[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TOR tried to take a snapshot of my screen

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] TOR tried to take a snapshot of my screen
From: "Sebastian G. <bastik.tor>" <bastik.tor@xxxxxxxxxxxxxx>
Date: Sat, 23 Aug 2014 09:18:33 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 23 Aug 2014 03:18:48 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=iQI4fRZnvDZ++dHvZ2I6kmoizTfMZvMVxEpektQeE5U=; b=ju/t5eyfj0zJ1xEvTaghSW7zjxuXnpif46Ms1KQQTXOmjWf0sOKxMaHF3cjrCTk/te fflqeABUPTWbjTz0gKu7I8z5gN/RLIXnKvlOOZdvoMW/sacj4qS7rvbeZol0Dz7Tg2IM nByMvGaKpoSAs+hGNmSsZIxLnfKwwlHRiyBAD1KhJXgBLmHLVGywmPZfwa53X8ZwbBdj yMSfZ/BH33bZlQpXmQQk/qULH2nl1aciFm/MePGNyQFZgOdzO2tZfw7dXDtozG/3jKD5 xrXatIEl+Ay4Kdn18rEVKYthzSqgzotvWNA9wUiXQymBeueA5m5FBhE5V+tses3+NCJ9 /e+A==
In-reply-to: <2fb56adafa60595fc1fd9d473a3c5012.squirrel@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <2fb56adafa60595fc1fd9d473a3c5012.squirrel@xxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0

22.08.2014, 23:38 BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY@xxxxxxxxxxxxx:
> Hi,
> 
> I have TOR 3.6.3 installed in a Windows XP computer that is used almost
> just for it with very few additional software installed.
> My understanding is that a potential attacker will test his
> exploit/approach against most of the security software available, but
> possibly will not be able to test against ALL of them, so I have a
> miscelaneous of popular and not popular security software installed in the
> same computer; among them is a not so common anti spyware called Zemana.
> 
> I am using TOR browser and Zemana for years and I am familiar with the
> behaviour of both.
> The TOR I am running has just the extensions that comes with it; no
> additional extension was installed; no plug-in is installed.
> 
> I have proper licenses to run all the software, including Zemana, so no
> crack or other suspicious tool was ever used.
> Zemana is a quiet software and I can not remember about any single fake
> alert.
> 
> 
> Few days ago, while browsing with TOR, I got a shocking alert from Zemana:
> TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.

Was it a website you trusted you browsed to? Did the software attempt to
do anything without a website loaded?

> As Zemana allow me, I did block such screen capture and TOR crashed
> immediatly.
> By this crash I understand that TOR really tried to capture my screen.
> 
> I restarted TOR with a new identity, changed the identity many times but
> TOR repeated the same behaviour a number of times with the screen capture
> try-Zemana block-TOR crash. Change the identity just does not works for
> such attacker.
> 
> The script funcions were always blocked by NoScript 2.6.8.36.
> 
> On the following days I used TOR again, without any change in my system or
> software, accessing the same web sites but the attack no longer took
> place.

Looks, like the website(s) did something.

Maybe trying to access canvas, what the TorBrowser tried to prevent.
Maybe this triggered the alert.

> 
> I verified the MD5 signature for the TOR browser (firefox.exe) and it is
> unchanged, i.e, it is as distributed by torproject.org
> 
> The TOR 3.6.3 was downloaded from the TOR project web site, and not from
> other servers.
> The install package torbrowser-install-3.6.3_en-US.exe has the MD5
> signature: 9529C5A633CF0CF6201662CA12630A04
> I have the installer in my files for any forensic work.
> 
> I am sending some screens with the Zemana log, where is possible to see
> the TOR MD5 signature (firefox.exe; FC19E4AFB0E68BD4D25745A57AE14047) and
> the logged behaviour ("screenlogger"), the TOR version, TOR button and the
> Zemana version screens, and the extensions and plug-ins existing in my TOR
> install (just to confirm that nothing strange is there). They are
> available to download here:
> http://www.datafilehost.com/d/dfb201d8
> or
> https://www.sendspace.com/file/6ygdl3

Both of the files are broken or corrupted. They can't be opened as an
archive on my end. The first source tries to make one download an .exe
file. Well you can download the zip file, without it.

How can we be sure that your upload is safe?


> Seems that TOR has hidden server capabilities, a back door that allow a
> remote operator take snap shot of the screen and possible perform other
> actions (record mic, turn on the webcam, ...).

I'm unaware of Firefox being able to activate the mic, Chrome can do
that. Both can access the webcam. Firefox will eventfully be able to
activate the mic.

It has to be ensured that those are not accessed without the users
permission.

The remote operator claim would require evidence of some sort.

Considerably attackers want to get into systems worth getting into.

> I think TOR can protect the users from many enemies, but at the same time
> it is a perfect tool to attract, identify and log very specific (users)
> targets.
> This may explain also the, until now, unclear role and objectives of the
> US goverment by funding the TOR Project.

I think they use Tor for many purposes themselves.

> Seems that hardly will be possible to identify suck attacker as it
> probably comes from the TOR network itself, but I am considering a
> trap/honney pot just in case this repeats.
> 
> 
> I am an entusiast of privacy tools and TOR is not used for any kind of
> unlawful purposes, is unlikely that I will attract attention from public
> authorities and I am not worried with any data such attacker eventually
> may have had access.

If someone would exploit against the TorBrowser he might be trying to
get as many hits as possible to see if someone is a target.

> Hope this information may help to improve the TOR community security and
> in some point in the future we will able to find a solution for this back
> door.
> 

I hope this can be resolved.

Regards,
Sebastian G.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] TOR tried to take a snapshot of my screen
  - From: no . thing_to-hide

References:
- [tor-talk] TOR tried to take a snapshot of my screen
  - From: BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY

Prev by Author: Re: [tor-talk] TOR tried to take a snapshot of my screen
Next by Author: [tor-talk] The Tor network doesn't support Named relays anymore
Previous by thread: Re: [tor-talk] TOR tried to take a snapshot of my screen
Next by thread: Re: [tor-talk] TOR tried to take a snapshot of my screen
Index(es):
- Author
- Thread