/d/OpSec

15,203 subscribers

Discussion about OpSec, Threat Models, Protection, Assessment and Countermeasures.

A new wave of LE tor nodes; CIA Triad

by /u/Zolyn · 5 votes · 1 week ago

There is a new wave of bad exit nodes collecting as much information as they can. These nodes are mainly in Swedish territory and named CIA Triad. I use Qubes and Whonix with proxychains so each TCP packet is individually going through Tor, so if my exit is compromised my Tor control has a proxy, but I map my exit nodes for extra protection. These exit nodes have already come across my system about 4 times. Upon analysis of these exit nodes, these servers are trying to download a certificate onto my machine. Meaning if a select IP has authorization to that certificate, the attacker can download, or spy on my current activity. Always verify your exit node; watch out for CIA Triad.

Comments (42)
/u/Xerax909 · 5 votes · 1 week ago · Link

Can you please provide more information for the layman on how to protect against this?

Or point toward some resources that provide a strong start to researching it?

/u/Zyln · 1 votes · 1 week ago · Link

If you are on Windows this is a much more significant risk since OCSP verification is required for each application and signature of an HTTP/HTTPS request through the system. If you are using Windows this will attack WinHTTP storage. Certificates are used to sign most websites you visit and the applications requesting updates to assure they are legitimate. Meaning an IP can acquire access by verifying that illegitimate certificate and download spyware or malware. The solution is controlling your exit node with a trusted-nodes TCP overlay. Isolating your session is most important; that's why Qubes always wins.

/u/StarScream999 · 1 votes · 1 week ago · Link

How do SSL certificates, and how they're verified in Windows, have anything to do with your theory that the CIA are running TOR exit nodes? Your claim that OCSP will accept illegitimate certificates has no merit. Where are you getting your information?

/u/Zyln · 1 votes · 1 week ago · Link

Unfortunately Windows saves certificates to WinHTTP for future use, meaning no specific application but authorization per HTTP/HTTPS request. If you read the post, the node is trying to download illegitimate OCSP to the system in the background for authorization through HTTP requests by Verizon, a known NSA, FBI and CIA contributor.

/u/StarScream999 · 1 votes · 1 week ago · Link

Where's the proof that this node is transmitting illegitimate OCSP-validated SSL certificates?

All phone companies in America are NSA, FBI, CIA contributors. Ever heard of FISA?

/u/Zyln · 2 votes · 1 week ago · Link

/u/StarScream999, if you actually want to make valid points and have a discussion, because I could be wrong, but don't come at me defenselessly. Don't make points based on emotion.

/u/StarScream999 · 1 votes · 1 week ago · Link

Sorry, I'm sort of having a bad night, I didn't mean to come off on you, and I appreciate you being civil. However, I find your theory that the CIA is running TOR exit nodes in their own name to be completely absurd.

/u/Zyln · 1 votes · 1 week ago · Link

I understand, and again I may be completely incorrect. I have multiple experiences with IPs stating CIA Triad in sandbox sessions, and my Tor would not verify the signature the next day every time.

/u/StarScream999 · 1 votes · 1 week ago · Link

I am not familiar with that detailed level of TOR networking. And I don't want to get in a huge all-night argument with you about it or anything, as I'm feeling pretty shitty after all the abuse I've been put through on Dread tonight, but what is the TTL of a signature on a TOR exit node? Meaning, if you connected to an exit node last night and the signature didn't validate the next day, what would that be indicative of?

/u/greatwhitelemonshark · 1 votes · 1 week ago · Link

Is this a worry for people using Tails?

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

Make sure that your browser settings are set to "HTTPS-Only mode" under Privacy and Security.

/u/CasioMarket · 1 votes · 1 week ago · Link

Interesting, thanks for the info!

/u/StarScream999 · 1 votes · 1 week ago · Link

Do you have any proof this is happening? Where did you glean this "top secret" information from?

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

Can you verify any of the following:

/u/Zyln · 1 votes · 1 week ago · Link

Unfortunately I forgot to save the credentials of my other account. These are very similar; I decided to keep restarting my Tor control panel and anonymity overlay. Not the original:

IPv4: 185.220.101.163
ISP: CIA Triad Security
Services: Suspected Network Sharing Device
City: Triesen
Country: Liechtenstein

Referring to the original meaning regarding networking: Confidentiality, Integrity, Availability. These IP addresses usually return to very unusual https://. The one shown above downloads an OCSP Verizon-signed certificate leading to an IP of 72.29.xx.xx. Every report of 72 is deleted every 3 months, of people upset about constant application manipulation.

/u/HeadJanitor Moderator · 2 votes · 1 week ago · Link

Make sure that your browser settings are set to "HTTPS-Only mode" under Privacy and Security and don't run any cryptocurrency until whatever you are describing clears. Be safe.

/u/Zyln · 1 votes · 1 week ago · Link

Completely agree. You as well.

/u/StarScream999 · 2 votes · 1 week ago · Link

LOL. You do realize that the CIA wouldn't just advertise themselves under their own name? They use fake corporation names when they do their work, so let's have a look at this IP you claim is from the CIA.

inetnum: 185.220.101.64 - 185.220.101.255
netname: RELAYON
remarks: -----------------------------------
remarks: This network is used for Tor Exits.
remarks: We do not have any logs at all.
remarks: For more information please visit:
remarks: https://www.torproject.org
remarks: -----------------------------------
organisation: ORG-CTSL7-RIPE
org-name: CIA TRIAD SECURITY LLC
org-type: OTHER
address: 2701 Centerville Road
address: New Castle County
address: Wilmington
address: Delaware 19808
address: USA

So, "CIA Triad Security" is the name of a company registered in Wilmington, Delaware, which is where many corporations choose to place their LLC, S-Corp, INC, DBA, etc. Anyone can name a company CIA or whatever they want, which is what this corporation is. Let's take a look at the Delaware business registration.

I hate to have to out these people, as it's more than likely the TOR Project who owns and operates this node. Because why would the CIA advertise running their own exit node? That agent must have slept through spy school if he did some shit like that.

http://linx4f75phtm63mxalb2wtspofcodku5lwofiyoupda4n4uc6cfjuzid.onion/cia.png

Looks like they forgot to pay their taxes on their LLC. BIG MISTAKE CIA!

X - Ceased Good Standing - This represents an entity that failed to pay their annual taxes timely. For example: 2002 taxes due June 1, 2003 were not received by end of day June 1, 2003.

The server name is tor-exit-163.relayon.org and it is running in Berlin, Germany. I can tell by the nameservers.

101.220.185.in-addr.arpa IN NS ns3.in-berlin.de 86400s (1.00:00:00)
101.220.185.in-addr.arpa IN NS ns1.in-berlin.de 86400s (1.00:00:00)
101.220.185.in-addr.arpa IN NS ns2.in-berlin.de 86400s (1.00:00:00)
101.220.185.in-addr.arpa IN NS ns4.in-berlin.de 86400s (1.00:00:00)
101.220.185.in-addr.arpa IN PTR 101.220.185.in-addr.arpa 86400s (1.00:00:00)
101.220.185.in-addr.arpa IN SOA
server: ns1.in-berlin.de
email: domain@in-berlin.de
serial: 2021091612
refresh: 7200
retry: 1800
expire: 604800
minimum ttl: 86400

So, here's 2701 Centerville Rd, Wilmington, DE. Looks like a PO forwarding address or a server farm. (Sorry for the image filesize)

http://linx4f75phtm63mxalb2wtspofcodku5lwofiyoupda4n4uc6cfjuzid.onion/cia2.png

So, unfortunately, I'm not willing to fill out the $10-20 to the State of Delaware to see the name of the owner, which probably wouldn't tell me much anyway.

https://centralops.net/co/DomainDossier.aspx?addr=185.220.101.163&dom_whois=true&dom_dns=true&traceroute=true&net_whois=true&svc_scan=true

Relayon.org is behind a privacy shield, as all domains are these days. And here's their entire list of exit nodes.

https://nusenu.github.io/OrNetStats/w/contact/b29345483f843f6e8a62bd103fd5c41f.html All 185., no 72.29's to be had.

