NSA slideshow on 'The TOR problem'

Discussion in 'privacy technology' started by Gitmo East, Oct 4, 2013.

Thread Status:
Not open for further replies.
  1. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    http://apps.washingtonpost.com/g/page/world/nsa-slideshow-on-the-tor-problem/499/

    Shocking slides!
    I'd say the NSA is exploiting flash frequently, not surprised.

    ~ Removed Copyrighted Image ~
     
    Last edited by a moderator: Oct 4, 2013
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: NSA slideshow on 'The TOR problem

    The problem facing Tor is not unique. The javascript enabled by default issue is the perfect example of the security vs convenience issue. The typical user has no idea what javascript is, what it does, or how it can be used against them. Allow it and they're vulnerable. Block it and they're complaining sites won't work. It's a no-win situation for the developer. While TBB and Tails are the best options available for the average user, neither can protect users from powerful adversaries like the NSA unless the user becomes an active part of the solution instead of being part of the problem. Effective anonymity can't be achieved using a "one size fits all" software bundle. If a user wants both good anonymity and functional websites, they need to learn to filter javascript, not just turn it on and off. If a user doesn't want their browser bypassing Tor and exposing their real IP, they need to learn to configure a software firewall to block all direct browser connections. The tools needed for strong anonymity are all freely available. Learn the abilities and limitations of them. Learn to chain the necessary tools, eg
    Browser>Proxomitron>SocksCap>Tor
    Learn your firewall well enough to force all the traffic through that chain.
     
    Last edited: Oct 4, 2013
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Re: NSA slideshow on 'The TOR problem

    Or you could like, use a VPN under Tor or like... use Tor2web on Tor to make your Tor route through 6 tor nodes and separate you from actual viewing a website, only a copy at Tor2web.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: NSA slideshow on 'The TOR problem

    If your browser or system leaks your real IP, it won't matter if you went through a dozen nodes and VPNs. Most all of the deanonymizing methods described in those slides target the FireFox browser and its plugins/add-ons. If one believes those slides, they've been largely ineffective against Tor itself. They've set up a few nodes of their own and managed to compromise a few others, but have been largely unable to affect the Tor network itself.

    The problems for the user are:
    1. The FireFox build ID is unique to TBB, making it easy to identify. The developers made it very difficult to tell one TBB user from another but made it easy to tell a TBB user from a conventional FireFox user. For the developers, deciding what to give the average user is a choice between 2 evils. Any bundle that's openly available to the public can be fingerprinted fairly easily. In one respect, their decision to use FireFox has made that problem worse. The standard version updates far too often for them to be able to properly audit it.
    2. Javascript can coerce the browser into revealing the user's real IP. A script that launches the default browser and directs it to a predetermined link will reveal the user's IP. The easiest way to defeat such a script is to make the browser using Tor the default browser and use another for direct connections. Javascript can also be used to obtain your real IP directly. Plugins (java, flash, PDF, media player, etc) can all be used to coerce direct connections. Any of these can expose the user's identity regardless of how many nodes or VPNs are used.
    TBB is a compromise solution that targets the average user. It assumes that user has no other safeguards in place. Skilled users can create their own packages. If the user pays attention to detail and tests their work, their package can be equally or more secure, more functional, and much harder to identify as using Tor.
     
  5. JohnMatrix

    JohnMatrix Registered Member

    Joined:
    Apr 12, 2012
    Posts:
    48
    Location:
    Behind you
    Re: NSA slideshow on 'The TOR problem

    It is possible (and easy) to start Tor and let Chrome connect to the Tor socks proxy running locally on port 9050. That way, you will use the Tor network with Chrome, just like you are using the bundle.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: NSA slideshow on 'The TOR problem

    Any internet app that can connect via Socks can potentially use Tor. I've run SeaMonkey that way for a long time. Getting another browser to connect through Tor is the easy part. The harder part is making certain that all of its traffic goes through Tor, including DNS. In order to prevent leaks and exposing the user's real IP, it should be made impossible for the browser to make any direct connections. If Tor fails or is shut down, the browser should fail to connect to anywhere.
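
The DNS point in the post above, as an added example that is not part of the original thread: a SOCKS5 request (RFC 1928) carries either a hostname or an already-resolved IP, and only the hostname form leaves the lookup to the proxy. The function names and the sample requests below are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def parse_socks5_request(data: bytes):
    """Parse a SOCKS5 request (RFC 1928, section 4) into (cmd, atyp, host, port)."""
    if len(data) < 5:
        raise ValueError("truncated request")
    ver, cmd, rsv, atyp = data[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_DOMAIN:
        alen, start = data[4], 5          # one length octet, then the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        alen, start = (4 if atyp == ATYP_IPV4 else 16), 4
    else:
        raise ValueError("unknown address type")
    if len(data) != start + alen + 2:     # address plus 2-byte port, nothing else
        raise ValueError("length does not match address type")
    addr = data[start:start + alen]
    (port,) = struct.unpack("!H", data[start + alen:])
    if atyp == ATYP_DOMAIN:
        host = addr.decode("ascii")
    else:
        host = str(ipaddress.ip_address(addr))
    return cmd, atyp, host, port

def resolution_side(data: bytes) -> str:
    """'proxy' if the proxy is asked to resolve a name, 'client' if it only gets an IP."""
    _, atyp, host, _ = parse_socks5_request(data)
    if atyp == ATYP_DOMAIN:
        try:
            ipaddress.ip_address(host)    # an IP literal sent in the name field
        except ValueError:
            return "proxy"
    return "client"                       # any name lookup happened before the proxy

# Constructed sample input: CONNECT requests as a client would send them.
def build_request(atyp: int, addr: bytes, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request for the given address type."""
    prefix = bytes([len(addr)]) if atyp == ATYP_DOMAIN else b""
    return b"\x05\x01\x00" + bytes([atyp]) + prefix + addr + struct.pack("!H", port)

BY_NAME = build_request(ATYP_DOMAIN, b"example.com", 443)
BY_IP = build_request(ATYP_IPV4, bytes([192, 0, 2, 10]), 443)
IP_AS_NAME = build_request(ATYP_DOMAIN, b"192.0.2.10", 443)
```

A "client" result for a site the user reached by name means the application resolved it itself, so the DNS query did not travel through the proxy.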
     
  7. Re: NSA slideshow on 'The TOR problem

    But am I wrong, or did these slides refer to the previous Tor browser version? I mean the "old" version of Firefox which had a javascript leak that got the owner of freenxx busted?

    Didn't the latest version of Tor claim to have fixed this issue?

    However, I always block all the scripts: Java, JavaScript, Flash Player, etc. Isn't it enough?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Re: NSA slideshow on 'The TOR problem

    That's true. But those are old slides.

    It's safe to assume that the NSA has some good zero-day vulnerabilities.

    It's best, I think, to compartmentalize stuff. If there's something that you don't want linked to something else, they belong in different machines. If there's something that's especially valuable, or especially dangerous, it belongs in its own machine. If you don't have many machines, you can use multiple VMs.
     
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Re: NSA slideshow on 'The TOR problem

    NSA and GCHQ target Tor network that protects anonymity of web users.

    Links to bullet items are in the article link above.

    -- Tom
     
  10. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Re: NSA slideshow on 'The TOR problem

    VPN when set up correctly routes all system traffic through your VPN provider's servers. If your browser gave away your real IP at the time of using a VPN it could only give your VPN server IP or your host local IP of 192.168.0.7 etc which is no use.
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Re: NSA slideshow on 'The TOR problem

    There was a website a few years ago that was sort of a proof of concept that Java could reveal a person's IP using TBB. I tried it a few times. But with my VPN enabled, it only saw the IP address of my VPN. To this date I have never seen an example of java or javascript revealing a person's true IP while a VPN is connected. Except for using the router for geolocation. But of course you can disable that feature in Firefox. Do you know of a website that proves that they can reveal your true IP while using a VPN?
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: NSA slideshow on 'The TOR problem

    I'm not aware of any that directly test this. When I need anonymity, I use a separate browser that can only connect out via Tor. I haven't experimented with a VPN. Considering what's been recently revealed regarding tracking, vendor coercion, etc, I don't think I'd trust a VPN. When I finish building my virtual XP unit, I might experiment with a few VPNs just to determine what their abilities and limitations are.

    That POC you mentioned regarding revealing your IP can be found at browserspy.dk. AFAIK, flash, javascript, and exploits involving PDF and media player plugins can also do this, especially if those apps have internet access. A while back I was trying out the WorldIP browser extension. When set to display my local IP, it also displayed my real internet IP from behind a hardware firewall, through 2 layers of NAT with UPnP disabled. When I activated the "kill nosey javascripts" filter in Proxomitron (part of its default filterset), the extension displayed "new or unknown network" instead of my real IP. AFAICT, the extension is primarily javascript. It's another item that I want to examine more closely when I finish the virtual test system.

    Back on the original subject, if you use TBB, there's no realistic way to hide the fact. That said, Tor is legal here, at least for the moment. Since it is legal, I see no reason to hide the fact that I'm using it. They're trying to monitor everyone anyway, regardless of what they use, what they do, or who they are. Trying to stay "under the radar" is really pointless unless you disconnect entirely. They'd probably consider that suspicious as well. For myself, I've opted to hide in plain sight by running a relay, a low volume exit node that's listed. Although the traffic volume is low by relay standards, it's quite a bit more than the traffic I generate, and more than enough to make it difficult to tell relayed traffic from my own. Completely legal plausible deniability.
     
  14. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Eh, Just need VPN + NoScript Strict Rules + TorBB. You can't be detected in any way unless you run something on your computer or change your NoScript rules. Even if you did your VPN IP would be shown, even if people know it, you have a true no logging VPN your data is already gone.
     
  15. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,424
    LOL @ "TOR STINKS" must have needed a few monkeys to come up with that.

    So the NSA runs TOR exit nodes, who would have thought of that. But they can't crack the underlying encryption of TOR which is good for users. What strikes me as a blatant betrayal of free speech everywhere on the internet is how their stated goal is to influence the development cycle of TOR. I bet they are trying to get bugs and backdoors inserted into the code, hopefully the TOR developers are with high morals and don't let this happen.

    mirimir is right when he says they have good 0-dayz. BUT you can only do so much before it's noticed like the FH attack, it was noticed pretty quickly.

    One thing I know is that they have a hypervisor bypass for VMs that allows remote connections for them to sneak inside your PC. So someone needs to look through the code of VMware and VirtualBox to find it because as far as I've been told it affects both of them and is unpatched.
     
    Last edited: Oct 6, 2013
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Do you have a cite for that?
     
  17. Re: NSA slideshow on 'The TOR problem

    Thank you for the answer Mir. I would like to ask you and all the guys of the forum something out of curiosity. I read somewhere that if I connect to an exit node (or a normal node?), this one is able to see ALL the things that I'm doing, the sites that I'm visiting etc etc but he's not able to know who I really am, he can just see my traffic but not my identity. Is it true or did I read it wrong?

    I also read that the only way that he has to see who I really am is to control not just one node but all the ones which I'm connected to, and this is like 1 possibility in 10000000 (I don't remember the number but it was a really remote possibility).

    I read this many months ago so, for sure, I don't remember it well, so if someone could explain this to me better I would really appreciate it. Thank you guys.
     
  18. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,424
    No, but I've seen it with my own eyes mirimir, it was using an outdated linux distro running TOR and was a windows box using a VM (not saying which one) and using a VPN underneath it. It did certainly turn on remote connections I saw that with my own eyes so I know for sure it's real. This has been confirmed by a few others I have talked to, they are trying to figure out what happened, but sadly I don't think they will ever find out how the bug, malware, code whatever you call it escaped the VM. I'm scratching my head too.

    Hypervisor bypasses are like gold for everyone in the security industry and at a guess they only use them when they want to decloak someone very much of interest.
     
  19. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    NSA tracks Google ads to find Tor users.

    -- Tom
     
  20. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Re: NSA slideshow on 'The TOR problem

    Care to create a tutorial?
     
  21. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Re: NSA slideshow on 'The TOR problem

    ( http://ip-check.info ) = Make Everything Green.

    /

    You can probably control enough Tor nodes to de-anonymize non VPN Tor users with maybe $5.000.000 / year spending. It's not that hard.
     
  22. Re: NSA slideshow on 'The TOR problem

    Yes but how many individuals are worth 5 million dollars?? Just the "big fish" of the darknet I guess, but I think they can't be considered "non VPN" users. (Even if 2 of them have been busted in simple ways...) If I remember well, one logged in on his personal twitter account when he was on Tor and the other one (the boss of silk road) used his personal mail and info in some forum.
     
  23. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Re: NSA slideshow on 'The TOR problem

    If NSA really cared they could bankroll it, would not even be hard. You have to remember, it's not bad people on Tor they want to catch, it's good people everywhere in every medium for leverage and incrimination to shape the world through blackmail and fear.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: NSA slideshow on 'The TOR problem

    A lot of it is already posted. See this thread for info on chaining a browser>Proxomitron>Sockscap>Tor. A software firewall with good loopback control rules will prevent bypassing the chain. I could make a tutorial for the firewall I use, Kerio 2.1.5. It would be up to the user to determine how to work with another firewall. Proxomitron is very capable of filtering and modifying javascript on the fly, but it does require the user to understand what they're doing.

    A good addition to other Mozilla browsers is PrefBar. It allows you to easily disable javascript, java, flash, and plugins from the toolbar. It also lets you control the user agent, referrer, cookies, and most other settings. It's configurable enough to allow you to keep all of these in plain sight.
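
One way to test that a firewall rule set like the one described above really keeps the browser inside the chain, as an added example that is not part of the original thread: list every socket the browser owns whose peer is not the local proxy port. It assumes a Linux host and the column layout of `ss -tunp`; the sample lines, the process name "browser" and the function names are constructed, and port 9050 is the local Tor SOCKS port mentioned earlier in the thread.

```python
import ipaddress
import re

# Constructed sample in the column layout of `ss -tunp` (not captured from a real host).
SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 127.0.0.1:51514 127.0.0.1:9050 users:(("browser",pid=2211,fd=58))
tcp ESTAB 0 0 192.168.0.7:40112 198.51.100.20:443 users:(("browser",pid=2211,fd=61))
udp ESTAB 0 0 192.168.0.7:53122 192.0.2.53:53 users:(("browser",pid=2211,fd=64))
tcp ESTAB 0 0 [::1]:51520 [::1]:9050 users:(("browser",pid=2211,fd=66))
tcp ESTAB 0 0 192.168.0.7:40200 203.0.113.5:9001 users:(("tor",pid=1900,fd=12))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def split_endpoint(endpoint: str):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def direct_connections(ss_output: str, process: str, proxy_port: int = 9050):
    """Return (proto, peer_ip, peer_port) for sockets of `process` that bypass the proxy."""
    violations = []
    for line in ss_output.splitlines():
        fields = line.split(None, 6)      # keep the process column whole
        if len(fields) < 7:
            continue
        owner = PROC_RE.search(fields[6])
        if not owner or owner.group(1) != process:
            continue                      # header line or another program
        try:
            ip, port = split_endpoint(fields[5])
        except ValueError:
            continue                      # wildcard peer such as 0.0.0.0:*
        if ip.is_loopback and port == proxy_port:
            continue                      # the only path the policy allows
        violations.append((fields[0], str(ip), port))
    return violations
```

With a working rule set the list for the browser is empty whether or not Tor is running; in the constructed sample it contains one direct HTTPS connection and one DNS query sent outside the proxy.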
     
  25. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534