Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, that it has been breached, or that attackers have placed a JavaScript exploit on the web sites it hosts.
A hidden service is a server, often delivering web pages, that is reachable only through the Tor network. While most people know that the Tor network, with its thousands of volunteer-run nodes, provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor also provides anonymity for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users seeking help with suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information securely and anonymously, and to publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, also known as .onion domains, are generated automatically and cryptographically by the Tor software from the service's own public key. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository or registry of addresses. The .onion address is both the name and the routing address for the services hosted there; because it is derived from the service's key, a client can check that the key it is handed belongs to the name it asked for, without having to trust any directory. The Tor network uses the .onion address to direct requests to the hidden server and to route the hidden server's replies back to the anonymous user. The design of the Tor network ensures that the user cannot learn where the server is located and the server cannot learn the IP address of the user, except by intentionally malicious means such as hidden tracking code embedded in the web pages the server delivers. Additionally, because the Tor network is run by thousands of volunteers, its design is intended to make it infeasible to censor or block individual .onion addresses.
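As an added illustration (this is not code from the original post or from the Tor Project), here is how a 16-character .onion name of the kind shown above is derived from the service's public key, and the check a client can make on it. In Tor's version 2 hidden service protocol the name is the first 80 bits of the SHA-1 hash of the DER-encoded RSA public key, base32-encoded. The key bytes below are a constructed placeholder, not a real key; the function and variable names are the example's own.

```python
import base64
import hashlib
import re

# Constructed placeholder standing in for the DER-encoded RSAPublicKey
# (SEQUENCE { modulus, exponent }) of a hidden service. These bytes are made
# up for the example and are not a real Tor key.
SAMPLE_DER_KEY = bytes(range(1, 141))

V2_ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def onion_address(der_public_key: bytes) -> str:
    """Derive the v2 .onion hostname from a DER-encoded RSA public key:
    the first 80 bits (10 bytes) of SHA-1(key), base32-encoded and lowercased.
    Ten bytes base32-encode to exactly 16 characters with no padding."""
    digest = hashlib.sha1(der_public_key).digest()
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def is_v2_onion(address: str) -> bool:
    """Syntactic check: 16 base32 characters (a-z, 2-7) followed by '.onion'."""
    return V2_ONION_RE.match(address.strip().lower()) is not None


def key_matches_address(der_public_key: bytes, address: str) -> bool:
    """The self-authentication step: a client that has fetched a hidden
    service descriptor checks that the public key inside it hashes to the
    name it asked for. No registry has to be trusted for this; a descriptor
    carrying a different key is simply rejected."""
    if not is_v2_onion(address):
        return False
    return onion_address(der_public_key) == address.strip().lower()


if __name__ == "__main__":
    addr = onion_address(SAMPLE_DER_KEY)
    print("derived address:", addr)
    print("key matches:", key_matches_address(SAMPLE_DER_KEY, addr))
    tampered = bytearray(SAMPLE_DER_KEY)
    tampered[5] ^= 0x01
    print("tampered key matches:", key_matches_address(bytes(tampered), addr))
```

The point of the last check is the one the paragraph makes: nothing in the network has to be trusted to map a name to a key, because the name is the key's fingerprint. Flipping a single bit of the key changes the derived address, so a substituted key fails the check.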
The person, or persons, who run Freedom Hosting are in no way affiliated with or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running on the server behind the .onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of JavaScript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
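The paragraph above describes the server-side half of the attack: a compromised host quietly adding script to otherwise normal pages. As an added example (not from the original post or from any party involved, and not a signature of the actual Freedom Hosting injection), here is the kind of check a hidden service operator can run over the HTML their own server is really serving. It flags three things a hand-written page would not normally contain: an inline script block, a script loaded from a host other than the operator's own, and an iframe sized or styled to be invisible. The page, hostnames and function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for the example: the operator's hostname and the
# iframe/script targets below are made-up placeholders, not real sites.
OUR_HOST = "abcdefghijklmnop.onion"
SUSPICIOUS_PAGE = """<html><body>
<h1>Welcome</h1><p>Nothing to see here.</p>
<iframe src="http://exampleexample22.onion/f" width="0" height="0"></iframe>
<script>var a = document.createElement("div"); /* injected */</script>
<script src="http://not-our-host.example/x.js"></script>
<script src="/static/menu.js"></script>
</body></html>"""
CLEAN_PAGE = '<html><body><p>Hi</p><script src="/static/menu.js"></script></body></html>'


def _is_zero(value):
    """'0', '0px', ' 0 ' and similar count as a zero dimension."""
    return (value or "").strip().lower().rstrip("px").strip() == "0"


class InjectionScanner(HTMLParser):
    """Walks served HTML and records script/iframe constructs that the
    operator did not put in the page."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []          # list of (kind, detail)
        self._inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._inline_script = True      # body arrives via handle_data
            else:
                host = urlparse(src).hostname   # None for relative URLs
                if host and host != self.own_host:
                    self.findings.append(("external-script", src))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (_is_zero(a.get("width")) or _is_zero(a.get("height"))
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._inline_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False


def scan_page(page, own_host=OUR_HOST):
    """Return the list of (kind, detail) findings for one served page."""
    scanner = InjectionScanner(own_host)
    scanner.feed(page)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SUSPICIOUS_PAGE):
        print(f"{kind:16} {detail}")
    print("clean page findings:", scan_page(CLEAN_PAGE))
```

Run it against pages fetched through the service's own .onion address rather than against files on disk: an injection done in the web server or a proxy layer, as described above, shows up only in what is actually delivered to clients.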
As of now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Anonymous

August 04, 2013


@Anonymous

Disabling poor wittle Javascript would likely buy little additional security when dealing with something like FBI.

It's not unreasonable to assume they can develop capabilities for penetration of browsers with JS disabled, or already have such ability.

A more robust approach would be to get a goddamn Raspberry Pi and this https://github.com/grugq/PORTALofPi (assuming you have to seriously worry about FBI), and / or a really thorough VM setup (though it's not like there aren't any VM escape exploits out there, amrite? =) )

Exactly. Javascript is only one attack vector, and is usually considered safe - this was an extreme case, otherwise you'd be hearing about Javascript exploits all the time.

Even loading images can be dangerous, depending on the image-loading code. A PHP script that returns an image mimetype could be used to exploit any weakness in that code. Should we look at the entire internet in plaintext, given the possibility that there's a vulnerability in that code? How many other attack vectors have opened up recently?

Anonymous

August 04, 2013


So:
-Evil cookies
-HTTP requests
in:
-Through Tor?
-Around Tor?
-Using desktop Firefox?

And will people be arrested for using services with no proof of anything close to borderline illegal, just for using encrypted services?

I'm using Qubes+TorVM from now on.

Anonymous

August 04, 2013


I am shocked anyone uses Javascript with Tor. One is owned by Adobe and is used to all manner of malicious ends, while Tor is precisely the opposite.

You don't understand what people are using. Java and JavaScript are different. Both are potentially bad. One version of Java is owned by Oracle, although there are others; OpenJDK is an example of a non-Oracle Java. Then there is JavaScript, which is a completely different technology and not owned by Oracle.

So Oracle owns a piece of OPEN SOURCE software released under the GPL? That's weird.
FYI: Oracle develops OpenJDK but it's open source so anyone can fork it, no one owns it.

Anonymous

August 04, 2013


Guys i think this malicious code could be a hoax. They say it is on all of the sites that were on freedom hosting but I only found it on one onion site. That site claims to be hosted by freedom hosting but clearly isn't because it is still up even days after the raid on freedom hosting.

Anonymous

August 04, 2013


Why would anyone want to shut down something like Tormail? It's a damn webmail service. If it was the FBI or anyone from the government that took FH, and by extension Tormail, down, then the responsible persons must be fired immediately and brought to justice for abuse of power. They are doing the same thing they did with Megaupload: they shut everything down and everyone must suffer, even if they didn't do anything wrong or illegal. What a shame of an agency, and what a waste of money giving them a single penny.

They want to shut down everything they cannot control. That's all. They will not stop before absolute control of everything.

More potentially incriminating evidence that you can shake Edward Snowden at. Tormail is ostensibly shady, so it makes sense to seize the entire site rather than try to partner with it.

Think about it.

This is coming right on the heels of the Snowden NSA mass spying and data mining revelations. I myself had just decided to "go deep and dark" because of it, as I am sure millions of others have, and tens of millions more, if only they knew how.

I just opened a Tormail account that day and had sent myself one lousy test message. Now, I might have to worry about the FBI and SWAT team coming to my house, just for opening a damned anonymous and encrypted email account!

It is no coincidence that this is happening now, right when it could be easily foreseen that a great number of people would be migrating to the "deep web" to get away from the pervasive NSA spying.

This is clearly a "psy-op" to prevent that, much more than a shutting down and prosecution of those hosting illegal data, which is window dressing. After all, the U.S. government are the biggest child sex traffickers in the world, the real stuff, not just images, though that is where many of them come from. The NSA itself plants child porn on the computers of politicians and government workers in order to blackmail them and buy their obedience and their silence. It is a powerful tool of control that they do not hesitate for one second to use.

I have no doubt they will also use the IP and MAC address data to go on "fishing expeditions" against those who didn't even do anything illegal. They will use it as their "probable cause" This will allow them to tear people's houses apart looking for anything and everything they can use as evidence.

We all need to get real and get serious, because this isn't America anymore, and the stakes of forgetting that are getting very high.

This is why Tor Browser needs to come "locked down" to its highest security mode. Screw convenience. It isn't convenient living in a tyranny, and anyone who is the least bit in touch with reality knows that is where we are now at, and where we are going. No more play time! I didn't decide to go to TOR for entertainment.

On another note, I am more interested in HOW these JS exploits were put on the servers, since we know exactly how they got put on the clients.

Maybe NSA owned those servers all along.

Anonymous

August 04, 2013


Did this exploit get installed on TorMail or any other hidden service? What hidden services had this exploit running? Is it still running there? Did anyone post the code + shellcode for the exploit?

Anonymous

August 04, 2013


Well, Tor is dead now. Good job, dipshit developers, for including the genius idea of globally allowing scripts.

Oh look! You can post a link. 'atta boy! Let me pat you on the head.

Still doesn't change, that their reasoning is bullshit. As I said in another comment, your Tor usage is identifiable anyways, because most of the Exit Nodes are well known. So anonymity is no argument at all.
And sure. For some people it may be a hard choice between losing users or putting them in danger. And danger there obviously is, as we've seen now.

If there are not enough Tor users there is a danger of being identified too. This would also defeat the purpose of Tor. It's not just a matter of the developers wanting to attract more users. Now you can argue that having javascript enabled is not worth the risks to users vs the anonymity gained from a larger user base.

There might be or have been a solution to reduce the significance of this problem. The Tor project could expect onion operators to be more cautious and not use javascript while allowing non-onion sites to use javascript. This would ensure every Tor Browser Bundle setup remained the same and at the same time allowed non-tech savvy users to visit non-onion sites easily that are dependent on javascript.

Another feature that might be worth adding is something which alerts users to possible dangers. For instance, while there may not have been a fix to the problem, it might have been possible to cause all Tor Browser Bundle sessions to pop up a warning that notified the user of a possible unfixed compromise in Tor/Tor Browser Bundle/etc. This way there would have only been a small number of people affected (those on between 6am and whenever the issue became known).

I have to agree with the individual who posted the link. He provided a relevant link for those who would like to learn why javascript is enabled by default — to encourage users to consider TOR. If websites don't work with TOR browser then no one would use it.

You are certainly geek enough to know this.

Would you please kindly consider the fact that there were, in the past, exploits that ran arbitrary code from a goddamn .jpeg image?

So, what makes you think that there are no other .jpeg / gif / png exploits out there?

Besides, the exploit used in FH attack is OLD. O - L - D. Not a 0day. Latest tor browser bundles were IMMUNE.

So the only dipshits are the people who FAILED (F-A-I-L-E-D) to update (U-P-D-A-T-E) their bundles.

"So the only [fools] are the people who FAILED (F-A-I-L-E-D) to update (U-P-D-A-T-E) their bundles."

Whether or not they are the only ones, people who fail to update certainly are fools.

And what about the "genius idea" of using an OUTDATED, DEPRECATED version of TBB, with known vulns, that had been REPLACED OVER A MONTH AGO?

(Not that I'm saying that allowing scripts globally was a good idea.)

Anonymous

August 07, 2013

In reply to Anonymous


Look up Magic Lantern! Norton and McAfee install it; it tunnels through firewalls to report to the NSA.

Anonymous

August 09, 2013

In reply to Anonymous


+100

Anonymous

August 04, 2013


How do I tell if I got infected by this? I was poking around Tor a few days ago just to see what it was all about. Now I hear about this. WTF, how can I tell if I got this shit bug? Needless to say, fuck, I'm glad I deleted Tor, as it was too slow for me. But now I might have a fucking bug in my system because I used it.

I wouldn't worry. It doesn't appear to be an infection; it's just code that's run in your browser if you visit certain hidden sites, which sends your real IP to a server near Washington, DC. It appears the hackers/government were targeting child porn sites only, which were hosted by Freedom Hosting, to try to gather the real IPs of anybody going to those sites.

Yeah, it doesn't matter who the victims are. This attack affects every Tor user. You can't say we don't like party X and are glad they're gone, because then it's on to the next victim, and that victim is you.

Regardless of OS? I use Linux, I do not care about being exposed for using TorMail for non illegal purposes, but I do not like the idea that they can continue to download more malware and code.
Do you think I should format my Linux box?

TorMail wasn't even a child porn site! It had nothing at all to do with them.

I had just opened an account there, sent myself one lousy test message, and now TorMail is gone, and the friggin FBI and NSA could have my IP and probably MAC address too.

These days, with government tyranny and paranoia at an all time high, just being a known user of anonymous and encrypted services is enough to get you branded by NSA/DHS/FBI as a "domestic terrorist", or worse. That makes this some serious shit.

I can't tell you how angry and resentful this is making me.

There HAS to be a better way. If not, this country is DEAD.

As I understand it, there are two reasons the exploit as published will not work on Linux (Tails):

1. The web browser is compiled with a different compiler, with different compiler flags, against different system libraries and syscalls. An exploit made to inject shellcode into one compiled version of the browser most likely will not work in another. This published code tries to inject the shellcode into some version of Firefox 17 compiled for Windows.

2. The shellcode itself will use library calls or syscalls for the Windows NT platform. The library calls and syscalls differ between Windows and Linux, for the same reason you usually cannot run Windows exe files on Linux. The shellcode should fail to execute.

In addition to this, the Iceweasel browser in Tails is compiled with stack smash protection and other 0-day exploit prevention measures. But of course it might still be possible to make a new version of the exploit that works in Tails and other Linuxes as well; the source of the problem is in Firefox 17 ESR (and maybe other versions too), after all.

Anonymous

August 04, 2013


The US gov finances 80% of TOR development costs. Who'd you think would know how it works - and doesn't?

Everyone who is legitimately using TOR for non-criminal privacy reasons is being hurt because of the actions of a few. If you invite The Wrath you can expect to get smacked.

For the latest year available (2012) 60% came from the US government. Now if you ignored donated services then you could argue 73% came from the US government. I think 80% is a stretch of the imagination.

This is based on info from page 6 of the Tor Project Annual Report (income):

https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.p…

Another thing to note is that the project is aware of the fact that a large part of its funding is coming from a single source. There have been efforts to raise money and diversify the project's sources of income.

"The Tor Project's diversity of users means we have a diversity of funding sources too — and we're eager to diversify even further!"

https://www.torproject.org/about/sponsors.html.en

I forget (or maybe it isn't up any more) where the page is that documents this campaign. It met its target goals for this year or last year, which would explain its lack of prevalence on the front page, etc.

"For the latest year available (2012) 60% came from the US government. Now if you ignored donated services then you could argue 73% came from the US government. I think 80% is a stretch of the imagination."

So, at most, only 73% of the Tor Project's funding comes from Uncle Sam and maybe even as little as 60%?

Well, that makes all the difference now, doesn't it?

I feel completely reassured now.