Owner: okdan (created 24/09/2013 15:26), revised 25/09/2013 09:45 (by: SATtva)
Categories: software, anonymity, politics, tor, vulnerabilities, intelligence agencies, firefox
http://www.pgpru.com/Новости/2013/ФБРОфициальноПризналасьВКонтролеНадАнонимнойСетьюTor

24.09 // FBI officially admits to compromising the hosting of Tor hidden services

The Federal Bureau of Investigation (FBI) has confirmed its involvement in breaking into and operating servers that served the anonymous Tor network. The statement was made in court by FBI special agent Brooke Donahue, Wired reports.

28-year-old Eric Eoin Marques, a Dublin resident and the alleged founder of the hosting company Freedom Hosting, is charged with distributing child pornography via the Tor network.

According to Marques's defense attorneys, FBI agents, even before his arrest and without court authorization, entered the data center where the Freedom Hosting servers were located and installed data-interception software.

The Irish Independent claims that several months earlier Marques had tried to change the settings of the Freedom Hosting servers but was unable to, because the FBI had changed their passwords.

The Tor network allows websites to be hosted anonymously and gives users anonymous access to them. Among other purposes, it is used to distribute prohibited content, for example child pornography.

It is worth noting that Freedom Hosting, which came under FBI control, was a significant Tor hosting provider. Three days after Marques's repeated arrest on August 4, 2013, the Tor Project blog published a post about numerous user reports that a large number of hidden-service addresses had vanished from the network. In total, about half of the sites in the .onion pseudo-domain (which are Tor hidden services) disappeared from the directory, including ones unrelated to illegal content.

Experts analyzed the code of the software installed on the servers and concluded that it exploits a vulnerability in the Firefox 17 ESR browser, on which the Tor Browser Bundle is built. This bundle, freely available on the project's official website, is intended for users who wish to use the anonymous network.

Reverse engineering showed that the purpose of the hidden code is to unmask anonymous users: it transmits the unique MAC address of the device from which the internet connection was made and the victim's computer name in the Windows operating system.

This data was sent to an unknown server in Northern Virginia, USA, in order to determine the user's IP address. Two addresses to which the hidden code sent data were found, but who they belonged to could not be established: the trace ended at one of the servers of the American telecommunications company Verizon.

The FBI's involvement in creating this code has now been confirmed by an official representative for the first time. Until then, observers could only guess who its author was. It seemed most obvious that government bodies were involved, since the purpose of the code was to unmask users rather than to install any kind of backdoor.

Speaking in court, special agent Donahue explained that the code was deployed in order to find Marques's accomplices.

Recently, attention was drawn to the Tor network because, as it turned out, 60% of its funding comes from the US government. It is worth noting that Tor was originally created as a military project and only later became an open one.

Source: http://www.cnews.ru/top/2013/0.....noy_setyu_tor_543194


Comments
— аноон (06/08/2015 22:37)
A browser exploit at user login? A method like the one in the news text?

Yes, the news reports give the details:

Legal warrant or not?

Legal experts told Ars that there are significant questions about precisely how the unnamed Tor site was breached, exactly how its "Network Investigative Tool" (or NIT, i.e., malware) works, how many of the users were outside of the judicial district, and if the seized server contained other non-criminal content.

"This is another example of the FBI obtaining a warrant that they are not yet authorized to obtain or execute based on the lack of technical expertise of the judiciary," Ahmed Ghappour, a law professor at the University of California, Hastings, told Ars. Ghappour pointed to a proposed change to Rule 41 that is currently working its way through the judicial system. He has written at length about this potential upcoming modification to Rule 41.

With the Tor-server effort, the affidavit does not clearly indicate how the malware was specifically deployed, nor if it was used against users outside of the Eastern District of New York.

"As you say, [the amendment to] Rule 41 has not yet been implemented, and so the variety of users on this website that were abroad to the extent that they were hacked as a result of the execution of this warrant, that would be in violation of the current venue restrictions of Rule 41," Ghappour added. "Even if someone from out of state was to have their computer searched as a result, that would be outside the bounds of the venue restriction of the current rule."

"The court filings scrupulously avoid naming Tor (or mentioning hacking). Instead, they provide a detailed description of an anonymizing 'Network' and how a particular website was hidden in that 'Network'," Jonathan Mayer, a Stanford University legal scholar and current computer science doctoral candidate, told Ars. "There's only one software tool with the described popularity and with the described client and server functionality. That's Tor."

The FBI's NIT was used in previous investigations. It's cited in court papers for the case USA v Cottom et al, which is currently being tried in the Nebraska US District Court. A team of experts hired by the defense—Dr. Ashley Podhradsky, Dr. Matt Miller, and Josh Stroschein of Dakota State University—performed forensic analysis of the NIT, reverse-engineering the code. They found it used the same techniques as Rapid7's Metasploit "decloaking engine"—a component of the Metasploit framework that in this case used a known Flash vulnerability to extract information about computers running an older, unpatched version of the Tor Browser Bundle. (Ironically, Metasploit's core developer for several years was also named Matt Miller—but he now works at Microsoft.)

While leveraging an exploit to extract identity information from computers connecting to the Tor service, the defense expert investigators wrote that they "do not consider the NIT to be 'hacking'" because the NIT "exploited a configuration setting that did not require offensive-based actions." The NIT exploit bypassed Tor by creating a direct socket connection that eschews Tor's routing—in this particular case, by using a Flash component. This functionality, the experts noted, was identical to Metasploit's decloaking code.

Tor only routes Transmission Control Protocol (TCP) traffic and does not handle other Internet communications protocols. The exploit took advantage of this to send information about the system that the exploit executed on over the public Internet, both revealing its public address and tying that address to the website the exploit was launched from. A "policy file" on the server hosting the exploit is checked by the exploit package "to see which type of method to use on the client side," the expert investigators wrote to the court. "The choices given in the NIT were Java, Javascript, or Flash. This allows the NIT to only connect via Flash when it is the 'best method' available."

In a conversation with Ars about the most recent FBI affidavit, security researcher and former Tor developer Runa Sandvik said she believes that the same Metasploit-based NIT was used to unmask the 215,000 users of the site seized by the FBI. Alternatively, she said the FBI may have used a honeypot technique that feeds site visitors a link to a webpage outside of Tor, next using a variety of traffic analysis methods and information provided by the site users themselves to aid in identifying them. "The FBI could have used that type of method too and not relied on [JavaScript] or Flash," she noted.

While court papers filed in the Silk Road 2.0 case claim that an undercover Homeland Security investigator managed to get hired as an "admin" for the marketplace, the FBI could have used other techniques to identify hosting services that might have servers running Tor sites.

In a blog post last November, former Tor Project Director Andrew Lewman noted that ten Tor "exit nodes"—the last stops for Tor traffic before leaving the anonymizing network—had been taken offline during Operation Onymous. He noted that it was possible that law enforcement was operating Tor network nodes in an effort to identify hidden services and users.

— аноон (06/08/2015 22:41)
According to the criminal complaint filed in US Court today, the HSI undercover investigator got in on the ground floor with Silk Road's second incarnation. "DPR2," the original operator of the new site, created a forum to discuss launching a replacement site on a hidden site on the Tor network on October 7, 2013—less than a week after the original site was seized. The undercover investigator was invited to join the forum, and the next day was granted forum moderator privileges; by January 2014, the investigator was a paid staff member, receiving 16 payments in Bitcoins totalling about $32,189 based on current exchange rates.

On topic
— cypherpunks (09/08/2015 22:16)
i.e. you're predicting that TLZ is a goner too :(

A goner.
A tale of how the Australian police shut down a hidden service and arrested its owner.

The admin got 28 years
— cypherpunks (14/08/2015 19:47, edited 14/08/2015 19:48)

Copypasta


No, the police's misinformation about how he was located was just that: lies.

'Skee' used the nick 'Skudded' on ausamarok.com and was very active and a Senior Member there. The cops spotted a small freckle on the finger of Skee in one of the images he shared with a Dutch guy who got busted. Greetings and other things were also noted by the cops about his clearnet use; however, none of that was how they located him.

"To remind people how dangerous metadata can be, the recent arrest of TLZ admin 'Skee' aka Shannon McCoole was a direct result of him leaving metadata in images & videos. He privately shared files with a Dutch mod, who was later arrested. Within the image/video metadata was the unique serial number of the Panasonic DMC-FX38 camera. Even though the camera was old, the LEA could still trace with the serial number where the camera was shipped and sold to."

It has been said in some reports that he had attempted to remove the metadata. However, not all fields were in fact deleted by the program he was using (program name unreported). And that was his downfall, after not double-checking the files he was privately sharing beforehand.

"McCoole tried to use a 'wiping program' to remove identifying metadata from the camera, but police were able to obtain it through a sophisticated information-gathering technique."

In some cases the camera's unique serial number is located within the metadata, but not in the normal EXIF metadata people remove; it sits within another field of the metadata, the XMP data fields. Not all metadata removal software removes all metadata fields like IPTC, ICC and XMP during the cleaning. The basic ones only remove the EXIF fields, so make sure your software removes ALL metadata before sharing.

What McCoole did and how he was caught

HOW HE WAS CAUGHT:

Danish police discovered McCoole's content online and contacted Australian police.

Images online were embedded with a serial number that matched McCoole's digital camera.

FROM TLZ Admin area posted by Skee:

"This material is not to be shared outside the admin team, some of it is my own personal material and some of it is extremely private and you will be the first people to view it. Don't be the grinch and ruin Christmas." end.

Too lazy to look up the proof links, but they're easy to google


— cypherpunks (28/08/2015 06:47)
The Agora administrators are working on a solution that will require "big changes" to the site's software stack, and it will take time to deploy, according to the message.

"Additionally, we have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however, this is only a temporary solution," they wrote.

It's not clear which specific research the Agora administrators referred to, but a paper presented at the 24th USENIX Security Symposium two weeks ago seems to fit their description. The paper, authored by researchers from the Massachusetts Institute of Technology (MIT) and the Qatar Computing Research Institute (QCRI), describes a new traffic fingerprinting method that improves upon previous techniques and could allow attackers to determine with a high degree of accuracy where Hidden Services are hosted.

"Most of the new and previously known [de-anonymization] methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources," the Agora administrators said.

It's all over the news
— Гость_ (12/09/2015 08:55)
The FBI director said that for the bureau's agents Tor is like an open book.
They’ll use the onion router to hide their communications. They think that if they go to the dark web … that they can hide from us. They’re kidding themselves, because of the effort that’s been put in by all of us in the government over the last five years or so, that they are out of our view.
— гыук (12/09/2015 20:32)
The book is open (?), but they'd need to find the resources to "read" it in a reasonable time. And the most unpleasant part (for them) is that, having read it, they'll start to realize that 99% of the content is junk. ))
— cypherpunks (05/10/2015 22:32, edited 05/10/2015 22:33)
The investigators said Escobosa thought he kept no copies of illegal imagery on his PC, but agents found 115 images stored in the thumbnail cache of his Tor browser – plus logs of IRC chats with other people. After he was cuffed, Escobosa kept his mouth shut and demanded a lawyer, then admitted to the Feds he had cruised websites looking for unspeakable images.

theregister

— cypherpunks (28/10/2015 00:28, edited 28/10/2015 00:36)

New details in the TLZ case.


As the media pack gathered outside the court, Griffiths and Joch had a one-on-one with McCoole and walked away with his login details and passwords. The takeover of his identity began then, on a laptop in the Adelaide courthouse.

ON TUESDAY, JUNE 10, 2014, GRIFFITHS AND Argos detective Libor Joch flew to Adelaide as SA police prepared to raid McCoole. Surveillance teams at first detected no movement inside his home – until McCoole stirred, confirming his presence. A detective knocked and waiting teams of police moved in.

The Argos investigators followed their counterparts from SA’s Investigation Branch inside. On the living room table, the laptop was open, turned on and plugged in to an external hard drive. McCoole had snapped shut his laptop. In that instant the whole operation teetered on catastrophe. If his screen was locked, police faced a likely unbreakable wall of encryption. When an officer lifted the screen, it was mercifully still unlocked.

There was more luck. McCoole had not had a chance to log in to the TLZ, but the palm-sized portable hard drive had a complete backup of the website.

The arrest of McCoole was national news. Some of the senior members of the TLZ knew the head administrator was from Adelaide and worked with children. Suspicions were aroused in the network. Pease and Joch, posing as McCoole, managed to convince the doubters the arrest was unrelated.

On arrest day, dozens of police including heavily armed riot squad officers waited outside IOH’s home. Back in Brisbane it was night, and detectives Joch and Pease were at police headquarters. The plan was for the Queensland officers, posing as McCoole, to engage IOH online while police quietly entered his home and arrested him at his computer.

Unexpectedly, their target left his house, delaying the raid. It was 4am Brisbane time when he finally returned and turned on his computer. Det. Joch, posing as NUKE, was waiting for him online. Joch had the flu and worked it into conversation with IOH. As they chatted, police quietly entered the house. They were making their way up the internal stairs when IOH went for a toilet break. He never made it to the bathroom. A message was relayed back to Joch – their target was in custody and they had full access to his computer.

In North America, a member was chatting to Pease online, believing it was McCoole, when a SWAT team stormed into his home and arrested him at his computer. Pease, informed by email that the member was in handcuffs, sent a final message just in case it had been a bluff: “I don’t know what you’re doing that you think is more important than talking to me but whatever it is, it isn’t. Get your arse back to the keyboard.”

couriermail.com.au


A key arrest in the case took place not long after in the Netherlands, where an alleged co-manager of "The Love Zone" was arrested while he chatted with the officers he thought were Shannon McCoole. The arrest of the Dutchman meant, according to an official Australian document on the case, that the security forces were given access to all the messages and all content on The Love Zone.

The strategy worked, and over almost half a year the Australian investigators fed colleagues around the world (at least 23 people have been arrested in the case) with information from "The Love Zone".

What evidence the police have against him is still unknown, since all hearings of the case have been kept behind closed doors.

According to the indictment against him, he helped to create the technical framework for both "The Love Zone" and another similar network called "Hoarders Hell".

nyhederne.tv2.dk, Google translation


After infiltrating and taking control of the hidden resource, they let it keep running for 6 months.
During those months they impersonated and monitored everything in order to deanonymize as many members as possible.
Out of tens of thousands of members and the core of the most active ones, they found only 23.
They warn that this isn't all yet.

— cypherpunks (07/01/2016 22:26, edited 07/01/2016 22:34)
In a conversation with Ars about the most recent FBI affidavit, security researcher and former Tor developer Runa Sandvik said she believes that the same Metasploit-based NIT was used to unmask the 215,000 users of the site seized by the FBI.

Continued


A section of one of the complaints involved in the Playpen investigation, showing that 1300 true IP addresses were obtained.

Just a month after launch, Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week.

Magistrate Judge Theresa C. Buchanan in the Eastern District of Virginia, who signed the warrant used for the NIT, did not respond to questions on whether she understood that the warrant would grant the power to hack anyone who signed up to Playpen, or whether she consulted technical experts before signing it, and her office said not to expect a reply.

Soghoian warned about what this scale of hacking may signal for the future of policing. "This is a scary new frontier of surveillance, and we should not be heading in this direction without public debate, and without Congress carefully evaluating whether these kind of techniques should be used by law enforcement," he said.

Regardless, in taking down one of the biggest dark web pornography sites, the FBI also engaged in likely the largest law enforcement hacking campaign to date.

motherboard.vice.com
A 0day, or a vulnerability that wasn't patched in time? A hole in JS? JS is enabled by default.
1300 is more than 10% of the eleven-thousand weekly audience.

— cypherpunks (10/01/2016 21:32)
there are situations in this kind of field where the worst and the most prolific criminals utilize the highest level of IT subterfuge to subvert any law enforcement activity in an attempt to identify them. As a result, the government requires very significant specialists to hunt them down.

darkwebnews.com
— cypherpunks (22/01/2016 01:27, edited 22/01/2016 01:29)
Officials said some of the suspects were identified in online chat room stings, where detectives posed as users and shared pornographic images with suspects. Investigators then obtained search warrants targeting IP addresses.

mercurynews.com


one defense team has made the extraordinary step of arguing to have their client's case thrown out completely. Their main argument is that the FBI, in briefly running the pornography site from its own servers in Virginia, itself distributed an “untold” amount of illegal material.

if the methods of the investigation that supposedly identified his client “cannot be reconciled with fundamental expectations of decency and fairness,” then the indictment should be dismissed.

In their argument, Fieman and Sullivan point to the Department of Justice's own view on the harm caused by the proliferation of pornography. “Once an image is on the Internet, it is irretrievable and can continue to circulate forever,” the Department of Justice website reads. In an April 2015 press release, US Attorney Josh J. Minkler said that “Producing and distributing pornography re-victimizes our people every time it is passed from one person to another.” In essence, the lawyers' point is that the FBI was, by running Playpen from its own servers, essentially distributing pornography. So, according to their argument, it is unclear how the “Government can possibly justify the massive distribution of pornography that it accomplished in this case.”

It compares the case to “Operation Fast and Furious”: Between 2009 and 2011, law enforcement agents infamously proliferated illegal weapons in an attempt to trace them to Mexican drug cartels. Some of the weapons, however, ended up being used in the murder of a US Border Patrol agent.

“We are in a protracted street fight with the Department of Justice and the FBI”

on December 10, the Government wrote that the defense counsel will be provided with the computer code of the NIT under a protective order. The defense is also expected to receive a detailed list of the number of pornography materials on Playpen while it was being run from an FBI server.

motherboard.vice.com
Checkmate. Unexpected.

— cypherpunks (30/01/2016 13:20)
Forget 0days, traffic analysis, and crypto attacks; it's simple mistakes like this that bite the hardest.
Even sites where user privacy is absolutely imperative show negligence in this regard. Toward the end of 2015, I found a popular .onion search engine that had failed to disable the status module. As you might imagine, the result was not pretty.
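As an added example (not code from the page or from any project it names), a small audit for the leak described in that comment: it parses an Apache config for a reachable server-status handler and, for a hidden service, treats the stock `Require local` guard as exposed, because tor hands onion visitors to a local HiddenServicePort target from 127.0.0.1. The names `audit_status_module` and `StatusAudit` and the two sample configs are my own.

```python
"""Audit an Apache httpd config for a mod_status page reachable by visitors.

Added example, not code from the page or from any project it names.
/server-status lists recent requests with client addresses and URIs. The
hidden-service catch: when HiddenServicePort targets a local port, tor hands
every onion visitor to httpd from 127.0.0.1, so the stock "Require local"
guard that protects a clearnet host lets every onion visitor read the page.
"""
import re
from dataclasses import dataclass, field

# Access-control lines in Apache 2.4 (Require) and 2.2 (Allow/Deny) syntax.
LOCAL_ONLY = re.compile(
    r"^\s*(Require\s+(local|ip(\s+(127\.0\.0\.1|::1))+)"
    r"|Allow\s+from(\s+(127\.0\.0\.1|localhost|::1))+)\s*$", re.I | re.M)
DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)
LOCATION = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.I | re.S)


@dataclass
class StatusAudit:
    module_loaded: bool = False
    exposed: bool = False          # server-status reachable by the service's visitors
    findings: list = field(default_factory=list)


def _strip_comments(conf: str) -> str:
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def audit_status_module(conf: str, hidden_service: bool = True) -> StatusAudit:
    """hidden_service=True: the vhost is published via tor, so 127.0.0.1 is untrusted."""
    audit = StatusAudit()
    body = _strip_comments(conf)
    audit.module_loaded = bool(re.search(r"^\s*LoadModule\s+status_module\b", body, re.M))
    if not audit.module_loaded:
        return audit               # no module, nothing can serve the handler
    if re.search(r"^\s*ExtendedStatus\s+On\b", body, re.I | re.M):
        audit.findings.append("ExtendedStatus On: per-request client IPs and URIs are listed")
    for m in LOCATION.finditer(body):
        path, block = m.group(1), m.group(2)
        if not re.search(r"SetHandler\s+server-status\b", block, re.I):
            continue
        if LOCAL_ONLY.search(block):
            if hidden_service:     # the guard that is fine on clearnet fails here
                audit.exposed = True
                audit.findings.append(
                    f"{path}: local-only rule, but tor delivers onion visitors from 127.0.0.1")
        elif DENY_ALL.search(block):
            pass                   # handler mapped but denied to everyone: safe
        else:
            audit.exposed = True
            audit.findings.append(f"{path}: server-status handler has no access restriction")
    return audit


# Constructed sample: the distro-style default that leaks on a hidden service.
WEAK_CONF = """
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""

# Corrected: leave the module unloaded (or keep the block with Require all denied).
FIXED_CONF = """
# LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Require all denied
</Location>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        result = audit_status_module(conf)
        print(name, "EXPOSED" if result.exposed else "ok", result.findings)
```

Run it against the config files tor's HiddenServicePort actually points at (including any distro drop-in such as a mods-enabled status file), since the default there is exactly the weak shape shown.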
— cypherpunks (02/02/2016 18:22, edited 02/02/2016 18:29)
In a hearing held last Friday, FBI Special Agent Daniel Alfin, from the agency's violent crimes against adult section, elaborated on how the Network Investigative Technique (NIT), the agency's term for a hacking tool, was deployed only against visitors of specific sections of the site.

"The NIT was deployed against users who accessed posts in the "[skipped]" forum because users accessing posts in that forum were attempting to access or distribute or advertise pornography," he said, according to a court transcript.

This point was reaffirmed in a ruling issued by Judge Robert J. Bryan on Thursday. "The FBI setup the NIT so that accessing the forum hyperlink, not Website A's [Playpen] main page, triggered the automatic deployment of the NIT from a government-controlled computer in the Eastern District of Virginia," Bryan wrote.

The forum thread in question was entitled "[skipped]"

motherboard.vice.com


But they have also prompted a backlash of a different kind. In a court filing, a lawyer for one of the men arrested after the FBI sting charged that "what the government did in this case is comparable to flooding a neighborhood with heroin in the hope of snatching an assortment of low-level drug users."

In each case, the FBI injected the site with malware to crack Tor's anonymity.

Those hacks, developed with the help of outside contractors, were a technical milestone. When the FBI first realized it could break through Tor, Hosko said the agency gathered counterterrorism investigators and intelligence agencies to see if any of them had a more pressing need for the software. "It was this, exponentially," Hosko said.

usatoday.com


At first they said the NIT fired automatically on entering the site, whose appearance gave nothing away. When the public was outraged at the audacity, the FBI started saying the NIT fired after login and only on entering a specific subforum, and anyone who clicked on it could not have failed to know what was inside. The story is being rewritten on the fly.


That move, Motherboard has learned, is part of Operation Pacifier, a large multi-agency investigation into pornography on the so-called dark web.

Meanwhile, a presentation authored by Rob Wainwright, Director of Europol, and found via a Google search by Motherboard, describes Operation Pacifier as a "successful infiltration and technical investigation" of a Tor hidden service. According to the presentation, 3,229 cases have been generated by Europol through Operation Pacifier, and Denmark has seen 34 cases.

A Europol spokesperson confirmed the legitimacy of the presentation, but would not answer further questions related to Operation Pacifier. (Europol also declined Motherboard's request for documents related to Operation Pacifier, requested under similar legislation to the Freedom of Information Act). The Danish police declined to answer any questions.

motherboard.vice.com


It was 1300 IPs from Playpen; now it's 3229 IPs from Operation Pacifier. What they're cooking up, they refuse to say.

— cypherpunks (17/02/2016 21:57, edited 17/02/2016 21:58)

News, continued:
