Innocent Tormail Users May be Victims of FBI Hacking

In 2013, the dark web email service Tormail was seized by the FBI, which also took the contents of its servers. It was also suspected that the FBI had made use of a network investigative technique (NIT), an FBI term for a hacking tool, to compromise some users of the service. A report by the Washington Post on the FBI’s use of NITs confirmed these suspicions but also opened many more questions, such as the scope of the hacking.

Prior to its takedown by the FBI, the Tormail service ran on the dark web, accessible only through the Tor network. Such hidden email services are typically used by those in need of privacy, whether for legitimate reasons, such as journalism, or for less than legal activities such as drug dealing, trading on Silk Road and other activities that could draw the attention of the FBI. The agency had supposedly obtained a warrant to hack the accounts of certain people thought to be associated with the distribution of child pornography. Despite this, when Freedom Hosting, a web host providing dark web services including Tormail, was seized by the FBI, anyone accessing a page hosted by Freedom Hosting was served an error page. This error page was designed to serve malicious code that took advantage of a security flaw in the Firefox browser to transmit the user’s real IP address to a Virginia server.

An ex-user of TorMail told Motherboard that the error page and malicious code “appeared before you even logged in.” This calls into question whether the FBI was acting within its claims of targeting specific users if the real IP address of every single person to access TorMail was reported to them. And while there were certainly criminals making use of the service, many users were not engaging in criminal activity, regardless of their reason for wanting privacy.

Christopher Soghoian, a technologist for the American Civil Liberties Union, told Motherboard “If the government, in fact, delivered an NIT to every single person who logged into TorMail, then the government went too far.” Not to mention, if the FBI were hacking everyone accessing the service with the only justification being their usage of a privacy service, it could be considered unreasonable and may not respect boundaries for international users. And with NIT orders not being publicly released, even years after the fact, there is no concrete information as to what the judge actually authorized the FBI to do.

Cases like this are worrying to anyone who is concerned about online privacy. With Tor recently suspected to be compromised by the FBI and their director decrying the use of encryption without backdoors, it is unclear where the power of the FBI truly reaches. This lack of public accountability could be a threat to those who desire privacy for innocent reasons and may harm unbiased journalism should the tools it uses put it under threat.

Facebook Android App Now Supports Tor

For those who are privacy conscious or live in countries where the Facebook service is censored, the social media giant’s Android application has long been unusable. This has changed with the latest version of the Facebook app, which includes the option for the app to route its traffic through the Tor network.

The experimental new feature can be enabled through the app’s settings and depends on a separate app called Orbot, which acts as a proxy that routes the traffic through the Tor network. Due to the nature of the Tor network, enabling this feature does have the side effect of disabling push notifications. As long as a user makes sure to manually check for updates frequently, this is hardly a big loss for the privacy aware.

Tor’s service works by routing traffic through a series of random nodes, or relays, in its network. This ensures that no one system in the chain can know both the true origin and the destination of the packets sent and received. Only the initial node knows the packet’s source, and only the final node, which sends the packet onto the public internet and is known as the exit point, knows the destination. The packets are also encrypted in such a way that the nodes are unable to snoop on the data sent. The value of this approach is that it masks the sites and services that you are accessing from your ISP and any nodes en route, as well as hiding your IP from the destination.

Facebook’s site has been available over Tor since 2014 at facebookcorewwwi.onion, a version of the site only accessible through the Tor service. Traffic to this address never passes back to the public internet to reach the regular Facebook site, so no Tor exit points or public internet relays are traversed. Sadly, the app currently relies on Facebook’s public servers even when Tor is enabled, but it is to be expected that support for their .onion Tor service is in the app’s future.

Ross Ulbricht Appeals for Silk Road Retrial over Police Corruption

Ross Ulbricht, the 31-year-old man ruled to be the founder of dark web black market site Silk Road and convicted on seven counts, has appealed for a fresh trial on the grounds that two of the police officers involved in the investigation have been convicted of fraud, committed on the Silk Road site while the investigation into Ulbricht’s involvement was being held, according to the International Business Times.

Eight months after Ulbricht’s conviction, his legal team argues that the actions of DEA agents Carl Force and Shaun Bridges, both found to be stealing bitcoins from Silk Road during their investigation, were not disclosed to the court during Ulbricht’s trial, nor was the investigation into the two agents made known to the defense team.

The 145-page appeal asks the higher courts to expunge Ulbricht’s conviction for all seven charges – narcotics trafficking, computer hacking, money laundering, conspiracy to traffic fraudulent IDs and engaging in continuing criminal enterprise – arguing that the court deliberately withheld information regarding the investigation into Force and Bridges.

“To a significant degree the extent, and in some respects the nature, of Force’s misconduct – as well as Bridge’s participation altogether – was hidden by the government from the defense (and the court) in this case until after the trial,” writes lead attorney Joshua Dratel.

