Preliminary analysis of Hacking Team's slides

A few weeks ago, Hacking Team was bragging publicly about a Tor Browser exploit. We've learned some details of their proposed attack from a leaked powerpoint presentation that was part of the Hacking Team dump.

The good news is that they don't appear to have any exploit on Tor or on Tor Browser. The other good news is that their proposed attack doesn't scale well. They need to put malicious hardware on the local network of their target user, which requires choosing their target, locating her, and then arranging for the hardware to arrive in the right place. So it's not really practical to launch the attack on many Tor users at once.

But they actually don't need an exploit on Tor or Tor Browser. Here's the proposed attack in a nutshell:

1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware on your local network (e.g. inside your ISP).

2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit).

3) Once they've taken control of your computer, they configure your Tor Browser to use a socks proxy on a remote computer that they control. In effect, rather than using the Tor client that's part of Tor Browser, you'll be using their remote Tor client, so they get to intercept and watch your traffic before it enters the Tor network.

You have to stop them at step two, because once they've broken into your computer, they have many options for attacking you from there.

Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

Another answer is to run a system like Tails, which avoids interacting with any local resources. In this case there should be no opportunity to insert an exploit from the local network. But that's still not a complete solution: some coffee shops, hotels, etc. will demand that you interact with their local login page before you can access the Internet. Tails includes what they call their 'unsafe' browser for these situations, and you're at risk during that brief period when you use it.

Ultimately, security here comes down to having safer browsers. We continue to work on ways to make Tor Browser more resilient against attacks, but the key point here is that they'll go after the weakest link on your system — and at least in the scenarios they describe, Tor Browser isn't the weakest link.

As a final point, note that this is just a powerpoint deck (probably a funding pitch), and we've found no indication yet that they ever followed through on their idea.

We'll update you with more information if we learn anything further. Stay safe out there!

khled.8@hotmai.com

July 07, 2015


"locating her"

You mean locating THEM? Why gender someone unknown?

Also, unlike English, many languages actually have a gender distinction in most of their speech. So, for me for example, it was not weird to read "her".

khled.8@hotmai.com

July 08, 2015


Would running Tor Browser in Sandboxie prevent the exploit from taking over a computer, if you delete the Sandbox contents every time you finish an internet session?

Maybe! But also maybe not -- if they break into your computer some other way (like through your Internet Explorer), then they could in theory change your Sandboxie program so it no longer does what you think it does.

Well, Tor Browser does not help if your computer is compromised - end of game.
Just as using cloud services or any other commercial hosting.

Based on how the exploit is supposed to work, you don't need to sandbox Tor Browser; you need to sandbox any other browser you use.

Also, I would rather not trust Sandboxie given that it is closed-source...

Another idea (instead of sandboxing or possibly even alongside) would be installing and configuring the Microsoft Exploit Mitigation Experience Toolkit EMET for both your unsafe browser and also the Tor Browser.

Thereby any Tor process (i.e. the browser process itself and the Tor service) and browser plugins (e.g. the Flash plugin runs as a separate process; be aware that any Flash update creates a differently named exe file, so that EMET needs to be manually updated each time a new Flash version is installed) shall be manually added to your EMET guarded applications (or processes).

E.g. EMET enforces memory address randomizations (mitigating the success rate of buffer overflow exploits), the usage of signed operating system APIs (preventing method injections), and much more. The amount of security related features differs with your Windows operating system (i.e. there are more and more effective security related features supported on Windows 8.1 and 10 than with older versions of Windows). Also: EMET extends the sandboxing features of Internet Explorer over the standard sandboxing, but you need to enable these extended features inside the Internet Explorer preferences menu (after installing EMET).

EMET seems to be very effective in mitigating the effectivity of most exploits.

Apparently EMET is currently not recommended by Tor devs for some reason (possibly closed source+not updated). Could anyone explain why?

Isn't Microsoft in the same boat with the NSA as Google etc.??? Seems everybody has a very short memory - aka reboot and start over again on the same path.

EMET is great, but you need to keep upgrading it manually and maintaining it by adding new processes to the list and checking in all the mitigations. Not hard, but still something that most users just won't do.

Sandboxing, either with Sandboxie or with other options, is also great, though again it needs some tweaking and configuration. Generally you want to insulate the TBB and only allow communication with the Tor daemon.

Or just use Tails, Qubes or Whonix.

Could Tor Browser be made more resilient, and end users more aware of potential shenanigans, if it warned the user at startup of deviations from the defaults in connectivity settings?

This might be a good idea, to detect if somebody did the particular proposed changes here. But in the general case, if they've broken into your computer, they could corrupt your Tor Browser to not actually do any integrity checks. This is why I said you have to stop them at the 'break into your computer' step.

Could this be prevented with AppArmor profiles? Or by running Tor Browser as a separate user?
Any info on this?

Adding extra layers of security is a good idea. For example, that's why Tails runs their 'unsafe browser' as a separate user, in a chroot. (It's not perfect, but all of those steps are useful steps towards better security.)

But remember that the lesson here is about whatever the weakest link is -- so securing your Tor Browser more, while also still running your normal browser with e.g. Flash enabled, is not going to fix the underlying issue.

Well, installing a backdoor is not smart... even if its name is Flash :-P
Of course I meant using AppArmor in a secure system, with Free Software only, running a hardened Linux kernel, firewall in place...

Yes, the more secure all your applications are, the better off you are.

I find a basic piece of security is simply to watch your modem lights when you are not doing anything on line. If they start flashing when not using the internet then either some program is auto updating or someone is trying to hack or has hacked. I am staggered at the number of people who let programs auto update and don't have a clue what is being sent. I block all updates and only allow them when I want to do it.

That does not apply of course while you are actually using the net.
John

Classic old school behavior vs modern 'I want to know nothing so do something for me'.

Yes I would like to put a Linux system on my network to monitor internet traffic in a hack resistant manner.

Fact is there are many 0-day exploits, and the longer the time frame to update the more time you're vulnerable.

I still update manually, but I'm aware that the elderly woman across the street is probably closing those 0-days faster than me...

The article says, "You have to stop them at step two, because once they've broken into your computer, they have many options for attacking you from there." But that's only true if your OS doesn't properly isolate the local browser, the Tor browser, and the Tor client from one another.

Qubes OS already solves this problem by having the netvm be different from the torvm. If an attacker exploits your netvm from your local network, he can't get into your torvm (where the Tor client runs) or your torbrowservm (where the Tor browser runs).

Qubes also solves a related problem: the risk of a malicious web server exploiting your Tor browser to break into your computer, and then stealing your data, reconfiguring your Tor client, etc. The standard Tor Browser Bundle is vulnerable to this kind of attack, but Qubes isn't, because it has the torvm be separate from the torbrowservm.

That means Qubes prevents attacks from both directions. To get control of the torvm without exploiting a vulnerability in the Tor client itself or something else in the torvm's software stack, the attacker would have to break Xen--a far more difficult task than breaking weaker isolators such as Sandboxie or the Linux kernel.

Or you know..just use tails.

Yes, I agree.

Though if you run a great thing safely inside a VM and also an Internet Explorer alongside it, then things can still go poorly for you. Isolation is a great start but you need good opsec too, and whatever you do least well is the easiest way in.

Also, isolation by itself doesn't resolve the need for the local 'unsafe browser' equivalent in the captive portal situation.

These are related topics but not quite the same topics.

I was also thinking Qubes prevents this attack, if you know what you're doing and use Qubes properly. Which is easier said than done for most people, as arma rightly points out.

Tails is easier to use for most people. Though a chrooted browser in Tails is a far cry from the hardware and software isolation Qubes offers. On the flip side, the usability and learning curve of Qubes is a far cry from the ease and simplicity of Tails. ;)

I am not using the Tor service on the same machine where I have installed the Tor Browser. In my basement the Tor service directly runs on my gateway. The packet filter on my gateway only allows outgoing internet access originating from my gateway (i.e. only the Tor service can make outbound connections; and also a squid proxy can do so, which handles my non-Tor traffic). The packet filter only allows connections from my PC to my gateway (Tor and squid proxy) but disallows any forwarding (i.e. internet access bypassing my proxies). With my Tor Browser running on my PC I have to use either the Tor or squid proxy, both with my gateway address, in order to successfully connect to the internet. Thus if anyone changed these proxy settings, then my gateway would not allow internet access from my PC at all and therefore this kind of targeted attack would not work for me.

How safe is TOR at this time? Would I (or anybody else) be a target if I just casually browse the internet/hellhole with TOR?

This is the Tor blog discussing the Tor project. We are not here to discuss any other t0r, tOr, t0R, ToR, T0R, toR, tor, TOR projects that may or may not exist.

Ha, did you forget to use a case-insensitive key in your search engine?
Any human can understand "t0r, tOr, t0R, ToR, T0R, toR, tor, TOR"!

You should use it ALL the time! Then nobody(?) can say when you connect to google/microsoft/... or somewhere else. The more people use Tor, the safer you are! And anyway you can say I got a cool browser and do not care how it connects to my favorite site. But do not mark your connections by using TOR casually. It's like crying "Hi, I am going to send my spy reports to the China gov, so please get me".

Part #1 of 3

arma wrote: 1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware on your local network (e.g. inside your ISP).

What exactly did you mean by "inside your ISP"? Can you elaborate please?

Can you give specific examples of "attacking hardware"?

Attacking hardware is a computer that routes your traffic and performs attacks like MITM. It is inside your ISP because then they can be sure to be able to route all of your traffic and be able to try and break things in the first place.

Attacker installs or programs hardware at ISP level; they use that to drop a trojan by hijacking your connection and redirecting you to an infected website. ISPs can and have hijacked sessions, but for malicious purposes. So they drop whatever you were trying to connect to and instead send you to their MITM page.

Part #2 of 3

arma wrote: 2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit).

I am using Debian with Iceweasel as my only browser.

Have you known of any such exploits that have taken place on Iceweasel? If yes, please elaborate.

Yes, I know of hundreds of such exploits that have taken place on Iceweasel. I will take this time to remind the general community that generally speaking Iceweasel is nothing but a version of Firefox that has all of the non-free items removed from it (... in this case, the non-free items in the Firefox source code are, funnily enough, the trademarks).

The Firefox (and other Mozilla) apps specifically via the Mozilla Foundation have the ownership of the trademark "Firefox". As a trademark holder, Firefox must be a protected trademark. Mozilla does this by using its ability to deny the use of the name and other trademarks to unofficial builds.

This is why Firefox is not Firefox in Debian, because Firefox is not an official build, and the Debian team feels like it should stick to its guns with the Debian Free Software Guidelines.

The artwork in Firefox had a proprietary copyright license which was not compatible with the Debian Free Software Guidelines, hence the rename of the product.

Don't fool yourself into thinking that because you are using Iceweasel you are not vulnerable to Firefox issues -- because I would hate to break it to you, Iceweasel is not any less insecure than Firefox.

And that is only the potential remote code execution vulnerabilities that have been publicly released in the last three months. I can tell you of many hundreds of issues such as these that only ever get discussed privately inside the Mozilla bug trackers.

It shows how badly Firefox is designed. Nothing wrong with clones. Is there any bug added in Iceweasel?

Part #3 of 3

arma wrote: 3) Once they've taken control of your computer, they configure your Tor Browser to use a socks proxy on a remote computer that they control.

Thanks for mentioning the above point.

I wish to check my Tor Browser now for possible hacks.

Where is socks proxy option in Tor Browser? What values should socks proxy take? 0, 1, 2 or something else?
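The question above about where the SOCKS proxy setting lives, and the earlier suggestion of warning on deviations from the default connectivity settings, can both be illustrated with a small checker. This is an added example written for this page, not code from the Tor Project or from Tor Browser. It reads Tor Browser's Firefox-style prefs.js; the pref names network.proxy.type, network.proxy.socks, network.proxy.socks_port and network.proxy.socks_remote_dns are real Firefox preferences, while the expected values (manual proxy type 1, host 127.0.0.1, port 9150, remote DNS on) are an assumption about the Tor Browser defaults of that era. It reports any deviation, in particular a SOCKS host that is not a loopback address, which is what step three of the described attack would set. The sample prefs lines are constructed.

```python
import ipaddress
import re
import sys

# Expected Tor Browser proxy preferences. The pref names are real Firefox
# preferences; the expected values (manual proxy to the bundled tor client on
# 127.0.0.1:9150) are an assumption about Tor Browser's defaults of that era.
EXPECTED = {
    "network.proxy.type": 1,                 # 1 = manual proxy configuration
    "network.proxy.socks_port": 9150,        # bundled tor client's SOCKS port
    "network.proxy.socks_remote_dns": True,  # resolve names through Tor, not locally
}
DEFAULT_SOCKS_HOST = "127.0.0.1"

# Matches lines such as: user_pref("network.proxy.socks", "127.0.0.1");
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse Firefox prefs.js / user.js lines into a name -> value dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as-is
    return prefs


def audit_proxy_prefs(prefs):
    """Return a list of findings; an empty list means the proxy setup looks untouched."""
    findings = []
    for name, expected in EXPECTED.items():
        # A pref missing from prefs.js still has the browser's built-in default.
        actual = prefs.get(name, expected)
        if actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    host = prefs.get("network.proxy.socks", DEFAULT_SOCKS_HOST)
    try:
        if not ipaddress.ip_address(host).is_loopback:
            findings.append(
                f"SOCKS proxy host {host!r} is not loopback: "
                "traffic would leave this machine before entering Tor")
    except ValueError:
        findings.append(f"SOCKS proxy host {host!r} is a hostname, not a loopback address")
    return findings


# Constructed sample inputs: an untouched profile, and one reconfigured the way
# step 3 of the post describes (SOCKS pointed at a remote host; 198.51.100.23 is
# a documentation address used as a placeholder).
SAMPLE_OK = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
"""
SAMPLE_TAMPERED = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "198.51.100.23");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", false);
"""


def main(argv):
    # With a path argument, audit that prefs.js; otherwise audit the tampered sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TAMPERED
    findings = audit_proxy_prefs(parse_prefs(text))
    for finding in findings:
        print("WARNING:", finding)
    if not findings:
        print("proxy settings match the expected Tor Browser configuration")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_prefs.py /path/to/TorBrowser/Data/Browser/profile.default/prefs.js` (the profile path is an assumption; locate the prefs.js inside your Tor Browser directory). As arma notes in the thread, a check like this catches the specific reconfiguration the post describes, but an attacker who already controls the machine can alter the checker or the file it reads, so it is a sanity check, not a proof of integrity.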

Why is there so little traffic in the Tor Forums? That's a bit scary.

"Tor Forums"? Are you getting suckered into some website that's unrelated to Tor?

But why they need hardware?

The amount of code just by Fabio is mind-blowing. I ended up learning how to use even more C APIs by his projects. Most of his projects https://ht.transparencytoolkit.org/rcs-dev%5Cshare/HOME/Fabio/ are nested in many folders.

By no means was he the most talented.

I'd be careful using any source code from the leak. Because
(1) Such code will create patterns that anti-virus companies are more than likely looking for, and
(2) The hackers may take legal action, in which case you would have to point out all the warez in the Fileserver folders.

His was the first code I looked at (not even the git). So yes. But I also agree not to trust it. :)

arma, many thanks for your brief.

The sequence of events you describe sounds exactly like what happened to me the same week that the Belgian cryptographer Quisquater was reportedly attacked. My government is one of those mentioned in the leaked documents as a particularly enthusiastic consumer of Hacking Team's "product". After I suspected my computers had been compromised I immediately stopped using them and have kept them untouched since then. I'd love to somehow get Citizen Lab's experts to examine them, but have had difficulty making an encrypted connection with them. Any suggestions?

These days I use Tails on a different computer and hopefully I am a bit more secure. And yes, I am attempting to start using whonix or Qubes. It's an arms race: all of us (the citizens) versus all of them (the governments cited in the client lists of HackingTeam, Gamma, Nice...).

What is our plan if the FBI succeeds in outlawing strong citizen encryption? In outlawing Tor? Will the project move to Iceland?

> Why is there so little traffic in the Tor Forums? That's a bit scary.

Do you mean the #tor chat room? If so, oftc banned Tor users six months ago, so Tails users can't visit anymore.

> I find a basic piece of security is simply to watch your modem lights when you are not doing anything on line. If they start flashing when not using the internet then either some program is auto updating or someone is trying to hack or has hacked.

At least some state-sponsored malware seems to make an effort to stop the LEDs from blinking during "exfiltration". Also, some of Snowden's leaked documents stress that key exfiltration can occur very quickly when NSA/TAO successfully targets a vulnerable browser which uses OpenSSL. Then the bad guys can copy your encrypted data stream for decryption at leisure. I hope and believe that Perfect Forward Secrecy should make this much harder, if you are using TBB.

> Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

Agreed. But as Citizen Lab and other groups have documented, HackingTeam clients such as the government of Morocco have targeted human rights activists. This habit has led Human Rights Watch to label HackingTeam an "Enemy of the Internet".

Someone could be targeted because of a conversation in Germany with a visiting reporter who works in UAE. Or because they have contributed to HRW. Some governments don't want anyone anywhere to engage in human rights activism. For example, GCHQ has admitted that it targeted Amnesty International.

It is important to understand that if you are alive and kicking, you could very easily be targeted by some government. Maybe not even because of anything you have done, but simply because of someone you know. Maybe your uncle is a telco network engineer. Or your cousin teaches at MIT, and knows a student from Syria.

There is no law of human nature which holds that Government G's reason for attacking you must be comprehensible to you or me. It only has to make sense to Government G. And if the bad guys decide they have a reason to target you, well, they have the capability too. Thanks to companies like Gamma and HackingTeam.