I like the expression, “Just when you thought it was safe to get back in the water.” I almost used it to open this article, but I didn’t. It would be inaccurate. Nobody in his right mind would consider the Internet waters safe at this juncture in time.
Today while surfing tech sites looking for items for our news feed, I ran across an item on the Beeb titled Users of hidden net advised to ditch Windows, with the “hidden net” being TOR. Since it always brightens my day to discover some security geek has found yet more vulnerabilities in Redmond’s finest, I checked out the news item.
It wasn’t what I thought. TOR was singling out Windows not because of any newfound security issues with Redmond’s operating system, but because TOR had been compromised with malware that was specifically designed to infect Windows machines.
If you’re new to the world of tech freedom, TOR is supposed to be a safe zone, a sanctuary. Among other things, it offers a way to surf anonymously. Governments hate it because the bad guys can use it as a way to evade detection. Digital freedom fighters like it for the same reason.
Like anything worthwhile, TOR is both light and dark, good and bad, angelic and demonic. When Aaron Swartz designed DeadDrop as a secure way for whistleblowers and other sources to safely communicate with news organizations, he made the use of TOR mandatory. But DeadDrop can also be used for less noble purposes, as a way for terrorists or a criminal mob to communicate in secret, for instance. Freedom is very paradoxical, you see.
According to the BBC, it was initially assumed hackers had targeted TOR as an action against kiddie porn:
“The code to exploit the bug was fed into the Tor network via servers owned by Freedom Hosting that ran sites accessible only via Tor. In 2011, Freedom Hosting sites on Tor came under attack by the Anonymous hacktivist collective, which claimed they hosted large amounts of images of child sexual abuse.
“The most recent attack is widely believed to have been carried out in an attempt to identify people viewing or swapping images of abuse via Freedom Hosting.”
That most likely turned out not to be the case, however. When malware was installed on TOR users’ Windows machines, it called home using an IP address hardcoded into the malware. Naturally, the security folks thought this would be a good clue to investigate:
“The warning comes as security researchers and computer forensics experts try to trace where the unique IDs grabbed by the attack code were being sent.
“Early work showed it was going to a location in the American state of Virginia. Further sleuthing now suggests the web address it is being sent to is run by the US National Security Agency.”
Aha! Our old friends at the NSA don’t seem to have learned to retreat, or even to pretend to do so as a public relations ploy. The only reason I can see for such an action, especially one that left a trail of breadcrumbs that could be followed to their door, is that our favorite spooks wanted to get caught. This has all the appearances of a warning shot over the bow, or the Borg collective announcing, “Resistance is futile.”
A similar conclusion was expressed in an article on Ars:
“The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud’s discussion board wrote, ‘It’s psyops—a fear campaign… They want to scare folks off Tor, scare folks off all privacy services.’”
Although indications are that the IP address used by the malware initially belonged to defense contractor SAIC and was allocated to the NSA as part of several blocks of IP addresses handed over, the address could possibly belong to another government agency instead:
There are several sources that contend that the analysis of the DNS records…is flawed because of aged domain data for the IP address, and that the address block could be in use by any number of federal agencies or government contractors connected through Verizon Business / UUNET in that area. But DNS data points to the address being owned by SAIC.
While much of the news coming out of the NSA spy revelations is disturbing, to say the least, there have been a few rays of hope coming out of this mess. For example, on Saturday Reuters reported it was evident at this year’s Black Hat conference and Def Con that the recent spy scandals have dealt a serious blow to the NSA’s recruitment efforts. Def Con went so far as to ask the NSA not to attend this year’s event, and sentiment against federal intelligence agencies was rampant:
“Peiter Zatko, a hacker hero who funded many small projects from a just-departed post at the Pentagon’s Defense Advanced Research Projects Agency, told another large audience that he was unhappy with the surveillance programs and that ‘challenging the government is your patriotic duty.’
“The disenchanted give multiple reasons, citing previous misleading statements about domestic surveillance, the government’s efforts to force companies to decrypt user communications, and the harm to U.S. businesses overseas.
“‘I don’t think anyone should believe anything they tell us,’ former NSA hacker Charlie Miller said of top intelligence officials. ‘I wouldn’t work there anymore.’”
Another unintended consequence of this mess may be that everyday people might finally get it and understand that there absolutely can be no privacy guarantees in cyberspace. No matter what privacy laws get passed, individuals, companies and governments can and will be collecting data to which they have no right.
Although the original exploit is still considered to be part of a government operation and was relatively “safe,” versions of this malware that are not so benign could possibly surface soon, as pointed out by Dan Goodin on Ars:
“While the code is designed to limit the damage that can be done, it wouldn’t be hard for third parties to modify the script to expand the range of things it can do. Tor users are strongly urged to update their browser bundle before using the service.”
For additional information, please see the advisory posted by the TOR Project.