The FBI Unmasks Tor Users Using Open-Source Hacking Software

A powerful piece of software called Metasploit has become one of the most important tools in the hacking world. Regarded as a multipurpose tool for exploiting weaknesses on the web, it is available to anyone who is interested: security professionals, common criminals and federal agents alike.

Technology has become woven into everyday life, and more and more people depend on it. Scientists, criminals and governments may all agree on the usefulness of a particular technology, but the purposes they put it to are another matter entirely.

Metasploit is one of the world's most popular penetration-testing tools. Backed by a community of over 200,000 users and contributors, it is a powerful way to test for security holes, in the hands of security professionals and criminals alike.

Metasploit's popularity has now brought to light a new fan: the FBI. Federal agents relied on an abandoned Metasploit side project called the "Decloaking Engine".

The FBI first used the project in "Operation Torpedo," a 2012 effort to locate and identify the users of three dark-net child porn websites. The operation began after the FBI arrested Aaron McGrath, a Nebraska man responsible for hosting the three websites.

McGrath's websites were hosted on the deep web, the part of the web that ordinary browsers and search engines cannot reach. At the time, users could only access the sites through Tor, a well-known anonymizing service. Using the project, the FBI served every visitor to those websites malware that exposed their IP address.

This was the first recorded incident in which the FBI targeted all visitors to a website rather than deploying code against a particular suspect. It was also the bureau's first known effort to successfully identify a large number of suspects hiding behind the Tor anonymity network. The operation led to the arrest of 14 individuals.

The FBI relied on Metasploit's Decloaking Engine, which combined five different tricks for breaking through the anonymization provided by Tor. One of them was a 35-line Flash application that opened a direct connection between the user's machine and the server over the web; this bypassed Tor and revealed the user's true IP address.

Since the success of "Operation Torpedo," the FBI has cracked Tor and other anonymizing services on several other occasions. In 2013, the FBI launched a similar attack against Freedom Hosting, which maintained the servers hosting a number of popular Tor websites. This time the method was custom attack code that exploited a relatively fresh Firefox vulnerability. Besides collecting IP addresses, the FBI also succeeded in capturing visitors' MAC addresses. There was also "Operation Onymous," in which the FBI took part in an international law-enforcement effort to shut down a number of "underground" websites; 17 people were arrested in the process, including Blake Benthall, the owner and operator of Silk Road 2.0.

One of the more prominent suspects was Timothy DeFoggi, the former acting director of cyber security at the U.S. Department of Health and Human Services (HHS), who was convicted in August 2014 on seven counts, including engaging in a child exploitation enterprise, conspiracy to advertise and distribute child porn, and using a computer with that intent.

An attorney for one of the defendants ensnared by the code is challenging the reliability of the software, arguing that it may not meet Supreme Court standards for the admission of scientific evidence.

Tor, Anonymity on the Web, Busted?

Tor is a free and open-source project originally funded by the US Navy. First released in September 2002, it protects users' anonymity by routing their traffic through a series of encrypted connections. Because it cloaks the user's identity on the web, Tor is popular with people who dislike the tracking done by many internet services, and that includes hackers and criminals.

Besides being widely popular with hackers and criminals, Tor is used by many others as well: human rights workers, activists, journalists, whistleblowers, and, since October 2014, even Facebook.

Julian Assange, the figure behind WikiLeaks, has said that the site sends all of its own information through the Tor network, along with "hundreds of thousands" of fake documents to obscure the genuine ones. Edward Snowden, the former NSA contractor, also uses Tor to distribute his revelations.

With so many legitimate users depending on the system, the successful attacks on Tor have raised questions: did the FBI develop its own method of attack, or did it outsource the job? Did the NSA take part? Were any innocent users affected?

The Judicial Conference of the U.S. is considering a Justice Department petition to explicitly permit spyware deployments, based in part on the legal framework established by Operation Torpedo. Critics of the petition argue that the Justice Department must explain in greater detail how it is using spyware, so that a public debate over the capability can take place.

Metasploit was created by HD Moore, a white-hat hacker, in 2003. The tool is known as a sophisticated open-source penetration-testing framework that lets its user assemble and deliver an attack from component parts: identify targets, exploit them, and deliver a payload that could damage them. And because it is supported by a massive community, Metasploit is kept up to date with recent developments in internet security, such as the Heartbleed bug in April 2014.

Moore believes in transparency when it comes to security holes and their fixes. He applied that ethic to other projects under the Metasploit flag, and one project built on that principle earned Moore a warning from law enforcement officials.

It was in 2006 that Moore launched the Metasploit Decloaking Engine. A user who installs Tor usually assumes they are 'totally' anonymous, but under certain conditions they are not: if they make a mistake in configuring Tor, or in using it, their anonymity can be stripped away. With Decloak, a user who had made such a mistake would see their real IP address appear on screen, proving that they were not as anonymous as they thought.

"That was the whole point of Decloak," said Moore. "I had been aware of these techniques for years, but they weren’t widely known to others."

This was a response to the growing popularity of Tor and of the 'hidden services' available on the deep web, with addresses ending in .onion.

The race between scientists, criminals and government officials to exploit and strengthen Tor continues. Some have said the FBI was lucky that its agents could trace anyone with the code at all, pointing out that the suspects were running old Tor versions that left them vulnerable. Opening a direct connection around Tor via Flash was a known issue even in 2006, and newer versions of the Tor Project's software caution users not to install Flash.

One problem that hidden services pose for investigators is that server logs seized by the FBI are far from enough. Ordinarily, server logs provide the IP addresses of everyone who visited the website hosted there, letting one bust lead to a series of others. But with Tor, every incoming connection can only be traced back to the nearest Tor node. Since Tor bounces each connection through multiple nodes, encrypted at each hop, the logs are useless.
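The point about seized logs is easy to see on the server side. The following script is an added example, not code from the article or from the Tor or Metasploit projects: it parses a few constructed Apache combined-format log lines, tags each entry whose source address is a Tor exit relay, and records for each one what an analyst may legitimately conclude (only the exit relay is known, not the visitor). The exit-relay addresses and log lines are constructed for the demo; a real deployment would load the current exit list published by the Tor Project and read its own access log.

```python
"""Tag web-server log entries that arrived through Tor exit relays.

Added example, not code from the article or from the Tor or Metasploit
projects.  For a visitor who reaches a site through Tor, the server log
records only the IP address of the Tor exit relay, so the entry cannot
be attributed to the visitor.  The log lines and the exit-relay list
below are constructed for the demo.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of Tor exit-relay addresses (documentation ranges,
# not real relays).  In practice this set is refreshed from the Tor
# Project's published exit list.
TOR_EXIT_IPS = {"203.0.113.7", "203.0.113.42", "198.51.100.9"}

# Constructed Apache "combined" log lines: two entries come from the
# sample exit addresses, two from an ordinary client address.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2014:18:22:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Nov/2014:18:22:09 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2014:18:23:14 +0000] "POST /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Nov/2014:18:24:30 +0000] "GET /gallery HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, identd, user, timestamp, request,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Reject anything that is not a valid IP address so a hostile log line
    # cannot smuggle odd strings into later processing.
    try:
        ipaddress.ip_address(entry["ip"])
    except ValueError:
        return None
    return entry


def classify_log(text, exit_ips=TOR_EXIT_IPS):
    """Return parsed entries with a 'via_tor' flag and an attribution note."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        via_tor = entry["ip"] in exit_ips
        entry["via_tor"] = via_tor
        # The note records what an analyst may legitimately conclude.
        entry["attribution"] = (
            "Tor exit relay only; visitor's real address is not in this log"
            if via_tor else "direct client address"
        )
        results.append(entry)
    return results


def summarize(entries):
    """Count entries and distinct source addresses, split by Tor/non-Tor."""
    counts = Counter("tor" if e["via_tor"] else "direct" for e in entries)
    direct_ips = {e["ip"] for e in entries if not e["via_tor"]}
    tor_exits = {e["ip"] for e in entries if e["via_tor"]}
    return {
        "tor_entries": counts["tor"],
        "direct_entries": counts["direct"],
        "attributable_client_ips": sorted(direct_ips),
        "exit_relays_seen": sorted(tor_exits),
    }


if __name__ == "__main__":
    entries = classify_log(SAMPLE_LOG)
    for e in entries:
        print(f'{e["ip"]:<14} {e["request"]:<24} {e["attribution"]}')
    print(summarize(entries))
```

Run on the constructed sample, two of the four entries are tagged as Tor traffic and the summary lists only one attributable client address; the two exit-relay addresses are reported separately, since the most a seized log can reveal about those visits is which relay they came through.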

But Metasploit's role in Operation Torpedo reveals the FBI's Tor-busting efforts as an improvisation built on open-source code that is available to anyone.