Jump to content
Not connected, Your IP: 3.147.65.47
B0R3D

Tor exploit by government agencies

Recommended Posts

Hello,

 

of course, a malware which is installed on your computer running with high privileges makes any encryption irrelevant. VPN and TOR protect your line, not your computer, they should never be considered an anti-virus or anti-malware tool.

 

Kind regards

Share this post


Link to post

If you used an outdated TBB and had JavaScript enabled but ran under a VPN you would still be safe because the exploit would have returned only the VPN's IP. There is no malware to remove. It was simply a JavaScript exploit to send your real IP, MAC address and UUID to an FBI controlled server.

BTW Tor Mail was hosted on Freedom Hosting which means the servers are now under LEA control.

Share this post


Link to post

Tormail under LEA is bummer. So all the mail in those servers get sifted through now? What about airvpn subscribers who used tormail for their vpn accounts?

Share this post


Link to post

There is nothing you can do. Don't ever try to log back in to your Tor Mail account. It will just make any potential problems worse.

This is an issue with all centralised messaging systems. Decentralised systems like Bitmessage and I2P-Bote work fine. The problem is you would need to use third party gateway providers to communicate with regular email users.

Share this post


Link to post

Well no anti malware or anti virus seem to detect the javascript exploit currently. And the hosting company was hacked so it was their problem in the first place. Anything on the vpn side that can prevent such exploits?

@Staff: The exploit's main objective is an ip address and the windows system's hostname. So which ip address would they recieve on their end, the vpn's or the user's actual ip?

Share this post


Link to post

Bor3d, According to hashtag's post above, the javascript exploit used in the tor browser bundle's version of Firefox (below version 17.0.7) only returns your AIRVPN i.p. and not your actual i.p., but I'd like to see confirmation of that.  I haven't come across a post anywhere else that addresses the issue, and unfortunately I don't understand javascript enough to examine it and figure out how it's going about obtaining the i.p. address that it's storing and passing along.  I'll do some searching around and see if it's been addressed and maybe post the question in one of the crypto threads where they were dissecting the code.   

Share this post


Link to post

While we wait for official confirmation I will just say that the VPN cannot prevent disclosure of your MAC address. Your IP, however, would not be exposed because the Tor application cannot route around the network layer. All traffic goes through the TAP adapter. If you used a VPN that kept logs you would be totally screwed.

Share this post


Link to post

Well, I got some clarification from Vlad Tsyrklevich that initially analyzed the javascript exploit.  According to him, if you are connected through a VPN at the time of the "attack" your VPN IP address is what is logged.  As long as the outbound connections your browser makes goes through your VPN then it should have your post VPN IP.  As has been mentioned the M.A.C. of your network card or adapter, your Windows hostname, and the site (such as Tormail) you picked up the javascript from are also passed along via a cookie.  Of course that is all dependent on you using a version of Firefox < 17.0.7 and connecting to one of the infected Freedom Host sites.  Pretty interesting...  

Share this post


Link to post

From Ars:

 

This, the researchers said, means one of two things. The first possibility, the researchers admit, is that "we simply read the robtex report wrong early Monday morning—all of us." The second is that the data somehow changed between early Monday morning and noon, when Wired's Kevin Poulson and others started looking at the data and questioning the researchers' assessments.

 

You can bet your ass that the data DID change from early morning to noon. This is the NSA we're talking about. Getting an ARIN/Robtex entry changed over the course of a few hours is complete child's play to them! Don't like that your name or address are in the phone book? Change them. That's what I'm sure the NSA did. Under a secret national security directive of course.

Share this post


Link to post

I am reading old news around the net suggesting your isp or a exploit like the java one above could get your MAC address,  is this true ?

 

Is it work enabling mac spoofing under your router or changing your mac address via register or software then ?

Share this post


Link to post

According to arma this is correct (from Tor blog).

"Incorrect, the exploit code itself doesn't get your IP because the kernel functions the code can call only know your network adapter's IP which is pretty useless (i.e. if you're behind a router like most are it's probably a generic 192.168.x.x or similar). The server on their end gets the IP because your router strips the LAN IP and adds its WAN IP to the packet (your "real" IP). However if you're going through a VPN the VPN then strips that and adds its own. So the server would only know the VPN's IP. They would get your MAC address even through the VPN but that's no use to them without also knowing your real IP."

...

The concept of using a Tor hidden email host has been completely destroyed unless you host it yourself. If someone starts a new service there is no way of knowing if NSA or FBI are behind it. If Tor Mail is brought back with all your old accounts you will know it is definitely a honeypot.

Share this post


Link to post

If you use a windows 8 box with your microsoft account linked to it, then they can simply query google search or microsoft and find out who you are( Since they recieved your hostname) right?

Share this post


Link to post

If you decide to use Tor make sure you are using the newest version of the Tor Browser Bundle available. If your version of TBB is Older than 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 2.4.15-beta-1 (released July 8 2013), or 3.0alpha2 (released June 30 2013) then your version of TBB is vulernable to the recently discovered exploit and you should go download the newest version of TBB. It's safer to run TBB on Linux than it is to run on Windows. Windows users are more vulnerable to this exploit than Linux users are. Always make sure you connect to a VPN (if possible) before connecting to Tor. It's also smart to setup your firewall to drop any Non-VPN incoming and Non-VPN outgoing packets (Fail safe firewall rules) in case your VPN suddenly disconnects. If you setup your firewall this way, and your VPN suddenly disconnects but yet you are still connected to the Tor network, all packets will be dropped until you re-connect to your VPN. This will prevent Tor (and other internet programs you may be running at the time) from working and revealing your real ISP IP address. If you are a windows user I would suggest running Tor inside of SandBoxie or some other sand box program. This way if you do get effected/infected by an exploit/malware it should (hopefully) not be able to escape the sand box and infect your windows operating system. Another option would be to setup a Virtual Machine with Linux or Windows on it and use that as a sandbox to run TBB in. If you are worried about your mac address being revealed, just use a mac address changer to change your mac address before connecting to your VPN and Tor. They are available free of charge for both windows and linux.

Share this post


Link to post

Well no anti malware or anti virus seem to detect the javascript exploit currently. And the hosting company was hacked so it was their problem in the first place. Anything on the vpn side that can prevent such exploits?

@Staff: The exploit's main objective is an ip address and the windows system's hostname. So which ip address would they recieve on their end, the vpn's or the user's actual ip?

 

Using NoScript would have prevented the exploit...

From what I understand it was the MAC address that was communicated not the ip address

Share this post


Link to post

This was exactly why I was asking,  is it not best to run a mac software changer..... that way your software is changing the mac address every now time you restart the pc ?

 

Noscript is highly annoying and blocks much websites,  takes a while to setup I guess.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...