
Torsploit - NSA tools behind attack | CONFIRMED

Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Torsploit - NSA tools behind attack | CONFIRMED

Postby Baneki » Sat Sep 14, 2013 6:05 pm

{continued forward from existing Torsploit thread, to increase ease of access for newcomers to the topic ~admin}

Guest wrote: It would take some time for the FBI to compile the list, get the names and such from the providers, and then do a risk analysis of some kind as to who they should get. They will probably do token raids and arrests, but leave the rest to the states to prosecute.


It's been just a hair more than a month since the Torsploit adventure, and even as we've continued to do some continuing sleuthing behind the scenes, we've sat back and watched how the public perception of things has unfolded. At the risk of over-simplification, we've noted two distinct trends:

    One is the assumption that some unspecified shady arm of the U.S. government was obviously behind Torsploit, and that the attack fit squarely into the modus operandi of NSA shenanigans that Snowden and the journalists working with him have been exposing one after another.

    Two is a repetition of the "party line" from the FBI and various aligned entities that this was simply some kind of routine law enforcement operation, designed to catch "bad guys" and not only justified but rather routine.

It takes no close reading to see that these two trends are pretty much in direct structural opposition: they can't both be true.

Today, Kevin Poulsen reported on some new data points disclosed as part of the bail hearings of the only person actually charged with a crime in the entire Torsploit story thus far. At that hearing was an FBI agent, who confirmed that the FBI was "behind" the Torsploit attack. So that means that the first version of events, listed above, has proved to be correct?

Not quite. Or not yet, anyhow - and if we were the sort of folks who bet, we'd be putting good money against it. There's still a whole forest of unknowns yet to be disclosed, but here's what we see...

Marques was arrested originally in late July. There is no public data confirming how that initial arrest came to be - how the FBI got on Marques initially. In this week's reports, the FBI is saying that they have "linked" Marques to U.S. bank accounts that were used to pay for servers leased at an unspecified hosting company in France. Did they get those bank records after the raid in late July - or before, and use them to trace to Marques? We don't know, yet.

But the claim is now made that after the late-July arrest, Marques "somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control" (source: Wired). But he was in custody after the original arrest, according to all reports we've read thus far (if this is incorrect, please post a link to accurate data - thanks). How was he wrestling for control of servers if he was in custody?

Kevin Poulsen further states that "In addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down." That actually makes sense - given the nature of FDE, unless he down-powered the laptop, the FBI could "scrape" the RAM for his cached passkey and have full access to plaintext (which, apparently, is exactly what they did). But once he was in custody, the whole idea of a "wrestling match" for servers is decidedly odd.

Anyway, once Marques is in custody it is of course trivially easy for the FBI to gain full control of the servers themselves. Assuming the machines weren't themselves powered down remotely, the FBI (or whomever) would have physical access to them - which allows for the same "RAM scrape" attack against FDE (assuming they were FDE'd). This is assuming they're dedicated boxes, which seems reasonable.

However, even with physical root to the machines (dom0 if they're virtualized), it's quite possible that layers up the chain could be very difficult to access without credentials. We're not familiar with the mechanics of hosting Tor hidden services, but in general one can do a fairly good job of locking down applications upstream from the metal in a box that has been powered down (as for example in a RAM scrape attack). And - we are left somewhat with instincts to go by here - our gut is that this isn't what happened. Here's what seems more likely...

If the FBI was able to locate the physical machines (i.e. servers in France) before the raid on Marques, they'd be able to sit as a "bump on the wire" in the datacentre and wait for a reboot. They could engineer a reboot (assuming the DC is cooperating - which is routine): turn the power off, and wait for the admins of the boxes (whoever that was - assuming they don't know who Marques is yet) to log in and boot the machine back up. If it's FDE'd, the admin could either do so via KVM (trivially easy to intercept) or they'd have a DC employee type in the FDE passphrase (in which case they have it). With that, and some good tech skills, they can "piggyback" on the boot-up & squirrel themselves away up in the OS and in the app layer of the server.

Once there, they can sit and wait to see who logs in.

At some point, they get enough data from that privileged position on the server to ID Marques physically - and they schedule the raid on him. This is congruent with all known facts thus far, and with previously-disclosed FBI attacks on other overseas targets in the past. So far, so good. If they have access to those machines prior to Marques' raid, then they can of course be listening in for any "associates" who might also come through them. That's a key point.

