Feds suspected of using malware to attack online anonymity tool

Security experts believe government agencies used malicious software against Tor protected computers

By Natasha Lennard

Published August 5, 2013 5:53PM (EDT)


Tor, the online anonymity tool used by everyone from journalists to hackers to child pornographers to anonymize their IP addresses and avoid having their online searches tracked, has reportedly been attacked by malware. According to Wired and a number of other sources, the FBI is the prime suspect behind the attack.

Tech blog Cryptocloud noted that attributing the malware exploit to the feds is "a leap of assumptive logic." However, a number of security experts reviewing the attacks say it is likely that the malicious software, used to identify Tor users by exploiting a vulnerability in the Firefox browser, originated with the FBI. Via Wired:

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsyrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

Cryptocloud points out, however, that the malware used in the Tor exploit has, in fact, been traced to an IP address space belonging not to the FBI but to the NSA. Without concluding with any authority that the NSA or the FBI is behind the Tor attack, the tech blog notes:

What is an NSA IP address doing as a command & control contact for javascript malware being deployed in the #torsploit [the hashtag used to describe the incident] attack? That remains to be seen... but we already know that PRISM data has been "jumping the wall" and leaking into other law enforcement hands. Is this an example of further abuse of PRISM's "national security only" dataset?

While Tor has been known to be used by criminals to avoid detection, it is a crucial tool for journalists and activists and any internet denizen with an interest in protecting their privacy -- be it from government surveillance or tracking by other unwanted parties. Those who had thought using Tor exempted them from government dragnets may, in light of #torsploit, think again.

Natasha Lennard is an assistant news editor at Salon, covering non-electoral politics, general news and rabble-rousing. Follow her on Twitter @natashalennard, email nlennard@salon.com.
