You are the internet

Size: px

Start display at page:

Download "You are the internet"

Jennifer Small
6 years ago
Views:

1 The Onion Router

2 Hello World I'm Tony I am interested in the concept of security I work for a local ISP / MSP I like skills sharing / access to knowledge Hackspaces are awesome 2

3 You are the internet DEMO 1: Plaintext Everyone can read everything! No privacy, no anonymity DEMO 2: HTTPS / SSL / TLS Server knows who made request / location / content served etc. Some privacy, no anonymity from server etc. What does this tell us? Encryption gives us (some) privacy of content, but not annonomity Destination knows who we are, where we are & what we've asked for What are the risks? In some countries / states / conditions, guilty by association is enough to lead to dire consequences What can we do? We need annonimity by design 3

4 Why not use a Proxy? Proxies are based on trust People are the weakest link Proxies are vunerable to attack Implementations - known / unknown weaknesses Single points of failure Best Practice / Standardisation 4

5 Birth of Tor Generation 1 Onion Routing U.S. Naval Research Laboratory Defense Advanced Research Projects Agency (DARPA) Traffic Analysis need for widespread use Generation 2 - The Tor Project Electronic Frontier Foundation (c)(3) research-education nonprofit (tax exempt) % of Tor Project's $2M annual budget from the US gov, remainder Swedish gov, other org's providing the rest - WSJ 5

6 What can Tor do? Provide Annonimity the destination / endpoint does not know where communication is coming from. Provide Hidden Services - access to services / websites who's location cannot be determined, only available via Tor. 6

7 How does Tor do this? "a riddle, wrapped in a mystery, inside an enigma" - Winston Churchill Tor relies on layers of encryption layers, like an Onion 7

8 DEMO 3: Tor (plaintext) SOURCE: Tony ENTRY NODES: Blue 2 RELAY NODE: Green 1 EXIT NODE: Red 1 DESTINATION: Server RESULT: Exit node can read traffic to/from destination 8

9 DEMO 4: Tor (HTTPS/SSL/TLS) SOURCE: Tony ENTRY NODES: Blue 1 RELAY NODE: Green 2 EXIT NODE: Red 2 DESTINATION: Server RESULT: Exit node cannot read traffic to/from destination 9

10 How does Tor Work 10

11 Tor Hidden Services Provides annonimity to web services.onion address not a recognised DNS domain, usually only accessible via a Tor, or via a trusted proxy 6 hops, as opposed to usual 3 Hidden services found via directory lists or search engines e.g. hidden wiki, Tor Search, DuckDuckGo Silk Road Marketplace Tor Mail compromised by FBI due to: Special interest groups - Freedom Hosting (more later) 11

12 How Can I Use Tor Can configure to run as a local proxy service Tor Browser Bundle - preferred method Initiates connection with Tor network confirms if using current version of Tor (warns if not) launches own build of firefox NoScript not enabled by default... DEMO: Tor Browser Bundle 12

13 How can I get caught? Forget to use Tor LulzSec 2011 Fine Gael, HBGary, and Fox Broadcasting Company, Sony (repeatedly), The Times, The Sun, SOCA etc. Sabu Hector Montsegur Arrested June 2011 Worked for FBI for 7 months Forgot to log into Tor. Once. 13

14 Be the only Tor user How can I get caught? Eldo Kim 20 yro Harvard Student Using Tor and annonomous account (Guerrilla Mail) sent shrapnel bomb threat, claiming to have placed multiple devices on campus to disrupt final exams Arrested 2 days later Faces up to 5 years in prison & $250,000 fine header shows originated from Tor network Only user on campus WiFi connected to Tor... was Eldo using his Harvard ID 14

15 How can I get caught? Browser based vunerabilites Firefox e.g. FBI - EgotisticalGiraffe Targeted against Freedom Hosting Code gathered some information about the user and sent it to a server in Virginia and then crashed Tor Mail FBI seised copy of all mail 15

16 How can I get caught? QUANTUM / FOXACID NSA run systems, revealed by Snowden Quantum systems at key places on the internet backbone can respond faster as a result - race condition Redirects users to FoxAcid server, impersonating other websites e.g LinkedIn / Google etc. to deliver a malicious payload infecting users machine 16

17 De-anonomysiation How can I get caught? Logging in to something that identifies you e.g. Facebook Anything that connects direct, outside of Tor: Javascript NoScript plus browser config Flash video / ads Torrents Opening PDF / DOC / media files while online connect direct, outside of Tor 17

18 How can I get caught? SSL / TLS based attacks Man In The Middle / ARC4? 18

19 Does Tor work? Snowden links show Tor works & NSA doesn't like it - Tor Stinks 19

20 Summary Use up to date Tor Browser Bundle HTTPS over TOR is Good, but SSL based attacks still a concern Configure Tor Browser Bundle to lock it down / NoScript / Flash etc. Mindful of fingerprinting Don't give away your anonymity Support the TOR project 20

21 Q&A 21

Tor. Tor Anonymity Network. Tor Basics. Tor Basics. Free software that helps people surf on the Web anonymously and dodge censorship.

Tor. Tor Anonymity Network. Tor Basics. Tor Basics. Free software that helps people surf on the Web anonymously and dodge censorship. Tor Tor Anonymity Network Free software that helps people surf on the Web anonymously and dodge censorship. CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk Initially developed at the U.S.