Once Marques is arrested, here's what we think likely happened: someone else with access to the admin capabilities of his machine(s) cycled passwords on them - this is the putative "wrestling match" that took place after his arrest... Marques was not directly involved at all. But if the FBI (or whoever) had physical root, they could win that battle - eventually - unless the outside admins were very clever, very quick, or both. So that'd explain things going down for a while - which is what happened, going from previous press reports.

At this point, Freedom Hosting is down. Marques is in jail. There's no public explanation for what's going on. This is Wired's Kevin Poulsen, reporting on 5 August:

"Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail."


(this is also where Kevin first proposes that Torsploit is actually the FBI's "CIPAV" tool - which has been around since at least 2002; more on that below)

So technically, the sites weren't "down" - they were displaying a maintenance page that was loading the malicious .js... from the moment Marques was raided. Which is interesting - and means someone had control of the boxes in all but realtime during or immediately after the raid. We're reading the raid as having taken place on Thursday, 1 August 2013 (Independent: "Barrister Ronan Kennedy, counsel for the Attorney General, said Mr Marques was arrested on Thursday [1 August] on foot of an extradition warrant issued by a US court on July 29.").

The Torsploit iframe injection was noticed pretty quickly. Kevin Poulsen says that "[t]he malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting," but we're aware of no definitive argument that it actually "showed up" on Sunday; rather, it seems more likely, based on what we've seen, that it was first noticed and discussed publicly on Sunday (the Daily Dot says the malware injection started "[s]hortly after Marques went into custody"). If someone has better data on the timing of the first citation of the iframe injection in the wild, we'd love to nail that down. In any case, sometime between Thursday and Sunday, the injection started.

As readers of this thread will already know, we began our forensic work on the two C&C IP addresses ("pitcher" and "catcher") early Monday am. By the end of the day, those IP addresses no longer responded to requests to the usual ports for web traffic - which they had been doing as of Monday am. We've been told by folks since then that they have remained nonresponsive ever since (although other addresses in the "ghost block" do respond, in odd ways - a separate post, that).

Also: there may - or may not - have been some jiggering with ARIN/RIPE records on Monday am, after we flagged the questions surrounding its provenance.

- - -

So, does this week's set of bail hearings for Marques - in which the FBI confirmed it had arrested Marques and said exactly nothing about Torsploit, malware injections, or any post-arrest fiddling with the former Freedom Hosting servers - confirm that the FBI "secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors" (cite: Kevin Poulsen)? Yes, sorta - they did get access to the servers, but exactly when is not yet disclosed publicly. They do claim they had live, operational control of the servers after the 1 August raid - because they claim Marques (or someone else with admin access, since he was in jail) got control back of the machines, then lost control again to... someone.

Kevin's read on this, as we understand it, is that the FBI took over the server(s) - before or after the arrest, it's not clear - and then someone, seeing all the inevitable press coverage of Marques' arrest, cycled passwords and locked the FBI out. Fair enough - we're on the same page up until there.

But now what happens?

Here again, we read Kevin as suggesting that the FBI got control back and then shortly thereafter (at least on or before Sunday)... and started serving the Torsploit malware via the .js in the iframe. By the end of the day Sunday GMT, word was out and people were analysing Magneto. And that the Torsploit malware is actually just... CIPAV, a known FBI tool.

Hmm, well... Kevin's a smart, conscientious, and well-informed guy. But we're going to respectfully disagree.

Some discongruent points:

    1. Torsploit made use of a fresh Firefox 0day, which means it was coded quite recently; it couldn't have been old, nor obviously could it date back to 2002. If it's "CIPAV," then it's something so new and so fresh-coded that it's the same as the old tool in name only.

    2. Torsploit was deployed against anyone who visited any of Freedom Hosting's sites - including Tormail users. CIPAV was never used previously in that way, not even close. CIPAV was/is a targeted tool.

    3. No court orders relating to Torsploit have been disclosed yet (Kevin suggested that "Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them" [italics added]). They could still be sealed, of course - but at this point any such court order is purely imaginary.

