FBI CIPAV attack on Tor caught

On the 8th of August, wired.com revealed that one version of the FBI’s infamous “CIPAV” software has finally been caught and reverse-engineered. This version sought to identify people connecting to Freedom Hosting’s hidden (.onion) services, sending computer hostnames and MAC addresses back to the FBI. Curiously, this version did not seek users’ IP addresses, as some other variants have been reported to do. Is the FBI relying on Microsoft records tying MAC addresses to credit card purchases instead?

This attack sought to identify all users of a certain hidden Tor service. Only Windows users with versions of Torbrowser recent enough to include Firefox 17, but older than the June 26 release, were affected. It should be assumed that similar code exists for other vulnerabilities, and maybe for other platforms. The browser vulnerability exploited by this particular CIPAV variant was cross-platform on Firefox 17, the version used by recent versions of Torbrowser, but the exploit code itself was Windows-only: Tails, Linux versions, and even Mac were all immune to this particular exploit code.

This attack, in order to operate, had to load third-party JavaScript from an FBI-controlled
server. NoScript would not only block the code, but show the claimed identity of the
server, which could easily be changed in the future to something like “gooogle,” “yaho,”
or “nsn.” There are flaws in this kind of attack I won’t publish unencrypted, but which
imply the FBI’s hackers are not very good at working against NoScript.

Updates to Tor browser from June 26 and later make this variant useless. Also, the FBI will
now be more reluctant than ever to commit new versions of CIPAV to attacks on anyone
deemed connected to hackers. Get a reputation as a hacker, make the FBI lose their appetite for fucking with your computer!

Countermeasures to future variants:

Disabling JavaScript, but there are ways around that
Not using Windows stopped this attack; it might not stop others
Avoiding using Tor (or ANYTHING) with untrusted recipient sites
Randomizing MAC addresses, every time
Using Tor from public wifi spots when it counts: Tor as one layer
of defense, not your only defense.

Report:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/

Source code (I downloaded it just in case!):
http://tsyrklevich.net/tbb_payload.txt

IP address used by CIPAV (THIS time around!): 65.222.202.54

Tor security advisory:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
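Since the post publishes the address the payload reported to, a defender can sweep firewall logs for hosts that contacted it. The script below is an added example, not code from the post or from the reversed payload: it parses iptables LOG lines (the sample lines are constructed, not a real capture) and returns every outbound connection attempt to that indicator, grouped by source host.

```python
import re
from collections import defaultdict

# Indicator published in the post: the address the CIPAV payload reported to.
CIPAV_IOCS = {"65.222.202.54"}

# Constructed iptables LOG lines (sample data, not a real capture).
SAMPLE_LOG = """\
Aug  5 22:14:03 ws1 kernel: [1234.5] FW-OUT IN= OUT=eth0 SRC=10.0.0.15 DST=65.222.202.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=49152 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 22:14:05 ws1 kernel: [1236.1] FW-OUT IN= OUT=eth0 SRC=10.0.0.15 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=49153 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 22:15:11 ws2 kernel: [2200.7] FW-OUT IN= OUT=eth0 SRC=10.0.0.22 DST=65.222.202.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=49200 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 22:15:12 ws2 kernel: [2201.0] FW-OUT IN= OUT=eth0 SRC=10.0.0.22 DST=65.222.202.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=49201 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# iptables LOG fields are upper-case KEY=value tokens; flags like DF/SYN have no '='.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fw_line(line):
    """Return the KEY=value fields of one iptables LOG line as a dict."""
    return dict(KV_RE.findall(line))


def find_cipav_hits(log_text, iocs=CIPAV_IOCS):
    """Map each source host to its outbound (dst_ip, dst_port) attempts
    against an indicator address. Inbound lines (empty OUT=) are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_fw_line(line)
        if f.get("DST") in iocs and f.get("OUT"):
            hits[f["SRC"]].append((f["DST"], int(f.get("DPT", 0))))
    return dict(hits)


if __name__ == "__main__":
    for src, conns in find_cipav_hits(SAMPLE_LOG).items():
        dsts = sorted({d for d, _ in conns})
        print(f"{src}: {len(conns)} connection(s) to CIPAV indicator {dsts}")
```

Any host that appears in the output reached the indicator directly rather than through Tor, which is the signal worth escalating; feed real log files in place of SAMPLE_LOG.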
