FBI Harassing TOR Software Developer, Refusing To Explain Why They Want To Meet Her

Posted on

Short Bytes: Little did Isis Agora Lovecruft know that working for the Tor Project would land her in a world of trouble. This account of the series of events between her and the FBI says enough about the FBI’s intentions, and about the stress and lasting behavioural changes an ordinary citizen goes through after such incidents.

The FBI appears quite willing to crack its authoritarian whip from a distance: chasing, sniffing around and occasionally making just enough noise that bystanders barely notice, while the intended person hears it loud and clear. Such is the case of Isis Agora Lovecruft.

Isis Agora Lovecruft has worked with the Tor Project for many years and is currently a lead software developer there. She has also worked on other security and encryption products and services, including Open Whisper Systems and the LEAP Encryption Access Project.


Many people in the US hold the same kind of role and have the same experience as security developers. So is it a coincidence that the FBI ‘just’ wants to talk to her?

It began with an FBI agent coming to her parents’ house, leaving his business card and later phoning her parents while she was out at work. Puzzled by these incidents, Lovecruft hired a lawyer, who contacted the agent.

Here is what happened:

The lawyer called the FBI agent, said that he now represented Lovecruft’s family and asked that all questions be directed to him rather than to family members. The agent agreed but asked for a call back in five minutes.

At the time, Lovecruft was in the process of moving to Germany permanently. Even in Germany, the FBI’s visits and calls continued.

Meanwhile, in its discussions with the lawyer, the FBI kept mentioning some documents that neither she nor the lawyer knew anything about, and it always insisted on meeting her in person.

The next day, Lovecruft’s visa was approved, but eight hours later her lawyer received a voicemail saying:

Hello this is Special Agent Kelvin Porter, we spoke two days ago regarding your client. Umm… well… so the situation with the documents… it’s umm… it’s all fixed. I mean, we would of course still be happy to meet with your client if she’s willing, but the problem has… uh… yeah… been fixed. And uh… yeah. Just let us know if she wants to set up a meeting.

But this voicemail from January is not the end of the story.

Last week, the FBI came knocking at her door again, this time to serve her with a subpoena. Lovecruft’s lawyer was informed of the subpoena and asked to have her meet one of their agents in San Francisco. It looked as though Lovecruft might be a potential target, something the FBI had been reluctant to say from the beginning.

Under such pressure, she stopped contacting others, fearing she might put them in danger as well. Her parents, too, would sometimes receive threats, and so would her lawyer.

As she points out at the end, the paychecks for working on Tor come from the US government. She is not committing any crime; she is working on software that lets people browse safely.



CloudFlare: 94 Percent of Tor Traffic Is Automated or Malicious

Posted on Updated on

CloudFlare explains how it deals with Tor traffic. After being accused last month of intentionally sabotaging Tor traffic, CloudFlare has come forward with an official statement explaining why the company does what it does.

Regular Tor users are well aware of CloudFlare’s practice of showing CAPTCHAs to visitors who reach its clients’ websites from a Tor exit node IP.

According to CloudFlare, the measure was introduced after it repeatedly saw Tor exit IPs being abused for suspicious activity.

CloudFlare shows CAPTCHAs to Tor users because it has to

“Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious,” CloudFlare wrote yesterday. “That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers.”

This includes a large amount of comment spam, requests from vulnerability scanners, ad click fraud, content scraping, and login scanning.

On the matter of surveillance, also raised by members of the Tor Project, CloudFlare has denied tracking Tor users across its infrastructure, saying it has done the opposite by deliberately not implementing a super-cookie-like system.

Nevertheless, CloudFlare admits that it does track and mark Tor exit node IP addresses and assigns them higher threat scores. Because the Tor Browser ships with anti-fingerprinting protections, and because CloudFlare says it respects the project’s goal of anonymity for its users, the company says it has no alternative but to show CAPTCHAs to visitors coming from a Tor IP: it cannot tell one Tor user from another, so the reputation of the shared exit IP is all it has to go on.

The decision is controversial and will annoy legitimate Tor users, but to be fair, CloudFlare is a security firm, and its clients hire it for exactly this purpose.

Most of CloudFlare’s clients would like to ban Tor traffic altogether

In fact, CloudFlare reveals that many of its clients would like to ban Tor traffic outright, and it is only because of CloudFlare that this has not happened.

The company explains that it intentionally left out of its customer control panel any option to blacklist Tor, offering only the options to whitelist Tor addresses or to show a CAPTCHA.

The decision was made because the company fears the backlash that blacklisting Tor traffic altogether would bring. CloudFlare understands why Tor was created in the first place and that it is not the Tor Project’s fault that cyber-criminals use it too.

The company has also recently started working with the Tor Project on some form of client-side solution in the Tor Browser itself, so that CloudFlare and other security firms can distinguish legitimate Tor users from automated requests and block only the latter.

Additionally, CloudFlare wants the Tor Project to move to SHA-256 for generating .onion addresses. More of its clients could then create .onion versions of their legitimate sites, redirect Tor traffic there and never need a CloudFlare CAPTCHA, which in recent weeks has been failing at an astonishingly high rate.


Tor Project says it can quickly catch spying code

Posted on

The organization has worked for three years to improve its ability to catch tampered software. The Tor Project is fortifying its software so that it can quickly detect if its network is tampered with for surveillance purposes, a top developer for the volunteer project wrote on Monday.

There are worries that Tor could either be technically subverted or subject to court orders, which could force the project to turn over critical information that would undermine its security, similar to the standoff between Apple and the U.S. Department of Justice.

Tor developers are designing the system so that many people can verify whether the code has been changed and to “eliminate single points of failure,” wrote Mike Perry, lead developer of the Tor Browser, on Monday.


Over the last few years, Tor has concentrated on enabling users to take its source code and produce their own “deterministic builds” of Tor: builds that are bit-for-bit identical to the official ones and can therefore be checked against the organization’s signed release hashes and against other public copies of the application.

“Even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue,” Perry wrote. “From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered.”

Two cryptographic keys would have to be compromised for a tampered version of the Tor Browser to be distributed without at least initially tripping security checks: the SSL/TLS key that secures the connection between a user and the Tor Project’s servers, plus the key used to sign software updates.

“Right now, two keys are required, and those keys are not accessible by the same people,” Perry wrote in a Q&A near the end of the post. “They are also secured in different ways.”

Even if an attacker obtained both keys, people would in theory be able to compare the software’s hash against independently reproduced builds and work out that it had been tampered with.
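As an added illustration (not code from the Tor Project or from Perry’s post), the following Go program models the two checks described above: a signed update manifest that a client verifies against a pinned signing key, and an independent rebuild comparison that catches a backdoor even when the signing key itself has been stolen. The manifest format, file names, seed-derived key and artifact bytes are all constructed for the example; Tor’s real updater does not use this format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest is a hypothetical update manifest: the artifact's file name and its
// SHA-256. It is signed with the project's update-signing key and fetched over
// a TLS connection that is keyed separately.
type Manifest struct {
	Artifact string
	SHA256   string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewManifest records the hash of the bytes the project actually built.
func NewManifest(name string, artifact []byte) Manifest {
	return Manifest{Artifact: name, SHA256: sha256Hex(artifact)}
}

// signedBytes is the canonical form that gets signed (constructed format).
func (m Manifest) signedBytes() []byte {
	return []byte("artifact=" + m.Artifact + "\nsha256=" + m.SHA256 + "\n")
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.signedBytes())
}

// VerifyUpdate is the client-side check: the manifest must carry a valid
// signature from the pinned signing key, and the downloaded artifact must hash
// to the value in the manifest. An attacker holding only the TLS key can swap
// bytes in transit but cannot make both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if sha256Hex(artifact) != m.SHA256 {
		return fmt.Errorf("artifact hash mismatch")
	}
	return nil
}

// CheckReproducible is the second line of defence: independent parties rebuild
// the release from source and compare their hashes with the signed one. A
// backdoor signed with a stolen key passes VerifyUpdate but shows up here as
// every honest rebuilder disagreeing. It returns the names of the rebuilders
// whose output differs from the manifest.
func CheckReproducible(m Manifest, rebuilt map[string][]byte) []string {
	var disagree []string
	for name, out := range rebuilt {
		if sha256Hex(out) != m.SHA256 {
			disagree = append(disagree, name)
		}
	}
	sort.Strings(disagree)
	return disagree
}

func main() {
	// Fixed all-zero seed so the run is deterministic; a real key would come
	// from crypto/rand and live offline.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("tor-browser: genuine reproducible build (constructed bytes)")
	backdoored := []byte("tor-browser: build with a backdoor (constructed bytes)")
	rebuilders := map[string][]byte{"builder-a": genuine, "builder-b": genuine}

	// 1. Honest release.
	m := NewManifest("tor-browser.tar.xz", genuine)
	sig := SignManifest(priv, m)
	fmt.Println("honest release:", VerifyUpdate(pub, m, sig, genuine))

	// 2. Only the TLS key is compromised: artifact swapped in transit.
	fmt.Println("swapped in transit:", VerifyUpdate(pub, m, sig, backdoored))

	// 3. Signing key stolen: the client check passes, the rebuilders catch it.
	mb := NewManifest("tor-browser.tar.xz", backdoored)
	sigb := SignManifest(priv, mb)
	fmt.Println("signed backdoor, client check:", VerifyUpdate(pub, mb, sigb, backdoored))
	fmt.Println("signed backdoor, rebuilders disagreeing:", CheckReproducible(mb, rebuilders))
}
```

The point of the split is visible in case 3: a single stolen key defeats the client-side check entirely, and only the independent rebuilds (which depend on no key at all) reveal the substitution.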

Apple is fighting a federal court’s order to create a special version of iOS 9 that would remove security protections on an iPhone 5c used by Syed Rizwan Farook, one of the San Bernardino mass shooters.

A ruling against Apple is widely feared by technology companies, as it could give the government wider leverage to order companies to undermine encryption systems in their products.

On Monday, the Justice Department indicated it is investigating an alternative method to crack Farook’s iPhone, which if successful would not require Apple’s assistance.

Perry wrote that the Tor Project stands “with Apple to defend strong encryption and to oppose government pressure to weaken it. We will never backdoor our software.”

Tor, short for The Onion Router, is a network that provides more anonymous browsing across the Internet using a customized Firefox Web browser.  The project was started by the U.S. Naval Research Laboratory but is now maintained by the nonprofit Tor Project.

Web browsing traffic is encrypted in layers and routed through a circuit of volunteer-run relays, making it harder to discover the true IP address of a computer. Tor is a critical tool for activists and dissidents, as it provides a stronger layer of privacy and anonymity.

But some functions of Tor have also been embraced by cybercriminals, which has prompted interest from law enforcement. Thousands of websites run as Tor “hidden” services, which have a special “.onion” URL and are only accessible using the customized browser.

The Silk Road, the underground market shut down by the FBI in October 2013, is one of the most infamous sites to use the hidden services feature.



Russian firm tasked with cracking Tor throws in towel

Posted on

The company hired by the Kremlin to gather information on users of the Tor anonymity network, and to try to break it, is now looking to pay more than the contract’s value in legal fees to back out of the agreement, according to Bloomberg.

Last year, Russia’s Interior Ministry offered a contract, then worth approximately $110,000, “to study the possibility of obtaining technical information on users and users’ equipment of Tor anonymous network,” in an attempt to crack the anonymity offered by the network.

A Russian firm tasked with gathering information on Tor users is paying more than the value of the contract to back out of the agreement.

The Central Research Institute of Economics, Informatics, and Control Systems, a state-run maker of helicopters, weapons, and other military and industrial equipment, accepted the contract.

The firm was not able to break Tor’s anonymity, according to the Russian online news site Meduza.

Documents obtained from a database of state-procurement disclosures revealed that the company agreed to pay $150,000 in legal fees to abandon the Tor project and several other classified government contracts, according to the Bloomberg report.

Lawyers from Pleshakov, Ushkalov and Partners are negotiating with Russian officials to help the firm reach a settlement.


HORNET: Tor-style dark web network allows high-speed anonymous web browsing

Posted on

A new anonymity network design capable of carrying encrypted traffic at high speeds has been developed by security researchers. Although widely described in the press as a browser, HORNET is a network-layer onion routing protocol, not a browser.

HORNET (High-speed Onion Routing at the Network Layer), created by researchers from ETH Zurich and University College London, is capable of processing anonymous traffic at more than 93 Gb/s on a single router, paving the way for what the academics call “internet-scale anonymity”.

The research paper detailing the anonymity network reveals that it was created in response to revelations concerning widespread government surveillance that came to light through the US National Security Agency (NSA) whistleblower Edward Snowden.

HORNET could offer significantly higher throughput than Tor

HORNET is also designed to address shortcomings identified in other anonymity systems, such as Tor.

“Recent revelations about global-scale pervasive surveillance programs have demonstrated that the privacy of internet users worldwide is at risk,” the researchers have stated.

“To protect against these and other surveillance threats, several anonymity protocols, tools, and architectures have been proposed. Tor is the system of choice for over 2 million daily users, but its design as an overlay network suffers from performance and scalability issues: as more clients use Tor, more relays must be added to the network.”

Because Tor’s traffic passes through several volunteer relays, with a layer of encryption applied or removed at every hop and per-circuit state kept on each relay, web browsing over it can be much slower than on the open web.

To achieve higher speeds, HORNET uses “source-selected paths and shared keys between endpoints and routers to support [anonymous communication]”: routers keep no per-connection state, and the per-packet work is limited to cheap symmetric-key operations, so traffic moves faster while still remaining anonymous.

According to its creators, HORNET is also less vulnerable to some of the attacks that have been used to unmask Tor users. The Tor Project has declined to comment on HORNET until the research has been peer-reviewed.


Vawtrak Banking Malware Hides Its Servers in Tor

Posted on

Some variants of the Vawtrak banking Trojan, also known as Neverquest, have been found to hide their command and control (C&C) servers inside the Tor anonymity network, making the cybercriminal operation harder to disrupt.

Most versions of the malware rely on hard-coded C&C addresses, but that approach makes the servers that deliver commands to infected machines easy to discover through threat analysis, and easy to block or take down once found.

DGA is not foolproof

A different mechanism for making Vawtrak more resilient to takedown efforts involves a domain generation algorithm, which creates a set of domain names the malware contacts to receive commands.

The criminals need to register only a small number of them, because Vawtrak will try each in turn until it receives the expected response.

Raul Alvarez from Fortinet explains how the process works for this piece of malware, saying that Vawtrak’s code includes multiple DWORD values matching different domain names.


“Each DWORD value is a seed used to generate the domain name. These seeds are stored as fixed values within the malware code, thereby producing the same pseudo-randomized domain names. To generate the corresponding domain name, Vawtrak uses the seed to generate the pseudo-randomized characters of the domain name,” he says in a blog post.

However, the technique is not infallible: researchers can reverse-engineer the algorithm, recover the seeds and enumerate every domain it will ever generate.

Tor2Web proxy used to access hidden services

More recent variants of the threat instead rely on Tor2Web, a gateway service that fetches content from Tor hidden services on behalf of a client that is not running Tor, so the infected machine needs no additional tools.

The strings generated by the DGA are .onion addresses inside Tor, and the author added a function that reaches them through the Tor2Web proxy service.

Although a client’s connection to the proxy can be traced, the path beyond it cannot: Tor traffic is encrypted and routed through multiple relays, each of which knows only the previous and the next hop. The result is a C&C server whose location is shrouded in anonymity.
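To make the two mechanisms concrete, here is an added Go example (not Vawtrak’s code; its real generator and seeds are not reproduced) serving both the DGA section and the Tor2Web section above: a seed-driven generator that emits hidden service names, the analyst-side enumeration that defeats it, and the Tor2Web rewrite that lets a bot reach a .onion server through a clearnet gateway. The seed values, the xorshift generator, the name format and the gateway host gateway.example are assumptions made for the example.

```go
package main

import (
	"encoding/base32"
	"fmt"
	"strings"
)

// seeds stands in for the fixed DWORD values embedded in the sample. These are
// made-up numbers, not Vawtrak's real seeds.
var seeds = []uint32{0x1A2B3C4D, 0x5E6F7081, 0x92A3B4C5}

// xorshift32 is a toy generator used for illustration; Vawtrak's own
// generator is not reproduced here.
func xorshift32(s uint32) uint32 {
	s ^= s << 13
	s ^= s >> 17
	s ^= s << 5
	return s
}

// OnionFromSeed expands one seed into 10 pseudo-random bytes and encodes them
// as a 16-character v2-style hidden service name. The same seed always yields
// the same name, which is what lets the operator register a few in advance.
func OnionFromSeed(seed uint32) string {
	var raw [10]byte
	s := seed
	for i := range raw {
		s = xorshift32(s)
		raw[i] = byte(s >> 24)
	}
	return strings.ToLower(base32.StdEncoding.EncodeToString(raw[:])) + ".onion"
}

// EnumerateDomains is the analyst's side: with the seeds and the algorithm
// recovered from a sample, every name the bot will ever try can be listed
// ahead of time and sinkholed or blocked.
func EnumerateDomains(seeds []uint32) []string {
	out := make([]string, 0, len(seeds))
	for _, s := range seeds {
		out = append(out, OnionFromSeed(s))
	}
	return out
}

// Tor2WebURL rewrites the hidden service name into a URL on a clearnet
// gateway, so the bot reaches the .onion server without running a Tor client.
// The gateway host is a placeholder, not a real service.
func Tor2WebURL(onion, gateway string) string {
	return "https://" + strings.TrimSuffix(onion, ".onion") + "." + gateway + "/"
}

// FirstResponding mirrors the bot's loop: try each candidate in order and stop
// at the first one that answers as the operator's server would. probe is
// whatever check the bot applies to the reply.
func FirstResponding(candidates []string, probe func(name string) bool) (string, bool) {
	for _, c := range candidates {
		if probe(c) {
			return c, true
		}
	}
	return "", false
}

func main() {
	domains := EnumerateDomains(seeds)
	for _, d := range domains {
		fmt.Println(d, "->", Tor2WebURL(d, "gateway.example"))
	}
	// Constructed stand-in for the network: only the third name is "registered".
	live := map[string]bool{domains[2]: true}
	hit, ok := FirstResponding(domains, func(d string) bool { return live[d] })
	fmt.Println("bot would use:", hit, ok)
}
```

The defender’s leverage is the same determinism the operator relies on: once the seeds and generator are lifted from a sample, EnumerateDomains produces the complete candidate list, and blocking the gateway hostnames derived from it cuts the bot off before it ever finds a live server.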

Vawtrak includes multiple protection mechanisms (such as disabling antivirus solutions) that allow it to evade detection and analysis. After compromising a machine, it can pilfer credentials and record user activity (keystrokes, screenshots and video).

Its operator can access the system remotely through a VNC channel and alter web sessions by injecting fake content in order to collect passwords for online banking accounts and the additional codes needed to access them.


Unmasking hidden Tor service users is too easy, say infosec bods

Posted on

Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.

The discovery is significant, because browsing hidden services had been thought to be more secure than the more typical practice of using the Tor network to browse the open web anonymously.


Not so, say Filippo Valsorda, a member of CloudFlare’s security team, and George Tankersley, an independent researcher. In their presentation, the pair showed that it’s surprisingly easy to subvert anonymous access to a hidden server – and thus possibly identify a user of that server – if you’re sneaky about it.

That’s bad, because hidden services are operated not just by dodgy sites like the Silk Road but also by legitimate sites like Facebook. Tor often hits the headlines for enabling things like online drug souks and other criminal operations, when it can be and is used by journalists, whistleblowers, security researchers, and anyone who values their privacy, to exchange information and surf the web anonymously.

“If you run a hidden service that does not need location hiding, you are unnecessarily exposing your users to this risk,” the researchers said. “It would probably be better to let them use Tor on your TLS-enabled clearnet site.”

When using Tor to browse the open web anonymously, your client connects to an entry (guard) relay, and your traffic is routed through the network and out of an exit relay, hiding your IP address from the destination. The weakness in this approach is that an adversary who ran enough entry and exit relays could correlate where users enter the Tor network with where they leave it. That would require massive resources and for the Tor operators not to notice, but it is possible.

Hidden services are thought to eliminate this possibility because all traffic stays inside the Tor network: there is no exit relay whose traffic can be linked to an entry relay, which is why using hidden services is considered more secure.

What the researchers found, however, is that it’s possible to spoof connections to hidden services to identify their users – and doing so might be even easier than identifying users by their exit nodes.

A hidden service depends on HSDir (hidden service directory) relays: it publishes its descriptor, which lists its introduction points, to six of them, in two sets of three. Clients must fetch that descriptor from one of those relays before they can connect, and a relay needs only four days of continuous uptime to earn the HSDir flag.

The two suggest an attacker could observe users’ connection attempts by running rogue HSDir relays, which is relatively easy and computationally cheap: which relays are responsible for a given service is determined by where the service’s descriptor ID falls among the relay fingerprints, so an attacker can grind identity keys until its relays land in the right positions. To demonstrate, they set up such relays and positioned them so that most of the HSDirs responsible for Facebook’s hidden service were theirs.

There are ways for site operators to protect against this, however. Hidden service operators are advised to be very wary of young HSDir relays, or better still to run their own HSDir relays positioned to be responsible for the service, which also provides a warning if other relays try to take those positions.

The researchers have released software tools to help spot dodgy HSDir nodes, and they say a proposed change to the Tor hidden service protocol could stop this kind of attack. A spokesperson for the Tor Project could not be reached for comment.
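As an added worked example (not the researchers’ tools or the Tor Project’s code), the following Go program shows why the HSDir attack described above is cheap. It computes v2 descriptor IDs as rend-spec v2 defines them, finds the two sets of three responsible HSDirs on a constructed relay ring, then plays the attacker, grinding stand-in identity keys until its relays sit just after each descriptor ID, and finally runs the operator-side uptime audit the article recommends. The relay set, the timestamp, the uptime threshold and the SHA-1-of-a-counter stand-in for real RSA key generation are assumptions; facebookcorewwwi.onion is Facebook’s real v2 address.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// Relay is one HSDir-flagged relay from a constructed consensus.
type Relay struct {
	Fingerprint []byte // 20-byte SHA-1 of the relay's identity key
	Name        string
	UptimeHours int
}

// PermanentID decodes a v2 onion name (16 base32 chars) into its 10-byte ID.
func PermanentID(onion string) ([]byte, error) {
	return base32.StdEncoding.DecodeString(strings.ToUpper(strings.TrimSuffix(onion, ".onion")))
}

// DescriptorID follows rend-spec v2 for a service without a descriptor cookie:
//   time-period = (now + byte0(permanent-id) * 86400 / 256) / 86400
//   descriptor-id = SHA1(permanent-id | SHA1(time-period | replica))
func DescriptorID(permID []byte, now int64, replica byte) []byte {
	var tp [4]byte
	binary.BigEndian.PutUint32(tp[:], uint32((now+int64(permID[0])*86400/256)/86400))
	secret := sha1.Sum(append(tp[:], replica))
	id := sha1.Sum(append(append([]byte{}, permID...), secret[:]...))
	return id[:]
}

func sortedByFingerprint(relays []Relay) []Relay {
	s := append([]Relay(nil), relays...)
	sort.Slice(s, func(i, j int) bool { return bytes.Compare(s[i].Fingerprint, s[j].Fingerprint) < 0 })
	return s
}

// firstAfter: index of the first fingerprint sorting after id (len(sorted) if none; the ring wraps).
func firstAfter(sorted []Relay, id []byte) int {
	return sort.Search(len(sorted), func(i int) bool { return bytes.Compare(sorted[i].Fingerprint, id) > 0 })
}

// ResponsibleHSDirs returns the "two sets of three": for each replica, the three
// relays whose fingerprints follow the descriptor ID on the hash ring.
func ResponsibleHSDirs(relays []Relay, permID []byte, now int64) [][]Relay {
	sorted := sortedByFingerprint(relays)
	var out [][]Relay
	for replica := byte(0); replica < 2; replica++ {
		start, set := firstAfter(sorted, DescriptorID(permID, now, replica)), []Relay{}
		for k := 0; k < 3 && k < len(sorted); k++ {
			set = append(set, sorted[(start+k)%len(sorted)])
		}
		out = append(out, set)
	}
	return out
}

// PlaceRogueRelays models the attack: read the public consensus, compute both
// descriptor IDs, and grind identity keys until perReplica fingerprints land
// between each ID and the first honest relay after it. SHA-1 of a counter
// stands in for hashing a freshly generated RSA identity key.
func PlaceRogueRelays(honest []Relay, permID []byte, now int64, perReplica int) []Relay {
	sorted := sortedByFingerprint(honest)
	var rogue []Relay
	for replica, counter := byte(0), 0; replica < 2; replica++ {
		id := DescriptorID(permID, now, replica)
		i := firstAfter(sorted, id)
		for found := 0; found < perReplica; counter++ {
			fp := sha1.Sum([]byte(fmt.Sprintf("rogue-identity-key-%d", counter)))
			if bytes.Compare(fp[:], id) > 0 && (i == len(sorted) || bytes.Compare(fp[:], sorted[i].Fingerprint) < 0) {
				rogue = append(rogue, Relay{fp[:], fmt.Sprintf("rogue%d", len(rogue)), 0})
				found++
			}
		}
	}
	return rogue
}

// AuditHSDirs is the operator-side check the article recommends: name the
// responsible relays whose uptime is below the operator's own threshold.
func AuditHSDirs(sets [][]Relay, minUptimeHours int) (young []string) {
	for _, set := range sets {
		for _, r := range set {
			if r.UptimeHours < minUptimeHours {
				young = append(young, r.Name)
			}
		}
	}
	return young
}

// ConstructedConsensus fabricates n long-running honest HSDirs (test data only).
func ConstructedConsensus(n int) []Relay {
	relays := make([]Relay, 0, n)
	for i := 0; i < n; i++ {
		fp := sha1.Sum([]byte(fmt.Sprintf("honest-relay-%d", i)))
		relays = append(relays, Relay{fp[:], fmt.Sprintf("relay%d", i), 720})
	}
	return relays
}

func main() {
	permID, _ := PermanentID("facebookcorewwwi.onion") // Facebook's real v2 address
	honest, now := ConstructedConsensus(200), int64(1431000000) // constructed timestamp
	sets := ResponsibleHSDirs(append(honest, PlaceRogueRelays(honest, permID, now, 3)...), permID, now)
	for _, set := range sets {
		for _, r := range set {
			fmt.Printf("%-7s uptime=%3dh fp=%x...\n", r.Name, r.UptimeHours, r.Fingerprint[:4])
		}
	}
	fmt.Println("responsible relays younger than 96h:", AuditHSDirs(sets, 96))
}
```

Note how little the attacker needs: the consensus is public, the descriptor IDs are computable a day in advance from the onion address alone, and each target position costs only as many key generations as there are gaps in the ring. The audit at the end is what an operator who runs its own HSDirs gets for free, since a freshly minted relay taking one of the six positions shows up immediately as a low-uptime entry.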