[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
From: Mirimir <mirimir@xxxxxxxxxx>
Date: Wed, 13 Aug 2014 18:02:52 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 13 Aug 2014 20:03:06 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1407974575; bh=oCxIg7S6yHPa0OGabClgWW02m5dbxvqKZzvavKfUZ7o=; h=Date:From:To:Subject:References:In-Reply-To:From; b=ImYAX8V91Axq9dLH4+0Sqb6tv5aLMwYqkPn9Ns+Vn+PVLmV49rFEc5KBG9sOY6mHV hUzdyURpjjJKqFZhgyj97g8YF21qNxvEL0goTzqGk7x3mu/jnw9mgdlJczBKBFvTzU tualfZtg6XxY2dim4kjLK4ws+LeTyQk3klqyrjFw=
In-reply-to: <CAKkunMats8JoVc8wqYrMtWE4f0gTA7RVVWirhuJz6t9sA5dDQQ@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4dbf80e1a3ae8b182a15ea2af6fa10dc@xxxxxxxxxxxxxxx> <CAKkunMats8JoVc8wqYrMtWE4f0gTA7RVVWirhuJz6t9sA5dDQQ@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0

On 08/13/2014 03:01 PM, Anders Andersson wrote:
> On Wed, Aug 13, 2014 at 12:06 PM,  <blobby@xxxxxxxxxxxxxxx> wrote:

<SNIP>

>> How, in this case, was it possible for the FBI to learn the IP
>> addresses of visitors to this hidden service? The Tor hidden server
>> page states that "In general, the complete connection between
>> client and hidden service consists of 6 relays: 3 of them were
>> picked by the client with the third being the rendezvous point and
>> the other 3 were picked by the hidden service."
>> 
>> Can someone knowledgeable please explain how visitors to a Tor
>> hidden service can have their real IPs detected?
> 
> AFAIK the malware used javascript to break the users' browsers. As 
> someone who argues against using javascript in any context, I can
> only say "told you so", but that doesn't really help anyone. :)
> 
> Because they managed to get in to the client browser, they could
> learn the real IP address and MAC address, they didn't learn this
> through Tor.

This is an old story. Here is an explanation from Wired[0]:

> The heart of the malicious Javascript was a tiny Windows executable
> hidden in a variable named “Magneto.” A traditional virus would use
> that executable to download and install a full-featured backdoor, so
> the hacker could come in later and steal passwords, enlist the
> computer in a DDoS botnet, and generally do all the other nasty
> things that happen to a hacked Windows box.
> 
> But the Magneto code didn’t download anything. It looked up the
> victim’s MAC address — a unique hardware identifier for the
> computer’s network or Wi-Fi card — and the victim’s Windows hostname.
> Then it sent it to a server in Northern Virginia server, bypassing
> Tor, to expose the user’s real IP address, coding the transmission as
> a standard HTTP web request.
> 
> “The attackers spent a reasonable amount of time writing a reliable
> exploit, and a fairly customized payload, and it doesn’t allow them
> to download a backdoor or conduct any secondary activity,” said Vlad
> Tsyrklevich, who reverse-engineered the Magneto code, at the time.
> 
> The malware also sent a serial number that likely ties the target to
> his or her visit to the hacked Freedom Hosting-hosted website.

They didn't get the "real" IP address through the browser. Magneto just
sent information to the FBI's server directly, rather than through Tor.
Also, Magneto is a Windows executable ;)

Proper firewall rules would have prevented that leak. Those using Whonix
weren't affected, because nothing in the workspace knows the "real" IP
address (and also because it's Debian, not Windows).

[0] http://www.wired.com/2013/09/freedom-hosting-fbi/
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Wired Story on Uncovering Users of Hidden Services.
  - From: blobby
- Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
  - From: Anders Andersson

Prev by Author: Re: [tor-talk] Police arrest
Next by Author: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
Previous by thread: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
Next by thread: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
Index(es):
- Author
- Thread