So, what about relayon.org?

Relayon.org

----------------

relayon.org Domain Dossier

With a COMPLETELY VALID SSL certificate.

HTTPS - 443 Certificate validation errors: None
Signature algorithm: sha256RSA
Public key size: 2048 bits
Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Subject: CN=relayon.org
Subject Alternative Name: DNS Name=relayon.org, DNS Name=www.relayon.org
Serial number: 0080B6CDF27E4358084AE5062082F051BF
Not valid before: 2021-04-13 00:00:00Z
Not valid after: 2022-04-13 23:59:59Z
SHA1 fingerprint: B825228389B6A9AC0814B27AA1B372C389CC7BC0

HTTP/1.1 200 OK
keep-alive: timeout=5, max=100
x-powered-by: PHP/7.2.34
content-type: text/html; charset=utf-8
cache-control: public, max-age=0
expires: Mon, 22 Nov 2021 04:54:29 GMT
date: Mon, 22 Nov 2021 04:54:29 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
connection: close

[1/2]

/u/StarScream999 · 2 votes · 1 week ago · Link

But wait, Mulder and Scully! We missed someone. WHO is APEX RESIDENT AGENT SERVICES LLC?!!? Well, more than likely it's a company that creates LLCs for other companies. And your CIA rabbit hole goes deeper than I want to dig right now, but if you want to, go to https://icis.corp.delaware.gov/eCorp/EntitySearch/NameSearch.aspx and hunt them down yourself. You'll have to do it in a clearnet browser because they require reCAPTCHA etc.

So, if you're conspiracy minded: CIA Triad Security LLC is clearly a CIA front company running TOR exit nodes to catch.... well, the CIA doesn't go after drug runners, but they have been known to run drugs. Maybe they're trying to buy up all the cocaine to fund another proxy war?

And if you're not conspiracy minded: You'll realize anyone can register an LLC in Delaware and call it anything you want, like "FBI Bust Yo Ass Security" or whatever you want, just as long as you have about $500.

But, unfortunately, there is zero evidence that this network is transmitting fake SSL certificates.

This whole conspiracy theory about it transmitting fake SSL certs through OCSP is a complete myth.

Is OCSP secure?

OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as Certificate Revocation List (CRL).

Does OCSP use HTTPS?

Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders. Some web browsers use OCSP to validate HTTPS certificates.

What is OCSP and how does it work?

So, unless you know absolutely nothing about spycraft, you would know the CIA would not put servers in their own name. It would be so plainly obvious as to be stupid. We know the CIA and FBI register cars, planes, real estate, and all sorts of assets in fake names and there are countless examples of this on Google. This is like a neighbor naming their Wifi network "FBI Secure Network - Do Not Connect". It's just a joke from the registered owner of this server farm of TOR exit nodes they're running.

-SS

[2/2]

/u/Zyln · 1 votes · 1 week ago · Link

Seems like you completely missed the point I was talking about and checked the OCSP of the server. The FBI uses Google services registered to Google as well as Verizon and AT&T. It's very strange how hard you are trying to disprove this. Doing a WHOIS lookup proves nothing.

/u/StarScream999 · 1 votes · 1 week ago · Link

Not just a WHOIS. In all seriousness, it's a very good service. Try it out sometime: CentralOps, click on Domain Dossier and it will do the following:

  • domain whois record

  • network whois record

  • DNS records

  • service scan (port scan of commonly open ports and their responses to them)

  • traceroute

They also have a very nice Nslookup tool, an email validator to see if an email address is working, and some other cool free tools.

