
Re: [tor-talk] TOR tried to take a snapshot of my screen



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, let's try to find out what's going on in here.
I checksummed some files:

----
++ The directory I found yesterday evening.
https://www.torproject.org/dist/torbrowser/3.6.3/

-> This was the old download directory for the Torbrowser v3.6.3
-> Not accessible via web browser
-> There is no signature "torbrowser-install-3.6.3_en-US.exe.asc" in
this directory.

Files:
https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
-> Filesize 323 b. This file is a little bit too small to be the
Torbrowser. I did not notice that yesterday evening, sorry for the
confusion.

jacksum-hashes MD5 and SHA256 for *.exe:
c8eb88324526d718b937b616c75d33a8
5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef

GtkHash-hashes MD5 and SHA256 for *.exe:
c8eb88324526d718b937b616c75d33a8
5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef

----

++ The official Tor archive (thanks Lee)
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/

Files:
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
  Filesize 27 239 623 b
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe.asc
  Filesize 473 b

jacksum-hashes MD5 and SHA256 for *.exe:
9529c5a633cf0cf6201662ca12630a04
52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d

GtkHash-hashes MD5 and SHA256 for *.exe:
9529c5a633cf0cf6201662ca12630a04
52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d

-> MD5 matches the checksum from BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY
at bitmessage.ch and all the others.

GPG Signature
$ gpg --verify torbrowser-install-3.6.3_en-US.exe{.asc,}
gpg: Signature made Fri 25 Jul 2014 19:19:46 CEST using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <erinn@xxxxxxxxxxxxxx>"
gpg:                 aka "Erinn Clark <erinn@xxxxxxxxxx>"
gpg:                 aka "Erinn Clark <erinn@xxxxxxxxxxxxxxxx>"

=> This is the correct old Torbrowser v3.6.3

----

There are actually two directories on torproject.org including a file
"torbrowser-install-3.6.3_en-US.exe":
1) https://www.torproject.org/dist/torbrowser/3.6.3/
and
2) https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/
1) is the old download path, but somehow a wrong file with a correct
name remained there ??

>> http://www.datafilehost.com/d/dfb201d8 or
>> https://www.sendspace.com/file/6ygdl3
> 
> Both of the files are broken or corrupted. They can't be opened as
> an archive on my end. The first source tries to make one download
> an .exe file. Well you can download the zip file, without it.
> 
> How can we be sure that your upload is safe?

I did not touch the files, because the whole story made me
mistrustful. When you look at some subjects of yesterday
"Third-parties tracking me on Tor"
"TOR tried to take a snapshot of my screen"
Perhaps somebody is trolling this list and tries to seed confusion.

Best regards and stay wiretapped!

Anton
-- 
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC



On 23/08/14 09:18, Sebastian G. <bastik.tor> wrote:
> 22.08.2014, 23:38
> BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY@xxxxxxxxxxxxx:
>> Hi,
>> 
>> I have TOR 3.6.3 installed in a Windows XP computer that is used
>> almost just for it with very few additional software installed. 
>> My understanding is that a potential attacker will test his 
>> exploit/approach against most of the security software available,
>> but possibly will not be able to test against ALL of them, so I
>> have a miscellaneous of popular and not popular security software
>> installed in the same computer; among them is a not so common
>> anti spyware called Zemana.
>> 
>> I am using TOR browser and Zemana for years and I am familiar
>> with the behaviour of both. The TOR I am running has just the
>> extensions that come with it; no additional extension was
>> installed; no plug-in is installed.
>> 
>> I have proper licenses to run all the software, including Zemana,
>> so no crack or other suspicious tool was ever used. Zemana is a
>> quiet software and I can not remember about any single fake 
>> alert.
>> 
>> 
>> Few days ago, while browsing with TOR, I got a shocking alert
>> from Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
> 
> Was it a website you trusted you browsed to? Did the software
> attempt to do anything without a website loaded?
> 
>> As Zemana allow me, I did block such screen capture and TOR
>> crashed immediately. By this crash I understand that TOR really
>> tried to capture my screen.
>> 
>> I restarted TOR with a new identity, changed the identity many
>> times but TOR repeated the same behaviour a number of times with
>> the screen capture try-Zemana block-TOR crash. Changing the
>> identity just does not work for such attacker.
>> 
>> The script functions were always blocked by NoScript 2.6.8.36.
>> 
>> On the following days I used TOR again, without any change in my
>> system or software, accessing the same web sites but the attack
>> no longer took place.
> 
> Looks like the website(s) did something.
> 
> Maybe trying to access canvas, what the TorBrowser tried to
> prevent. Maybe this triggered the alert.
> 
>> 
>> I verified the MD5 signature for the TOR browser (firefox.exe)
>> and it is unchanged, i.e, it is as distributed by torproject.org
>> 
>> The TOR 3.6.3 was downloaded from the TOR project web site, and
>> not from other servers. The install package
>> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
>> 9529C5A633CF0CF6201662CA12630A04 I have the installer in my files
>> for any forensic work.
>> 
>> I am sending some screens with the Zemana log, where it is possible
>> to see the TOR MD5 signature (firefox.exe;
>> FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour
>> ("screenlogger"), the TOR version, TOR button and the Zemana
>> version screens, and the extensions and plug-ins existing in my
>> TOR install (just to confirm that nothing strange is there). They
>> are available to download here: 
>> http://www.datafilehost.com/d/dfb201d8 or 
>> https://www.sendspace.com/file/6ygdl3
> 
> Both of the files are broken or corrupted. They can't be opened as
> an archive on my end. The first source tries to make one download
> an .exe file. Well you can download the zip file, without it.
> 
> How can we be sure that your upload is safe?
> 
> 
>> Seems that TOR has hidden server capabilities, a back door that
>> allow a remote operator take snap shot of the screen and possible
>> perform other actions (record mic, turn on the webcam, ...).
> 
> I'm unaware of Firefox being able to activate the mic, Chrome can
> do that. Both can access the webcam. Firefox will eventually be
> able to activate the mic.
> 
> It has to be ensured that those are not accessed without the user's
> permission.
> 
> The remote operator claim would require evidence of some sort.
> 
> Considerably attackers want to get into systems worth getting
> into.
> 
>> I think TOR can protect the users from many enemies, but at the
>> same time it is a perfect tool to attract, identify and log very
>> specific (users) targets. This may explain also the, until now,
>> unclear role and objectives of the US government by funding the
>> TOR Project.
> 
> I think they use Tor for many purposes themselves.
> 
>> Seems that it hardly will be possible to identify such attacker as
>> it probably comes from the TOR network itself, but I am
>> considering a trap/honey pot just in case this repeats.
>> 
>> 
>> I am an enthusiast of privacy tools and TOR is not used for any
>> kind of unlawful purposes, it is unlikely that I will attract
>> attention from public authorities and I am not worried with any
>> data such attacker eventually may have had access.
> 
> If someone would exploit against the TorBrowser he might be trying
> to get as many hits as possible to see if someone is a target.
> 
>> Hope this information may help to improve the TOR community
>> security and at some point in the future we will be able to find a
>> solution for this back door.
>> 
> 
> I hope this can be resolved.
> 
> Regards, Sebastian G.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQEcBAEBAgAGBQJT+H6yAAoJEMwm4aUww83w7hcH/04HitX6mZ4i3qaXJHeDvAUU
lBxtplQeSwky+jH+W5Ykf8JPpcFsBd/MUfwMCsjbUqkU3tToCg7P+k2C+7HDKSxJ
YogC/5AdgXfGJ9HYwgm+PpjuxS0g7sC84cGu1RuwVhetH3L45TXFF6YYDEppUFAN
0U5TSHV8xgCMTERJ8VtCyz93DbvKGUN5kUvNuGQk/G13rndKMHmfw+UGW9fdCQU7
ypL0/LQxVkZw5/aYPCcRe0krXz2xyCJMr9xs5gQU1Mi+UBUSF9zzxen/Ls+B+sdV
jGp6Q9JyXAQ46YbnIZWNv7BLrxK5BSrOyVhrSoy+lnihnoPJu6dJq/ZyCnreAOg=
=r5p5
-----END PGP SIGNATURE-----
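The checks Anton walks through above (is the file a plausible size, does its digest match a value obtained out of band, does the detached `.asc` signature verify) can be scripted so they are not skipped. The following POSIX shell routine is an added example written for this archive page; it is not code from the thread or from the Tor Project. The expected SHA-256, the minimum size and the file names are assumptions supplied by the caller; the demo uses a constructed 3-byte file whose SHA-256 is the standard "abc" test vector, standing in for the 323-byte stub found in the old download directory.

```shell
#!/bin/sh
# Added example: verify a downloaded installer by size, SHA-256 and
# detached GPG signature. Expected hash and size floor are the caller's
# assumptions; nothing here is fetched from the network.

sha256_of() {
  # Portable SHA-256: GNU coreutils sha256sum, else shasum (BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

check_download() {
  # check_download FILE EXPECTED_SHA256 MIN_BYTES
  # exit status: 0 ok, 1 too small, 2 digest mismatch, 3 file missing
  file=$1
  expected=$2
  min_bytes=$3
  [ -f "$file" ] || { echo "MISSING: $file" >&2; return 3; }
  size=$(wc -c < "$file" | tr -d ' ')
  # A few hundred bytes cannot be a ~27 MB installer: reject before hashing.
  if [ "$size" -lt "$min_bytes" ]; then
    echo "REJECT $file: $size bytes, expected at least $min_bytes" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  # Digests are often pasted in upper case (as in the original report).
  expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
  if [ "$actual" != "$expected" ]; then
    echo "REJECT $file: sha256 $actual does not match $expected" >&2
    return 2
  fi
  echo "OK $file: $size bytes, sha256 matches"
}

verify_signature() {
  # verify_signature FILE -- expects FILE.asc beside it and the signing key
  # already in the local keyring; gpg exits non-zero on a bad or unknown
  # signature, so callers can chain this with && / ||.
  gpg --verify "$1.asc" "$1"
}

demo() {
  tmp=$(mktemp -d)
  printf 'abc' > "$tmp/stub.exe"   # constructed stand-in for a bad download
  # SHA-256 of the bytes "abc" (standard test vector), our "published" digest
  good='ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
  check_download "$tmp/stub.exe" "$good" 1000 || echo "size check caught it (rc=$?)"
  check_download "$tmp/stub.exe" "$good" 1 && echo "digest alone would have passed: keep the size floor"
  rm -rf "$tmp"
}

demo
```

Run the size and digest check first, then `verify_signature` on the same path; a matching digest from a mirror or a mailing-list post only tells you the file is the one others saw, while the detached signature ties it to the release key, which is why the archive directory with its `.asc` is the one to trust.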
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk