On the 8th of August, wired.com revealed that one version of the FBI’s infamous “CIPAV” software has finally been caught and reverse-engineered. This version sought to identify people connecting to Freedom Hosting’s hidden (.onion) services, sending computer hostnames and MAC addresses back to the FBI. Curiously, this version did not seek user’s IP addresses like some other varients have been reported to do. Is the FBI relying on Microsoft records tying MAC addresses to credit card purchases instead?
This attack sought to identify all users of a certain hidden Tor service. Only Windows users with versions of Torbrowser recent enough to include FIrefox 17 but before June 26 were affected. It should be assumed that similar code exists for other vulnerabilities, maybe other platforms. The browser vulnerability exploited by this particular CIPAV varient was cross-platform on Firefox 17-the versio used by recent versions of Torbrowser. Tails, Linux versions, and even Mac were all immune to this particular exploit code
server. NoScript would not only block the code-but show the claimed identity of the
server, which could easily be changed in the future to something like “gooogle,” “yaho,”
or “nsn.” There are flaws in this kind of attack I won’t publish unencrypted, but which
imply the FBI’s hackers are not very good at working against NoScript.
Updates to Tor browser June 26 and later make this varient useless. Also, the FBI will
now be more reluctant than ever to committ new versions of CIPAV to attacks on anyone
deemed connected to hackers. Get a reputation as a hacker, make the FBI lose their appetite for fucking with your computer!
Countermeasures to future varients :
Not using Windows stopped this attack, might not stop others
avoiding using Tor (or ANYTHING) with untrusted recipent sites
Randomizing mac addresses-every time
Using Tor from public wifi spots when it counts-Tor as one layer
of defense, not your only defense.
Source code (I downloaded it just in case!)::
IP address used by CIPAV (THIS time around!) : 126.96.36.199
Tor security advisary: