From: aka <akademiker1@googlemail.com>
Message-ID: <559BF6A0.5080005@gmail.com>
Date: Tue, 07 Jul 2015 17:56:16 +0200
To: tor-talk@lists.torproject.org
References: <559BE795.8020505@gmail.com> <559BEFAD.9090604@countermail.com>
In-Reply-To: <559BEFAD.9090604@countermail.com>
Subject: Re: [tor-talk] Regarding the Hacking Team leak and the "TOR
 interception" (all uppercase Tor obviously)

The browser would send a SOCKS5 connect request to the Hacking Team
proxy server, which would connect to the real hidden service and
transparently proxy the content to the browser. If the hidden service
had an SSL connection (like the Facebook HS), it would try to MITM with the
installed cert.

The infected client would have to use Internet Explorer or Chrome, set up
for Tor usage.

chloe wrote:
> Hello,
> 
> how would this method work if an infected client tries to visit a hidden
> service?
> 
> Regards,
> Chloe
> 
> aka skrev den 7/7/2015 16:52:
>> Nothing special, they try to infect the machine using browser exploits
>> while the victim surfs without Tor. The malware then manually installs
>> an SSL cert and redirects the browser proxy from 127.0.0.1:9050 to
>> evilguys.com:9050, which does SSL interception with that installed SSL
>> cert. At the time of the leak only browsers on Mac and Internet Explorer on
>> Windows were supported, because they used registry keys to change proxy
>> settings...
>> Their attack currently doesn't work on TBB, not because it's more secure,
>> but because Hacking Team is incapable of programming proper
>> pre-encryption interception on the victim machine. If your computer is
>> infected ALL your traffic CAN be intercepted by definition, it just
>> takes some *able* malware developers to implement it.
>> Fun fact: old, public-source malware like ZeuS is able to intercept all
>> encrypted traffic in Internet Explorer and Firefox (including TBB).
>> So don't panic if hipsters like Jacob post PDFs without
>> reading/understanding them.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
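The thread above describes the malware's main move as a configuration change: the browser's SOCKS proxy is rewritten from 127.0.0.1:9050 to a remote host (evilguys.com:9050 in the quoted message) so that a hostile proxy sees the traffic before Tor does. A host-side check for that is straightforward, and the example below is an added illustration, not code from the list, from Tor Browser, or from the leaked Hacking Team material. It parses the two proxy-setting formats the thread touches on, the WinINet `ProxyServer` string used by Internet Explorer and the `network.proxy.*` prefs in a Firefox `prefs.js`/`user.js`, and flags any proxy whose host is not a literal loopback address. The sample setting strings are constructed, using the evilguys.com host from the thread and a documentation-range IP; the registry value name and Firefox pref names are real, but the audit functions and their message strings are this example's own.

```python
"""Flag a browser SOCKS/HTTP proxy setting that points away from loopback.

Added example for the tor-talk thread above (not code from the list or
from the Hacking Team leak). A Tor-configured browser should hand every
connection to the local Tor SOCKS port, so any proxy entry whose host is
not a literal loopback address is treated as a finding.
"""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

# Only the bare name 'localhost' is accepted as a name; everything else must
# be a literal loopback IP. Hostnames are resolved by the OS at connect time,
# so a look-alike such as '127.0.0.1.evilguys.com' must not pass.
LOOPBACK_NAMES = {"localhost"}


def is_loopback_host(host: str) -> bool:
    """True for 'localhost', 127.0.0.0/8 and ::1 (with or without brackets)."""
    h = host.strip().lower().strip("[]")
    if h in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def parse_windows_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Parse the WinINet ProxyServer registry value
    (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings).

    Two shapes exist: 'host:port' (one proxy for every scheme, reported as
    scheme 'all') or 'http=h:p;https=h:p;socks=h:p'. Port 0 means the
    setting omitted it."""
    entries = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, hp = part.partition("=")
        if not sep:  # no 'scheme=' prefix: applies to all schemes
            scheme, hp = "all", part
        if ":" in hp:
            host, _, port = hp.rpartition(":")
            port_num = int(port)
        else:
            host, port_num = hp, 0
        entries.append((scheme.strip().lower(), host.strip(), port_num))
    return entries


PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[a-z_]+)",\s*(.+?)\);')


def parse_firefox_prefs(text: str) -> Dict[str, Union[str, int, bool]]:
    """Pull network.proxy.* entries out of prefs.js / user.js text."""
    prefs: Dict[str, Union[str, int, bool]] = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def audit_windows(value: str) -> List[str]:
    """Findings for a ProxyServer string; empty list means all proxies are local."""
    return [
        f"{scheme} proxy points off-host: {host}:{port}"
        for scheme, host, port in parse_windows_proxy_server(value)
        if not is_loopback_host(host)
    ]


def audit_firefox(text: str) -> List[str]:
    """Findings for Firefox prefs; only the SOCKS host matters for a Tor setup."""
    prefs = parse_firefox_prefs(text)
    host = prefs.get("network.proxy.socks")
    if host is None or is_loopback_host(str(host)):
        return []
    return [f"socks proxy points off-host: {host}:{prefs.get('network.proxy.socks_port')}"]


if __name__ == "__main__":
    # Constructed samples: a sane Tor setup and the redirected one from the thread.
    for value in ("socks=127.0.0.1:9050", "socks=evilguys.com:9050"):
        print(value, "->", audit_windows(value) or "ok")
    redirected = ('user_pref("network.proxy.socks", "203.0.113.9");\n'
                  'user_pref("network.proxy.socks_port", 9050);\n')
    print(audit_firefox(redirected))
```

The check is deliberately strict about names: a browser configured for Tor has no reason to name anything but loopback, so a DNS name, even one that starts with "127.0.0.1", is reported rather than resolved. Pair it with a review of the machine's trusted root store, since the thread's second ingredient is an added certificate that makes the off-host interception look valid to the browser.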

