
Is the NSA ultimately behind malware that de-anonymised pedophiles on Tor?

The brouhaha surrounding online pornography and the NSA snooping scandal appear to have converged in dramatic fashion, after malware that compromised user anonymity on the Tor 'deep web' network was traced by security researchers back to US government surveillance agencies.

Tor confirmed recently that a Firefox JavaScript exploit had been used to expose the identities of certain users of Freedom Hosting, a hidden service provider operating on the supposedly anonymous network.

Specifically, the attack is understood to have de-anonymised those utilising Freedom Hosting's deep-lying servers to access sickening child abuse images, including a 28-year-old Irishman dubbed by the FBI "the largest facilitator of child porn on the planet."

Eric Eoin Marques is thought to be in police custody in Dublin ahead of a potential extradition to the United States and Freedom Hosting is now offline.

Tor has quickly sought to distance itself from pedophiles who might operate on the deep web.

"Organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example," Tor wrote.

Now, joint research by Baneki Privacy Labs and VPN provider Cryptocloud, as reported by Ars Technica, claims to have identified the source of the Tor breach: private US defence contractor Science Applications International Corporation, or SAIC.

The truly spine-chilling revelation is that the IP address traced appears to have been part of a block allocated by SAIC to the NSA, the US security body whose controversial PRISM programme was recently revealed by whistleblower Edward Snowden.

"One researcher contacted us and said, 'Here's the Robotex info. Forget that you heard it from me,'" a member of Baneki who requested not to be identified told Ars.

Some have said that the research may be flawed due to aged domain data, but the researchers maintain that DNS data point firmly to SAIC facilities.

"We've seen many cases of geo info in ARIN inaccurate, but NEVER a case where IP ownership info is 'outdated,' ever. Again, however, we defer to credentialed subject matter experts as the final arbiters on what the IP data signify. We'll be surprised if in the end, it's somehow an 'error' and NSA/SAIC has no connection whatsoever," commented a Baneki spokesperson.

One theory is that the NSA or SAIC may have deliberately left the IP address behind the attack traceable, so as to make a statement to the online community.

"This challenges the assumption people have made that Tor is a simple way of maintaining your anonymity online," Alan Woodward, CTO at security firm Charteris, told the BBC.

Woodward added: "The bottom line is that is not guaranteed even if you think you are taking the right steps to hide your identity. This is the first time we've seen somebody looking to unmask people rather than just security researchers discussing the possibility."