The FBI has once again launched its harpoons into the Deep Web, piercing the anonymizing layers of Tor to drag out the identities of two New York men who were indicted earlier this month on charges of possessing child abuse images.
The FBI doesn’t reveal how it bypasses Tor to track down the true IP addresses it’s designed to obscure.
(One exception was when the US government found itself defending the methods with which agents, without a warrant, managed to pull back the curtain and reveal the location of the hidden website for Silk Road.)
Some observers have suggested that court documents hint at the possibility of the FBI having planted a drive-by installation of some kind of malware to unmask the two men who allegedly possessed child porn.
As Motherboard reports, Stanford computer science and law expert Jonathan Mayer spotted a passage that journalist Nate Raymond had uncovered in the filings and which Mayer says confirms that the FBI deployed malware – what’s called a “Network Investigative Technique” in the court filing – to obtain the men’s real IP addresses.
Confirmed: the FBI deployed malware on another seized Tor hidden service. Nice docket sleuthing by @nateraymond. pic.twitter.com/5gtwqPeFbW
— Jonathan Mayer (@jonathanmayer) July 14, 2015
Foiling Tor to pull out the true identities behind the terrorists, paedophiles, gun-runners, drug dealers, sex traffickers and other serious criminals on the Deep Web has picked up steam in the past few years, as has interest in the FBI’s techniques to do it.
But while the FBI used some sort of IP-revealing trick, that doesn’t necessarily mean there’s zombie malware running riot through the world, downloading onto innocent people’s computers.
As Naked Security’s Paul Ducklin points out, the FBI doesn’t necessarily need to install malware to have a good chance of figuring out who or where you really are.
It doesn’t require a drive-by download or a true drive-by-install onto the computers of all visitors to the Dark Web site.
The FBI appears to have enough tools in its kit that agents don’t need to permanently plant something onto your computer.
Rather, a transient, one-shot shellcode payload is sufficient – no persistence needed (that’s a fancy word for software that unexpectedly keeps on running after you reboot, or log out and back in, or even just after you close your browser).
Just a link that ties some anonymous traffic to a specific computer during one specific time slot, paired with whatever other evidence the prosecution presents, would surely be enough to press charges.
While there’s been a lot written about how difficult it is for law enforcement agencies such as the FBI to deal with the Dark Web, the reality is that in the past few years, we’ve seen:
- The Dark Web isn’t necessarily all that tough to map. One researcher, for example, has been making a map, pulled from the places on the normal, indexed internet where users talk about the Dark Web and direct each other to specific hidden sites. Granted, while many parts aren’t all that hard to find or visualise, mapping this land still entails tracking a fast-moving target: some 10% of sites posted on Pastebin are deleted within 48 hours, given that most are set up temporarily by criminals to point to illegal services before quickly being deleted.
- We might be overestimating how many sites are out there. It’s been estimated that the Dark Web only has about 7000 active sites at any one time. How much of those are devoted to images of child abuse? There’s an interesting, though unverified, post on Reddit from an admitted pedophile who says there are very few, in spite of what the media describes as a Deep Web awash in child porn:
Of the hundred or so advertised onion [child porn] sites, only about 5 are imageboards or communities actively trading [child porn]. The rest of the sites are stories, links, and other non [child porn] material. Lack of new material and few onion [child porn] sites the past years made users open to trying the honeypot site to see if a server with new material was made.
- NASA’s mission to explore the universe now includes the Deep Web. It recently joined up with the Defense Advanced Research Projects Agency (DARPA) on its Memex program, which is working to “access and catalog this mysterious online world.” Memex tools were actually used by law enforcement to track down sex traffickers for about a year before Memex was revealed.
- A number of investigations have used undercover policy, malware and/or clever technology. One example is Silk Road, once one of the top markets for illicit drugs and other contraband and services. The FBI didn’t foil Tor to get at Silk Road just once, mind you: it took it down multiple times. The site’s reboot, Silk Road 2.0, was taken down after a successful, 6-month attack on Tor.
It matters whether the recent bust involved a so-called watering hole attack, which would have downloaded malware onto the computer of every one of the unnamed site’s 200,000+ visitors, many of whom well may have been innocent when it comes to possessing child porn.
If that’s what the FBI did in fact use, it was not only an impressive feat – given that it was done with only one search warrant – but also a worrisome one from a legal standpoint, given that such a so-called “general warrant” is extraordinarily broad.
But the fact is, we don’t really know how the FBI got the true IP addresses of the men it indicted.
All we know is that it’s got far more than just one way to peel an onion.
Image of laptop courtesy of Shutterstock.
6 comments on “FBI again thwarts Tor to unmask visitors to a Dark Web child sex abuse site”
Hmmm. Naked Security usually publishes the text in images (in Courier font) beneath the images, even when the images themselves are eminently readable.
But today you’ve published an image (from Twitter) that’s unreadable and failed to add the text content. Disappointing….
Hi Laurence, Sorry to hear you’re disappointed in us. We did link to the passage (https://www.documentcloud.org/documents/2165971-us-v-ferrell-affidavit-in-support-of-search.html#document/p11/a227112) in the paragraph above but we see your point about embedding that tweet with the image attached. It’s a bit long to embed the text from the documents in our article but hopefully the link to the passage helps. Thanks.
It still boggles the mind that there was sign off for sites like AshleyMadison or some illegal site getting created online and that those that concocted the sites thought they wouldn’t be a target.
Corruption at its finest
In the case file document referenced, the last sentence (in the screenshots available) mentions the data that is returned “each time any user or administrator logged into Website A by entering a username and password.”
The curious bit of data returned from the target is “information about whether the NIT had already been delivered to the computer.”
Something must be left on the machine in order for it to return this info, because the document clearly states that this is from the TARGET; not from DATABASE containing information about the target,
By now it should be obvious to anyone and EVERYone that the FBI, the NSA, and even Homeland Security have “teamed-up” to form what ” I ” refer to as international cyber “Superpol!!!” ( The Internet’s worldwide super police force. ) In short, the international community receives at least 3 million dollars YEARLY just for the purpose of fighting cyber crime!!! It don’t matter what you say, what you do, or how ‘clever’ you might be, there’s just no way to fight that kind of well funded dedicated effort and super-sophisticated law enforcement technology on a regular beer ( working-man’s ) budget!!! Now the deep web is not so deep anymore. In fact, it’s like a very clear, very shallow “wading pool!!!!” Yesterday, the Internet was a cool place to get away with questionable behavior. TODAY, the World wide web is a STUPID place to misbehave. Child porn people will now have to go back to wearing trench coats and peddling their trash in seedy neighborhoods where there’s still a slight chance of getting away with it. They sure as hell can’t use the INTERNET no more, ….. Praise The Lord.