    4. We have learned, since early August, that the NSA has been on a decades-long binge of illegal/a-legal/extra-legal hacking, intrusion, subversion and disruption of the world's network security technologies... a veritable cavalcade of attacks with nary a court order in sight - not even from the FISA kangaroo court. TAO reigns supreme. We've a screenshot of an NSA/GCHQ application that specifically targets Tor users - Quick Ant - although we don't know much more than that... yet.
    QuickAnt.png


    5. We have heard nothing from the FBI about any arrests or planned arrests of anyone targeted by Torsploit injection de-anonymisation. Indeed, as many folks have pointed out, the method through which Torsploit did this didn't seem to make any effort to ensure there was enough forensically-valid data to power actual prosecutions in a U.S. courtroom... which is what the FBI is paid to do.

    6. The FBI has refused to comment on Torsploit - neither confirming its involvement nor denying it. If this is a burned tool to hit a bunch of Freedom Hosting visitors, what's the point in keeping it "secret" now, if you're the FBI?

    7. Torsploit was not selectively deployed against allegedly CP-hosting hidden services. It was served shotgun-style. It went after Tormail users - which, obviously, if one has control of the server sufficient to inject the malware in the server-side "error page" loads, one can choose which visitors get it. Everyone got it - that wasn't an accident... nor was it some "carefully crafted" targeting, as Kevin suggested.

In summary, until we see more objective data - and with all respect to Kevin - we disagree that this is some newly-birthed flavour of CIPAV, and that it was served & managed by the FBI. The pieces just don't add up.

The FBI has taken the public role in the Marques extradition case itself. That is correct. The rest is speculation: was it the FBI "wrestling" with unknown outside Freedom Hosting admins, in the first weekend of August, as Marques sat in a jail cell? Perhaps... but that just stretches the bounds of credulity, to us. There's some .gov folks with ample capability for that kind of realtime tit-for-tat on a reasonably heavily-secured (overseas, non-US) server running Tor hidden services... but not many work for the FBI. Cough - TAO - cough.

Our posited hypothesis is a refinement of what we've said all along: this is an NSA job. The NSA aided the FBI in both locating the FH servers, in France, and in gaining access to them prior to Marques' arrest. After the arrest, an effort was made to cycle (or wipe) the FH servers by someone other than Marques. That effort, demonstrably, failed - some outside entity got root control of FH's machines, realtime. They also out-"wrestled" professional server admins in doing so. Not too shabby.

At this point, Marques' arrest was already splashed across the news. FH had gone down - including Tormail... if not for a considerable time, then almost certainly in blips (a "wrestling match" for admin/root control of physical machines is going to involve downtime, unless this is some sort of bizarre VM-based memory overflow battle... or something). There was no way to keep secret that FH was either compromised, or running somewhat rudderless with its alleged main admin in jail. So the panic was already out, in the public.

And at this point, what the hell would the FBI be doing taking their super-secret CIPAV tool and promptly serving it up as easy-to-reverse .js to hundreds/thousands of people visiting FH and Tormail? They just got a wild hair up their ass, and felt it would be "fun?" They figured, hell, we'll just gather a big database of people using FH - whatever they were doing - and, um, sit on it for a while? We'll go arrest some people... except not actually arrest anyone? It just doesn't fit the pattern, sorry.

What does fit the pattern is this: once someone (TAO) had control of that server (or servers) back after a brief tussle, they decided to use it as a bit of a test lab, a petri dish to see how a new bug would play in the wild. Off the shelf comes the Torsploit 0day - a routine bit of code for an agency who has been subverting security and crypto for a decade strong, secretively, with a massive budget to do so - and they drop it into FH. Everything at FH. In doing so, they gather a really nice dataset.

Yep, the data that streamed back to the "catcher" IP in Virginia are going to be a Tor attack vector researcher's best friend: they'll show the geographic distribution of FH visitors. That cookie-like thing Torsploit dropped into the browser could well connect up with... something - some other NSA system ("The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website") - Cheesy Name, or Bogus And, or Bouncing Baby... who the fuck really knows. There's so many secret programs yet to be shown the light of day within Snowden's 50,000-file stash that anyone who claims they know the full extent of NSA shenanigans must needs be playing for laughs.

