Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

In a situation like this the best course of action is probably to dispose of the PC, media, printer, anything else which might be connected (eletronic or otherwise), etc far far away and before a raid happens. It would also probably be good to destroy parts/materials/etc. Then get familiar with your rights. Have a lawyer ready (investigate). Write the number on your body (and memorize it if you can)! When the raid happens don't provide anything other than your full name name and address. You probably shouldn't answer the door and you may want to be lying down after your door is broken down. Best to be lying down with your hands behind your head (ideally to avoid excuses they will give for force). As an answer to questions asked state that you'd prefer to remain silent, ask for a lawyer, and every so often ask if you may leave now. Take notes if possible and memorize names, badge #s, etc. As soon as your released or otherwise able write down whatever you can remember about the raid. It may help in your defense.

Just because you have accessed a web site does not mean you have broken any laws. It's up to the lawyers, prosecutors, and judge/jury to decide your fate and the best thing you can do is avoid giving the prosecutor/judge/jury/etc any reason to think you might possibly be guilty of a crime. The prosecutors going to make it out that you are a criminal of some sort regardless of the facts. Don't get upset. Let your lawyer do his job and never ever insist on getting up on stand or try defending yourself (in court, to judges, prosecutors, cops, or anybody else, just answer you have been advised not to speak without your lawyer).

That is your best chance at reducing your risk.

tl;dr: If he has done anything illegal, which is not apparent from his post.

The exploit itself seems not to install itself on or modify the system in anyway, even if it is successfully executes. All it does is completely deanonymizing the current Tor Browser session. This means that there is no action required to get rid of it. But to be safe, reinstall Tor Browser Bundle completely.

1 use vm
2 use freebsd fulldisk geli
2a (add some magic w/ last sector)
3 load freebsd to memory (by pxe)
4 enter manual password (add some magic w/ keyfiles)
5 (rc.d magic) - shutdown freebsd.

After 4 you have disk with you data, after 5 you have disk with random data!

Do you ever think they CAN and WILL falsify you data or connections?
Do you believe in lawyers? Just think in what state you live...

There is apparently no malware involved, but your IP/hostname and MAC address have been logged.
The only thing you could do is buying a new network card to change the MAC address permanently and wiping your hard drive to dispose of any evidence you migh have.

captcha contorl

August 04, 2013

Permalink

Man, you people sure like to pontificate and ramble on about nothing. Do some research, read the exploit code, and learn the facts.

https://blog.mozilla.org/security/2013/08/04/investigating-security-vul…

Current versions of tor browser are not affected because they are based on Firefox 17.0.7 ESR. The exploit was probably for people who do not update, or a specific person who did not update their tor browser.

As of this comment, there is no proof this Irish American guy is the hoster of Freedom Hosting.

As of this comment, there is no proof this attack has anything to do with the FBI.

All rumor and hearsay. The attack is real and incompetent.

Except the exploit code (shown in pastebin.mozilla.org/2777139) in function b() specifically launches if Firefox version is >=17 and < 18.

So? There is Firefox ESR 17.0.2, 17.03, 17.04, 17.05...
The useragent does not reveal the exact build. So the exploit code just had to target all of them.

It runs. But does it SUCCEED on all versions?
Look at the comments below and the remark from Daniel Verditz. This exploit might have been fixed in 17.07.

If your ESR build is 17.0.7, it runs, but does it run successfully? Would they be sloppy enough to include an if clause that checks for vulnerable versions, and that still runs on a known patched version?

If useragent doesn't reveal the exact build, why don't they just check for version 17.

Shouldn't it read:

if( version == 17 )
var12 = 0xE8;
return ;

instead of :

if( version >=17 && version <18 )
var12 = 0xE8;
return ;

Because the useragent looks like this
Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0

It only includes the major and minor version, but not the the build. There is no way to target specific builds.

You may be right, but how do you know that the exploit referenced in your link is the same as the one used against Freedom Hosting?

According to the description in your link, the exploit must crash the browser in order to execute?

A crash is relative, i suspect an exploitation of an exception handler to execute the payload (shell code). If done correctly ff won't crash because the "exception handler" handled (i.e. phoned to papa and gave you a nice cookie) the exception and continued the normal execution.

No, it means the exploit COULD cause a crash OR EVEN execute arbitrary code, which can probably be specially crafted so it doesn't crash the target process.
Still: Daniel Verditz may be right. But did he really test it, or did he just suppose it was the same exploit, because it worked in a similar manner?
So, still waiting for confirmation from different independent researchers.

That's what I was about to ask.

To be sure, someone would need to test the exploit in version 17.0.7. This would be easy to do, I would think, but less easy to fully test without accidentally having your IP broadcast to who knows whom.

If the attack requires people to be running javascript and cookies on an outdated browser with a flashing "!" telling you to update, then it's a pretty weak one, and not nearly as big a deal as everyone is making it out to be.

Mozilla did test the exploit against ESR 17.0.7 Firefox. It did not run. It did with 17.0.6, as Dan says on the Mozilla blog post in the comments.

It says the crash is exploitable, the rest just seems to be ineffective action. It might be the security fix affects it anyway, but there is a difference in the wording. (But maybe there even is a crash in those cases?)

You can't get rid of it. It just sends your IP adress, MAC-Address and hostname to a clearnet server and then exits. There is nothing to get rid of. The damage is: you have possibly been decloaked, when you ran an exploitable version and visited a freedom-hosting site.

