The anonymous browser TOR is the most popular end-user security tool in the world. Using this browser allows people to surf the internet anonymously. The service is used worldwide to avoid secret police surveillance by dissidents living under repressive regimes in places like Syria, Turkey and the United States. It is also used by hackers and others to conceal their identities. According to Wired Magazine's security blog “Threat Level,” the service was compromised by a hack Sunday night.
The malware inserted itself into the browser via a compromised website and immediately began sending the infected computer's MAC address, user name, IP address, and any websites visited subsequently to an IP address in Herndon, Virginia owned by Verizon and block-leased to SAIC, a major defense and intelligence contractor.
The TOR browser product keeps its users anonymous by routing their HTTP requests through an ever-changing string of gateway proxies that hide the receivers’ true location. Encryption is provided end-to-end. The proxies change with each individual web request, so multiple requests to the same server will follow different routes, often across different countries and networks.
The product also allows users who operate a proxy to set up services that can only be used through TOR, including TOR-only web and email servers. Thus a website built inside the TOR network is almost impossible to physically locate. It was one such server that was the target of the attack.
The server, Freedom House, provided anonymous web hosting and email as a turnkey service. Some of its web hosting users used the anonymity of Freedom House to distribute child pornography. The operator of Freedom House was arrested in Ireland last week on charges of facilitating child pornography after arriving there from Romania, allegedly with a large amount of cash. The FBI is seeking his extradition to the United States. The loose hacktivist collective Anonymous has repeatedly targeted Freedom House with DDoS attacks for its activities.
The attack began when any user accessed any page on Freedom House. The malicious code exploited an old and known security flaw found in previous versions of Firefox, the web browser that TOR is based on. Running JavaScript in the target's browser, it caused a tiny application named Magneto to be downloaded. This application then began transmitting data from the user's computer to SAIC's Herndon, VA host in real time. Unlike many traditional forms of malware, Magneto makes no attempt to install additional software exploits on its host machine.
Magneto is speculated to be an FBI program. Some industry sources claim it is the often-referred-to but as-yet-unseen Computer and Internet Protocol Address Verifier (CIPAV), written in 2002 and first acknowledged to exist by the FBI in court in 2007. Commercial anti-virus products cannot detect it. Now that a sample has been isolated, it remains to be seen if it will be added to the virus definitions of common industry products.
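Because signature-based anti-virus missed Magneto, the behaviour described above (the browser phoning home directly instead of through the local TOR proxy, which is what leaked users' real IP addresses) is the thing a defender can watch for. The following is an added example, not code from the article or from the TOR project; the log format, process names and the callback address 203.0.113.7 (a documentation address standing in for the Herndon host) are constructed for illustration.

```python
# Flag outbound connections from the browser process that bypass the local
# TOR SOCKS proxy. A TOR Browser that is working correctly only ever talks
# to 127.0.0.1 on the SOCKS port; the separate tor process does the rest.
import ipaddress
from typing import Dict, List

# Ports the TOR Browser bundle uses to reach its local tor client.
TOR_SOCKS_PORTS = {9050, 9150}
# Process names the browser might appear under (assumed for this example).
BROWSER_PROCS = {"firefox", "firefox.exe"}

# Constructed host-firewall style records: process src_ip dst_ip dst_port
SAMPLE_LOG = """\
firefox 10.0.0.5 127.0.0.1 9150
tor 10.0.0.5 198.51.100.20 443
firefox 10.0.0.5 127.0.0.1 9150
firefox 10.0.0.5 203.0.113.7 80
tor 10.0.0.5 198.51.100.21 9001
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one record into its fields; dst becomes an ip_address object."""
    proc, src, dst, port = line.split()
    return {"proc": proc, "src": src,
            "dst": ipaddress.ip_address(dst), "port": int(port)}


def is_tor_bypass(rec: Dict[str, object]) -> bool:
    """True when the browser itself reaches anything other than local tor."""
    if rec["proc"] not in BROWSER_PROCS:
        return False
    if rec["dst"].is_loopback and rec["port"] in TOR_SOCKS_PORTS:
        return False
    return True


def find_bypasses(log: str) -> List[str]:
    """Return the raw log lines that indicate a proxy bypass."""
    return [ln for ln in log.splitlines()
            if ln.strip() and is_tor_bypass(parse_line(ln))]


if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print("TOR bypass:", hit)
```

A real deployment would feed this from a host firewall or EDR connection log rather than the embedded sample; the loopback-and-SOCKS-port rule stays the same.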
A strong possibility exists that Magneto is not CIPAV and was not written or deployed at the behest of the FBI. SAIC has one known current contract with the FBI, where it is one of 46 vendors contracted to deliver computer security products on a task-by-task basis. SAIC was the lead vendor, along with Dyncorp, in building a new case management system from 2001 to 2005. The work was never completed and was later abandoned. Lockheed Martin was given the contract for the successor project and, after delays, finally delivered the FBI its first comprehensive software update since 1995 in March 2012.
SAIC had no known contracts with the FBI between 2005 and 2009. Prior to 2005, it had a contract to build the FBI's Virtual Case File system and no computer security contracts that the Free Press could locate. Dyncorp's role in the Virtual Case File debacle was the security and network components of the system.
According to federal government databases, SAIC has IT service contracts with a number of non-FBI government agencies, including Customs Enforcement, the Defense Intelligence Agency, and the Defense Security Service. Magneto could also have been a deliverable for any one of these agencies.
SAIC itself is not a government agency, and has no police powers to investigate any crimes in Ireland, Romania or the United States. A private person using malware to unlawfully access data on another person’s computer could be charged with a crime, much akin to some of the charges against Bradley Manning and Jeremy Hammond. No agency of the United States or any other country has announced any investigation of this illegal hack. Many of the infected users provably did not access child pornography on the Freedom House server, yet were still spied on by this private corporation. No public statements have been issued about the cyber attack by either SAIC or any U.S. federal agency.
The Free Press attempted to acquire a copy of Magneto for independent examination. These attempts so far have not borne fruit, and one such attempt resulted in a poorly written hijack attempt. Nice try, script kiddie, no bitcoins for you. Should we acquire a copy and learn anything newsworthy, we will update our readers.