{"id":16637,"date":"2013-08-05T10:57:53","date_gmt":"2013-08-05T17:57:53","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=16637"},"modified":"2013-08-07T14:09:34","modified_gmt":"2013-08-07T21:09:34","slug":"tor-anonymity-attacked-feds-suspected","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/tor-anonymity-attacked-feds-suspected\/","title":{"rendered":"Tor Anonymity Attacked – Feds Suspected"},"content":{"rendered":"

\"Tor-Attacked\"<\/a><\/p>\n

Some of the most noteworthy malware were likely considered a failure by their authors. Flashback<\/a>, for instance, turned out to be pretty much worthless<\/a> for its authors \u2013 when you\u2019re trying to stay under the radar of fraud detection, being a huge and almost-overnight success is not so good. Over the weekend, another moment of sketchy code flying into radar range occurred, which may have exposed a component of the US Government\u2019s CIPAV<\/a> data gathering tool.<\/p>\n

In case you\u2019re not keeping a running list of the acronyms and codenames used to describe shadowy government surveillance tools (Is there a single page for this somewhere? That\u2019d be super handy!) CIPAV stands for Computer and Internet Protocol Address Verifier. It was, at least in theory, meant to capture a variety of location data including MAC and IP address.<\/p>\n

The existence of the tracking tool first came to light in 2007, in a court filing pertaining to a high school kid<\/a> that made bomb threats. No samples were available at the time, so AV companies were left to speculate<\/a> as to whether it would be detected. It\u2019s likely that the tool has been used to a limited extent since at least 2002<\/a>.<\/p>\n

This weekend<\/a>, a 0-day exploit was found that targets an older version of Firefox<\/a> that\u2019s used as part of a Tor browser package. This exploit was used to compromise a large number of \u201chidden services\u201d sites within the Tor network, effectively cutting off a significant chunk of the Tor “onion”. These compromised sites contained scripts to download a tracking tool that would identify the MAC address of the user\u2019s machine, and send this information to an IP address in northern Virginia, which would give the receiver the user\u2019s IP address as well.<\/p>\n

Because this exploit affected so many different sites, it attracted a lot of attention. It\u2019s unlikely that we will ever know for certain whom the real author was. Because the behavior of this script was so different from the usual financial motivation of malware, it seems likely that it was not the work of the usual suspects. And if this is indeed a tracking tool written by the government, there\u2019s probably a lot of scurrying going on right now to significantly re-write the code so as to get themselves back under criminals\u2019 radar.<\/p>\n

photo credit: \/*dave*\/<\/a> via photopin<\/a> cc<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Some of the most noteworthy malware were likely considered a failure by their authors. Flashback, for instance, turned out to be pretty much worthless for its authors \u2013 when you\u2019re trying to stay under the radar of fraud detection, being a huge and almost-overnight success is not so good. Over the weekend, another moment of […]<\/p>\n","protected":false},"author":6,"featured_media":16643,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[5],"tags":[553,569],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n