And, finally, as has been pointed out before, this attack is going to do an outstanding job of FUDding the entire Tor ecosystem. The injection heard 'round the world. The Tor team has been under fire ever since (fairly or not), scrambling to contain the PR damage from Torsploit. Total chaos. People are in a panic: the Tors is broken!!!!!

If you're the NSA, well... not a bad little spot of work, that.

If you're the FBI - you've blown the cover of CIPAV, you've failed to arrest anyone else but Marques, you've targeted countless FH visitors who had nothing to do with CP or anything even remotely illegal, and you've managed to cause an international stink in the process. Which would mean the FBI is dumb - and the FBI isn't dumb. Q.E.D.

See also: "parallel construction," if you're wondering how the FBI might end up on front street in taking credit for Marques' arrest... even if, behind the scenes, it's a laundry list of NSA-powered programmes that are at work. This is the world in which we live.

In time, the truth of all this will out. At core, if nobody else gets charged - beyond Marques and whoever else might be close to him in the alleged actual operations of FH - then this wasn't FBI. The FBI doesn't go on international darknet fishing expeditions - expeditions that are guaranteed to be exposed in the process - just for the hell of it. If they did it, they were going after scalps... and when they hunt scalps, they generally get them. The exposure of Torsploit, its analysis, and the panic it caused? All predictable - and all, therefore, intended. The FBI doesn't fit that model.

We understand that Kevin is convinced this is CIPAV... but calling this CIPAV is about as useful as calling PRISM "Carnivore." 'Nuff said. We've nothing but respect for Kevin's work... but this is the rare case in which we feel he's blinding himself to the larger picture in order to force a fit between his initial assumptions and the data as they become visible.

It's still possible we're dead wrong on this, of course. If so, we'll send Kevin something cute. An FBI windbreaker, perhaps? :angel: That said, we're seeing the pattern evolve as we predicted a month ago: too many loose ends, too many discongruent pieces, too many stories that don't quite fit up. That's our world, at Baneki: we're used to stuff that leads deeper down the rabbit hole. Kevin's done excellent reporting on the FBI for years - including of course Kingpin - so we can see how it seems to fit that pattern: when one holds a hammer, all the world appears to be a nail.

But Torsploit isn't a nail to fit the FBI's hammer. It's something else entirely... what, nobody outside .gov yet knows for sure. In due course, we'll know - and we'll be that much more attuned to the real threat vectors people face out there on the interwebs post-Snowden.

Respectfully,

    Baneki Privacy Labs
http://baneki.nu

Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Re: Torsploit Reloaded...

Postby Baneki » Sat Oct 05, 2013 12:05 am

Ok, so newly-released Snowden docs show the NSA has been working on anti-Tor techniques, for years. And, in particular, 0day bugs in Firefox as a tool for de-anonymising Tor users. Via javascript, natch.

Torsploit.
torsploitproof.png

We await an argument to the contrary - i.e. that torsploit did not utilize NSA capabilities.

Back in August, many folks water-carried the "official" story that torsploit was an FBI job, top to bottom. We said, in essence, "bullshit."

Q.E.D.


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

Re: Torsploit Reloaded...

Postby Pattern_Juggled » Sat Oct 05, 2013 12:15 am

"Several attacks result in implanting malicious code on the computer of Tor users who visit particular websites. The agencies say they are targeting terrorists or organized criminals visiting particular discussion boards, but these attacks could also hit journalists, researchers, or those who accidentally stumble upon a targeted site."

From the Guardian's recent article on the NSA's attacks on Tor.

So, there's your proof.


Guest

Re: Torsploit Reloaded...

Postby Guest » Sat Oct 05, 2013 12:45 am

Also posted was an NSA presentation saying Tor sucks cuz encryption is too hard.

With Javascript off to stop most exploits, disabled cookies, and a simple add-on to put a damper on browser fingerprinting, what's left besides 0-days?

Throw firefox/torbrowser within a sandbox/chroot jail, and even within a VM on top of that, then what? I can't think of any vectors left; of course they probably have 0-days for VMs, can't rule that out.

Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Re: Torsploit Reloaded...

Postby Baneki » Sat Oct 05, 2013 1:06 am

From the Washington Post:

An FBI agent told an Irish court last month that Freedom Hosting, unmasked with NSA-devised techniques, was among the largest purveyors of child pornography in the world, according to news reports. Silk Road, an online market place some called “the eBay of illicit substances,” also relied on Tor — and was targeted by the FBI. Federal officials arrested the alleged founder and shut down the site Wednesday.