You checked the OCSP of which server specifically, and how did you check it? How do you query an OCSP server and determine it's giving out invalid information? This is something I honestly don't know, but I understand how OCSP works. You're talking about an SSL spoofing exploit that TOR wouldn't detect (even though most onion domains only run HTTP and not HTTPS)?

Or are you saying the certificates passed between TOR nodes are transmitting fake SSL data, because last time I checked, TOR doesn't use OCSP?

I'm a bit confused by your entire premise.

Yes, we all know all phone and internet companies within the 5 Eyes countries cooperate with their internal security services to scrape data. But that still doesn't mean the NSA has cracked TOR, or if they have, they sure aren't doing a lot about it.

/u/Zyln · 1 votes · 1 week ago · Link

As you saw with my Windows statement, it downloads the certificate for authorization used by an IP address 72.29.xx.xx to WinHTTP in the background. The NSA could be on your computer right now and you would have no idea with the types of malware they have automatically distributed.

/u/StarScream999 · 1 votes · 1 week ago · Link

Well, that's not exactly how it would work.

This is in relation to Apple, but same principle:

Tor does not, never has, and never has even tried to, capture "ALL" of the traffic on any OS. It's just a SOCKS proxy, period. If you ever thought Tor could do that, you were just wrong.

There are various third party add-ons for various systems that do try to funnel "ALL" traffic through Tor in various ways. ORBot for Android tries to act like a VPN for the phone. Outboard hardware like the Pi-hole will try to put everything on a subnet through Tor. Tor-centric OSes like Whonix and TAILS put all of their traffic through Tor. You can hack something up to do it on vanilla Linux.

... but so far as I know, there has never been anything that tried to do it on MacOS. Maybe I just don't know about some weird hack that's available, but even if there is one, it's not part of Tor proper.

It's also not something anybody should ever have relied on anyway, because trying to "act like a VPN", on a general-purpose OS that's not cooperating, is prone to be leaky regardless of the OS. As long as programs running in an OS can find out the system's "real" IP address, they can leak it, so if you're serious about containing non-cooperative programs, you need to deprive them of that information.

The Tor Browser doesn't do any of that. It just sends the traffic from the browser app itself over Tor using SOCKS.

Tor browser only routes its own traffic through the Tor network. By the time that traffic hits the kernel it should already be encrypted.

So, it would not be possible for an SSL certificate to run an executable program on your computer remotely. That would require an entirely different set of tools. If it was spoofing the SSL certificate validation, it would be able to steal your traffic from that node while you're connected to it for the X amount of time you're connected until point Y when you disconnect (I'm not sure if TOR publishes data for how long it stays connected to each of the 3 nodes it connects you through, but it would also depend on packet loss, users closing their servers, servers crashing, etc., etc., etc., then TOR would simply reroute you somewhere else.)

Source: https://news.ycombinator.com/item?id=25110793

But, let me make sure I'm understanding you correctly. You're connecting to a TOR exit node that's running OCSP, and I am searching my little fingers to the bone to try and find out if TOR actually even uses OCSP; there are reports of old bugs with it from the 2010s and them being patched, and that's as far as I can get, this post from 2011 saying they patched a bug in the CA (certificate authorities) being compromised. So, I can't give you a valid answer. I searched the entire TOR Project's website for "OSCP" and got no results back, so one of us might have to take a dive onto TOR's IRC server or something and ask an actual human being, because I was under the impression that TOR does not use OCSP.

As far as WinHTTP, you can read all about its details in all its glory here: https://docs.microsoft.com/en-us/windows/win32/winhttp/about-winhttp; however, it is very vague. I don't know if it runs as a service, is a kernel-level mechanism, if every web browser goes through WinHTTP, or only Microsoft's.... However, it appears most services are using something called WinINet now, and not WinHTTP: https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-vs-winhttp.

This is becoming quite the complex topic.

/u/pizzamaker873245238 · 1 votes · 1 week ago · Link

Are there any write-ups about downloading and verifying Qubes / Whonix on here at all?

