What Desktop Innovation Needs to Succeed
Open Source Feminism: The Unfinished Revolution
Why Debian Is the Gold Standard of Upstream Desktop Linux
Yesterday's Man: The Fall of Richard Stallman
What's the Future of Free Software?
August 7th, 2013

Is the NSA Targeting TOR?

I like the expression, “Just when you thought it was safe to get back in the water.” I almost used it to open this article, but I didn’t. It would be inaccurate. Nobody in his right mind would consider the Internet waters safe at this junction in time.

Today while surfing tech sites looking for items for our news feed, I ran across an item on the Beeb titled Users of hidden net advised to ditch Windows, with the “hidden net” being TOR. Since it always brightens my day to discover some security geek has found yet more vulnerabilities in Redmond’s finest, I checked out the news item.

It wasn’t what I thought. TOR was singling-out Windows not because of any newfound security issues with Redmond’s operating system, but because TOR had been compromised with malware that was specifically designed to infect Windows machines.

If you’re new to the world of tech freedom, TOR is supposed to be a safe zone, a sanctuary. Among other things, it offers a way to surf anonymously. Governments hate it because the bad guys can use it as a way to evade detection. Digital freedom fighters like it for the same reason.

Like anything worthwhile, TOR is both light and dark, good and bad, angelic and demonic. When Aaron Swartz designed DeadDrop as a secure way for whistleblowers and other sources to safely communicate with news organization, he made the use of TOR mandatory. But DeadDrop can also be used for less noble purposes–as a way for terrorists or a criminal mob to communicate in secret for instance. Freedom is very paradoxical, you see.

According to the BBC, it was initially assumed hackers had targeted TOR as an action against kiddie porn:

“The code to exploit the bug was fed into the Tor network via servers owned by Freedom Hosting that ran sites accessible only via Tor. In 2011, Freedom Hosting sites on Tor came under attack by the Anonymous hacktivist collective, which claimed they hosted large amounts of images of child sexual abuse.

“The most recent attack is widely believed to have been carried out in an attempt to identify people viewing or swapping images of abuse via Freedom Hosting.”

That turned out to most likely not be the case, however. When malware was installed on TOR users’ Windows machines, it called home using an IP address hardcoded into the malware. Naturally, the security folks thought this would be a good clue to investigate:

“The warning comes as security researchers and computer forensics experts try to trace where the unique IDs grabbed by the attack code were being sent.

“Early work showed it was going to a location in the American state of Virginia. Further sleuthing now suggests the web address it is being sent to is run by the US National Security Agency.”

Aha! Our old friends at the NSA haven’t seemed to learn to retreat or even to pretend to do so as a public relations ploy. The only reason I can see for such an action, especially one that left a trail of breadcrumbs that could be followed to their door, is that our favorite spooks wanted to get caught. This has all the appearances of a warning shot over the bow or the Borg collective announcing, “Resistance is futile.”

A similar conclusion was expressed in an article on Ars:

“The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud’s discussion board wrote, ‘It’s psyops—a fear campaign… They want to scare folks off Tor, scare folks off all privacy services.'”

Although indications are that the IP address used by the malware initially belonged to defense contractor SAIC and was allocated to the NSA as part of several blocks of IP addresses handed over, the address could possibly belong to another government agency instead:

There are several sources that contend that the analysis of the DNS records…is flawed because of aged domain data for the IP address, and that the address block could be in use by any number of federal agencies or government contractors connected through Verizon Business / UUNET in that area. But DNS data points to the address being owned by SAIC.

While much of the news coming out of the NSA spy revelations is disturbing, to say the least, there have been a few rays of hope coming out of this mess. For example, on Saturday Reuters. reported it was evident at this years Black Hat conference and Def Con that the recent spy scandals have dealt a serious blow to the NSA recruitment efforts. Def Con went so far as to ask the NSA to not attend this years event and sentiment against Federal intelligence agencies was rampant:

“Peiter Zatko, a hacker hero who funded many small projects from a just-departed post at the Pentagon’s Defense Advanced Research Projects Agency, told another large audience that he was unhappy with the surveillance programs and that ‘challenging the government is your patriotic duty.’

“The disenchanted give multiple reasons, citing previous misleading statements about domestic surveillance, the government’s efforts to force companies to decrypt user communications, and the harm to U.S. businesses overseas.

