
Feds rip lid off Tor darknet

By Jon Tullett, Editor: News analysis
Johannesburg, 08 Aug 2013
Authorities launched a surprise attack against anonymous users trading illicit material in the "deep Web".

On 4 August, Freedom Hosting and its customer sites went down, permanently. At the same time, users reported seeing foreign JavaScript embedded in pages they had received from those sites, suggesting a security breach. And shortly thereafter, Eric Eoin Marques was arrested in Ireland and held for possible extradition to the US, where he has outstanding arrest warrants for distributing child pornography.

That sounds like just another successful law enforcement operation against illicit online material, but this time there was a difference: Freedom Hosting and its customers were hidden, operating within the Tor network - an anonymous, encrypted subset of the Internet - to thwart the authorities. Users of the sites felt themselves invulnerable - they were using an encryption layer specifically designed to evade the spying eyes of state surveillance, among a thriving community of drug dealers, weapons sellers and porn traders. In 2011, Freedom Hosting was subjected to a denial-of-service attack in an Anonymous-led campaign dubbed Operation Darknet, but the outage was short-lived and the sites were back in business in short order, until the feds dropped the bomb this week.

This marks the first known instance of a government agency successfully targeting a host in the "deep Web". And while we cheer at the downfall of a community trafficking in child abuse, there are deeper implications for many other players too.

The authorities have been beefing up and flexing their online muscle in recent times, demonstrating that the illusion of anonymity is often only that: an illusion. In early 2012, it was revealed that Hector "Sabu" Monsegur, a senior member of Anon and LulzSec, had been turned and was working as an FBI informant for nearly a year, giving the agency access to the inner workings of both groups and leading to high-level arrests. The FBI has also developed a track record of taking over Web sites dealing in illicit material, then allowing them to continue operation for a time so that users can be identified for future investigations and prosecution - most recently, the feds ran a captured child porn site for a fortnight, until its 5 000-strong user base had been sufficiently analysed, but this was far from an isolated case.

The attack against Freedom Hosting comprised several stages, and while the main objectives appear to be complete, mopping up will likely take months or years. Details are scanty, but the background can be pieced together from what is known.

Finding the unfindable

The first problem for the authorities was finding who to attack. Freedom Hosting was hidden deep within the encrypted Tor network, inaccessible from the public Internet (see "Inside Tor and the deep Web" sidebar). But it was a Web hosting service, and like any hosting service, its various layers of operating software were open to attack. It appears the authorities, operating through Tor connections of their own, identified a vulnerability in Freedom Hosting's software, and compromised the servers, escalating their control to a point where customer Web sites could be taken over as well.

At some point in this time-frame, the site owner was identified as one Eric Eoin Marques - an American citizen living in Ireland. Marques could have already been under investigation, or identified through the attack on the hosting service - we may never know. But warrants for his arrest were granted in the US, and Irish authorities picked him up. At the time of publication, he has been denied bail as a flight risk, and is awaiting an extradition hearing.

With the sites under the control of the authorities, and the man described as the "largest child porn dealer on the planet" behind bars, the initial goals of the campaign would be met. But the agencies prefer to take these cases a step further: identifying the users and gathering evidence against them while they are unaware their porn dealer has turned honeypot.


In this case, though, that would again be complicated by the sites' presence within Tor. Users, accessing the same encrypted network, could by definition not be identified or located. The answer lay in a clever JavaScript exploit.

Well planned, but rushed?

Many Tor users access the service through a particular piece of software, known as the Tor Browser Bundle (TBB). TBB provides the connectivity and encryption software, as well as a preconfigured Web browser which includes a number of privacy safeguards. Two fatal flaws were identified in the TBB. It was built using a specific version of the Firefox Web browser, one which included a memory overflow vulnerability. And although the browser came with the NoScript add-on preinstalled, its ability to block JavaScript was in fact disabled by default.

Inside Tor and the deep Web

Tor ("The Onion Router") is a private, anonymous, encrypted network. To gain access to the Tor network, a computer must run encryption software which then routes Internet traffic through the Tor connection. On the global Tor network, nodes then forward the traffic through multiple hops (the multi-layered "onion"), until it is forwarded back on to the Internet by an "exit node". This gives Tor users anonymity and protection from the spying eyes of employers or government agencies.

In addition to the encrypted proxies, there are Web servers (known as "hidden services"), which are only accessible from within the Tor network. These sites, with addresses ending in ".onion", cannot be geographically identified or shut down, and therefore are popular services among journalists, political dissidents, and criminals. The Silk Road is a popular e-commerce site in the Tor network, where drugs, weapons and other illegal materials can be purchased. Lolita City, one of the largest child porn sites online and a target of this recent attack, operated a hidden service on the Tor network.

The authorities crafted JavaScript exploit code, which would attack that particular version of Firefox, and configured the compromised sites to embed the code in pages they served. The code itself was simple: it established a direct Internet connection (i.e., bypassing the Tor proxy) to ping a remote server with a unique ID code. That server has since been identified as operating under the control of the NSA, although further research has questioned this finding.

The authorities now have a unique code and a real-world IP address to match the encrypted Tor connection to a real user.

The injected JavaScript was quickly identified by the community and hastily analysed, and its implications were obvious: the game was up. But it was too late - within a matter of hours, Marques would be in custody and the sites went down for good.

Because of the speed of the final act, many observers have reacted to this incident as if the Freedom Hosting compromise was an overnight attack - this is unlikely. Chances are the site was compromised some time ago, as part of a long and well thought-out campaign. On the other hand, the final stage was clumsy enough to lend weight to the idea that the denouement could have been accelerated. The NSA could have done a great deal more to conceal its involvement, such as using a backdoor Trojan (raising the possibility that the hack was malicious), routing beacon traffic through a commercial hosting provider, and so on.

What now...

The attack itself made for fascinating watching as it unfolded, but the "what now" questions are where it gets interesting, because so many players are involved, from the criminals and the authorities, as well as legitimate Tor users, the network itself, and more.

...for the criminals

For the criminals, and the authorities, the slow-turning wheels of justice will grind on, but whether further investigations will be forthcoming is questionable. Operation Ore and Operation Avalanche in 1999 yielded many thousands of leads into potential child porn users, but resulted in relatively few prosecutions.

Anon's #OpPedoChat and #OpDarkNet turned over many IP addresses of users (of the very sites the FBI has targeted now) but resulted in no direct action (though it is possible the FBI got a leg up through Anon's efforts). However, the ability to concretely link an anonymous Tor user to an IP address accessing illegal material is among the best evidence a prosecutor could ask for, so we can hope that further investigations will be more extensive this time.

If they aren't, the material will likely resurface in short order. Although this attack may scare some users into inactivity for a while, the fundamentals of Tor (and other anonymous networks) remain solid, and there are other sites trading in illicit material anyway. Just as spam levels dip briefly when a profligate spammer is arrested, but then return to normal, we can probably expect similar results here. Supply and demand is a very real phenomenon in the black market, after all.

It is also likely that some criminal syndicates may be driven further underground, joining the tight-knit, closed communities where the phrase "dark net" truly does apply.

...for law enforcement

This episode has provided a blueprint for successfully conducting a campaign against Tor, and against sites hosted behind its layers of encryption and privacy. Take control of a site through conventional exploit means, then lead the users to establish Internet connections. The first part could vary, from takeovers like Freedom Hosting, or sites under the control of authorities from the outset (it would not be surprising to find political forums operated by national spy agencies, for example). The second part could be more JavaScript attacks, but could just as easily be conventional malware delivered via social engineering, or exploits against other Web technologies.


My money would be on more persistent malware than was used in this case - already, software packages are circulating which block all non-Tor traffic, so something which can survive until a regular Internet connection is available might have a better chance of success. More secure bundles are available, usually involving entire replacement operating systems or virtual machines to isolate network connections, but these are probably too complicated for the average user. The average user, after all, forgot to disable JavaScript this time.
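The beacon described above worked only because the browser could open a connection that bypassed the Tor proxy; the leak-blocking packages mentioned here enforce the opposite policy. The following is an added example (not code from the article or from the Tor project) of the same policy applied as a detection check over constructed host connection-log lines: it assumes a log format of "timestamp process destination_ip:port", that the local Tor SOCKS listener is 127.0.0.1:9150 (the Tor Browser default), and that the Tor daemon runs as a process named "tor".

```python
"""Flag host egress that bypasses the local Tor SOCKS proxy.

Added example; the log format below is constructed, not a real tool's output.
"""
import ipaddress
import re

TOR_PROCESS = "tor"                    # the only process expected to reach the network
SOCKS_LISTENER = ("127.0.0.1", 9150)   # Tor Browser's default SOCKS port (assumption)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"ts": m["ts"], "proc": m["proc"], "ip": str(ip), "port": int(m["port"])}


def is_leak(event):
    """True when a non-Tor process connects anywhere except the SOCKS listener."""
    if event["proc"] == TOR_PROCESS:
        return False   # the Tor daemon itself talks to relays directly
    if (event["ip"], event["port"]) == SOCKS_LISTENER:
        return False   # proxied through Tor as intended
    if ipaddress.ip_address(event["ip"]).is_loopback:
        return False   # other local-only traffic, e.g. the control port
    return True        # direct egress: exactly what the beacon relied on


def find_leaks(lines):
    return [ev for ev in map(parse_line, lines) if ev and is_leak(ev)]


# Constructed sample: one proxied request, one Tor relay hop, one control-port
# connection, and one direct connection to a public address (the leak).
SAMPLE_LOG = """\
2013-08-04T10:00:01 firefox 127.0.0.1:9150
2013-08-04T10:00:01 tor 203.0.113.10:443
2013-08-04T10:00:02 firefox 127.0.0.1:9151
2013-08-04T10:00:03 firefox 198.51.100.7:80
"""

if __name__ == "__main__":
    for ev in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"LEAK {ev['ts']} {ev['proc']} -> {ev['ip']}:{ev['port']}")
```

The same allow-list (only the Tor process may leave the host; everything else may only reach the local SOCKS port) is what a host firewall ruleset would enforce preventively rather than detect after the fact.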

...for Tor

The Tor network itself was unharmed in the making of this saga - the encryption, and the connection strategies, are still assumed to be whole and secure. The project organisers moved quickly to distance themselves from the incident, and to reassure users that the network was still secure.


The Tor project has come under fire for shipping an older version of Firefox in the TBB, but that criticism is largely unfounded - it makes the mistake of assuming that a newer version wouldn't be attacked the same way. Since government agencies are widely assumed to be sitting on stockpiles of zero-day exploits for most modern software, including Web browsers, it is not unlikely that a different version of Firefox would simply have been met with a different exploit, but the end result would likely have been the same.

Where Tor does deserve criticism is in its decision to leave JavaScript enabled. The decision to disable that feature of NoScript was taken consciously: Tor developers feared that browsers with scripting disabled (and selectively enabled for some sites) would reduce privacy by helping attackers "fingerprint" the browser, as well as degrading users' Web experience. This is true, but it was a privacy decision which opened the huge attack surface of JavaScript to exploit, with the rather predictable end result of end-users being compromised. Since the attack, suggestions have been floated to provide a "sliding scale" of security, including disabling JavaScript, or simply providing visual feedback to users to alert them when they are browsing insecurely - at this point, the project co-ordinators have not commented on what, if any, improvements will be forthcoming.

...for other Tor users?

Like any big Web exploit, this should be a wake-up call for users, but probably won't. Most users will feel a moment's alarm, then go right back to browsing insecurely. The next time a similar exploit is conducted, as it surely will, it will also succeed. We can only hope that it is targeted against as deserving a community as the child pornographers, rather than legitimate whistleblowers or political activists.


Some users of Tor - including the many individuals protecting their privacy from prying eyes to do good (a debatable grey area in itself) - will be spurred to take the additional steps required to use Tor effectively. As a privacy tool, the network is still highly valuable, but some assembly is required to fully realise the safety it can offer. Unfortunately, some criminals will take these steps too - this is the inevitable nature of security technology.

...for .onion operators

For other .onion site operators, hosting hidden services within the Tor network or elsewhere, this is a wake-up call. Just because you are hosting within a secretive network doesn't protect you from the usual exploits. And, whether you're operating a bulletin board for dissidents or hosting illegal material, chances are you are in the sights of someone in authority, who may well have access to an arsenal of exploit code. Take the appropriate steps.

The problem with Tor's .onion sites is finding them - you have to know their address. They aren't indexed by Google, or listed anywhere public. The truly secret sites are jealously guarded and shared among close communities, but inevitably information leaks, as sites become more popular and their users forget the first rule of Fight Club. For example, the Hidden Wiki, a community information portal within the Tor network, lists many of the illicit sites including their private .onion addresses.

...for privacy in general

For some time now, the Tor project has been high on the list of technologies held up to demonstrate how security tech can be used to thwart authorities. The last few months have demonstrated that the authorities have kept pace, developing their technologies and skills to attack anonymous networks, crack encryption, and effect surveillance deep within the online services we use every day.

Best practice and the best technologies are a powerful combination. But, as one law enforcement officer explained it to me: "Criminals are stupid." Most users eventually make basic mistakes, leaving gaps for authorities to penetrate. And these campaigns demonstrate one thing clearly: the authorities are very, very patient.

So expect more attacks against online communities like this. Lolita City was a high-value target for the feds - Silk Road may well be next (and if that goes, watch out for BitCoinageddon - the virtual currency operates in a close symbiosis with the underground marketplace). Political activists and journalists are also likely candidates. We're in for interesting times.
