$30,000 to $1 Million -- Breaking Tor Can Bring In The Big Bucks
FORBES STAFF
I cover crime, privacy and security in digital and physical forms.
Earlier this year, before his company was torn apart by a security breach, I was having coffee with Eric Rabe, the mouthpiece for Hacking Team. The Italian organisation, which even its CEO called a “notorious” provider of government spyware, was looking to expand its line of products, Rabe said. That included targeting the anonymizing Tor network, where civil rights activists, researchers, paedophiles and drug dealers alike try to hide from the global surveillance complex.
Rabe wouldn’t say much more on how it might do that, but just a matter of weeks later, the leaks from the attack revealed their Tor exploits – a service that would see Hacking Team hardware placed on a target’s ISP to intercept their previously-hidden traffic. Given it was selling its malware for millions of dollars, one would expect its anti-Tor tools to be worth a fair sum too, such is the obsession amongst mandarins and snoops with the so-called “dark web”.
If it hasn’t already been made apparent, cops, spies and their contractors will pay anyone big money to break Tor. Unsubstantiated claims from the Tor Project that a pair of Carnegie Mellon (CMU) researchers were paid $1 million by the FBI to de-anonymize users are shocking not so much because of the figure, but because university researchers, not private dealers, were allegedly selling (keep in mind no one has admitted to any such deal and for now, the claims are based on hearsay and educated assumptions). There’s also been much anxiety around the techniques used – essentially catch-all exploits that could well have ensnared a vast number of innocent users, according to Tor Project leader Roger Dingledine. Was it justifiable to do that for the sake of catching a Silk Road 2 user and possibly some paedophiles?
There are, though, a vast number of those private exploit salesmen and women now focusing on Tor. A few times a year they share their exploits in private forums and exhibitions. Their hacks might place most Tor users in danger, but there’s currently not so much of a furore surrounding their business practices, even if concerns have been raised in the past.
Chaouki Bekrar, the founder of exploit sales firms VUPEN and Zerodium, says attacks targeting Tor nodes and de-anonymizing dark web users “are the holy grail of exploits for government agencies in charge of criminal investigations”. Zerodium, he says, is currently offering researchers up to $30,000 per zero-day exploit – an attack on an otherwise-unknown, unpatched vulnerability – targeting the Tor Browser Bundle. That’s the same Zerodium that offered a $1 million bounty for an untethered iPhone 6 jailbreak via browser exploits. As Zerodium will then sell zero-days on to interested parties, there’s likely a significant mark-up on that $30,000 by the time it is passed on to government agencies.
Hacking Team’s Rabe, though coy about his company’s interest in Tor over email, expressed little surprise that a university may have been paid $1 million for such a service. “If the work led to shutting down a major drug bazaar on the Internet, law enforcement might well feel that $1 million was cheap compared to the lives potentially destroyed by the criminal activity.” “Clearly, any effort such as the one Tor alleged happened here would have significant value based on the time and expertise required as well.”
The company was due to talk at ISS World Training in Prague this summer about breaking Tor, in a presentation entitled “Demystifying SSL/TOR Interception: Attack case history and state-of-art countermeasures”. SSL is a web encryption protocol, shown in the address bar with the HTTPS prefix. The company’s CEO David Vincenzetti, operations manager Daniele Milan, and QA manager Fabrizio Cornelli were due to give the talk.
A brief look at the line-up for recent ISS conferences, which press and non-industry folk are not permitted to attend, also provides ample evidence that the dark web is a big seller. In October, the events organizer, TeleStrategies, provided a training seminar in Washington D.C. with the title “Understanding and Defeating Tor”.
The techniques described in the presentation’s blurb cover similar ground to the promises of the cancelled Black Hat talk from CMU. TeleStrategies’ Dr. Matthew Lucas, who told me his alma mater happens to be CMU, was focused on “identifying Tor traffic via IP lookups and protocol signatures”. He was also to guide law enforcement attendees through malware infection and uncovering “identity-related traffic outside the Tor stack”.
Dr. Lucas was due to give a talk about how Bitcoin and dark markets, such as the now-defunct drug bazaar Silk Road, worked together too. That was part of an entire track dedicated to the “Dark Web, Tor and Bitcoin Investigation”. There will be many, many more seminars on exposing those on Tor across a wide range of ISS events over the next year.
