Hack Tor for Cash


As previously reported, law enforcement and intelligence agencies all over the world are investing in de-anonymizing users of the deep web, and in particular of the Tor network. Hacking Tor is a goal for many intelligence agencies, as demonstrated by the documents leaked by Edward Snowden, which explicitly refer to a project named ‘Tor Stinks’ whose scope is tracking Tor users.

Russia’s Interior Ministry (MVD) has posted a tender to recruit companies and organizations interested in “study[ing] the possibility of obtaining technical information about users (user equipment) TOR anonymous network”. The Russian Government is offering almost 4 million rubles, approximately $111,000, for the development of technology to decrypt data sent over Tor and identify Tor users.

The tender, titled “Perform research, code ‘TOR’ (Navy),” was posted on July 11th on the official procurement website.

[Image: Tor hacking Russian Government]

The competition is arranged by the Russian Government “in order to ensure the country’s defense and security.”

I asked a colleague to help me translate the original tender; the spelling of “TOP” comes from that original document (all-caps, Russian transliteration). The tender is indeed about Tor. The term “Scientific Production Association” (Научно-производственное Объединение) is a Soviet/Russian cover word for a military or KGB/FSB R&D outlet. The one in question belongs to the Interior Ministry, which is in charge of the police and the penitentiary system.

The tender requires an active security clearance specifically in the LI (though I wonder if “legal” is applicable to Russia at all) and a general high-level security clearance.

The tender reports that companies that intend to take part in the competition have to pay a 195,000 ruble (about $5,555) application fee. The Russian Government wants to break the encryption used to anonymize users’ web experience on the Tor network; it is aware that foreign intelligence agencies are working on similar projects and routinely use the popular network.

The Tor network is widely used by digital activists and individuals in critical areas of the planet to avoid censorship operated by governments such as Iran and China. Today the project is managed by a nonprofit group, which is also financed by the US Government, and counts 2.5M users worldwide, as reported in the graph below.

[Image: Tor hacking Russian Government 2]

Tor is perceived by the Russian Government as a serious threat; its use, like the adoption of any other anonymizing tool, is “discouraged” by the Kremlin.

The Russian Government isn’t the only one trying to de-anonymize Tor. The FBI, for example, exploited a zero-day flaw in the Firefox browser to identify Tor users in its investigation on child pornography; the code used is considered the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” aka CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Recently the German broadcaster ARD reported that NSA experts were monitoring two Tor directory servers in Germany to de-anonymize the IP addresses of Tor users connecting to them.

Let’s close this post with another curious case. Earlier this year researchers Philipp Winter and Stefan Lindskog of Karlstad University in Sweden identified 25 nodes of the Tor network that tampered with web traffic, decrypted it and censored websites.

The experts discovered that an unspecified Russian entity was eavesdropping on exit nodes at the edge of the Tor network; the attackers appeared to be particularly interested in users’ Facebook traffic. Of the compromised nodes, 19 were tampering with users’ traffic using man-in-the-middle attacks, decrypting and re-encrypting it on the fly.

[Image: tor network Russian Government]

Who is spying on Tor network exit nodes from Russia?

Is it another attempt by the Russian Government to compromise Tor anonymity?

Moving on….

A few weeks ago, researchers from Carnegie Mellon University’s computer emergency response team (CERT), Alexander Volynkin and Michael McCord, announced that they were able to de-anonymize Tor users and planned to reveal their discovery at the next Black Hat conference in August.

We were all waiting for the presentation when the Black Hat organizers were contacted by the university’s lawyers, who informed them that the researchers would not participate in the event.

“Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release,” states the message posted on the official website of the event.

Roger Dingledine, the expert known as one of the creators of Tor, explained that he has no idea of the reason for the researchers’ decision, but he added that the Tor Project had been “informally” shown some of the materials that would have been presented.
“In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the BlackHat Webpage.”

“I think I have a handle on what they did, and how to fix it. We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything. The main reason for trying to be delicate is that I don’t want to discourage future researchers from telling us about neat things that they find. I’m currently waiting for them to answer their mail so I can proceed.”

“Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world,” he added.

Christopher Soghoian, principal technologist with the American Civil Liberties Union, has speculated that the researchers might have feared criminal prosecution for illegal monitoring of Tor exit traffic.

“Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes,” he added.

[Image: Tor network hacking Soghoian Tweet]

The reality is that law enforcement and intelligence agencies all over the world are trying to develop capabilities to track users of the deep web, and in particular of the Tor network. Hacking Tor is a goal for many intelligence agencies, as demonstrated by the documents leaked by Edward Snowden, which explicitly refer to a project named ‘Tor Stinks’ whose scope is tracking Tor users.

Last year the FBI exploited a zero-day flaw in the Firefox browser to identify Tor users in its investigation on child pornography. The exploit was based on JavaScript carrying a tiny Windows executable hidden in a variable dubbed “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to an FBI server in Virginia, exposing the victim’s real IP address. The script sends the data back with a standard HTTP web request outside the Tor network.

[Image: Firefox Zero-day against Tor Anonymity]

The security expert and exploit developer Vlad Tsyrklevich analyzed the JavaScript code’s payload, noting that it connects to a server to send back the user’s data:

Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash.

The code is considered the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” aka CIPAV, the law enforcement spyware first reported by WIRED in 2007.

We will never know why these researchers cancelled their participation in Black Hat, but the only certainty is that governments are spending huge effort to track users on anonymizing networks, and have probably exploited, and are still exploiting, zero-day flaws in these systems.