[Crypto-chi] Tor at risk

Freddy Martinez freddymartinez9 at gmail.com
Wed Dec 24 14:06:19 CST 2014


Well,

This is a serious flaw in Flash (which is garbage software), not really Tor.

Here is what we know. The FBI identified a web server in operation
Torpedo (FWIW: that's a pretty clever portmanteau). Then they simply
logged in to the webpage because the web server's admin username was
"admin" and the password was .... wait for it... not set. From there,
they installed an invisible iFrame that uses Flash to ping an FBI
server with the real IP of the Tor user. Eventually users noticed this
and quickly abandoned the webpage.

What was vulnerable? Tor users using an old version of TBB that was
outdated and allowed Flash to execute. (By default TBB ships with
NoScript (but disabled) and does NOT allow Flash to execute. There
have been discussions about shipping TBB with NoScript enabled by
default but that breaks a lot of webpages. However, Flash shouldn't
have been able to execute anyways and the end-users allowed it to
execute.)

What remains to be decided / understood? Under what authority can the
FBI hack into webpages? Notice this was against all visitors to a
webpage. Related: the FBI is pushing the DoJ for greater latitude to
install RATs [0] in laptops.

tl;dr  Keep your TBB up to date and don't run Flash

(actually good advice for all web browsers, Tor or not...). Also don't
open PDFs while on Tor etc etc.

Freddy

[0] http://www.theatlantic.com/technology/archive/2014/12/the-webcam-hacking-epidemic/383998/

On Wed, Dec 24, 2014 at 12:03 PM, joe fuentes <joseph.fuentes at live.com> wrote:
> Especially today Christmas Eve day.  Our rights to privacy at risk.  Tor is
> the target.
>
> First, FBI was able to obtain some user IP addresses from Tor.  This uses
> open source Metasploit from a security researcher Moore. See below
>
> http://www.wired.com/2014/12/fbi-metasploit-tor/?mbid=social_fb
>
> This in fact earned Moore a warning from law enforcement thus discouraging
> security researchers from performing their work. See below
>
> http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers
>
> And if this wasn't enough a report shows the NSA keeps track of who looks
> up Tor and visits website. Kinda like Santa Claus watching who's naughty or
> nice.  See below
>
> http://www.theverge.com/2014/7/3/5868159/new-report-says-the-nsa-is-checking-who-visits-tors-website
>
> Wot are your thoughts on this everybody??
>
> - Joe

