Analysts grudgingly hail Tor as "king of high-secure, low-latency" anonymity.
by Dan Goodin
The National Security Agency and its UK counterpart have made repeated and determined attempts to identify people using the Tor anonymity service, but the fundamental security of Tor remains intact, according to top secret documents published Friday.
The classified memos and training manuals, which were leaked by former NSA contractor Edward Snowden and reported by The Guardian, show that the NSA and the UK-based Government Communications Headquarters (GCHQ) are able to bypass Tor protections, but only against select targets and often with considerable effort. Indeed, one presentation slide grudgingly hailed Tor as "the king of high-secure, low-latency internet anonymity." Another, titled "Tor Stinks," lamented: "We will never be able to de-anonymize all Tor users all the time."
Enter EgotisticalGiraffe
The documents go on to reveal a panoply of covert technologies with names like FoxAcid, Quantum, Stormbrew, Fairview, and Turbulence. The goal of some is to exploit software bugs in the Firefox browser and other software applications used by individual Tor users. Another program uses Tor servers operated by the NSA to redirect user requests or spot patterns in Internet traffic that enters or exits the Tor network. NSA and GCHQ agents also discussed efforts to "shape" or influence future developments of the Tor software and network.
One prominent technique for monitoring terrorists and other people using Tor was dubbed EgotisticalGiraffe. It involves exploiting vulnerabilities in the software bundle that Tor makes available to users. One attack targeted a serious bug in a Firefox component known as ECMAScript for XML (E4X), according to cryptographer Bruce Schneier, who authored this technical analysis for The Guardian. The vulnerability was "inadvertently" fixed when Firefox developers updated the E4X library. Tor users who don't update their software, of course, remain susceptible.
A "less complex exploit" in the NSA's arsenal was the same one used in July to decloak a man suspected of using Tor to run a child porn service. The attack relied on malicious JavaScript that's embedded in a website the Tor user is visiting. The vulnerability has also been fixed in recent versions of Firefox.
According to Schneier, NSA agents were able to use secret servers located on the Internet backbone to redirect some users to another set of secret servers that were codenamed FoxAcid to infect users' computers. Because some of the servers were located on the high-speed links that connect end users to websites, NSA nodes dubbed Quantum were able to respond to requests faster than the server the end user intended to visit. Schneier cited this top-secret diagram as evidence of a Quantum server impersonating Google in such an attack.
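The race-to-respond trick described above, in which an on-path Quantum node answers before the real server can, leaves a trace a network defender can look for: the genuine server's reply usually arrives anyway, so the client sees two segments in one flow that claim the same TCP sequence range but carry different bytes. The following Python is an added example, not code from the article or from Schneier's analysis; the capture it runs over is constructed, and the addresses, payloads and TTL values are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as it would be pulled from a capture (constructed here)."""
    flow: tuple          # (src_ip, src_port, dst_ip, dst_port)
    seq: int             # TCP sequence number of the first payload byte
    ttl: int             # IP TTL on arrival; a different hop count is a corroborating clue only
    payload: bytes


@dataclass(frozen=True)
class Alert:
    flow: tuple
    seq_start: int       # first sequence number where the two segments disagree
    first: Segment       # the segment that arrived first (the race winner)
    conflict: Segment    # a later segment claiming the same bytes with different content


def find_injected(segments):
    """Flag pairs of segments in one flow whose sequence ranges overlap but whose
    bytes differ. An exact duplicate of a segment already seen is an ordinary
    retransmission and is skipped; every other segment is compared against all
    earlier segments of the same flow, including partial overlaps."""
    seen = defaultdict(list)
    alerts = []
    for seg in segments:
        prior = seen[seg.flow]
        if any(p.seq == seg.seq and p.payload == seg.payload for p in prior):
            continue  # plain retransmission, nothing new claimed
        for prev in prior:
            start = max(prev.seq, seg.seq)
            end = min(prev.seq + len(prev.payload), seg.seq + len(seg.payload))
            if start >= end:
                continue  # no shared sequence space
            a = prev.payload[start - prev.seq:end - prev.seq]
            b = seg.payload[start - seg.seq:end - seg.seq]
            if a != b:
                alerts.append(Alert(seg.flow, start, prev, seg))
        prior.append(seg)
    return alerts


# Constructed capture: the server->client half of one plaintext HTTP exchange.
# Addresses are from documentation ranges; the redirect target is made up.
FLOW = ("198.51.100.7", 80, "192.0.2.20", 51000)
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://attacker.example/\r\n\r\n"
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html><body>hi</body></html>")

SAMPLE_SEGMENTS = [
    Segment(FLOW, 1000, 52, INJECTED),                 # arrives first from a closer box
    Segment(FLOW, 1000, 44, GENUINE),                  # real server, same seq, other bytes
    Segment(FLOW, 1000, 44, GENUINE),                  # retransmission: must not alert
    Segment(FLOW, 1000 + len(GENUINE), 44, b"more"),   # next in-order segment: no overlap
]


def summarize(alerts):
    """Compact tuples for logging: (seq, winner ttl, loser ttl, winner status line)."""
    return [(a.seq_start, a.first.ttl, a.conflict.ttl,
             a.first.payload.split(b"\r\n")[0].decode())
            for a in alerts]


if __name__ == "__main__":
    for seq, ttl_first, ttl_conflict, status in summarize(find_injected(SAMPLE_SEGMENTS)):
        print("conflicting data at seq %d: first arrival ttl %d vs %d, winner said %r"
              % (seq, ttl_first, ttl_conflict, status))
```

The heuristic is deliberately narrow: it fires only when two different byte strings are offered for the same position in the same stream, which a correctly behaving server never does, so false positives come mostly from middleboxes that rewrite traffic. The TTL is reported but not used as a trigger, because a box on a shorter path will often, but not always, show a different hop count.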
Schneier provided additional technical details:
Schneier said FoxAcid was a general system operated under the NSA's computer network exploitation program and is used for many types of attacks other than the Tor attacks described in his analysis. It has a modular design, so it can be used with a variety of exploits and in a variety of settings.
What's encouraging in Friday's report is the absence of any vulnerability in Tor itself. That may be reassuring to journalists, political dissidents and, yes, Internet criminals and terrorists, all of whom rely on the service to keep their location and identities secret. The recent takedown of Silk Road, a Tor-protected website that arranged $1.2 billion in sales of heroin, cocaine, and other illicit goods and services, has only ramped up concern that there might be obscure flaws that allowed the government, or anyone else who discovered them, to unmask users. Of course, the absence of proof of crippling vulnerabilities isn't the same thing as proof that none exist, but it's better than some of the scenarios users have drawn in recent months.
"The good news is they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network," Roger Dingledine, the president of the Tor Project, told The Guardian. "Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard. Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on."