You are the internet

The Onion Router

Hello World
- I'm Tony
- I am interested in the concept of security
- I work for a local ISP / MSP
- I like skills sharing / access to knowledge
- Hackspaces are awesome

You are the internet
- DEMO 1: Plaintext. Everyone can read everything! No privacy, no anonymity.
- DEMO 2: HTTPS / SSL / TLS. Server knows who made request / location / content served etc. Some privacy, no anonymity from server etc.
- What does this tell us? Encryption gives us (some) privacy of content, but not anonymity. Destination knows who we are, where we are & what we've asked for.
- What are the risks? In some countries / states / conditions, guilt by association is enough to lead to dire consequences.
- What can we do? We need anonymity by design.

Why not use a Proxy?
- Proxies are based on trust
- People are the weakest link
- Proxies are vulnerable to attack
- Implementations - known / unknown weaknesses
- Single points of failure
- Best Practice / Standardisation

Birth of Tor
- Generation 1 Onion Routing - 1995
- U.S. Naval Research Laboratory
- Defense Advanced Research Projects Agency (DARPA) - 1997
- Traffic Analysis: need for widespread use
- Generation 2 - The Tor Project - 2002
- Electronic Frontier Foundation 2004-05
- 2006 - 501(c)(3) research-education nonprofit (tax exempt)
- 2012 - 80% of Tor Project's $2M annual budget from the US gov, remainder Swedish gov, other orgs providing the rest - WSJ

What can Tor do?
- Provide anonymity: the destination / endpoint does not know where communication is coming from.
- Provide Hidden Services: access to services / websites whose location cannot be determined, only available via Tor.

How does Tor do this?
"a riddle, wrapped in a mystery, inside an enigma" - Winston Churchill
Tor relies on layers of encryption, like an onion.

DEMO 3: Tor (plaintext)
- SOURCE: Tony
- ENTRY NODES: Blue 2
- RELAY NODE: Green 1
- EXIT NODE: Red 1
- DESTINATION: Server
- RESULT: Exit node can read traffic to/from destination

DEMO 4: Tor (HTTPS/SSL/TLS)
- SOURCE: Tony
- ENTRY NODES: Blue 1
- RELAY NODE: Green 2
- EXIT NODE: Red 2
- DESTINATION: Server
- RESULT: Exit node cannot read traffic to/from destination
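An added example, not part of the original slides: a toy Python model of the layering behind DEMO 3 and DEMO 4, recording what each node learns as it peels its layer. The node names come from the demos; the static keys, the SHA-256 XOR keystream (a stand-in, not real cryptography or Tor's actual cell format) and the `TLS_KEY` stand-in for an HTTPS session are assumptions.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher (assumption, NOT real crypto): XOR with SHA-256(key || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, dest, payload: bytes) -> bytes:
    """Client: add one layer per node, innermost (exit) layer first."""
    next_hops = [name for name, _ in path[1:]] + [dest]
    cell = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(key, layer)
    return cell

def route(path, source, cell: bytes):
    """Each node peels its own layer; record what that node can observe."""
    views, prev = [], source
    for name, key in path:
        layer = json.loads(keystream_xor(key, cell))
        cell = bytes.fromhex(layer["data"])
        views.append({"node": name, "prev": prev, "next": layer["next"], "sees": cell})
        prev = name
    return views

# Constructed sample data: node names from the demos, keys invented here.
PATH = [("Blue 2", b"k-entry"), ("Green 1", b"k-relay"), ("Red 1", b"k-exit")]
REQUEST = b"GET /inbox HTTP/1.1"
TLS_KEY = b"k-tony-server"  # stand-in for an HTTPS session shared only with Server

def demo(https: bool):
    payload = keystream_xor(TLS_KEY, REQUEST) if https else REQUEST
    return route(PATH, "Tony", wrap(PATH, "Server", payload))

if __name__ == "__main__":
    for https in (False, True):
        for v in demo(https):
            print(https, v["node"], v["prev"], "->", v["next"], v["sees"][:24])
```

Only the entry node sees Tony and only the exit node sees Server; the exit node's `sees` field is the readable request in the plaintext run and ciphertext in the HTTPS run.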

How does Tor work?

Tor Hidden Services
- Provides anonymity to web services
- .onion address: not a recognised DNS domain, usually only accessible via Tor, or via a trusted proxy
- 6 hops, as opposed to usual 3
- Hidden services found via directory lists or search engines, e.g. hidden wiki, Tor Search, DuckDuckGo
- Silk Road Marketplace
- Tor Mail compromised by FBI due to: Special interest groups - Freedom Hosting (more later)

How can I use Tor?
- Can configure to run as a local proxy service
- Tor Browser Bundle - preferred method
  - Initiates connection with Tor network
  - Confirms if using current version of Tor (warns if not)
  - Launches own build of Firefox
  - NoScript not enabled by default...
- DEMO: Tor Browser Bundle

How can I get caught? Forget to use Tor
- LulzSec 2011: Fine Gael, HBGary, and Fox Broadcasting Company, Sony (repeatedly), The Times, The Sun, SOCA etc.
- Sabu - Hector Monsegur
- Arrested June 2011
- Worked for FBI for 7 months
- Forgot to log into Tor. Once.

How can I get caught? Be the only Tor user
- Eldo Kim, 20-year-old Harvard student
- Using Tor and an anonymous email account (Guerrilla Mail), sent shrapnel bomb threat, claiming to have placed multiple devices on campus to disrupt final exams
- Arrested 2 days later
- Faces up to 5 years in prison & $250,000 fine
- Email header shows email originated from Tor network
- Only user on campus WiFi connected to Tor... was Eldo, using his Harvard ID

How can I get caught? Browser-based vulnerabilities
- Firefox, e.g. FBI - EgotisticalGiraffe
- Targeted against Freedom Hosting
- Code gathered some information about the user and sent it to a server in Virginia and then crashed
- http://cryptome.org/2013/10/nsa-egotisticalgiraffe.pdf
- Tor Mail - FBI seized copy of all mail

How can I get caught? QUANTUM / FOXACID
- NSA-run systems, revealed by Snowden
- https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.htm
- Quantum systems at key places on the internet backbone can respond faster as a result - race condition
- Redirects users to FoxAcid server, impersonating other websites e.g. LinkedIn / Google etc. to deliver a malicious payload infecting user's machine

How can I get caught? De-anonymisation
- Logging in to something that identifies you e.g. Facebook
- Anything that connects direct, outside of Tor:
  - JavaScript - NoScript plus browser config https://www.torproject.org/docs/faq#tbbjavascriptenabled
  - Flash video / ads
  - Torrents
  - Opening PDF / DOC / media files while online - connect direct, outside of Tor

How can I get caught? SSL / TLS based attacks
- Man In The Middle / ARC4?

Does Tor work?
- Snowden links show Tor works & NSA doesn't like it - Tor Stinks
- http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

Summary
- Use up to date Tor Browser Bundle
- HTTPS over Tor is good, but SSL based attacks still a concern
- Configure Tor Browser Bundle to lock it down / NoScript / Flash etc.
- Mindful of fingerprinting
- Don't give away your anonymity
- Support the Tor project

Q&A