OK to break Tor… most of the time
Why are Tor exploit sales deemed a depressing fait accompli but similar deals between academia and government are perceived as more ethically abhorrent? Universities across the world work closely with intelligence agencies and law enforcement, receiving significant funding in return.
CMU, for instance, hosts a major Computer Emergency Response Team (CERT) that regularly partners with government and law enforcement as they try to cope with manifold online threats. It is primarily funded by the U.S. Department of Defense and the Department of Homeland Security, and is widely seen as a boon to keep everyone abreast of the latest digital threats.
Born in the embryonic phase of the Cold War, the MIT Lincoln Laboratory, a federally-funded entity, continues to research ways to benefit national security. It has dedicated surveillance and cybersecurity arms.
In the UK, GCHQ is increasingly active in its sponsorship of universities. The Heilbronn Institute, for instance, comprises distinguished research fellows at various UK universities. Half their time is spent pursuing research directed by the spy agency. Their research output is esoteric and little is known about how GCHQ uses the fellows’ findings.
Just this week, GCHQ announced a £6.5 million scheme “to support cutting edge cyber security research and protect the UK in cyber space”. Again, who knows how GCHQ might use what it learns from the so-called CyberInvest project? It has certainly been interested in hacking Tor in the recent past.
Academics need that kind of sponsorship to get on with their work, to the extent that a $1 million payday from the FBI shouldn’t be much of a surprise if true. “Note that a £100,000 personal grant is barely sufficient to obtain a PhD in the UK for an EU citizen,” said Dr. Markku-Juhani O. Saarinen, a research fellow with the Centre for Secure Information Technologies at Queen’s University Belfast. “In CMU a small multiple of that would be required due to significantly larger tuition fees. Factor in administration, laboratories and other facilities, travel to conferences, etc., and a research project employing a couple of persons for a few years may easily cost $1 million.”
It’s also worth noting that the Tor Project has received significant grants from various parts of the US government – grants that help it stay up.
“I think Tor are being a little disingenuous,” said Professor Alan Woodward, a security expert from the University of Surrey, one of a handful of UK universities to have been named an Academic Centre of Excellence in Cyber Security Research, receiving a grant in the process. “CMU is a research-only university and relies on external funding from a variety of sources. Not a great surprise then that the US government would pay them for their expertise in this area.”
But, for many, if CMU really did give away a set of Tor exploits for $1 million, there are ethical difficulties. Saarinen said that if he had the chance to earn that much to crack Tor, he would take it, but he would ask for assurances he could report any findings back to the Tor team.
Keith Martin, from London’s Royal Holloway, said GCHQ provides both sponsorship of PhD projects and small grants for certain projects, though it is never requested by the intel agency. But, he said, if the stories were true about CMU, he’d see “an ethical clash between CMU’s apparent undermining of Tor and its technical support for Tor”. CMU not only helps run some of the nodes that make up the Tor network, but is believed to have set up malicious ones to carry out its attacks.
Matthew Green, cryptographer and professor at Johns Hopkins University, perhaps put it most eloquently in a blog post today: “Active attacks that affect vulnerable users can be dangerous, and should never be conducted without rigorous oversight — if they must be conducted at all. It begins with the idea that universities should have uniform procedures for both faculty researchers and quasi-government organizations like CERT, if they live under the same roof. It begins with CERT and CMU explaining what went on with their research, rather than treating it like an embarrassment to be swept under the rug.”
Whether true or not, Dingledine’s claims have brought up some big ethical questions that are, by their very nature, polarizing and possibly intractable. One fact that everyone can agree on, however, is that Tor is frequently shown to be flawed. For those who perceive Tor to be the home of drug dealers and paedophiles, this can only be a good thing. For those who see it as a beneficial tool for those who want to preserve their privacy and speak their mind away from the gaze of government, it’s simply depressing.
Period: 12 Nov 2015
Media coverage
Title: $30,000 to $1 Million -- Breaking Tor Can Bring In The Big Bucks
Degree of recognition: International
Media name/outlet: Forbes
Date: 12/11/2015
Producer/Author: Thomas Fox-Brewster
URL: www.forbes.com/sites/thomasbrewster/2015/11/12/earn-money-breaking-tor/
Persons: Markku-Juhani Saarinen