Thursday, January 7, 2016

Did FBI really "crack TOR?"

Reports have surfaced that the FBI cracked TOR to bring down more than 1000 people involved in child pornography.  After the FBI was able to seize the illicit website "Playpen" and was then chose to host it for approximately two weeks on its own servers.  Details as to how the FBI was able to do this are a little sketchy, but previously techniques developed by CMU have been thought to be critical in unmasking the TOR hidden server.


The FBI then used a Network Investigative Technique (NIT) to reveal data about site visitors and "crack TOR."  While some sites are reporting this as revolutionary, it probably isn't.  Realistically, this could be something that could have been done with the open source code that Tim Tomes published with HoneyBadger.  

At Rendition Infosec, we like to remind clients that every time you visit a website, you have to trust that they will not attempt to compromise you.  This is especially true if the site requires the browser to run active content.  This is why as infosec professionals we consistently tell users not to click on untrusted links.  But what then constitutes a "trusted" link?  After the FBI seized the Playpen server it was no longer trusted, even though users had no way of knowing this. 

The FBI essentially pulled off a watering hole attack.  A watering hole attack is one where the adversary compromises a website used by a specific target population and then uses it target that population by delivering malware.  Watering hole attacks are nothing new and have been reported on since at least 2012.  They've been reported on for years.  In one recent case, the Forbes site was reportedly compromised in an attempt to exploit users in the financial services industry.  There's no good defense against a watering hole attack: once you trust a site, you generally continue to trust the site.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.