
Academic papers on possible Tor vulns & de-cloaks

To stay ahead of new and evolving threats, cryptostorm has always looked out past standard network security tools. Here, we discuss and fine-tune our work in bringing newly-created capabilities and newly-discovered knowledge to bear as we keep cryptostorm in the forefront of tomorrow's network security landscape.

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

Academic papers on possible Tor vulns & de-cloaks

Postby Pattern_Juggled » Sun Jul 28, 2013 4:09 pm

'Tortilla' Spices Up Active Defense Ops
New free Tor tool, due out at Black Hat USA, aims to make the Tor anonymizing network easier to use for all types of intel-gathering
Kelly Jackson Higgins | July 16, 2013 | Dark Reading


A researcher later this month at Black Hat USA will release a free tool that simplifies the use of Tor and makes it more approachable for all types of security researchers, not just malware analysts.

CrowdStrike researcher Jason Geffner says the new tool, called Tortilla, routes all TCP/IP and DNS traffic anonymously via the Tor Project's network, but unlike existing Tor tools, it operates with Windows and works with all types of browsers.

Geffner says he got the idea for Tortilla after realizing that no other Tor tools provided all of the elements he needed to anonymize his Internet access while he researched bad cyberactors. The new tool also supports Flash and other plug-ins, and doesn't require additional hardware or virtual machines, he says.

But perhaps one of the more attractive features for enterprises is that it plays nicely with Windows, which isn't traditionally the case with other Tor tools, many of which require Linux, for example, Geffner says. "It doesn't require that users work with OSes that are unfamiliar to them," he says. "One of the requirements for Tortilla was that it would require it to be as easy as possible for users to use."

It also prevents malware from circumventing the Tor tunnel, he says -- something that wily hackers can do today via the Tor's browser, the Tor Browser Bundle tool, which is based on Firefox. "While it's great in concept, the downside [with Tor Browser Bundle] is if you're visiting a website with Tor Browser Bundle and the browser gets exploited, it's possible that the exploit could use code executed in the browser to circumvent that Tor tunnel," says Geffner, who is providing only limited details on Tortilla prior to its release.

Tortilla is the latest of a series of free active defense tools becoming available in the public domain. Security experts John Strand, Paul Asadoorian, Ethan Robish, and Benjamin Donnelly offer a Linux distro set of tools called Active Defense Harbinger Distribution (ADHD) for active defense measures, including feeding the attacker phony information about the targeted network.

Active defense, not to be confused with pure "hacking back," is about frustrating, identifying, and, in some cases, physically locating the bad guys behind the keyboard. The goal is to raise the bar and make it more expensive for the attacker, and it's a constant game of one-upsmanship.

"We want to see companies start doing ... [these] nontraditional defense tactics," Strand says. "We're trying to get as much of this open source" and generate other ideas as well for it, he says.

CrowdStrike's Geffner says Tortilla was designed with security researchers in mind, including those who aren't necessarily downloading malware for analysis or communicating with command-and-control servers. "[CrowdStrike has] a large intel team that seeks to capture actionable information on ... adversaries. Some of us do very technical work, and others research the actors themselves, reading their blogs and Web forum posts," he says. "They are using Tortilla with whatever browser they like to have."

For enterprises investing in threat intel efforts, it allows their researchers to investigate malicious actors without revealing their identities, he says. "If Company XYZ gets hit and the attacker sees connections to its server with probes from Company XYZ, that's going to tip off the attacker. If the company can anonymize their research through Tor, it keeps the attacker in the dark and raises the cost to the attacker."

Geffner plans to post both the source code for Tortilla and a working executable during his July 31 presentation at Black Hat in Las Vegas.


cryptostorm_admin
ForumHelper
Posts: 74
Joined: Tue Jan 01, 2013 5:43 pm

Identifying Proxy Nodes in a Tor Anonymization Circuit (pdf)

Postby cryptostorm_admin » Sun Aug 04, 2013 9:08 pm

Identifying Proxy Nodes in a Tor Anonymization Circuit

Sambuddho Chakravarty
Columbia University, NY
sc2516@cs.columbia.edu

Angelos Stavrou
George Mason University, VA
astavrou@gmu.edu

Angelos D. Keromytis
Columbia University, NY
angelos@cs.columbia.edu



Abstract

We present a novel, practical, and effective mechanism that exposes the identity of Tor relays participating in a given circuit. Such an attack can be used by malicious or compromised nodes to identify the rest of the circuit, or as the first step in a follow-on trace-back attack. Our intuition is that by modulating the bandwidth of an anonymous connection (e.g., when the destination server, its router, or an entry point is under our control), we create observable fluctuations that propagate through the Tor network and the Internet to the end-user’s host. To that end, we employ LinkWidth, a novel bandwidth-estimation technique. LinkWidth enables network edge-attached entities to estimate the available bandwidth in an arbitrary Internet link without a cooperating peer host, router, or ISP. Our approach also does not require compromise of any Tor nodes. In a series of experiments against the Tor network, we show that we can accurately identify the network location of most participating Tor relays.

Attachment: septis-tor.pdf (371.7 KiB)
cryptostorm_admin - a mostly-shared, admin team forum account (sort of a person, but also shared)
PLEASE DON'T SEND PRIVATE MESSAGES to this account, as we can't guarantee quick replies!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
support team bitmessage address: BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ
support team email: support@cryptostorm.is
live chat support: #cryptostorm


cryptostorm_admin
ForumHelper
Posts: 74
Joined: Tue Jan 01, 2013 5:43 pm

Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

Postby cryptostorm_admin » Sun Aug 04, 2013 9:16 pm

Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization
2013 IEEE Symposium on Security and Privacy

Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann
{alex.biryukov,ivan.pustogarov,ralf-philipp.weinmann}@uni.lu
University of Luxembourg


Abstract

Tor is the most popular volunteer-based anonymity network consisting of over 3000 volunteer-operated relays. Apart from making connections to servers hard to trace to their origin it can also provide receiver privacy for Internet services through a feature called “hidden services”.

In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services. We give a practical evaluation of our techniques by studying: (1) a recent case of a botnet using Tor hidden services for command and control channels; (2) Silk Road, a hidden service used to sell drugs and other contraband; (3) the hidden service of the DuckDuckGo search engine.


Keywords
Tor; anonymity network; privacy; hidden services

Attachment: 4977a080.pdf (469.54 KiB)


cryptostorm_team
ForumHelper
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

Characterization of Tor Exit-Nodes (pdf)

Postby cryptostorm_team » Sun Aug 04, 2013 9:21 pm

Characterization of Tor Exit-Nodes
Alexander Schaap
a.l.schaap@student.utwente.nl
University of Twente
P.O. Box 217, 7500AE Enschede
The Netherlands


ABSTRACT

Tor is popular open-source software that provides anonymity to its users. However, it is possible to monitor plain-text traffic coming from exit-nodes. Additionally, when one has control over an exit-node, many attacks exist to expose the original source of the traffic, negating the users' anonymity. This allows for potentially disastrous consequences. Yet no work specifically about Tor exit-nodes has been published. In this work, we present a characterization of Tor exit-nodes, in which the following questions will be examined: Who provides exit nodes? Where are they located? And are these nodes used for malicious activities? The results indicate that there are many countries in which exit-nodes are located and many organizations to whom the IP addresses belong. The malicious activity detected from these exit-nodes is low.

Attachment: 50f4b62dc2b71.pdf (376.99 KiB)


Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Practical Vulnerabilities of the Tor Anonymity Network

Postby Baneki » Mon Aug 12, 2013 1:02 pm

Practical Vulnerabilities of the Tor Anonymity Network
Paul Syverson
Center for High Assurance Computer Systems
U.S. Naval Research Laboratory


Abstract

Onion routing is a technology designed at the U.S. Naval Research Laboratory to protect the security and privacy of network communications. In particular, Tor, the current widely-used onion routing system, was originally designed to protect intelligence gathering from open sources and to otherwise protect military communications over insecure or public networks, but it is also used by human rights workers, law enforcement officers, abuse victims, ordinary citizens, corporations, journalists, and others. In this article our focus is less on what Tor currently does for its various users and more on what it does not do. Use of Tor for law enforcement and the national security applications that motivated it faces more significant adversaries than most other uses. We discuss some of the types of threats against which Tor currently offers only limited protection and the impacts of these on all classes of users, but especially on those most likely to confront them.

Attachment: tor-vulnerabilities-iccs.pdf (242.77 KiB)


Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

The Parrot is Dead: Observing Unobservable Network Communications

Postby Baneki » Mon Aug 12, 2013 1:10 pm

The Parrot is Dead: Observing Unobservable Network Communications
Amir Houmansadr Chad Brubaker Vitaly Shmatikov
The University of Texas at Austin


Abstract

In response to the growing popularity of Tor and other censorship circumvention systems, censors in non-democratic countries have increased their technical capabilities and can now recognize and block network traffic generated by these systems on a nationwide scale. New censorship-resistant communication systems such as SkypeMorph, StegoTorus, and CensorSpoofer aim to evade censors’ observations by imitating common protocols like Skype and HTTP.

We demonstrate that these systems completely fail to achieve unobservability. Even a very weak, local censor can easily distinguish their traffic from the imitated protocols. We show dozens of passive and active methods that recognize even a single imitated session, without any need to correlate multiple network flows or perform sophisticated traffic analysis. We enumerate the requirements that a censorship-resistant system must satisfy to successfully mimic another protocol and conclude that “unobservability by imitation” is a fundamentally flawed approach. We then present our recommendations for the design of unobservable communication systems.


Keywords

Censorship circumvention; unobservable communications; Tor pluggable transports

Attachment: shmat_oak13parrot.pdf (240.54 KiB)


Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

Postby Baneki » Wed Sep 04, 2013 3:35 pm

Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

Aaron Johnson | Rob Jansen | Paul Syverson
U.S. Naval Research Laboratory, Washington DC
{aaron.m.johnson, rob.g.jansen, paul.syverson} @nrl.navy.mil

Chris Wacek | Micah Sherr
Georgetown University, Washington DC
{cwacek, msherr} @cs.georgetown.edu


ABSTRACT

We present the first analysis of the popular Tor anonymity network that indicates the security of typical users against reasonably realistic adversaries in the Tor network or in the underlying Internet. Our results show that Tor users are far more susceptible to compromise than indicated by prior work. Specific contributions of the paper include (1) a model of various typical kinds of users, (2) an adversary model that includes Tor network relays, autonomous systems (ASes), Internet exchange points (IXPs), and groups of IXPs drawn from empirical study, (3) metrics that indicate how secure users are over a period of time, (4) the most accurate topological model to date of ASes and IXPs as they relate to Tor usage and network configuration, (5) a novel realistic Tor path simulator (TorPS), and (6) analyses of security making use of all the above. To show that our approach is useful to explore alternatives and not just Tor as currently deployed, we also analyze a published alternative path selection algorithm, Congestion-Aware Tor. We create an empirical model of Tor congestion, identify novel attack vectors, and show that it too is more vulnerable than previously indicated.

Attachment: usersrouted-ccs13.pdf (1.79 MiB)


Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Locating Hidden Servers (.pdf)

Postby Baneki » Fri Oct 04, 2013 12:03 am

Locating Hidden Servers

Lasse Øverlier
Norwegian Defence Research Establishment
and Gjøvik University College
lasse.overlier@{ffi,hig}.no

Paul Syverson
Naval Research Laboratory
syverson@itd.nrl.navy.mil


Abstract

Hidden services were deployed on the Tor anonymous communication network in 2004. Announced properties include server resistance to distributed DoS. Both the EFF and Reporters Without Borders have issued guides that describe using hidden services via Tor to protect the safety of dissidents as well as to resist censorship.

We present fast and cheap attacks that reveal the location of a hidden server. Using a single hostile Tor node we have located deployed hidden servers in a matter of minutes. Although we examine hidden services over Tor, our results apply to any client using a variety of anonymity networks. In fact, these are the first actual intersection attacks on any deployed public network: thus confirming general expectations from prior theory and simulation.

We recommend changes to route selection design and implementation for Tor. These changes require no operational increase in network overhead and are simple to make; but they prevent the attacks we have demonstrated. They have been implemented.

Attachment: locating-hidden-servers.pdf (612.85 KiB)


Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm

Anonymity Network Tor Needs a Tune-up to Protect Users from Surveillance

Postby Baneki » Mon Oct 28, 2013 8:02 am

Anonymity Network Tor Needs a Tune-up to Protect Users from Surveillance
Fixes are planned for Internet anonymity tool Tor after researchers showed that national intelligence agencies could plausibly unmask users.
By Tom Simonite on October 25, 2013 | MIT Technology Review



When reports published earlier this month revealed that the U.S. National Security Agency could reverse the protections of Internet anonymity tool Tor, many activists and others who rely on the tool had little reason to panic. Despite the alarmist tone of some headlines, the techniques revealed relied on attacking software such as Web browsers rather than Tor itself. After reviewing the leaked NSA documents, the Tor Project declared “there’s no indication they can break the Tor protocol.”

All the same, the Tor Project is trying to develop critical adjustments to how its tool works to strengthen it against potential compromise. Researchers at the U.S. Naval Research Laboratory have discovered that Tor’s design is more vulnerable than previously realized to a kind of attack the NSA or government agencies in other countries might mount to deanonymize people using Tor.

Tor prevents people using the Internet from leaving many of the usual traces that can allow a government or ISP to know which websites or other services they are connecting to. Users of the tool range from people trying to evade corporate firewalls to activists, dissidents, criminals, and U.S. government workers with more sophisticated adversaries to avoid.

When people install the Tor client software, their outgoing and incoming traffic takes an indirect route around the Internet, hopping through a network of “relay” computers run by volunteers around the world. Packets of data hopping through that network are encrypted so that relays know only their previous and next destination (see “Dissent Made Safer”). This means that even if a relay is compromised, the identity of users, and details of their browsing, should not be revealed.

However, new research shows how a government agency could work out the true source and destination of Tor traffic with relative ease. Aaron Johnson of the U.S. Naval Research Laboratory and colleagues found that the network is vulnerable to a type of attack known as traffic analysis.

This type of attack involves observing Internet traffic data going into and out of the Tor network and looking for patterns that reveal the Internet services that a specific Internet connection, and presumably its owner, is using Tor to access. Johnson and colleagues showed that the method could be very effective for an organization that both contributed relays to the Tor network and could monitor some Internet traffic via ISPs.

“Our analysis shows that 80 percent of all types of users may be deanonymized by a relatively moderate Tor-relay adversary within six months,” the researchers write in a paper on their findings. “These results are somewhat gloomy for the current security of the Tor network.” The work of Johnson and his colleagues will be presented at the ACM Conference on Computer and Communications Security in Berlin next month.

Johnson told MIT Technology Review that people using the Tor network to protect against low-powered adversaries such as corporate firewalls aren’t likely to be affected by the problem. But he thinks people using Tor to evade the attention of national agencies have reason to be concerned. “There are many plausible cases in which someone would be in a position to control an ISP,” says Johnson.

Johnson says that the workings of Tor need to be adjusted to mitigate the problem his research has uncovered. That sentiment is shared by Roger Dingledine, one of Tor’s original developers and the project’s current director (see “TR35: Roger Dingledine”).

“It’s clear from this paper that there *do* exist realistic scenarios where Tor users are at high risk from an adversary watching the nearby Internet infrastructure,” Dingledine wrote in a blog post last week. He notes that someone using Tor to visit a service hosted in the same country—he gives the example of Syria—would be particularly at risk. In that situation traffic correlation would be easy, because authorities could monitor the Internet infrastructure serving both the Tor user and the service he or she is connecting to.

Dingledine is considering changes to the Tor protocol that might help. In the current design, the Tor client selects three entry points into the Tor network and uses them for 30 days before choosing a new set. But each time new “guards” are selected the client runs the risk of choosing one an attacker using traffic analysis can monitor or control. Setting the Tor client to select fewer guards and to change them less often would make traffic correlation attacks less effective. But more research is needed before such a change can be made to Tor’s design.

Whether the NSA or any other country’s national security agency is actively trying to use traffic analysis against Tor is unclear. This month’s reports, based on documents leaked by Edward Snowden, didn’t say whether the NSA was doing so. But a 2012 presentation marked as based on material from 2007, released by the Guardian, and a 2006 NSA research report on Tor, released by the Washington Post did mention such techniques.

Stevens Le Blond, a researcher at the Max Planck Institute for Software Systems in Kaiserslautern, Germany, guesses that by now the NSA and equivalent agencies likely could use traffic correlation should they want to. “Since 2006, the academic community has done much work on traffic analysis and has developed attacks that are much more sophisticated than the ones described in this report.” Le Blond calls the potential for attacks like those detailed by Johnson “a big issue.”

Le Blond is working on the design of an alternative anonymity network called Aqua, designed to protect against traffic correlation. Traffic entering and exiting an Aqua network is made to be indistinguishable through a mixture of careful timing, and blending in some fake traffic. However, Aqua’s design is yet to be implemented in usable software and can so far only protect file sharing rather than all types of Internet usage.

In fact, despite its shortcomings, Tor remains essentially the only practical tool available to people that need or want to anonymize their Internet traffic, says David Choffnes, an assistant professor at Northeastern University who helped design Aqua. “The landscape right now for privacy systems is poor because it’s incredibly hard to put out a system that works, and there’s an order of magnitude more work that looks at how to attack these systems than to build new ones.”
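The guard-rotation trade-off the article describes (three guards rotated every 30 days versus fewer guards rotated less often) can be put into numbers with a simple exposure model. This is an added example, not code from the article, the NRL paper or the Tor Project; it assumes an adversary controlling a fixed fraction of guard-selection probability, independent picks, and uses "1 guard kept for 270 days" as an illustrative alternative policy rather than any proposal the page quotes.

```python
"""Guard-rotation exposure model for the traffic-correlation argument above.

Added example, not code from the article, the NRL paper or the Tor Project.
Simplifying assumptions:
  * the adversary controls a fixed fraction `adv_fraction` of the guard
    selection probability (real selection is bandwidth-weighted);
  * every guard pick is independent of earlier picks;
  * using one adversary guard at any point counts as exposure, matching the
    article's framing that the attacker can also watch the exit side.
"""
import math
import random


def exposure_probability(adv_fraction, guards, rotation_days, horizon_days):
    """Probability that at least one adversary guard is chosen within the
    horizon. Each rotation draws `guards` fresh picks; the client stays
    unexposed only if every pick is honest, so P(exposed) = 1 - (1-f)^n."""
    rotations = math.ceil(horizon_days / rotation_days)
    picks = guards * rotations
    return 1.0 - (1.0 - adv_fraction) ** picks


def simulate_exposure(adv_fraction, guards, rotation_days, horizon_days,
                      trials=20000, seed=1):
    """Monte Carlo cross-check of exposure_probability: simulate `trials`
    clients that re-pick their guard set every `rotation_days` days and
    report the fraction that ever used an adversary-controlled guard."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        day, hit = 0, False
        while day < horizon_days and not hit:
            guard_set = [rng.random() < adv_fraction for _ in range(guards)]
            hit = any(guard_set)
            day += rotation_days
        exposed += hit
    return exposed / trials


def compare_policies(adv_fraction=0.10, horizon_days=180):
    """Exposure under the design the article describes (3 guards, 30-day
    rotation) versus an assumed 'fewer guards, rotated less often' policy
    (1 guard kept for 270 days), over the same six-month horizon."""
    current = exposure_probability(adv_fraction, 3, 30, horizon_days)
    fewer = exposure_probability(adv_fraction, 1, 270, horizon_days)
    return {"current_3x30d": current, "fewer_1x270d": fewer}


if __name__ == "__main__":
    for name, p in compare_policies().items():
        print(f"{name}: P(exposed within 180 days) = {p:.3f}")
    print("monte carlo, 3 guards / 30 days:", simulate_exposure(0.10, 3, 30, 180))
```

With a 10% adversary the current policy exposes about 85% of clients within six months while the single long-lived guard exposes 10%, which is the shape of the effect the article attributes to fewer, longer-lived guards.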


group
Posts: 1
Joined: Fri Apr 17, 2015 8:42 am

Re: Academic papers on possible Tor vulns & de-cloaks

Postby group » Fri Apr 17, 2015 8:57 am

We present fast and cheap attacks that reveal the location of a hidden server. Using a single hostile Tor node we have located deployed hidden servers in a matter of minutes. Although we examine hidden services over Tor, our results apply to any client using a variety of anonymity networks. In fact, these are the first actual intersection attacks on any deployed public network: thus confirming general expectations from prior theory and simulation.????

