Slashdot Mirror
Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user would try to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.
1. Determine which TOR-nodes you're talking to. (Netstat or Ethereal) /32s the TOR-nodes are on through the ISP router
2. Remove default route through your ISPs router
3. Add specific routes to the
Traffic routed through TOR will work fine.
Traffic going outside of TOR will fail except for the local network (your home or office LAN).
E
"First they came for the kiddy fiddlers, and no one objected..." Then a month from now, the FBI is ordered to embed these bugs in videos of services at mosques, and videos of anti-Trump protests, and videos of CNN interviews, and seed them all around the internet to build The Bigly List of Brown People and Dissenters.
In the Bush era, I would have laughed this off as a slippery slope argument. In present times, knowing what Snowden has taught us and watching the current political climate, I don't see it as a laughing matter.
The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.
Next? There's a high likelihood this is already happening in Windows 10. Every time you open a file, Windows 10 is sending unknown "telemetry" back to the mother ship. Those Windows Defender and Microsoft Security Essentials updates you get every day? They're hash lists. You can bet your ass those lists contain more than just virus signatures, and matches are being recorded somewhere.
And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.
If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's agressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.
That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.
The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.
And avoid both DRM and Windows like the plague, even if you're not doing something that would get you in trouble with your government.
-- sudon't
Air-ride Equipped