Who just pwned the Tor anonymity network? All signs point to the hackers at the FBI

It seems hackers have attained a new image. Forget scruffy 20-something males carrying backpacks and desperately in need of personal grooming. Think buzz cuts, gray suits, and Brylcreem. As feds and hackers eyed each other warily across the blackjack tables at last week’s Black Hat conference, some were apparently busy attacking the Tor anonymity network.

Tor was designed to mask the identities of political dissidents, whistleblowers, abuse victims, and anyone else concerned about who might be watching where they go on the Web. But like every tool created for good, it has also been deployed by criminal elements. Now it seems these tools can be abused by a third party: our friends in law enforcement.

Tor takes a tumble

This much we know: Over the weekend, somebody exploited a known JavaScript vulnerability in the Firefox browser that’s included with the Tor anonymity software bundle and used it to distribute malware. They created websites on Ireland-based Freedom Hosting, a notorious hive of child porn that’s accessible only via the Tor network. These sites then performed drive-by malware downloads to anyone who visited.

The sole purpose of the illicit code wasn’t to coerce the compromised computers into a bot network. It was not to steal personal information. It was not to host other illicit websites, send spam, hold the systems ransom, or any of the other nefarious things real cyber criminals do. No, the sole purpose of this malware was to uniquely identify each machine — period — and to send that identifying info back to servers based in Reston, Va. In other words, it was really an attack on Tor’s ability to keep its users and hosts anonymous.
Security researcher Vlad Tsyrklevich, who reverse-engineered the hack, says the malware was most likely planted by law enforcement agents attempting to establish a digital trail between a suspect’s machine and the websites in question. Given that the FBI just announced plans to extradite the “largest facilitator of child porn on the planet,” and said facilitator happens to be the operator of Freedom Hosting — well, even I can add two and two and come up with four (most of the time).

Wired hacker-turned-journalist Kevin Poulsen makes a strong case that the technology in play is one that has been used by the feds for more than 10 years — the “computer and Internet protocol address verifier” (CIPAV). A 2009 Freedom of Information Act request by Wired revealed that the FBI had used CIPAV in multiple cases involving extortion, threats, cyber stalking, and other crimes, all of them after obtaining court approval for using the software.

Today it’s Tor, tomorrow it’s … ?

I don’t think any reasonable person can have a problem with the FBI going after a child porn merchant, especially if indeed it obtained court approval first. The problem is what else that software can be used for. What other seemingly anonymous Tor users could be outed? Like, say, any of the whistleblowers that have been filling the headlines lately? Remember, the New Yorker Magazine’s Strongbox alternative to WikiLeaks also operates as a hidden service on Tor.

This is not a new problem, nor will technology alone make it go away. Just last week I had a conversation with the CEO of a company that sells communications encryption hardware. Plug one of this company’s AES256 chips into your phone, put one in your recipient’s handset, and you can have a conversation without worrying about whether the NSA, Chinese spies, or anyone else is squatting in between you with their finger on the Record button. I asked him the obvious question: What’s to keep the bad guys from using his technology to evade detection?
His response was that his company always performs thorough background checks before it sells anything to anyone — and certainly won’t do business with anyone hailing from the U.S. government’s short list of verboten countries. Since many of his clients are in the federal government — he mentioned the DOD, but refused to confirm or deny any three-letter agencies — his company has a keen interest in avoiding any suggestion of criminality. But background checks only go so far (remember, Ed Snowden and Bradley Manning both passed theirs), and there are certainly encryption companies with fewer scruples.

The other obvious question I asked: If one of the endpoint devices in the communication gets compromised, isn’t that essentially game over? If the spooks can listen in on one end, doesn’t that make encryption moot?

His response: No one in the security business will ever tell you any solution is 100 percent secure. I guess the same now goes for the world of anonymity services.