The Onion Router
Hello World
- I'm Tony
- I am interested in the concept of security
- I work for a local ISP / MSP
- I like skills sharing / access to knowledge
- Hackspaces are awesome
You are the internet
DEMO 1: Plaintext
- Everyone can read everything!
- No privacy, no anonymity
DEMO 2: HTTPS / SSL / TLS
- Server knows who made the request / location / content served etc.
- Some privacy, no anonymity from the server etc.
What does this tell us?
- Encryption gives us (some) privacy of content, but not anonymity
- The destination knows who we are, where we are & what we've asked for
What are the risks?
- In some countries / states / conditions, guilt by association is enough to lead to dire consequences
What can we do?
- We need anonymity by design
Why not use a Proxy?
- Proxies are based on trust
- People are the weakest link
- Proxies are vulnerable to attack
- Implementations - known / unknown weaknesses
- Single points of failure
- Best practice / standardisation
Birth of Tor
Generation 1
- Onion Routing - 1995, U.S. Naval Research Laboratory
- Defense Advanced Research Projects Agency (DARPA) - 1997
- Traffic analysis - need for widespread use
Generation 2
- The Tor Project - 2002
- Electronic Frontier Foundation 2004-05
- 2006 - 501(c)(3) research-education nonprofit (tax exempt)
- 2012 - 80% of the Tor Project's $2M annual budget from the US gov, the remainder from the Swedish gov, with other orgs providing the rest - WSJ
What can Tor do?
- Provide anonymity: the destination / endpoint does not know where communication is coming from.
- Provide hidden services: access to services / websites whose location cannot be determined, only available via Tor.
How does Tor do this?
"a riddle, wrapped in a mystery, inside an enigma" - Winston Churchill
Tor relies on layers of encryption, like an onion
DEMO 3: Tor (plaintext)
SOURCE: Tony
ENTRY NODE: Blue 2
RELAY NODE: Green 1
EXIT NODE: Red 1
DESTINATION: Server
RESULT: Exit node can read traffic to/from destination
DEMO 4: Tor (HTTPS/SSL/TLS)
SOURCE: Tony
ENTRY NODE: Blue 1
RELAY NODE: Green 2
EXIT NODE: Red 2
DESTINATION: Server
RESULT: Exit node cannot read traffic to/from destination
How does Tor work?
Tor Hidden Services
- Provides anonymity to web services
- .onion address: not a recognised DNS domain, usually only accessible via Tor, or via a trusted proxy
- 6 hops, as opposed to the usual 3
- Hidden services found via directory lists or search engines, e.g. Hidden Wiki, Tor Search, DuckDuckGo
- Silk Road Marketplace
- Tor Mail - compromised by the FBI due to: special interest groups - Freedom Hosting (more later)
How Can I Use Tor?
- Can configure to run as a local proxy service
- Tor Browser Bundle - preferred method
  - Initiates connection with the Tor network
  - Confirms if using the current version of Tor (warns if not)
  - Launches its own build of Firefox
  - NoScript not enabled by default...
DEMO: Tor Browser Bundle
How can I get caught?
Forget to use Tor
- LulzSec 2011: Fine Gael, HBGary, Fox Broadcasting Company, Sony (repeatedly), The Times, The Sun, SOCA etc.
- Sabu (Hector Monsegur): arrested June 2011, worked for the FBI for 7 months
- Forgot to log into Tor. Once.
How can I get caught?
Be the only Tor user
- Eldo Kim, 20-year-old Harvard student
- Using Tor and an anonymous email account (Guerrilla Mail), sent a shrapnel bomb threat, claiming to have placed multiple devices on campus to disrupt final exams
- Arrested 2 days later
- Faces up to 5 years in prison & $250,000 fine
- Email header shows the email originated from the Tor network
- Only user on campus WiFi connected to Tor... was Eldo, using his Harvard ID
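To show the correlation an investigator does in the case above (an added example, not from the original talk), here is a small Python routine that joins constructed campus gateway flow records against a made-up relay list and returns the users whose traffic reached a known Tor relay within a time window around the message. Usernames, IP addresses, timestamps and the relay set are all fabricated; on a real network the relay set would come from the published Tor consensus.

```python
from datetime import datetime, timedelta

# Constructed sample data: flow records from a campus WiFi gateway
# (user, timestamp, destination IP, destination port) plus a made-up set of
# Tor relay addresses standing in for the public relay consensus.
FLOWS = """\
alice 2024-05-01T08:21:10 203.0.113.10 443
bob   2024-05-01T08:25:42 198.51.100.7 9001
carol 2024-05-01T08:26:05 203.0.113.22 80
bob   2024-05-01T08:31:19 198.51.100.7 9001
dave  2024-05-01T10:02:00 192.0.2.44   443
"""
TOR_RELAYS = {"198.51.100.7", "192.0.2.44"}  # placeholder relay IPs

def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into (user, datetime, ip, port)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, ip, port = line.split()
        rows.append((user, datetime.fromisoformat(ts), ip, int(port)))
    return rows

def tor_users_near(flows: list, when: datetime,
                   window: timedelta = timedelta(minutes=15)) -> dict:
    """Map each user who reached a known relay within +/- window of `when`
    to the timestamps of those flows. A single entry means a single candidate."""
    hits = {}
    for user, ts, ip, _port in flows:
        if ip in TOR_RELAYS and abs(ts - when) <= window:
            hits.setdefault(user, []).append(ts)
    return hits

# Timestamp taken from the (constructed) message header
EMAIL_SENT = datetime(2024, 5, 1, 8, 30)
```

Run against the sample data, the 08:30 window yields exactly one candidate; the point of the slide is that anonymity needs company, and a single Tor user on a small network has none.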
How can I get caught?
Browser based vulnerabilities
- Firefox, e.g. FBI - EgotisticalGiraffe
  - Targeted against Freedom Hosting
  - Code gathered some information about the user, sent it to a server in Virginia and then crashed
  - http://cryptome.org/2013/10/nsa-egotisticalgiraffe.pdf
- Tor Mail: FBI seized a copy of all mail
How can I get caught?
QUANTUM / FOXACID
- NSA run systems, revealed by Snowden
- https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.htm
- Quantum systems at key places on the internet backbone can respond faster as a result - a race condition
- Redirects users to a FoxAcid server, impersonating other websites e.g. LinkedIn / Google etc., to deliver a malicious payload infecting the user's machine
How can I get caught?
De-anonymisation
- Logging in to something that identifies you, e.g. Facebook
- Anything that connects direct, outside of Tor:
  - JavaScript - NoScript plus browser config: https://www.torproject.org/docs/faq#tbbjavascriptenabled
  - Flash video / ads
  - Torrents
  - Opening PDF / DOC / media files while online - these connect direct, outside of Tor
How can I get caught?
SSL / TLS based attacks
- Man In The Middle / ARC4?
Does Tor work?
- Snowden leaks show Tor works & the NSA doesn't like it - "Tor Stinks"
- http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
Summary
- Use an up to date Tor Browser Bundle
- HTTPS over Tor is good, but SSL based attacks are still a concern
- Configure Tor Browser Bundle to lock it down / NoScript / Flash etc.
- Be mindful of fingerprinting
- Don't give away your anonymity
- Support the Tor Project
Q&A