Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a JavaScript vulnerability in Firefox has been observed in the wild. Specifically, Windows users of the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.

Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…

I also saw one cookie, under Torbutton cookie protections, but it was maybe 2 or 3 weeks ago. I was checking everything in settings and so I saw one cookie there and I removed it. But... I was FOR SURE using 17.0.7, the latest 2.3.25-10 release, when this happened; I have been using that since it became available. I know that for sure from the file modified date of when I extracted it, and I checked the version.

Is it normal for there ever to be a cookie under the Torbutton cookie protections? In the fixed version, does the exploit only create the cookie but not send it?

Anonymous

August 06, 2013

I have two questions for arma:
- If I downloaded my browser mid-to-late June or early July, would I still be vulnerable?
- If I only ever visited hidden service websites, and only ever clicked on images on those sites, would I still be vulnerable?

Anonymous

August 06, 2013

You should obviously have JavaScript disabled by default in Tor Browser.
I thought Security > Functionality was the obvious priority for Tor browser.

Anonymous

August 06, 2013

Does anyone know when the Freedom Hosting sites were infected?

I know that earlier the time frame was said to be a few days ago, but I wasn't sure if there had been any developments.

Anonymous

August 06, 2013

What to do if you think you were hacked by the LEA
Time for DAMAGE LIMITATION advice - I suggest you add any advice you have and post it far and wide!

So the LEA have got thousands of MAC codes and IP addresses of PCs that visited onion sites that contain illegal material. It will take time to process all that information and get court orders for the addresses behind the IPs etc. - so I should think everyone who was compromised has at least a week before their door is busted down and all their computer equipment seized. Probably months. USE THAT TIME WISELY

First, your IP address by itself is not worth much as evidence - could have come from someone using your WiFi or a visitor to your house. The MAC address is more compromising - your PC is the only one in the World with that MAC address and proves that the site access came from that particular PC. So first, change your PC and don't keep that one in your house. If you use a network card or network USB dongle on that PC, get rid of those also (they have unique MAC addresses).

Deleted files can be recovered. If you have *ever* had illegal material on your HDD, get rid of that HDD or, if you know what you are doing, wipe it. Any compromising files you *really* want to keep, copy to an encrypted container on a new, separate HDD (e.g. TrueCrypt), unless your country can force you to give up the key (e.g. the UK).

The raid will still happen, but if the computer with the compromised MAC is not found and there is no illegal material found, there is no case against you and you will eventually get all your stuff back with no action taken (though it will probably take a year or so).

Finally and most importantly, if you are questioned by LEA, there is only one answer you MUST give to *every single* question. "NO COMMENT". Do not believe anyone who tells you that saying anything different will be better. It won't.

Nobody is going to get busted because he attempted to visit the front page of some kinky website. FBI is most likely going to distribute the collected list of IPs to local police departments for further surveillance. You will receive your knock years later and nobody is going to even mention this TorSploit then.

Agree, this is the most likely course of action here. If you think you were infected, disposing of the PC and evidence won't help you. You need to change your habits and be very careful what you say or do online and IRL from now until... forever.

I disagree. It is sufficient to get a search warrant, same as happened with the Landslide bust. The LEA then hope to find a good percentage who have illegal material on their PCs - which is what they prosecute over. If you are right but take the precaution you have lost very little except time, if you are wrong and don't take the precaution it could be a life-changing event.

Contrary to what you say, I cannot see that any LEA is going to spend the resources on setting up years of surveillance on the probably thousands of households who were caught by the sting.

But in Landslide the feds had records of what the customers purchased and downloaded. Here all they know is the person went to the website, but not what they downloaded or looked at. It would seem similar to "this person was observed leaving a house of a known drug dealer." Is that probable cause to search that person's vehicle or house? Reasonable suspicion to stop and question them maybe, but enough probable cause to get a search warrant?

>>but enough probable cause to get a search warrant?

I would suggest yes. If they know (for instance) that you accessed a cp site, that would be a strong suggestion that you would have cp on your computer (after all, why would you be accessing the cp website if not to get cp?). Present that to a judge and I can't see any reason why a warrant/order wouldn't be issued.

According to Wikipedia, a Federal investigation into Texas-based Landslide Productions yielded a user database with 300,000 names, of which 35,000 were U.S. residents. Of the 35,000, a portion were selected to receive invitations to purchase illegal material by mail. The results of this subsequent sting yielded 144 search warrants and 100 arrests. Note that the DOJ did not seek warrants based on the mere presence of names in the subscriber database, but only after the subsequent sting operated by ICAC and USPIS.

It would seem that an IP and MAC address are slight evidence when compared with the credit card and business records found in the Landslide investigations.

I think this server-side hack would be illegal so the FBI couldn't use it as a basis for anything. It would be like the FBI installing a hidden camera inside a suspected drug dealer's house to record everybody who entered, without a warrant. (On the other hand, is this exploit something a U.S. court could authorize? I'm not a lawyer).

I am a US lawyer (at least by education and historical avocation). First, forget the FBI if the server was outside the US. The NSA can (and does) intercept all international traffic. That's its legitimate job. Outside the US, you don't have any US constitutional protections; that's what international borders are about. We have a constitution in our country (the US), but outside the US different countries are organized under different rules. And, international communications are essentially subject to no rules.

It gets worse. Since the NSA can gather whatever it wants outside the US (German Enigma and Japanese JN-25 codes during WWII, Russian codes for traffic between the US and Moscow under project Venona, Russian codes generally under Project TICOM, etc.), it can do whatever it wants with the information, including giving it to the FBI. If they give information lawfully collected in an international communication to the FBI, the FBI can use it against you. Why would they need a warrant?

Earlier in this thread somebody mentioned WiFi. Are you nuts? Anything you put out using WiFi or other frequencies of the electromagnetic spectrum - including use of your cell phone and its geolocation - is fair game. While the FBI or NSA might go to the FISA court (you'll never know) for a warrant just to be sure, I can make a very strong argument that they don't have to, and shouldn't be required to.

The long-standing principle is that "the airwaves belong to the people" (codified in the Communications Act of 1934). And, you may remember a famous speech in US history about our government being "of the people, by the people, and for the people."

Thus, the government "of the people" should be able to listen to anything on the airwaves they own. [I oppose the legislation that prohibits ordinary citizens from listening to cell phone conversations on scanners. Sounds strange, huh?] If "the people" - which includes the government - cannot listen to WiFi (BTW: Every version of Fedora ships with an application that hacks it.) or the government is required to get a warrant (that is, conditional permission) to listen to your cell phone conversations, it is a very short step to general prohibitions on citizens listening to the BBC or programs the government determines might include information that is "dangerous" or potentially valuable to terrorists.

This is very different from breaking into the house of a suspect to install a surveillance device. That does require a warrant because the Fourth Amendment protects "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" without a warrant. An off-shore server is not the "house, papers or effects" of a US citizen or a citizen then-subject to US law. (Try moving to Russia and setting up a server hosting comments critical of Vladimir Putin. See how far your protest for a US warrant gets you.)

Gnovalis

Anonymous

August 06, 2013

Hi Arma,
Thanks for your replies.
You are amazing for replying so quickly in these trying times for privacy and anonymity.

Has TOR thought of adopting more advanced header analysis and an inbuilt firewall system that will actively parse and analyze for hack attempts?

Have you thought of upgrading the TOR Browser bundle so that it will act also as a comprehensive firewall like Comodo firewall?

ALSO is TOR safe from ICMP and IGMP exploits???

TOR does NOT protect you from IGMP or ICMP!
You need to block this in your firewall!
If there is an IGMP hack someday, even with TOR you are busted!

Anonymous

August 06, 2013

Does this mean that if we have a Tormail email account our emails can now be read? Will Tormail ever be back?

You have to assume that all emails on Tormail are now in the hands of LEA. It could have been the primary target and all the sloppy CP bust exploit could be just a coverup. If that's the case, it worked perfectly. Nobody talks about Tormail - the real issue here, but everyone talks about a few busted pedos.

"Busted the biggest hoster of CP on the planet?" Bullshit, FH didn't host much; the biggest onion CP hosting site is still up and running, and most of the CP allegedly hosted on FH was just links to files hosted on clearnet hosts, such as rapidshare, sendspace, mega... these are the biggest CP hosters in the world.

What they really bust is Tormail, used by whistle blowers and activists. That's the real story here! They want to get to those who are anti government and pro people, like wiki-leaks supporters. Taking down a few CP sites that only had links and have already been partially restored on safe servers, is just a media attention catcher.

Yes the primary target of the NSA was tormail. This cannot be repeated enough! The purpose of that is to collect data on as many whistle blowers/leaks as possible. Of course there is the chance to find out lots of other potentially useful info that could come from nation actors of every nation who might happen to use tormail.

The secondary target was fear. They have aimed for some time (though using various stories of busts where TOR was not actually the determining factor) to scare people away from TOR and any other anonymous network. Projects like TOR are quite useful to their own people (and probably even more useful to the CIA) yet to them it is extremely dangerous in the hands of the average citizen (or a whistle-blower). Their position/mentality is that they should maintain total control while TOR is an obstacle to this end.

With this operation - they have achieved both major goals. Going after pedophiles is not and never was the NSA's mission. Much like the MPAA/RIAA - they do not care one bit about CP right up to the point it becomes useful to them as a cover to do whatever they want.

Just so everyone is clear - TOR isn't bulletproof but TOR works... and it is for this reason that the NSA would very much like you to believe otherwise.

Everybody talks about NSA, FBI and CP, when in fact it could be anybody. The U.S. intelligence community (I.C.) has a company, In-Q-Tel in Reston, Va. It is a venture capital company that funds start-up technology companies developing technology of value to intelligence gathering. Two things to keep in mind:

1. In-Q-Tel is NOT the only company in the venture capital world that invests in the information technology surveillance space. There are plenty of others.

2. I know this is hard to believe, but start-up enterprises desperate for sales are not terribly discerning about whom their customers are. They'll basically sell their products to anybody - in government or the private sector - who has the money.

[There are private companies will geolocate your cell phone for anybody with the money. They index every word you write and develop "personality profiles" on you that they'll sell to anybody (like 90% of hiring managers). If you have a Facebook account, why would you ever use Tor? You've already prostituted your mind to innumerable Johns.]

Tor mail was the target. I used it to communicate with my daughter studying last semester in ROK during the tension with PDRK. ROK censors the Internet, and censors the news. Except for information she received from me (some of which was classified and identified as such with instructions not to distribute it further), she knew very little. The international student organization that sponsored her study there was also kept apprised (with the classified intel left out).

[For those who are curious, no, the PDRK does not have any deliverable nuclear weapons, China is working very closely with the U.S. (closer than you could ever imagine), and Russia has essentially broken diplomatic relations with PDRK. There were a few hairy days. But, fortunately, they passed uneventfully.]

[BTW: I also use Tor mail to communicate with a troubled youth who does not want to be found. It would be nice to be able to confirm that she is safe.]

So, I am less worried about NSA than KCIA, which I'm sure has access to the same software and the same information. KCIA will want to get me, again. [Can't tell you about the first time. It's still classified.] Then there's the Chinese, the Libyans (also pissed at me for reasons I can't discuss), and my dear friends at Mossad. Show up at my door, you'd better be well-armed. I don't have visitors. Ever.

My NCIC is "unavailable," I can't get a passport, I can't get a job (if FBI won't acknowledge that you exist, you are unemployable), my $90K Jaguar disappeared (according to the insurance company, there was no record of it having been titled or registered in any jurisdiction, and no documentation that it was lawfully imported). As I recommended in an earlier message, if you are going to play in exciting games, know how the FBI "triple threat" surveillance program works IN ADVANCE. What I've described is the "managed aggression" component.

NSA and FBI would likely ignore my tor mail message traffic. But, KCIA will be pissed and demand that FBI turn up the heat again. I expect them any time. But, NSA, DEA, FBI, CIA are not my primary concerns. I have nothing to do with CP; wouldn't know where to find it (because I haven't made any effort to look). As for DEA, I used to hold a DEA registration, and I purchase all of my controlled substances legally.

The loss of tor mail is tragic. It does have legitimate uses.
Gnovalis

Yeah, maybe it does, but I stick with my assessment from tor-talk today:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029320.html

"While I don't really have an opinion on whether this service should stay
dormant, I do hope they leave the TorMail name behind. Too many users got
confused about whether it was an official Tor service (it wasn't). And I
can't help but conclude that this confusion was intentional and welcome
on the part of the service operators -- which I confess makes me have
little sympathy for them disappearing."

>>You have to assume that all emails on Tormail are now in the hands of LEA.

Why? What evidence is there LEA is in possession of the FH servers?

Anonymous

August 06, 2013

So I downloaded the TBB like 3 hours ago, with Javascript enabled... I shouldn't worry about anything right?

Anything at all? :)

You should worry about everything that you should normally worry about on the Internet. Most of the recommendations in the advisory still apply, now and in the future.

Anonymous

August 06, 2013

Well, Tor isn't totally safe anymore. Who knows what's next on the JavaScript exploits list? You guys wouldn't have even known there was an exploit if it wasn't for the arrest of the FH admin and the sites hosted by FH going down. Best couple it with VPNs or a VPS; exploits get nastier by the day. In the meantime, any alternatives to Tormail are welcome, since Tormail won't come back up anytime soon. Is the Tormail data center compromised now, and is an LEA looking through those mails already?

There are some steps you can take to protect yourself even more from similar attacks, but a typical VPN service or a proxy is not one of those steps.

Anonymous

August 06, 2013

I'm pretty sure this script ignores your VPN entirely, because it's executed in your browser and gathers info locally. So it obtains your real IP/MAC - before any info even leaves your PC - and only then sends it over your VPN connection to the target port. So the FBI would see the incoming data coming from your VPN but the data would contain your real, naked IP/MAC. Am I correct?

Incorrect, the exploit code itself doesn't get your IP because the kernel functions the code can call only know your network adapter's IP which is pretty useless (i.e. if you're behind a router like most are it's probably a generic 192.168.x.x or similar). The server on their end gets the IP because your router strips the LAN IP and adds its WAN IP to the packet (your "real" IP). However if you're going through a VPN the VPN then strips that and adds its own. So the server would only know the VPN's IP. They would get your MAC address even through the VPN but that's no use to them without also knowing your real IP.

Wrong:

user machine -> tor proxy -> onion land / clearnet => SAFE
EXPLOIT WOULD YIELD AN EXITNODE IP

user machine -> vpn -> tor -> onion land / clearnet => SAFE
EXPLOIT WOULD YIELD A VPN EXTERNAL IP

Wrong, see post above. The script executes and collects data before it's obfuscated by VPN or TOR.

I fixed your diagram:

user machine (collected real IP) -> tor proxy -> onion land / clearnet => BUSTED
EXPLOIT WOULD YIELD YOUR REAL IP

user machine (collected real IP) -> vpn -> tor -> onion land / clearnet => BUSTED
EXPLOIT WOULD YIELD YOUR REAL IP

That is not how it works. If you have a dedicated Tor proxy which only allows traffic to go over the Tor network, then there is no way that the script could have circumvented that. Same situation if you set up a VPN: the API called respects the routing table and therefore would have used the VPN connection.

WTF guys, don't you realize? The exploit reads your adapters' h_addr_list structure, all available IPs including the tun/tap interface in case of a VPN. So whatever you use - VPN, Tor, spacecraft, lasergun or bla-bla-bla - this info package is delivered and stored in a DB, tagged with your unique case UUID.

It reads it from the Windows network stack, then sends it over a browser-independent connection. If you use a VPN, transparent Tor, etc., it is just a communication channel for delivery. Like a raindrop, no matter how many clouds are in the way, it reaches the ground.
Lucky are the people who used an internal LAN/VM or a non-ISP DHCP network; then they only got 192.168.*, 10.*, 172.16.* for hunting.
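The disagreement above (whether a VPN or the browser's proxy settings stop a payload that opens its own connection) and the earlier point that Tor does nothing about ICMP or IGMP both come down to where the enforcement lives: a SOCKS setting inside the browser binds only code that chooses to honour it, while the kernel's routing and filtering apply to every process. Below is an added example, not code from the Tor Project or from any poster in this thread, of a host-level netfilter rule set that makes the decision for the whole machine: only the Tor daemon may send packets off the host, new TCP connections and DNS from every other process are redirected into Tor's TransPort and DNSPort, and everything else, including ICMP and IGMP, is rejected. It assumes a Linux host with iptables, a torrc containing `TransPort 9040` and `DNSPort 5353`, and Tor running as the user `debian-tor` (Debian's default); all three are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the Tor Project or this thread): force every packet
# leaving this host through the local Tor daemon, so native code that ignores
# the browser's SOCKS settings, or a VPN tunnel, still cannot reach the
# Internet directly. Assumptions: Linux with iptables; torrc contains
#   TransPort 9040
#   DNSPort 5353
# and tor runs as the user named in TOR_UID (debian-tor is Debian's default).
# Run without arguments for a dry run; "apply" feeds the rules to iptables
# (needs root). NOTE: "apply" flushes any existing OUTPUT rules first.

TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# Emit the rule set, one iptables command per line (comments start with #).
tor_only_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -t nat -F OUTPUT
# nat/OUTPUT: tor's own sockets and loopback traffic are left untouched ...
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
# ... everything else is redirected: DNS into tor's DNSPort, new TCP
# connections into the TransPort. UDP other than DNS has no Tor path at all.
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# filter/OUTPUT: only tor, loopback and already-established flows may leave.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
# Final catch-all. This is what stops ICMP, IGMP, stray UDP and any TCP that
# escaped the nat redirect; without it the nat rules alone still leak.
iptables -A OUTPUT -j REJECT
EOF
}

# Sanity-check the generated rule set before applying it: the last filter
# rule must be the REJECT catch-all, and every REDIRECT must point at one
# of the two configured Tor ports (a typo here would black-hole traffic).
rules_are_sane() {
    rules=$(tor_only_rules | grep -v '^#')
    printf '%s\n' "$rules" | tail -n 1 | grep -q -- '-j REJECT$' || return 1
    printf '%s\n' "$rules" | grep -- '-j REDIRECT' \
        | grep -Eqv -- "--to-ports ($DNS_PORT|$TRANS_PORT)\$" && return 1
    return 0
}

case "$1" in
    apply)
        rules_are_sane || { echo "refusing to apply: rule set failed sanity check" >&2; exit 1; }
        tor_only_rules | grep -v '^#' | sh -e
        ;;
    *)
        tor_only_rules
        ;;
esac
```

`sh tor-only.sh` prints the rules for review; `sudo sh tor-only.sh apply` installs them. Under these rules a payload that enumerates the adapter list still learns whatever the host knows about itself (hostname, MAC, a LAN address), but its beacon can only leave through Tor, so the collecting server sees an exit node rather than the host's real address. That is the "dedicated tor proxy" case one poster describes, made true by the kernel instead of by the browser. The Windows users named in the advisory cannot apply netfilter rules on the browser machine itself; the equivalent there is to run the browser in a VM whose only network path is a gateway enforcing rules like these.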

CP, drug deals and financial fraud are only covers. They don't give a damn about any of it unless it suits their larger goals. Like catching whistleblowers who reveal their secret plans and illegal schemes. Like Snowden did with PRISM. They wanted access to Tormail, because it's likely that other heroes like Snowden were using it, and could be caught by reading the emails.

It's an attack on your freedom, don't let them fool you that it's all done to protect you. It's only protecting the interest of the government and those behind it, to stay in power.

What else can we use now to communicate without being spied upon? Tormail was the place to go... now we're redirected to Gmail and other compromised email providers that we now know are logged and read by the NSA... welcome to the police state.

Today it's TOR. Soon they will call you a pedophile or terrorist if you use PGP or any sort of encryption at all. We are losing the War For Freedom, and even small victories like Wikileaks and Snowden don't seem to matter, because most of the population is spoonfed whatever lies the government wants them to swallow.

Anonymous

August 06, 2013

TorMail is an interesting issue here. The almost certain fact is that existing accounts are in the hands of FBI. Also, AFAIK, TorMail is an enterprise not related to FreedomHosting, they merely rented a server there. So technically, TorMail could resume as soon as they find a new service provider. They could continue under the name of TorMail, or they could use any other name, in order to not be associated with the compromised old accounts. Now, FBI could launch their own little TorMail. Or FBI could start their own anonymous mail service under a different name.

Whatever. The crucial point is that we will have no way to tell which is true. In fact, I don't think that we even need to worry about that - when one uses someone else's service without seeing where it hides its brain, one should always assume that all his actions may be monitored by some hostile agent. TorMail could have been hostile, bribed, or hacked. Same about FH. Or, no matter how good were the intentions of TorMail and Freedom Hosting, there was always a chance that somebody would accidentally stumble upon the servers and read everyone's correspondence. Or knock the server owner against his head and then read everyone's correspondence.

So if (or rather, when) TorMail or something similar returns, we won't really know whether it's the FBI or the original thing (unless they give back your old account, in which case it can only be the FBI). But it doesn't really matter. As long as you stay in character, you can just as well use the feds' servers for your shadowy actions. If you let your real-world ID slip, you are doomed either way.

+1 for the Rowling. The fact that hidden services were constructed specifically to hide the identity of both ends of the connection makes it amazing that Torproject did not take steps to protect users from malicious hidden services by disabling JavaScript by default on onion domains. I keep looking for logical justifications for NoScript not being enabled, and it always comes back to the 'usability' nonsense. Privacy SHOULD trump usability in this environment.

It should give more than a few people pause to consider that both torproject and TAILS, by default, do not enable javascript blocking AND both software suites direct the browser on load to a page that could be compromised in the exact same manner as site on FreedomHosting were. I understand that to a certain extent you must trust the project developers not to backdoor your software, but I see no reason why every time I load the software I am asked to trust their website.

No, NSA gathers electronic intel -- mostly tracking terrorists. Knowing the real users of TorMail would be of great interest to the NSA (presumably it's used by terrorists as well) and exactly the kind of intel they gather. This exploit would have allowed that if it weren't discovered. They wouldn't want it to be discovered because I'm sure they'd rather have terrorists think they're anonymous and safe and communicate openly rather than think they're being watched.

I'll believe the affiliation claims when somebody comes forward to claim responsibility.

IP-to-whatever databases are notorious for being inaccurate. I haven't seen anything at all to convince us that it's the NSA, or the FBI, or really anybody at all.

It was FBI or NSA. There is no doubt about that now. If it were hackers, they would announce it on day 1. They would also inject a virus with the payload.

But the government agencies don't have to announce anything. They can keep the collected data for years to come, watch the suspects, and strike at any time they see fit.

Especially if Tormail was the primary target, they will not issue any official announcements and everyone will forget about it. And they have a contingency in case the talk about this doesn't fade - they can simply raid the collected IP addresses and again shift all attention from their actual target.

All because the public is dumb enough to fall for one of two cliched reasons:

"We are the government and we can do what we want to you and your rights because... Child Porn!"

and

"We are the government and we can do what we want to you and your rights because... Terrorists!"

And the dumb populations says: "Oh that's right, noble goals, do what you have to!"

And here we are.

I wouldn't let them hack our computers even if Bin Laden and his ilk took down two random towers in the US each bloody week. It's not worth it in the long run. How about, instead of treating everyone as a suspect, you stop invading other countries and killing their children? Maybe that would reduce the amount of hate and terror aimed at you, 'Merica.

It's easy Obama, just tell your soldiers to move out and come home. It really is that simple. And stop spying on the world.