
Freedom Hosting and 'torsploit': Troubles on the Onion router

The arrest of the Freedom Hosting CEO has set in motion a crisis for Tor and unleashed a JavaScript exploit designed to expose Freedom Hosting users.

What started as an arrest in Ireland pertaining to a case of child pornography took an international twist this past weekend, and cast doubt on the security and privacy of Tor, the popular anonymizing network. It all started with Eric Marques, the CEO of Freedom Hosting, a small hosting company that provides accounts to anyone who wants one. Eric became infamous in the underground of the web because of his willingness to turn a blind eye to any activity that went on inside the network of Freedom Hosting. This included potential child pornography sites, along with other illicit activities. In October of 2011, the activist group Anonymous learned about this company and launched a denial-of-service attack against its servers, claiming that those servers hosted the vast majority of child pornography sites on the web, many of them provided as Tor hidden services.

That last point, the fact that many sites on Freedom Hosting were provided as Tor hidden services, is where things become more complicated. Most people know of Tor as a simple software package that you can download and then use to anonymize your Internet connection, which I've written about recently. Your browser connects to various hops along the way before going to your destination, providing privacy against spies, either governmental or criminal, who would want to track you down.

But Tor also introduced the concept of a hidden service. This is a website which uses the same technology in order to be completely anonymous. That means if you go to a special web URL, such as http://tnysbtbxsf356hiy.onion or one of thousands of other sites, then you can connect to a website, which remains anonymous. This particular address is StrongBox, a legitimate privacy service from The New Yorker. There is also TOR Mail, which is a popular anonymous email system, but also a lot of potentially illegal sites, such as the famous Silk Road which provides drugs and weapons for sale, child pornography sites, crime gangs, and so on. These make up part of the Deep Web, available only through Tor.

The problem is that Freedom Hosting happened to host quite a few of these hidden websites, including TOR Mail and other popular destinations. So when the Irish authorities arrested Eric, they all went offline. But the story doesn't end there. The sites are actually still available, but with a blank page saying the service is down for maintenance. However, that maintenance page is also serving a JavaScript exploit. This exploit specifically targets Firefox 17, the version included in the Tor browser bundle, so it's more than likely that it was created to infect Tor users. But what does this exploit do? It simply reports your IP and MAC address to a server in Virginia. It didn't take long after this exploit was found for people to make the link between the FBI-sponsored Irish arrest, Tor, and a certain Virginia-based US government agency. While there is no way to be sure, it seems plausible that the exploit was planted by US authorities in order to make a list of all Tor users.

The Tor project was quick to distance itself, saying that Tor has nothing to do with Freedom Hosting, and that the project itself is still intact. Technically that's true, but the problem here is complacency. While anyone can run a hidden service, a large majority selected the same company as hosting provider, so when that one point of failure goes down, it appears as if most of the network is also down. No doubt this was a wake-up call for anyone operating in the Deep Web. The other problem is the JavaScript exploit, and within a day the Tor project released a patch to fix it.

Whether Eric Marques is truly guilty of hosting child pornography is debatable, and something the courts will have to decide; however, the whole event is interesting for many more reasons. The fact that even popular hidden services like TOR Mail went offline because of this one arrest places some doubt on Tor itself, especially since all the major news outlets picked up the story. Also, while this is hardly the first time that US authorities have used computer exploits to try and hack into suspects' machines, this JavaScript exploit could end up being the most widespread one. It's likely that thousands of people who happened to go on one of the many offline sites have had their address sent to Virginia by now, and if this is indeed the work of the authorities, this information was likely linked with PRISM data.

It's interesting to note that just this past week, General Alexander, the head of the NSA, was speaking at Black Hat trying to reassure the tech crowd on how lawful the spying operation is, and how no abuse is being done. Meanwhile, leaks keep coming out, like the recent Reuters report about how the DEA uses data to target suspects, before agents are directed to cover up where the information came from. This #torsploit story, as it's been nicknamed on social networks, is still being heavily looked into. There seems to be little doubt in some people's minds that the IP address in question is owned by the NSA, which would hint at yet another instance of data spillage going on. One thing seems certain: we're far from done hearing about these secret Internet spying programs.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

5 comments
joshuaabrams

What a bunch of baloney. 

Tor provided thousands of individuals the ability to communicate without the fear of tyranny and oppression.
Here is what Tor is, right off of their website:
https://www.torproject.org/
Many individuals know about the new "Pirate Browser" which is really just tor with a cute pirate shell on top.

What is Tor?

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis

Accordingly this story is another example of how completely gung ho and out of place the American government really is.
To put this into perspective, this man Eric, pretty much created a "go-daddy" of the "deep-web", aka, tor. He sold his hosting services to any who would buy it, just like go-daddy, or any other hosting provider.

What the customers or individuals do with their privately owned server space is their own business.
Furthermore any kind of blame that would be attributed to this Eric person would be like one individual buying hosting from go-daddy, putting child pornography on it, and instead of arresting the individual who actually is guilty of a crime they go after go-daddy 'cause they're frustrated that the criminals of today are evolving faster than they can keep up with.

This is a sick story of the American Government trying to make an example out of an innocent man just to instill fear in the hearts of millions around.

If you or anyone else you know are in trouble because the U.S. Government is exaggerating, fabricating, or otherwise corrupting law and due process please contact me immediately.

cb760

It's a shame that Freedom Hosting had so many clients that used their servers for illegal activities, but based on everything I'm reading... Freedom Hosting didn't do a single thing that was illegal themselves. Under CDA Section 230 (which was also re-affirmed by the US Supreme Court in Reno v. ACLU - 1997), ISPs and Content Providers (servers) can't be held responsible for the content and activities of their users. In other words, if I own a server called "Bobs Web Hosting", and a user pays me 20 dollars a month for 100GB of space on my server and uploads something illegal to their account, the government can't send *me* to jail because of what Joe Shmoe uploaded to his account. If CEOs could be held responsible for what their users have uploaded, the CEOs of every user-content driven website on the planet would be in jail right now.

This case was only filed against Freedom Hosting the moment the Feds realized they could harvest IP addresses of the visitors to Freedom Hosting's servers (through the bug in Firefox). So that tells me that they targeted Freedom Hosting, not because of specific wrongdoing on Freedom Hosting's part (otherwise they would have filed the case long ago), but because Freedom Hosting is the largest content provider servicing darknet, giving them the widest reach to harvest as many IPs in as short a time as possible.

Sanders Kaufman Jr.

These freaks are right to be ashamed of who they are, and of the things they do on the Internet. I'm just glad that they're also too stupid to do it for long without being caught.

Anonymous Cow

Versions of Tor updated at least a month before these events were never vulnerable. The Tor blog post you linked to indicates that an underlying Firefox vulnerability in older versions of Tor was being exploited if users were running Windows. The post then recommended that users make sure they were running the version available since June. Tor did not "release a patch" in response to these events since Tor did not need fixing.