Slashdot Mirror


Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com)

An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with a special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user would try to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.
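The license check described above is driven by two objects in the ASF container header (the Content Encryption Object and the Extended Content Encryption Object), which carry the URL the DRM stack contacts. As an added example, not code from the article or from Hacker House, the following Python builds a constructed DRM-tagged ASF header in memory and extracts those URLs, so a downloaded .wmv/.wma/.asf file can be inspected before it is ever opened. The GUIDs are those defined in the ASF specification; the sample URLs and key id are placeholders.

```python
"""Scan an ASF container (.wmv/.wma/.asf) for the DRM license URLs that Windows
Media DRM would fetch on open. Added example, not the article's or Hacker House's
code; the sample file is constructed in memory rather than read from disk."""
import re, struct, uuid

# ASF object GUIDs as they appear on disk (little-endian mixed layout).
HEADER_OBJ = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENC = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENC = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le

def _lp(blob: bytes) -> bytes:  # DWORD length-prefixed field used in both DRM objects
    return struct.pack("<I", len(blob)) + blob

def _obj(guid: bytes, body: bytes) -> bytes:  # GUID + QWORD object size + body
    return guid + struct.pack("<Q", 24 + len(body)) + body

def build_sample(license_url: str = "", la_url: str = "") -> bytes:
    """Constructed ASF header; DRM objects are included only when URLs are given."""
    objs = []
    if license_url:  # Content Encryption Object: secret data, type, key id, URL
        objs.append(_obj(CONTENT_ENC, _lp(b"\x00" * 4) + _lp(b"DRM\x00")
                         + _lp(b"KID0\x00") + _lp(license_url.encode() + b"\x00")))
    if la_url:  # Extended Content Encryption Object: WRMHEADER XML in UTF-16LE
        xml = f"<WRMHEADER><DATA><LA_URL>{la_url}</LA_URL></DATA></WRMHEADER>"
        objs.append(_obj(EXT_CONTENT_ENC, _lp(xml.encode("utf-16-le"))))
    return _obj(HEADER_OBJ, struct.pack("<IBB", len(objs), 1, 2) + b"".join(objs))

def drm_urls(data: bytes) -> list:
    """Return every license URL in the header; an empty list means no DRM objects."""
    if data[:16] != HEADER_OBJ:
        raise ValueError("not an ASF container")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    urls, pos = [], 30  # skip GUID, size, object count and two reserved bytes
    while pos + 24 <= header_size:
        guid, size = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)[0]
        body = data[pos + 24:pos + size]
        if guid == CONTENT_ENC:  # four length-prefixed fields; the last is the URL
            off, fields = 0, []
            for _ in range(4):
                n = struct.unpack_from("<I", body, off)[0]
                fields.append(body[off + 4:off + 4 + n])
                off += 4 + n
            urls.append(fields[3].rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENC:
            n = struct.unpack_from("<I", body, 0)[0]
            xml = body[4:4 + n].decode("utf-16-le", "replace")
            urls += re.findall(r"<LA_URL>(.*?)</LA_URL>", xml)
        pos += max(size, 24)  # never advance by less than a header, so a bad size cannot loop
    return urls
```

Running `drm_urls(open(path, "rb").read())` on a real download lists the hosts the DRM license check would reach outside Tor; a non-empty result is the signal to not open the file on a Windows machine whose outbound traffic is not blocked.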

7 of 150 comments

  1. Re:Quicker workaround by Anonymous Coward · · Score: 2, Informative

    stop using IE (physically break it)
    stop using windows
    stop using .asf .wma .wmv files. seriously these formats should be erased from existence!!!
    deny all media players access to the web. seriously no video or music HAS to have access to the internet unless it has drm shit. and you should NEVER buy drmed music or videos. if you want lyrics, open your browser.

  2. It's right there in the FAQ:Don't torrent over Tor by maggotbrain_777 · · Score: 3, Informative

    This is kind of a no-brainer since it says, right in the Tor Browser FAQ [Section B], not to torrent while using the browser:

    "Don't torrent over Tor
    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else."


    https://www.torproject.org/download/download.html.en#warning

  3. Re:I'm ok with this behavior in those use cases by amiga3D · · Score: 3, Informative

    Well if you're up to no good you certainly should learn Linux and also get some good info on computer security. Use one computer for fun, youtube, surfing, contacting family and friends, playing games. For anything where security is paramount you should use a hardened system. The more dire the ramifications of a breach the more hardened. Perhaps a CD-based OS where it is impossible to overwrite the system files. A custom built router with a good open source router OS. Keep all files encrypted on a removable micro-SD card. I'm sure if I was involved in anything like this I'd think of other things to do and avoid. Mostly I'm astounded by how careless people engaged in seriously illegal activity often are.

  4. Not so fast... Re:Not Tor Problems! by theshowmecanuck · · Score: 3, Informative

    Vice has an article titled "Countries that Use Tor Most Are Either Highly Repressive or Highly Liberal," that you might want to read.

    "The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network," Jardine writes.

    Bridges had the strongest association with political repression. "Moving from a country like Burkina Faso (political repression equals 8) to a country like Uzbekistan (political repression equals 14) results in an increase of around 212.58 Tor bridge users per 100,000 Internet users per year," the paper reads.

    If that were the only reason to use Tor you would be absolutely right. But my understanding is that Tor is also used (used more in fact) in countries where the governments will throw you in jail or kill you for the only reason of trying to exercise free speech. Those governments can employ the same tactics to find and jail political dissenters. And that would be a shame. It would be nice to be able to figure out the wheat from the chaff. But there are many governments that I wouldn't want making that determination, including the one being led by the latest POTUS. In fact Tor might become a necessity for free speech in the USA soon.

    --
    -- I ignore anonymous replies to my comments and postings.

  5. Re:Umm... just WMVs? by Gadget_Guy · · Score: 4, Informative

    The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

  6. Re:Umm... just WMVs? by Gadget_Guy · · Score: 4, Informative

    And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.

    If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's aggressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.

    That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that is just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.

  7. Re:Umm... just WMVs? by Burz · · Score: 2, Informative

    Better still is Whonix (VM isolation for both Tor and Torbrowser). TAILS may have a fancy configuration to attempt leak prevention, but privilege escalation attacks are a dime a dozen on Linux.