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

There is a vast amount of information out there about the Qubes-Whonix setup.

https://www.whonix.org/wiki/Qubes

Just to be clear. The complete package is a bare-metal hypervisor based on Xen, upon which Qubes sits, managing separate and isolated VMs for Whonix or Debian or Fedora; enabling enhanced compartmentalization of user activities for better privacy and security.

Their documentation/wiki is gold.

You can very easily test-run Whonix on your current machine.

/u/pizzamaker873245238 · 1 votes · 1 week ago · Link

Send me a message in my inbox please. I would like to talk with you further :)

/u/HeadJanitor Moderator · 2 votes · 1 week ago · Link

Done.

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

There are currently 1419 exits as of this post and your account has three hours -- where did you download your installation of Tor?

/u/Zyln · 1 votes · 1 week ago · Link

I only came to post about the issue. I use Qubes and Whonix with a Tor TCP overlay and a proxy. I monitor my onion circuits and continuously map my exit nodes. I found this a month ago when I was editing my torrc.

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

You should see an error message stating: The SSL certificate served by https://www.torproject.org is invalid!

It could be an exit node doing SSL interception but either way change your circuits and identity. Hopefully it is a transient error. Stay safe.

/u/Zyln · 1 votes · 1 week ago · Link

I was thinking SSL interception at first. But as I dug more, it targets the system more than the actual HTTP request.

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

If you were able to build a circuit in the first place then things were working properly and the exit node wouldn't know who you were. This could either be a strange occurrence or a direct attack from outside of the Tor network. Telecom Liechtenstein AG indicates zero risk with 9001/tor-orport closed and no proxies. Hopefully the system itself is sound and clean.

/u/Zyln · 1 votes · 1 week ago · Link

I'm wondering if it's a system issue myself; I could be wrong. A lot just doesn't add up with CIA Triad; that's why it's so suspicious. Especially when sandboxing the session and the unusual HTTP requests. I had to stop using Tor for a while since, when this came across the first time, Tor Browser couldn't verify the signature and would decide the download useless. I map everything specially now so it should be fine.

/u/HeadJanitor Moderator · 1 votes · 1 week ago · Link

It might be your system. You can always edit “torrc” settings file and set TOR Exit Node to Specific Countries via ExitNodes and avoid whatever country is of concern. And/or remove and re-install Tor and verify the file.

/u/Zyln · 1 votes · 1 week ago · Link

Yes that's exactly what I am referring to.

/u/Anonimo · 1 votes · 1 week ago · Link

As long as they increase the speed.

/u/Zyln · 1 votes · 1 week ago · Link

lol that is pretty funny.

/u/Anonimo · 1 votes · 1 week ago · Link

Don't forget about the RealTime Clone / Mirror Website:

http://dreadytmvtqgvzlqgrkfy5hkhkwrg74l3ma4qrs4tu2udnqhz3xa25id.onion/post/81b70e750bbc15fee2ca

vs.

http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/81b70e750bbc15fee2ca

/u/sstanl · 1 votes · 1 week ago · Link

So, how is this a problem?

If you're browsing darkweb, it's irrelevant anyways (no exit nodes involved).

If you're browsing clearweb through Tor and follow recommendations (https only, own store of trusted ca certs only), all they could see is which servers are connected to for as long as a circuit lives, still without knowing any content nor who's using that circuit. Really an issue here?

Of course, if you use http, or any other (maybe cleartext) protocols via Tor, they'll have something to spy on ;)

But if not, why not just thank them for the extra exit bandwidth?

/u/CodingTypo · 1 votes · 1 week ago · Link

CIA Triad is a well-known INFOSEC term referring to confidentiality, integrity and availability. You sure this is LE?

/u/Cerebrate · 1 votes · 1 week ago · Link

Lmao, as another user said, CIA Triad isn't the three-letter agency; it's a term used in security meaning Confidentiality, Availability and Integrity.

/u/Dumas · 1 votes · 1 week ago · Link

Thx for info mate