The Onion Router - 57North Hacklab » Aberdeen's First ... · The Onion Router. 2 ... Tor Browser...

The Onion Router


2

Hello World

● I'm Tony
● I am interested in the concept of "security"
● I work for a local ISP / MSP
● I like skills sharing / access to knowledge
● Hackspaces are awesome

3

You are the internet

● DEMO 1: Plaintext
  Everyone on the path can read everything. No privacy, no anonymity.
● DEMO 2: HTTPS / SSL / TLS
  The network can no longer read the content, but the server still knows who made the request, where they are, what content was served, etc. Some privacy, no anonymity from the server.

What does this tell us?
● Encryption gives us (some) privacy of content, but not anonymity
● The destination knows who we are, where we are and what we've asked for

What are the risks?
● In some countries / states / conditions, "guilty by association" is enough to lead to dire consequences

What can we do?
● We need anonymity by design

4

Why not use a Proxy?

● Proxies are based on trust: the proxy operator sees both who you are and what you request
● People are the weakest link
● Proxies are vulnerable to attack
● Implementations have known / unknown weaknesses
● Single points of failure
● No agreed best practice / standardisation

5

Birth of Tor

Generation 1 – Onion Routing – 1995
● U.S. Naval Research Laboratory
● Defense Advanced Research Projects Agency (DARPA) – 1997
● Traffic analysis: resisting it needs widespread use, since a network used only by one organisation identifies its users by itself

Generation 2 – The Tor Project – 2002
● Electronic Frontier Foundation – 2004-05
● 2006 – 501(c)(3) research-education nonprofit (tax exempt)
● 2012 – 80% of the Tor Project's $2M annual budget from the US government, the remainder from the Swedish government and other organisations – WSJ

6

What can Tor do?

● Provide anonymity – the destination / endpoint does not know where the communication is coming from.

● Provide "Hidden Services" – access to services / websites whose location cannot be determined, only available via Tor.

7

How does Tor do this?

"a riddle, wrapped in a mystery, inside an enigma" – Winston Churchill

Tor relies on layers of encryption – layers, like an onion

8

DEMO 3: Tor (plaintext)

● SOURCE: Tony
● ENTRY NODE: Blue 2
● RELAY NODE: Green 1
● EXIT NODE: Red 1
● DESTINATION: Server

● RESULT: the exit node can read the traffic to/from the destination (and knows the destination), but does not know the source

9

DEMO 4: Tor (HTTPS/SSL/TLS)

● SOURCE: Tony
● ENTRY NODE: Blue 1
● RELAY NODE: Green 2
● EXIT NODE: Red 2
● DESTINATION: Server

● RESULT: the exit node can still see which server is being contacted, but cannot read the traffic to/from the destination
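The layering behind slides 7 to 9, written out as an added example (this is not Tor's code and not from the talk). Each hop holds its own key and strips exactly one layer, so the entry node sees the client but not the destination, the exit sees the destination but not the client, and the middle relay sees neither. The cipher is a throwaway XOR keystream built from HMAC-SHA256 so that it runs on the standard library alone; the per-hop keys in ROUTE are assumed to be pre-shared, where real Tor negotiates them per circuit. Passing an `e2e_key` models DEMO 4: HTTPS adds one more layer that only the destination can remove.

```python
"""Toy onion routing: one key per hop, one layer peeled per hop.

Added example, not Tor's implementation. Real Tor negotiates an AES key with
each relay and uses fixed-size cells; here the keys are pre-shared constants
and the cipher is a throwaway XOR keystream derived from HMAC-SHA256 in
counter mode, so the whole thing runs with the Python standard library.
"""
import hashlib
import hmac
import json

# Assumed pre-shared per-hop keys (Tor derives these from a key exchange).
ROUTE = [("entry", b"key-entry"), ("relay", b"key-relay"), ("exit", b"key-exit")]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR `data` with HMAC-SHA256(key, counter) blocks.
    Encrypting and decrypting are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one onion layer. Whoever holds `key` learns `next_hop` and receives
    an opaque `payload`; everything inside stays encrypted to them."""
    cell = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return keystream_xor(key, cell)


def peel(key: bytes, cell: bytes):
    """What a relay does on receipt: strip its own layer, read the next hop,
    forward the remaining bytes. A wrong key yields garbage (ValueError)."""
    inner = json.loads(keystream_xor(key, cell))
    return inner["next"], bytes.fromhex(inner["payload"])


def build_onion(route, payload: bytes) -> bytes:
    """Client side: wrap inside-out, exit layer first, entry layer last."""
    cell, next_hop = payload, "destination"
    for name, key in reversed(route):
        cell = wrap(key, next_hop, cell)
        next_hop = name
    return cell


def run_demo(route, request: bytes, e2e_key=None) -> dict:
    """Walk the circuit and record what each node can observe.
    e2e_key=None is DEMO 3 (plaintext HTTP); a key models DEMO 4, where
    HTTPS adds an end-to-end layer that only the destination can remove."""
    payload = request if e2e_key is None else keystream_xor(e2e_key, request)
    cell, prev, observed = build_onion(route, payload), "client", {}
    for name, key in route:
        next_hop, cell = peel(key, cell)
        observed[name] = {"from": prev, "to": next_hop, "reads_request": cell == request}
        prev = name
    delivered = cell if e2e_key is None else keystream_xor(e2e_key, cell)
    observed["destination"] = {"from": prev, "reads_request": delivered == request}
    return observed


if __name__ == "__main__":
    req = b"GET /secret HTTP/1.1\r\nHost: server\r\n"
    for label, key in (("DEMO 3 plaintext", None), ("DEMO 4 HTTPS", b"tls-session")):
        print(label)
        for node, view in run_demo(ROUTE, req, key).items():
            print(f"  {node:12} {view}")
```

The `from`/`to` fields are the whole point: no single relay sees both "client" and "destination", and the middle relay sees only other relays. What the onion does not hide is the timing and volume of the cells, which is why the talk's later slides on being the only Tor user still matter.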

10

How does Tor Work?

11

Tor Hidden Services

● Provides anonymity to web services
● .onion addresses are not resolvable in public DNS; usually only accessible via Tor, or via a "trusted" proxy (which then sees your traffic)
● 6 hops, as opposed to the usual 3: the client builds a 3-hop circuit to a rendezvous point and the service builds its own 3-hop circuit to it, so neither side learns the other's location
● Hidden services are found via directory lists or search engines, e.g. the Hidden Wiki, Tor Search, DuckDuckGo
● Silk Road – "Marketplace"
● Tor Mail – compromised by the FBI because it was hosted on Freedom Hosting, which was taken down for hosting "special interest groups" (more later)

12

How Can I Use Tor

● Can configure Tor to run as a local (SOCKS) proxy service
● Tor Browser Bundle – preferred method
● Initiates the connection to the Tor network
● Checks whether it is the current version of Tor (warns if not)
● Launches its own build of Firefox
● NoScript is bundled, but scripts are allowed by default...
● DEMO: Tor Browser Bundle

13

How can I get caught?

● Forget to use Tor
● LulzSec – 2011: Fine Gael, HBGary, Fox Broadcasting Company, Sony (repeatedly), The Times, The Sun, SOCA etc.
● Sabu – Hector Monsegur
  Arrested June 2011
  Worked for the FBI for 7 months
● Forgot to connect through Tor. Once.

14

How can I get caught?

● Be the only Tor user
● Eldo Kim, 20-year-old Harvard student
● Using Tor and an anonymous email account (Guerrilla Mail), sent a shrapnel bomb threat claiming to have placed multiple devices on campus, to disrupt final exams
● Arrested 2 days later
● Faces up to 5 years in prison & a $250,000 fine
● Email headers showed the email originated from the Tor network
● The only user on the campus WiFi connected to Tor at that time was Eldo, authenticated with his Harvard ID
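How the "only Tor user" correlation is done in practice, as an added example (not the talk's material and not the Harvard investigation's method): flows leaving the campus are matched against a list of known relay addresses, and each matching flow is joined to the WiFi login log that maps a client IP to a campus ID. The relay list, the login log and the flow log below are all constructed for the example, using TEST-NET address ranges rather than real relays or real users.

```python
"""Spotting 'the only Tor user' from campus logs.

Added example, not from the talk. Step 1: find flows to known Tor relay
addresses. Step 2: join each one to the WiFi authentication log, which is
what turns an IP address into a named person. All logs and relay addresses
here are constructed (TEST-NET ranges), not real data.
"""
import re
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
AUTH_RE = re.compile(r"^(\S+ \S+) login user=(\S+) ip=(\S+)$")
FLOW_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed stand-in for the public relay list (in practice: the Tor
# consensus or the bulk exit list). Bridges and pluggable transports are
# deliberately NOT in such a list, which is the main gap in this check.
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.9"}

# Constructed WiFi authentication log: campus ID -> client IP.
AUTH_LOG = """\
2013-12-16 07:55:10 login user=asmith ip=10.20.4.11
2013-12-16 08:02:44 login user=ekim ip=10.20.4.17
2013-12-16 08:40:01 login user=jdoe ip=10.20.4.23
"""

# Constructed flow log from the campus border (one line per connection).
FLOW_LOG = """\
2013-12-16 08:10:31 src=10.20.4.11 dst=192.0.2.10 dport=443
2013-12-16 08:31:02 src=10.20.4.17 dst=198.51.100.7 dport=9001
2013-12-16 08:31:05 src=10.20.4.17 dst=203.0.113.9 dport=443
2013-12-16 08:33:40 src=10.20.4.99 dst=198.51.100.7 dport=9001
2013-12-16 08:45:19 src=10.20.4.23 dst=192.0.2.10 dport=80
2013-12-16 08:52:12 src=10.20.4.23 dst=198.51.100.23 dport=9001
"""


def parse_auth(text):
    """-> sorted list of (time, ip, user) login events."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS), m.group(3), m.group(2)))
    return sorted(events)


def user_for(auth_events, ip, when):
    """Most recent login from `ip` at or before `when`; None if nobody
    authenticated from that address (an unattributed Tor flow)."""
    user = None
    for t, a_ip, a_user in auth_events:
        if a_ip == ip and t <= when:
            user = a_user
    return user


def tor_flows(auth_log, flow_log, relays):
    """Flows whose destination is a known relay, each joined to a user."""
    auth = parse_auth(auth_log)
    hits = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), TS)
        src, dst, dport = m.group(2), m.group(3), int(m.group(4))
        if dst in relays:
            hits.append({"time": when, "user": user_for(auth, src, when),
                         "src": src, "dst": dst, "dport": dport})
    return hits


def tor_users_between(auth_log, flow_log, relays, start, end):
    """Identified users who talked to a Tor relay inside [start, end].
    A single result is the Eldo Kim situation: one person to ask."""
    lo, hi = datetime.strptime(start, TS), datetime.strptime(end, TS)
    return {h["user"] for h in tor_flows(auth_log, flow_log, relays)
            if lo <= h["time"] <= hi and h["user"] is not None}


if __name__ == "__main__":
    for h in tor_flows(AUTH_LOG, FLOW_LOG, TOR_RELAYS):
        print(h)
    print(tor_users_between(AUTH_LOG, FLOW_LOG, TOR_RELAYS,
                            "2013-12-16 08:25:00", "2013-12-16 08:35:00"))
```

Two caveats a defender (or a Tor user) should keep in mind. The relay list only catches connections to public relays, so a bridge, a pluggable transport or a VPN in front of Tor never appears; and a hit to a relay IP is evidence of Tor use, not of the email. The identification comes from the join to the authentication log, which is exactly the "using his Harvard ID" step above, and an address with no login behind it (10.20.4.99 in the sample) stays unattributed.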

15

How can I get caught?

● Browser-based vulnerabilities – Firefox
  e.g. EgotisticalGiraffe (NSA) and the FBI's 2013 exploit targeted against "Freedom Hosting" sites, both aimed at the Firefox build in the Tor Browser Bundle
● The code gathered some information about the user and sent it to a server in Virginia, then crashed
● http://cryptome.org/2013/10/nsa-egotisticalgiraffe.pdf
● Tor Mail – the FBI seized a copy of all mail

16

How can I get caught?

● QUANTUM / FOXACID
● NSA-run systems, revealed by Snowden
  https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
● QUANTUM systems sit at "key places on the internet backbone" and can answer before the real server does – they win the "race condition"
● Redirects users to a FOXACID server impersonating other websites – e.g. LinkedIn / Google – to deliver a malicious payload infecting the user's machine

17

How can I get caught?

● De-anonymisation
● Logging in to something that identifies you – e.g. Facebook
● Anything that connects directly, outside of Tor:
● JavaScript – NoScript plus browser config
  https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
● Flash – video / ads
● Torrents
● Opening PDF / DOC / media files while online – the viewer application connects directly, outside of Tor

18

How can I get caught?

SSL / TLS based attacks – Man in the Middle / RC4 (ARC4) weaknesses?

19

Does Tor work?

● The Snowden leaks show Tor works & the NSA doesn't like it – "Tor Stinks" http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

20

Summary

● Use an up-to-date Tor Browser Bundle
● HTTPS over Tor is good, but SSL/TLS based attacks are still a concern
● Configure the Tor Browser Bundle to lock it down: NoScript / Flash etc. Be mindful of fingerprinting
● Don't give away your anonymity
● Support the Tor Project

21

Q&A