“‘I don’t think anyone should believe anything they tell us,’ former NSA hacker Charlie Miller said of top intelligence officials. ‘I wouldn’t work there anymore.'”

Another unintended consequence of this mess may be that everyday people might finally get it and understand that there absolutely can be no privacy guarantees in cyberspace. No matter what privacy laws get passed, individuals, companies and governments can and will be collecting data to which they have no right.


Important Update: The code for this exploit has now been confirmed to be circulating online. The exploit takes advantage of a vulnerability in Firefox that has since been patched. Users of TOR are advised to make sure they are using the most up-to-date browser bundle available from the TOR project. TOR users are also advised to disable both JavaScript, Flash and most browser addons while attempting to browse anonymously.

Although the original exploit is still considered to be part of a government operation and was relatively “safe,” versions of this malware that is not so benign could possible surface soon, as pointed-out by Dan Goodin on Ars:

“While the code is designed to limit the damage that can be done, it wouldn’t be hard for third parties to modify the script to expand the range of things it can do. Tor users are strongly urged to update their browser bundle before using the service.”

For additional information, please see the advisory posted by the TOR Project.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

8 comments to Is the NSA Targeting TOR?

  • sobe

    Tor wasn’t compromised, Tor users were compromised by a Javascript exploit in Firefox 17, and user ignorance (allowing javascript) to run was the reason. It’s not Tor’s fault!

  • Hi, @sobe ! I don’t think I implied it was TOR’s fault. However, what you say isn’t true. TOR hidden service servers were hacked and planted with JavaScript malware so that when a TOR user visited a hidden site they were infected, if they were running the unpatched TOR bundle and had JavaScript enabled.

  • sobe

    Third paragraph…

    It wasn’t what I thought. TOR was singling-out Windows not because of any newfound security issues with Redmond’s operating system, but because TOR had been compromised with malware that was specifically designed to infect Windows machines

    Once again, Tor was not compromised.

    This is like the third article I’ve seen blaming Tor for this vulnerability. The vulnerability was in an unpatched version Firefox 17. It’s not Tor’s fault that people are allowing javascript to run in the browser. Tor users were compromised by a Javascript exploit in unpatched Firefox 17 that targeted Windows users of Firefox 17 who were not blocking javascript. Tor has since been bundled in a “patched” version of “Firefox 17” and all is well. Even the unpatched version of Firefox would not have been compromised if the users would not allow javascript to run. Lesson, no matter what OS or browser your using? Turn off javascript…block it…period.

  • @sobe Again, TOR hidden service servers were hacked and planted with JavaScript malware so that when a TOR user visited a hidden site they were infected, if they were running the unpatched TOR bundle and had JavaScript enabled. It’s hard to say the network wasn’t hacked in this case. Also, if TOR had stuck with the TOR button instead of deciding they needed to fork Firefox, nobody would be running an unpatched browser right now.

  • Just a couple more of several things that might need fixed in this article and then I won’t bother reading this site anymore due to inaccurate, un-researched reporting. The headline! The NSA is not targeting Tor, they “were” targeting a javascript vulnerability that affects Windows users who were using an un-patched version of Firefox 17. And also, there is no Malware involved. The vulnerability they were targeting was simply to snatch the IP address of the users who fell victim. No Malware is gonna surface, they just wanted IP addresses that’s all. With that said, you might as well scrap the whole article since none of it is accurate. And before you try to change all of it and once again say I’m mistaken, you never said these things, I learned a long time ago to take screenshots because of sneaky writer’s.

  • Actually, infecting your computer without your permission to harvest your MAC address qualifies as malware, sobe. And whoever was responsible, be it the FBI or the NSA was NOT targeting Firefox. They were taking advantage of a vulnerablitiy in Firefox to target TOR users.

  • well this is why I never touch the noscript extension when using tor, it just cases more problems than the nice conviniances it provides. In anycase who in the right mind, freedom fighter or otherwise would believe that using anything by apple or microsoft would ever keep thier stuff secure? at least in ubuntu I can unstall the malware the mark shuttleworth decided to add. heck I can’t remember the last time I had to defrag my hdd manually, do updates manually (thnx cron), and worry about many exploits for ubuntu. Even then with severe mal/spyware or viruses, if you keep your linux machine up to date, you should be ok.

  • […] this Microsoft/NSA issue, one blogger writes: “I like the expression, “Just when you thought it was safe to get back in the water.” I […]