Patched Tor browser vulnerability puts users' identity at risk

News roundup: Tor browser patches de-anonymizing vulnerability. Plus, Senators ask Obama to release information on Russia's impact on the election, Mirai botnet for rent and more.

Both Mozilla and the Tor Project have patched a vulnerability that was actively used to de-anonymize Tor browser users.

This vulnerability was a previously unknown flaw in the Firefox browser, on which the Tor Browser is based. Tor hides its users' public IP addresses, but with the exploit, attackers were able to collect the IP and MAC addresses by having the user load a webpage that contains malicious JavaScript and SVG code. According to a post on the Mozilla Security blog, the exploit would only work on Windows systems, but the vulnerability also exists on Mac OS and Linux, so all users of Mozilla and Tor should update their browsers immediately.

This patch arrived on the heels of the news that the FBI hacked thousands of Tor users during a 2015 child pornography investigation using a "nonpublicly-known vulnerability." In a related case, U.S. District Court Judge Timothy L. Brooks provided details about the FBI's methodology in the investigation into the anonymous site Playpen and its users. According to the court filing from Brooks, the FBI used a network investigative technique (NIT) to learn a user's "true IP address" and thus the identity and location of that user.

The exploit patched by Mozilla on Nov. 30 bears similarities to the exploit used by the FBI in 2015. In a blog post about the patch, Mozilla security lead Daniel Veditz wrote, "The exploit in this case works in essentially the same way as the 'network investigative technique' used by FBI to de-anonymize Tor users (as FBI described it in an affidavit). This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency."

There is no proof that this week's exploit is the same one the FBI used in the Playpen investigation. Veditz acknowledges that, but went on to say, "If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader web."

There is a history in recent years of the FBI and other federal government agencies looking for ways to de-anonymize Tor browser users. In 2014, a federal judge confirmed that the Department of Defense hired researchers at the Software Engineering Institute of Carnegie Mellon University to research ways to obtain the IP addresses of Tor users.

It is unknown whether the research from Carnegie Mellon is the same exploit used by the FBI in 2015, or even if it is the same exploit patched by Mozilla Nov. 30. There is speculation among security experts as to whether one, two or three exploits exist for Tor vulnerabilities that reveal Tor users' IP addresses.

In other news:

  • U.S. Senator Ron Wyden (D-Ore.) teamed with seven members of the Senate Select Committee on Intelligence to pen a letter to President Obama, calling on him to release more information about the Russian government's suspected hacking related to the 2016 U.S. presidential election. The letter reads, "We believe there is additional information concerning the Russian Government and the U.S. election that should be declassified and released to the public. We are conveying specifics through classified channels." It is signed by Wyden, Martin Heinrich (D-N.M.), Jack Reed (D-R.I.), Angus King (I-Maine), Mark R. Warner (D-Va.), Mazie K. Hirono (D-Hawaii) and Barbara A. Mikulski (D-Md.). This letter follows the November confirmation from the White House that it contacted the Russian government days before the election to warn it against interfering with the process.
  • Former CIA and NSA director Michael Hayden said the private sector offers the better protection against cyberthreats, not the government. While speaking at the Ingram Micro ONE event, Hayden said, "In terms of the day-to-day, somewhat serious attacks, the government is not protecting you. You're going to the private sector for the tools, products and services that you need to keep yourself safe." Hayden also said that the government's slow start in addressing cybersecurity threats means it will always be behind the curve, whereas the private sector has a better understanding of cybersecurity. "There is an incredible amount of entrepreneurial and technology energy in the private sector to make you and me safer in the cyber domain," Hayden said. "The private sector in this domain is the prime mover." Hayden served as NSA director from 1999 to 2005 and as CIA director from 2006 to 2009.
  • Aspiring hackers can now rent a botnet of 400,000 IoT devices infected with Mirai malware. The Mirai botnet has grown rapidly since it first attacked security journalist Brian Krebs, moving on to launch a large-scale attack on DNS provider Dyn that took portions of the internet offline for a day. Two hackers known as BestBuy and Popopret are the botnet landlords -- previously, they were behind the GovRAT malware that stole data from a large number of U.S. companies. They used the XMPP/Jabber instant messenger to advertise the botnet rental. According to Popopret, the rental price is "determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount)." The original Mirai botnet had only 200,000 devices, so the two hackers are offering a significant increase in the number of infected devices. They offer no proof to potential renters that they are actually in possession of this massive botnet.
  • The new Hack the Army bug bounty program kicked off Nov. 30. After the success of the Hack the Pentagon program earlier in 2016, HackerOne has again teamed up with the U.S. Department of Defense to host the first Hack the Army initiative. Running through Dec. 21, the program offers cash rewards to hackers who find currently unknown cybersecurity vulnerabilities in U.S. Army systems. Unlike Hack the Pentagon, which was only open to civilians, Hack the Army is also open to U.S. government employees and active duty military personnel. Army Secretary Eric Fanning said, "What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security, but lack a legal avenue to do so." The Hack the Pentagon bug bounty program found and resolved 138 vulnerabilities in Pentagon systems.