“The life sentence imposed on 30-year-old Ross Ulbricht [now 31] shocks the conscience,” Dratel adds, “and is therefore substantially unreasonable. Accordingly, Ulbricht should be re-sentenced before a different judge to avoid the irremediable taint from the improper factors the court considered.”

FBI Tracked People Across The Dark Web

The FBI are known to be active in the digital world, having recently admitted to the use of Stingrays to monitor mobile communications and of zero-day exploits to gain access to systems. It would now seem that nowhere is safe for those who break the law, as the extent of the FBI’s digital prowess is revealed by Joseph Cox of Motherboard.vice.

The FBI are reported to have hacked over a thousand computers as part of their action to help track down and identify individuals who were viewing or responsible for indecent child images on the Dark Web, a variation of the internet that is designed to be accessed in secret using encrypted and rerouted traffic.

A bulletin board was created on the dark web in August 2014, allowing users to sign up and upload a variety of images; the site was later confirmed to be known as “Playpen”. After gaining nearly 60,000 in the first month, within a year of this, the site had exploded to include almost 215,000 posting over 117,000 posts. There was just one problem for people who wanted to use the site at this point: a month before this explosion of users, the server was obtained by law enforcement in North Carolina. This didn’t stop the service. The site was continued from a server in Virginia, one of the FBI’s servers no less.

While the site was being run on the FBI’s servers, they used the opportunity to deploy a network investigative technique (NIT), known to the public as a hacking tool. This tool was said to have been used in the identification of approximately 1300 IP addresses.

This is not the first time that actions of this kind have been used by law enforcement, or even by the FBI in particular, but it is the first time that such a large-scale operation has been made public. With all these actions covered under a single warrant, with no specific targets, some are even stating that this way of tracking, hacking and identifying is illegal no matter the warrant it uses.

Find below a section of the affidavit that was used in support of the search warrant application, showing just how much information going on a website could have revealed.

The basic idea behind their warrant was that if you visited the site and started to log in or even sign up, it authorised the deployment of the NIT. This raises the question of whether the judge who authorised the action knew what they were authorising, or was even informed about the scope and the methods that were going to be used as part of the action.

More and more, government use of technology in the real world is being questioned as practices and methods used for years are brought to light and identified as legally questionable.

Stolen User Data Sells for as Little as $1 on the Dark Web

Online data breaches and stolen user details are becoming a sad reality of life on the internet. Whether it’s the infamous Ashley Madison hack or a phishing attack, it’s tough to stop your information from falling into the wrong hands. You might be surprised, however, how much your personal data is worth. According to a new report from Trend Micro, entitled “Understanding Data Breaches”, user data is being sold on for as little as one dollar on the dark web.

Trend Micro also found, thanks to the Privacy Rights Clearinghouse Data Breaches database, that only 25% of data breaches between 2005 and 2015 were due to online hacks. The most common breaches are inside jobs, committed by employees of a company, as well as device skimming and physical theft of laptops, flash drives, and mobile devices.

Credit and debit card details are still most effectively gathered via skimmers or cameras connected to ATMs or point-of-sale terminals, or by hardware keyloggers on cash registers, rather than by online methods.

Much of this stolen data is then sold on through the dark web, with bank details fetching up to $500 per account, PayPal and eBay accounts going for around $300, while US mobile accounts can go for as little as $14. Personally identifiable information (PII) – name, address, date of birth, and social security/national insurance number – sells for $1 per line, which means that the tiny sum of $4 can effectively buy a person’s identity. Bump that fee up to $25, and a full credit report on that person is yours.

Thank you ZDNet for providing us with this information.

Thousands of Uber Accounts Are Said to Be Selling on the Dark Web

At least two vendors on the dark web marketplace named AlphaBay are allegedly selling Uber accounts. The accounts are said to let buyers order trips using whatever payment method is attached to the accounts, while also providing them with the full trip history, email addresses, phone numbers and even location information for people’s home and work addresses stored on the accounts.

The price for such an account is said to be as low as $1, but it could get to $5, a price that won’t even get you around the block with a taxi. One of the sellers is said to have sold over 100 accounts to other buyers, but a lot more accounts are estimated to have been sold by now.

“We investigated and found no evidence of a breach,” an Uber spokesperson told The Verge. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report. This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”

The method used to acquire the accounts is not yet clear, but this comes after Uber disclosed in May that information about 50,000 of its drivers had been accessed by a third party. This might indicate that a security breach was found in the company’s system and exploited to get access to users’ account credentials.

However, Uber stated that the breach did not affect user names and suggested that the information leaked to the third party is unrelated to the stolen user credentials currently selling on the dark web.

Thank you The Verge for providing us with this information