Slashdot Mirror

← Back to Stories (view on slashdot.org)

How The NSA Targets Tor

Posted by Soulskill on from the i-bet-it's-a-layered-approach dept.

The Guardian has released new documents from Edward Snowden showing how the U.S. National Security Agency targets internet anonymity tool Tor to gather intelligence. One of the documents, a presentation titled "Tor Stinks," bluntly acknowledges how effective the tool is: "We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand." (Other documents: presentation 1, presentation 2.) The NSA is able to extract information sometimes, though, and Bruce Schneier details what we know of that process in an article of his own. "The NSA creates 'fingerprints' that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see "almost everything" a target does on the internet. ... After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems." Schneier explains in a related article why it's important that we figure out exactly what the NSA is doing. "Given how inept the NSA was at protecting its own secrets, it's extremely unlikely that Edward Snowden was the first sysadmin contractor to walk out the door with a boatload of them. And the previous leakers could have easily been working for a foreign government."

5 of 234 comments (clear)

  1. TAILS by Anonymous Coward · · Score: 2, Informative

    And this is exactly why you use TAILS. No fingerprints. Heck I have an exclusive machine for TAILS.

    1. Re:TAILS by SecurityTheatre · · Score: 5, Informative

      This is absurd.

      Listen, I've read the analysis and I've read all the available documentation. I agree with Schneider's analysis, but you're exaggerating.

      1. They can identify anyone using TOR by looking at the encrypted traffic. Doesn't matter what you're running.

      Maybe. But they do this by injecting cookies and then trying to find those cookies later on the unencrypted Internet, once you've turned off Tor. This doesn't work so well if you're using the browser bundle, or some sort of Live CD, but it may work on

      2. Using their privileged position on the internet backbone, they can perform MitM attacks by responding faster than the real servers, so they server you their malware package while serving the original content. Doesn't matter what you're running.

      The race-condition man-on-the-side capability of the NSA was never doubted, though nobody was really sure until recently how/where/if it was deployed and how often it was used. It looks like it's a rather common thing they use these days. In that vein, they can probably intercept the traffic between the exit node and the hosted content, unless, of course, you're using a .onion site, in which case, they most certainly cannot (unless they own the exit node, which they will only sometimes do).

      3. The NSA has 0-days for everything, so now you're rooted. Doesn't matter what you're running. And likely de-anonymized at this point.

      If you're rooted, you are also de-anonymized. That's almost a sure bet. Avoiding getting rooted is the key.

      4. If you're using a live CD, you might stop being rooted when you power down. Unless the NSA has a 0-day for your BIOS, which is certainly possible, in which case even that didn't help.

      Doing a blind root on a BIOS is pretty unlikely. In fact, rooting someone who doesn't have a browser/OS combination that has a pre-built exploit make is much less likely. Especially even moreso if you spoof the user agent.

      Regardless, the tone of your post is a bit over the top, and doesn't match the evidence- just figured I would point that out.

  2. Re:How about the nodes by Anonymous Coward · · Score: 2, Informative

    He means: will the NSA try to root you for running a tor node?

    One of the presentations says "probably not" and cites legal and technical challenges. We all know "legal" isn't really much of a roadblock, probably written in there for plausible deniability while the presenter mentioned with a wink and a sneer while dictating against the powerpoint, but sounds like if you run an exit node and keep it patched up, it might not be worth the squeeze for a full attack.

    Keep in mind that if they decide your node IS worthy of being attacked, you won't have the resources to defend against every known and currently-unknown exploit, so you should assume you've already been compromised and mitigate accordingly.

  3. Re:How about the nodes by ron_ivi · · Score: 5, Informative

    Second to last slide mentions that too - paraphrased "could be worse - people might find alternatives to tor or improve it if they knew what we could do".

  4. NSA 2006 Report on Tor up now. by eddy · · Score: 4, Informative

    "Our goal was to analyse Tor source code and determine any vulnerabilities in the system. We set up an internal Tor network to analyze..." http://apps.washingtonpost.com/g/page/world/nsa-research-report-on-the-tor-encryption-program/501/

    --
    Belief is the currency of delusion.