[Crypto-chi] Tor at risk

joe fuentes joseph.fuentes at live.com
Wed Dec 24 15:24:36 CST 2014 

Hmmmm,

And it's agreed, when using Tor don't enable javascript and don't use Flash. 

The question remains with HTML 5 taking over the throne from Flash will HTML 5 video cough up your IP address the way Flash does? 
-Joe 
> Date: Wed, 24 Dec 2014 14:06:19 -0600
> From: freddymartinez9 at gmail.com
> To: cryptoparty-chi at groups.sshchicago.org
> Subject: Re: [Crypto-chi] Tor at risk
> 
> Well,
> 
> This is a serious flaw in Flash (which is garbage software), not really Tor.
> 
> Here is what we know. The FBI identified a web server in operation
> Torpedo (FWIW: that's a pretty clever portmanteau). Then they simply
> logged
> in to the webpage because the web server's admin username was "admin"
> and the password was .... wait for it... not set. From there, they
> installed an invisible iFrame that uses Flash to ping an FBI server
> with the real IP of the Tor user.  Eventually users noticed this and
> quickly abandoned the webpage.
> 
> What was vulnerable? Tor users using an old version of TBB that was
> outdated and allowed Flash to execute. (By default TBB ships with
> NoScript (but disabled) and does NOT allow Flash to execute. There
> have been discussions about shipping TBB with noscript enabled by
> default but that breaks a lot of webpages. However, Flash shouldn't
> have been able to execute anyways and the end-users allowed it to
> execute.)
> 
> What remains to be decided / understood? Under what authority can the
> FBI hack into webpages? Notice this was against all visitors to a
> webpage. Related: the FBI is pushing the DoJ for greater latitude to
> install RATs [0] in laptops.
> 
> tl;dr  Keep your TBB up to date and don't run Flash
> 
> (actually good advice for all web browsers, tor or not...), Also don't
> open PDFs while on Tor etc etc.
> 
> Freddy
> 
> [0] http://www.theatlantic.com/technology/archive/2014/12/the-webcam-hacking-epidemic/383998/
> 
> On Wed, Dec 24, 2014 at 12:03 PM, joe fuentes <joseph.fuentes at live.com> wrote:
> > Especially today Christmas Eve day.  Our rights to privacy at risk.  Tor is
> > the target.
> >
> > First, FBI was able to obtain some user IP addresses from Tor.  This uses
> > open source Metasploit from a  security researcher Moore. See below
> >
> > http://www.wired.com/2014/12/fbi-metasploit-tor/?mbid=social_fb
> >
> > This in fact earned Moore a warning from law enforcement thus discouraging
> > security researchers from performing their work. See below
> >
> > http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers
> >
> > And if this wasn't enough an report shows the NSA keeps track on who looks
> > up Tor and visits website. Kinda like Santa Claus watching who's naughty or
> > nice.  See below
> >
> > http://www.theverge.com/2014/7/3/5868159/new-report-says-the-nsa-is-checking-who-visits-tors-website
> >
> > Wot are your thoughts on this everybody??
> >
> > - Joe
> >
> > _______________________________________________
> > cryptoparty-chi mailing list
> > cryptoparty-chi at groups.sshchicago.org
> > http://groups.sshchicago.org/listinfo/cryptoparty-chi
> >
> _______________________________________________
> cryptoparty-chi mailing list
> cryptoparty-chi at groups.sshchicago.org
> http://groups.sshchicago.org/listinfo/cryptoparty-chi
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://groups.sshchicago.org/pipermail/cryptoparty-chi/attachments/20141224/9aa3ea06/attachment.html>

More information about the cryptoparty-chi mailing list