coding will make exploits like this rarer and rarer. Is that a good thing? I guess we'll see. If organized crime starts flourishing because of Internet anonymity, then I guess it's not a good thing. If not, it probably is. But, as long as law enforcement has a tool, it's their job to use it.

    • by allo (1728082) on Wednesday August 06, 2014 @09:12AM (#47613229)

      You can change the MAC, so you cannot see the real one in your Ethernet frames. But software can read the real MAC from your NIC without any problem.
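Several comments above turn on the same mechanics: lister king of smeg suggests rotating the MAC, jcochran notes a spoofed MAC is gone after a reboot, gweihir says Tails does this routinely, and allo points out that the burned-in address is still readable locally. The script below is an added example, not code from any of those commenters or from Tails: it generates a random locally administered unicast MAC (the class of address that cannot collide with a vendor OUI), applies it with iproute2, and reads the permanent address back with ethtool to show what a local payload could still recover. The interface name is whatever you pass in; applying an address assumes root on a Linux host with ip(8) and ethtool(8).

```shell
#!/bin/sh
# Added example (not from any commenter or from Tails): pick a random
# locally administered MAC, apply it with iproute2, and read the NIC's
# permanent address back with ethtool. The interface name is an
# assumption; changing the address needs root on Linux.

# Print a random unicast MAC with the locally-administered bit set.
# The first octet's low two bits end up as binary 10: bit 0 clear means
# unicast, bit 1 set means "locally administered", so the address can
# never match a manufacturer-assigned one.
random_mac() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12)
    first_dec=$(printf '%d' "0x$first")
    first=$(printf '%02x' $(( (first_dec & 252) | 2 )))
    printf '%s%s\n' "$first" "$rest" | sed 's/../&:/g; s/:$//'
}

# is_laa_unicast MAC
# Returns 0 when MAC is well formed (aa:bb:cc:dd:ee:ff, lower-case hex),
# unicast, and locally administered; 1 otherwise.
is_laa_unicast() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    o=$(printf '%d' "0x$(printf '%s' "$1" | cut -c1-2)")
    [ $(( o & 3 )) -eq 2 ]
}

# Apply a fresh random address to DEV (root required) and print it.
# This is the change that disappears at the next boot, as jcochran says.
set_random_mac() {
    dev=$1
    mac=$(random_mac)
    ip link set dev "$dev" down
    ip link set dev "$dev" address "$mac"
    ip link set dev "$dev" up
    printf '%s\n' "$mac"
}

# The burned-in address is untouched by set_random_mac; ethtool -P prints
# "Permanent address: xx:xx:xx:xx:xx:xx". Local software with enough
# privilege can read it, which is allo's point.
permanent_mac() {
    ethtool -P "$1" | awk '{print $3}'
}

# Usage (assumed interface name):
#   set_random_mac eth0 && permanent_mac eth0
```

The spoofed address only changes what leaves the NIC in Ethernet frames; the permanent one is still on the card, so a payload that reads it from the host (as fisted and allo describe) gets the original regardless of what `ip link` set. Rotating the address defends against the access point and anyone on the local segment, not against code running on your own machine.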

  • Low standards (Score:3, Insightful)

    by king neckbeard (1801738) on Tuesday August 05, 2014 @05:47PM (#47609441)
    They consider finding out about a dozen alleged USERS of child porn sites a big win?
    • by Anonymous Coward on Tuesday August 05, 2014 @09:10PM (#47610867)

      Yes. More specifically, a big PR win.

    • by gweihir (88907) on Tuesday August 05, 2014 @10:23PM (#47611227)

      Well, in comparison to the completely unimportant detail that they probably attacked millions of people with malware, sure these dozen users justify anything and everything!

      Seriously, they probably know what they are doing is deeply unethical, but it gets them more power, brings the surveillance and police state that they crave and the average person stops being rational when this type of material is mentioned. Most even think CP automatically means that children have been abused, completely ignoring drawings and pictures underage teenagers made of themselves.

  • by sasparillascott (1267058) on Tuesday August 05, 2014 @05:49PM (#47609453)
    I wouldn't be surprised a bit to learn they are related:

    https://firstlook.org/theinter... [firstlook.org]

    Snowden docs, exceptional description of the Turbine program that seeds malware to non-targeted individuals - goal by the NSA (then) was millions of infections.

    The logical extension of this is, in the end, to compromise all personal and business computer systems - so anything is available when needed.
  • It would be a shame if hackers retaliated with drive by hacks of autopiloted cars using small RC vehicles mounting range extended telecom connectors.

    But, those who live by the unconstitutional spying on their own citizens deserve what blowback they get.

    If you don't have anything to hide, you don't understand what metadata is.

  • by mtthwbrnd (1608651) on Tuesday August 05, 2014 @09:01PM (#47610823)

    Are there any statistics about the usage or contents on TOR? It seems from all of the press that I have read that it is mainly a Child Porn network.

    Who else is actually using the technology? Please do not reply with "theoretical uses" such as "somebody in China *could* use it to communicate information which the government does not want to be transmitted", unless you can actually back it up with an actual occurrence of it.

    What I want is not really individual cases but to know if anybody has done a statistical analysis of the actual content types and usage.

  • by ruir (2709173) on Wednesday August 06, 2014 @05:53AM (#47612505) Homepage
    Come again, what was that political propaganda posts about cyber attacks coming from China and the Middle east?
  • by ruir (2709173) on Wednesday August 06, 2014 @05:59AM (#47612513) Homepage
    It does not have any advantage to run Tor or Linux with Tor enabled if you then use it to access your personalised gmail or facebook account. No need for "hacking" by the FBI at ALL.
  • by LifesABeach (234436) on Wednesday August 06, 2014 @01:15PM (#47615185)
    This could only be Entrapment?