Privacy advocates, however, say Tor is valuable and should be protected even if it is sometimes used by criminals. “Tor is networking technology,” said Christopher Soghoian, an ACLU technologist. “It is no different from a postage stamp or a highway. Good people use highways and bad people use highways.”

The NSA documents portray a years-long program to defeat what the agency called “The Tor Problem,” with the agency repeatedly updating its tactics as Tor’s developers made changes to the network.

The NSA also altered tactics as Mozilla introduced new versions of Firefox. In anticipation of a new release of Firefox, one agency official wrote in January that a new exploit was under development: “I’m confident we can have it ready when they release something new, or very soon after :).”


(boldface added; however, smiley emoticon in original citation - for real)


Guest

Re: Torsploit - NSA tools behind attack | CONFIRMED

Postby Guest » Sat Oct 05, 2013 3:51 am

"5. We have heard nothing from the FBI about any arrests or planned arrests of anyone targeted by Torsploit injection de-anonymisation. Indeed, as many folks have pointed out, the method through which Torsploit did this didn't seem to make any effort to ensure there was enough forensically-valid data to power actual prosecutions in a U.S. courtroom... which is what the FBI is paid to do."

I disagree. Assuming they captured the data, they now have probable cause to issue search warrants after they get the data from the ISPs. They won't announce any raids or arrests until after they happen. It would take at least 3-4 months to get their ducks lined up to start the raids.

"Accessing" and "receipt" are crimes re CP. They can theoretically prove one visited a known CP site - so that is that. Intent is another matter. I am assuming the visitors to these sites have already cleaned up their computers.


Guest

Re: Torsploit - NSA tools behind attack | CONFIRMED

Postby Guest » Sat Oct 05, 2013 1:29 pm

The injected code was first noticed (afaik) by Cloud from 4Pedo on Saturday 3rd (Aug) around 2PM UTC. This was after the initial downtime for all sites hosted on FH.

After 2PM some sites returned like normal but not all of them; those that returned included the Torsploit code, not only in the "server down" message but also in every normal webpage.

On Monday August 5th around 4 PM UTC all Freedom Hosting websites went down.

Later that month OPVA (Onion Pedo Video Archive) went down without notice and hasn't returned since. We don't know if this is related in any way, this was the largest video site out there.


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

When was torsploit FH .js iframe injection first observed?

Postby Pattern_Juggled » Sat Oct 05, 2013 2:02 pm

That's useful timing info in terms of how this played out.

There's still a host of tactical questions regarding torsploit that remain unanswered. These facts about what happened at what time and on what date - not just what the press reported (which often was either rumour, or was just printed because someone else already printed it) but from firsthand (or close thereto) observations - are extremely useful. Sometimes they help bolster a given hypothesis; more likely, and often more definitively, they can serve as disconfirmation of hypotheses that might be otherwise congruent with known facts, but don't fit a new one.

The old adage is that a bucket full of confirmatory findings is emptied by just one drop of concentrated disconfirmation. Some of the theories going around don't meet known, verified facts - whether these facts are "small" or not generally matters not one whit. A successful theory must match all observed facts, without exception.

To me, the biggest dark spots on the map for torsploit - and the Silk Road takedown - relate to the rooting of the underlying servers: when, how, for how long, to what ends, with what tools? The "who" could still theoretically be in question - since we don't know the vector used to root the boxes, we can't really conjecture. It could be they got passwords from an angry ex-lover (random hypothetical example) - in which case no tech capabilities were required. More likely, it might seem, is a pretty high-calibre offensive intrusion capability... but that's still merely a hunch at this point.

As to who did the "Magneto"-injecting .js served by the compromised hosts, that's really not subject to meaningful dispute at this point in time. As we've said all along: NSA.


Guest

Re: Torsploit - NSA tools behind attack | CONFIRMED

Postby Guest » Sat Oct 05, 2013 5:09 pm

Baneki wrote: {continued forward from existing Torsploit thread, to increase ease of access for newcomers to the topic ~admin}

    1. Torsploit made use of a fresh Firefox 0day, which means it was coded quite recently; it couldn't have been old, nor obviously could it date back to 2002. If it's "CIPAV," then it's something so new and so fresh-coded that it's the same as the old tool in name only.