It's not on your computer. This is not a virus. If you go to one of the infected sites (apparently only some kiddie porn sites hosted by Freedom Hosting), your real IP gets sent to a government or hacker's computer. If you don't go to one of their kiddie porn sites, nothing happens and you are perfectly okay.

That is technically impossible. The only thing you could try at this point is make that piece of equipment a present to your worst enemy or eat a cookie.

Classic isn't it? TL;DR?
delete your cookies

captcha contorl

August 04, 2013

Permalink

Hey Guys... I'm not english native speaker so, sorry by misspelling things. But I do have some knoledg about crisis and it's exacly what's happening now.

I use tor because I belive it's important have a tool (or asset) who you can trust at all costs. This said, javascript by default it's a huge flaw. Blindness trust is too.

But NOW, I thing tha the most important thing it's put things in perspective and create a plan to overcome this issue.

Fisrt a FAQ about the problema, and a post like "WHAT TO DO NOW". I belive that's a lot of people freaking out right now. And create "solutions, information, orientation" for these people, have to be the first thing to do right?

Hope you guys can create a quick and easy, What to do NOW. Cause the news are getting more and more hot.

Luck for you guys. Sorry I cant help with the details.

What to do NOW:

This situation only affects people going to child pornography sites hosted by Freedom Host.

If you do not go to child pornography sites, you are okay.

If you visited those child pornography sites, the government now has your identity (IP address).

It is that simple.

Apparently this exploit was on every site hosted by Freedom Host, including Tormail, so many non-pedos may have received the exploit.

It's not that simple. There going to be performing raids on people and if history has anything to show for it many of the people raided will have committed no crime. However your going to see a lot of suicides from the unjustified raids and poor tactics used by law enforcement. Convictions will be obtained through non-existent "evidence" (flawed for various reasons) and the burden to which one would have to prove it flawed,wrong, etc. When your facing the potential of life in prison or a few years in jail for a plead of guilty it's suicide (not to mention parents, friends, family, etc who will have all turned on you) or death by prison gang members. They don't go easy in prisons on people convicted of crimes against children. Every person who has used Tor recently needs to be concerned.

People should be rioting in the streets about this... not sitting in there homes waiting to be arrested for a crime they probably didn't commit.

United Shits of America won't care. All they care is that you're seeking privacy and automatically categorize you as a child porn watcher and/or terrorist.
Yes, I'm the same commenter as the Whonix and Qubes guy.

captcha contorl

August 04, 2013

Permalink

would there be some evidence on my computer that I got this exploit? like a cookie or something? this is the first time i've been on Tor since Aug. 2nd.

There are some asking the same. People seem to think it's beneath their notice to point out. Not knowing what the traces might be myself, I would surmise deleting and downloading a new Tor Browser and deactivating Java would be the safest option.

Hopefully... (hopefully) the latest version of Tor Browser Bundle is protected against this particular bug.
If you use normal Firefox with Tor, instead of TorBrowser... You deserve it. That is one of the dumbest things privacy-related you could do.

The exploit does leave a cookie, but it expires after 30 minutes.

Really this whole thing targets kiddie porn viewers. If you visited a kiddie porn site in the past week, your real IP is probably logged. If you didn't, you're okay and carry on as usual.

The US government and FBI are not well known for being specific where it relates to these attacks on pedophiles. Everybody has something to worry about regardless of there use of Tor for such activities. Even if your not using Tor you should be concerned. For instance using a generic picture upload site might get you targeted for a raid even if you have never uploaded pornographic material or anything illegal. That will ruin you, as employers, family, friends, and others will put as much distance and shun your “actions” (which aren't even true) based on the raid and negative media publicity.

Operation Avalanche (from wikipedia):

"Although US prosecutions were made on the basis of other evidence, later reconstruction of the Landslide site and review of the computer hard drives in the UK identified flaws in the police forensic procedures used and contradicted evidence on the website given at the Reedys' trial. Specifically, investigation of the Landslide data indicated many names listed were victims of credit card fraud, and that there was no link on the Landslide front page to take the user to child pornography sites as stated in sworn trial testimony.”

captcha contorl

August 04, 2013

Permalink

There are a bunch of other (non cp) compromised .onion sites that have sent your ip to the feds, like Tormail.

That's what pisses me off, tarred with the same brush just for using a mail service.

captcha contorl

August 04, 2013

Permalink

Does it affect users who had JS disabled via No script but had it enabled in settings?

captcha contorl

August 04, 2013

Permalink

oh wow see what i read is this also got a hold of TorMail so not just those site.

captcha contorl

August 04, 2013

Permalink

So, the illegal code doesn't need to crash the browser in order to run? It doesn't crash the browser after running either? It works on all windows NT computers?

It would be nice if the Tor developers provided some useful information after having royally fucked their users.

The articles are wrong about Tor and misleading. The Tor Browser Bundle has always had javascript enabled as far as my recollection goes and it was definitely not a recent thing that they changed. This has been an ongoing debate (to disable or not) for a long time. Tor's developers had to weigh the actions of insufficient users which would break anonymity to that of security where the program would be too difficult to use and then not have the user base it needed in order to protect people.

I do think changes need to be made. However there decisions are not as simple as you make them sound. If it was disabled the authorities might have just gone about identifying users using another attack vector that took advantage of an insufficient user base.