Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Tags
hidden services
tor network
freedom hosting
facts
hidservs

Freedom is dirty business.

It is not sanitary, never has been, never will be, and any misguided attempt to make it so will destroy it. History has proven this repeatedly.

Also, collective punishment is not justice, because it punishes the innocent along with the guilty.

Whatever happened to the bedrock American principle that it was better to let 10 guilty go free, than for one innocent to be wrongly punished?

Freedom demands that we tolerate a certain degree of unsavory messiness in life, as the attempt to eliminate it eliminates freedom itself.

Anon

Anonymous (not verified) said:

August 04, 2013

Permalink

What was the purpose of including NoScript in the bundle and then globally allowing scripts, flash, silverlight, font-face etc?

Why on earth would you enable javascript by default?

These are not the settings TBB used to have.

I'm guessing because they figure most Tor users just want to visit mainstream clearnet sites anonymously, and most mainstream sites use the simpler functions in javascript. So it makes sense to allow javascript, but also use NoScript to also block out any potentially dangerous parts (like iframe).

The default settings in NoScript on the tor BB block nothing. "Allow Scripts Globally" and all browser plugins are allowed. It literally does nothing to keep you safe from a malicious attack when used in the default settings, which Vidalia seems to tout so much.

Not all Javascript is allowed, the Tor Browser have some patches against the real version of Firefox that blocks or modifies some known dangerous Javascript. Also, most (all?) external plugins should be blocked by a patch too.

Now, after seeing that real exploits against Firefox over and over again uses Javascript, I believe blocking Javascript by default is something the Tor developers should consider.

I'm not sure which is more baffling and disturbing:

a) The fact that neither you (arma*) nor any of your colleagues have addressed the glaring, utter CONTRADICTION between what you have been posting here regarding JavaScript and what is stated at
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled,
or,
b) The fact that no one besides myself seems to be bothered by a) (or even /noticed/ it)

https://trac.torproject.org/projects/tor/ticket/9387

I skimmed and did a Ctrl-f for "faq". Nothing.

Incredible. Absolutely incredible.

*BTW, I apologize for referring to you in the feminine in previous posts. I had you confused with a female colleague.

Even with scripts allowed globally, NoScript still provides certain protections, such as blocking cross-site scripting (XSS) attacks.

(Obviously, allowing scripts globally cannot provide (anywhere near) the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript.)

Anon

Anonymous (not verified) said:

August 04, 2013

Permalink

Why the fuck have you delivered TOR Browser Bundle with NoScript and JS enabled by default? Stupid motherfuckers!

I guess the NSA is operating the TOR shit and if not: Congratulations, you have ruined its reputation!

How long have YOU worked for the NSA comrade?

It's probably too late once you got it, but what would you have to do to make sure it's not still infecting your system? Just delete cookies?!

Disable Javascript -- in TorBrowser click bug orange TorBrowser button at top-left, then Options, Options, click "Content" button at top, and uncheck "Enable Javascript"

Or better, click the blue S (beside the green onion) and select to disallow scripts globally.

I used your text in the advisory (see next blog post). Thanks!

What systems did the shellcode execute on? Windows? Linux?

I noticed the names of two windows DLLs in the shellcode so I assume it runs on windows. Who knows if it can run on any other operating systems.

Windows only, the exploit only runs if it finds "Windows NT" in the userAgent property.

TBB identifies as Windows NT. Even on Linux machines.
The question is rather if the payload would work on Linux as well.

I can't imagine this could affect anything in Linux. The exploit looks like a buffer overrun that messes up the memory heap which is handled completely different between Windows and Linux. It is targeted to Windows.

Windows.

Good timing FBI. Just when Tor was going mainstream.

All press is good press. This will just raise the profile of Tor more.

Precisely why they did it.

Unfortunately, they also screwed their own agents that use Tor every day, but that's a small price to pay for keeping those damned net.nerds in line.

Lol wut? What are you people whining about the dev's? Half of the torproject website deals with how to correctly use TOR. If you do not take the time to read it then you would be caught by one of the other methods available. There is not a single statement which says: "Download the TOR Browser Bundle and feel save!" but quite the opposite of that. BTW the exploit did not break TOR it just tried to find away around TOR. If you were affected then it is probably already too late.

The exploit does indeed break the Tor Browser Bundle.

If the exploit now worked at all, haven't seen any definite report of that yet...

The REAL question, which NO ONE seems to want to address, is how supposedly "hidden" servers could be identified, targeted, and then infected with the exploit.

If no "hidden" services are really "hidden", then none are safe.

It's not that hard, just make sure to have javascript disabled by installing noscript.

that it wasnt on by default speaks volumes about how obivious it is that tor is basically a nsa honeypot

Nope. Javascript cannot be exploited if implemented properly, so there isn't much reason to block Javascript at all if you think that way. And javascript does greatly improve the web experience.

Now, it have turned out over and over again that javascript is not implemented properly, and this time it might have been a real exploit against the Tor Browser. Maybe time to reconsider a few possible bad design choices.