I just wanted to correct that it wasn't a 0day exploit, it was an almost 1-month-old exploit. In fact, the latest version of the Tor Browser Bundle at that time (17.0.7ESR) was unaffected by this exploit. This bug was fixed in Firefox because it was already known. I mean by this that it wasn't a state-of-the-art attack.


cryptostorm_admin
ForumHelper
Posts: 74
Joined: Tue Jan 01, 2013 5:43 pm

pitcher/catcher IP FOIA to NSA: classified

Postby cryptostorm_admin » Sat Oct 04, 2014 1:12 am

Last year, there was quite a bit of back and forth regarding two IP addresses associated with the Torsploit attack on Tor hidden services. A summary of that discussion can be found here.

Since then, the folks at Baneki Privacy Labs did an FOIA request on the National Security Agency specifically regarding these two IP addresses (dubbed, last year, "pitcher" and "catcher," respectively).

Here's the reply they received...
torsploitNSA_classified.jpg


The relevant text is as follows...

"...we have determined that the fact of the existence or non-existence of the materials you request is currently and properly classified matter in accordance with Executive Order 13526, as set forth in Subparagraph (c) of Section 1.4. Thus, your request is denied pursuant to the first exemption of the FOIA..."


Interesting, indeed...

Our understanding is that the folks at Baneki are continuing to work on the post-review forensics associated with those two IP addresses. However, this latest reply from the NSA perhaps gives further credence to the initial findings suggesting direct NSA involvement in Torsploit's C&C infrastructure.

    ~ cryptostorm_admin


parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Torsploit - NSA tools behind attack | CONFIRMED

Postby parityboy » Sun Oct 19, 2014 5:44 pm

@thread

Marques was arrested originally in late July. There is no public data confirming how that initial arrest came to be - how the FBI got on Marques initially. In this week's reports, the FBI is saying that they have "linked" Marques to U.S. bank accounts that were used to pay for servers leased at an unspecified hosting company in France. Did they get those bank records after the raid in late July - or before, and use them to trace to Marques? We don't know, yet.


Which means they had a reason to be watching the guy in the first place. Loads of people pay for servers located in foreign countries - so what? That's not enough reason for the FBI to be watching someone, so the real question is how did he manage to stick himself on their radar? I don't think the very fact that he was running Freedom Hosting was the reason, so perhaps one of the hidden site owners let on their (possibly CP) site was being hosted by Freedom Hosting.

Even if that were so, what would happen next? Was it public fact that Marques ran Freedom Hosting? Did the FBI contact him and ask him to collaborate? Did he accept or refuse? If he accepted, what then? Assuming the Hidden Services were configured correctly, could Marques (with access to all of the servers as their leaser/renter) be able to know which sites held what? On paper yes - they were very likely VPS instances, so their virtual drives could be mounted and read (and possibly written, too); I'm willing to bet they weren't encrypted (that's something I need to play with actually), but would he be interested in trawling through them?

OK, so suppose he refused. It would be trivial then for the FBI to "ask" the data centre for access to the machines. However, if the FBI were after one particular site (and assuming the hidden servers were paid for anonymously) neither Marques nor the DC would know (or should know) which sites were sitting on which IP addresses on which piece of hardware - I doubt they would be willing to go through (possibly hundreds of) VMs.

Could that explain why all of the hidden servers were infected with Torsploit, rather than a few?

If Marques wasn't aware of the FBI's interest in him, then something else must have leaked - billing information certainly isn't enough. IP address? Somebody's (physical or electronic) mouth? Association with someone "known to us"? "unmasked with NSA-devised techniques" doesn't really tell us anything.

I'll throw something else in. The FBI is a police organisation; investigating and solving crimes, and bringing people to justice is what they do. The NSA however is a political organisation (as far as I can see). They are effectively the specialist SIGINT wing of the CIA, spun out as an independent "business unit".

So the question is: why would they get involved in this? What's in it for them? What attracted them to it? Could be an axis of a) the FBI having no luck taking down a site and being embarrassed by that fact and b) the NSA having a chance to flex their muscles against Tor (and get a bigger budget)?