No, it doesn't. They have explained NUMEROUS times why Javascript is on by default in TBB, because Javascript being DISABLED breaks too damned many sites.

NoScript is already installed. It is the blue S beside the green onion.

>Javascript is enabled for anonymity

If I read the FAQ correctly, it seems to say that if script were disabled by default for everyone again, then it would improve anonymity? It seems to be saying that it was only enabled because some users wouldn't be able to figure out how to enable it. I agree that it was a bad idea to enable script by default.

>Javascript is owned by Adobe

That's incorrect... Are you thinking of Flash?

>Not an infection, just for revealing your IP

If an attacker only wanted your IP, couldn't they have just injected an image instead?

agreed, using an exploit simply to reveal your IP sounds like an overkill, but an injected image or anything that runs in-browser wouldn't work, so the exploit may well be the minimum effort path.

No, they can't inject an image, because the browser would retrieve it using the Tor IP. The exploit uses OS system calls to get your IP, i.e bypassing the browser bundle entirely.

No, the exploit does not need to query the computer IP address - which would be pointless about 99 % of the time when the computer does not even have an Internet address.

The exploit just opens a TCP connection to some external host using the OS connect call (not through the browser network engine).

Help how i tell if i have this this shit i was just looking at Tor a few days ago first time using it and was browsing the .onion i ran into a few wired sites and not sure what they were. and i went to Tor mail as well. dose this only effect Tor browser or dose it effect whole system?. I seen some pretty dodgy shit and i did not like what i saw so i deleted Tor. but how do i know if i deleted this as well if i got it?.

If there is evidence of a crime on the computer and a raid happens chances are your life is over. The only way you might be able to avoid this is by getting rid of the system before they raid.

If he did anything illegal at all, which is not apparent from his post.

A crime of information (computer crime), a crime dealing with speech or images, means your life is over.

This world belief system that the USA has foisted upon the world is disgusting.
And if you don't obey it's system, as a country, you get invaded and bombed.
As an individual you get sent to their rape jails.

I hate them.

First of, Tor can be used for so much more than .onion sites. It is (if used properly) an anonymous way to reach the whole internet, the very same internet you use your normal non-anonymous web browser for today.

About the exploit, from the reports seen, it seems to not install itself or modify your system in any way, so you should not have to worry about it still being there, if you got infected at all.

Exploits like this happen all software that uses the internet, expecially web browsers. In a few weeks at the worst a fix will have been released, and Tor Browser will be safe to use again. You are welcome back then.

So I wonder what makes a modern, security friendly website? Could be a new best seller.. But seriously, I'd like to have a site that was available in secure and anonymous ways, and that didn't rely on js for client side code or on other insecure things, but on some other tech that was more user friendly . Maybe we need to work on a secure js subset or something we can accept or checksum against??! Maybe a mozilla or chromium plugin is the way forward for a proper site/web app with onion or i2p counterparts then?

html only, all ports closed, build from sources with each release of nginx, no php or javascript, read only file system and NO SWAP. Hosting a .onion site is risky, but if done right, the chances of having your ass handed to you are near nil. Also, never have physical access to the server or have any identifying information on said box that can be linked to you (this includeds pushing stuff remotely).

" that didn't rely on js for client side code or on other insecure things, "

JS is not "insecure".

" Maybe we need to work on a secure js subset "

There is such thing as an insecure JS feature.

There are security bugs in BROWSERS.
Not in JS.

Excuse me, but yes, this is a bug or unnecessary function in JavaScript that shouldn't have been included in the first place.

I'm coming to the opinion that JavaScript should be exceptionally limited in TBB and perhaps it's time for an extension that 'blocks' some of the more insane functions in Javascript.

NoScript is fine, however it only blocks EVERYTHING on a site and doesn't block some of the more dangerous functions in JavaScript if you allow a website to use JavaScript, which on a lot of sites on the internet today you HAVE to allow JavaScript or the sites don't work correctly.

https://twitter.com/VUPEN/status/364129838426107904

TOR Browser 0day in the wild exploits a use-after-free in JavaScript module & bypasses ASLR with advanced heap manipulation!

http://www.twitlonger.com/show/n_1rlo0uu <------------ this guy pulled the exploit apart

If this dude is correct, TOR stands to live another day. It appears they didn't penetrate the TOR network at all (if he is correct).

If I understand him correctly, it was on the target site. The user would have infected their own system, not the FBI piercing the TOR shell.

In this case, good job FBI, good job TOR.

Didn't penetrate the Tor network?

You don't think targeting and infecting a broad swath of supposedly "hidden" Tor servers is a "penetration"?

If that isn't a "penetration", I don't know what is. It appears to me that any "hidden" service can be targeted and infected at any time, so what is the point of even using them?

Speaking of policing ourselves, hopefully it was "anonymous" again:

http://www.pcmag.com/article2/0,2817,2395171,00.asp

Remember?

OK so how do i ride my PC of this if i got it anyone? from Tor mail?