Microsoft MVP (Enterprise Security) Microsoft Certified Trainer (18 years) Founder: Cybercrime Security Forum! Winner: Microsoft Speaker Idol 2006 Author: The Seventh Day Andy Malone (United Kingdom)
Follow me on Twitter @AndyMalone www.Andymalone.org

Agenda
• What is TOR and how does it keep me anonymous?
• Who uses TOR & why?
• Understand what the Darkweb is & learn about its dangers
• Learn about potential flaws in the technology
• Forensics & law enforcement
• TOR technology & my business

TOR: A Tale of Two Sides
• Freedom from censorship, no restrictions, private communication; many US and UK agencies use similar private channels
• The Dark Web: drugs, guns, malicious software, pedophiles, slavery, black market

The TOR Project (https://www.torproject.org/)
• Tails
• TOR Browser
• TOR Atlas
• Stem (development environment)
• Orbot (Android)
• ARM (shell)
• Pluggable Transports
• TOR Cloud

TOR: Key Principle
“There are no conspiracies. We don’t do things we don’t want to. No backdoors ever!” Jacob Appelbaum, TOR (2013)

Who uses TOR & why?
• Home users can protect themselves when online
• Activists can anonymously report abuses from danger zones
• Whistleblowers can use Tor to safely report on corruption
• Journalists use Tor to protect their research and sources online
• Military and law enforcement can protect communications, investigations, and intelligence (no IP trace)

How TOR works
• Each OR (onion router) maintains a TLS / AES connection to every other OR
• Users run an onion proxy (OP) to fetch directories and establish circuits across the network
• Each OR maintains a long-term and a short-term onion identity key (10 mins)
• Used to sign TLS certificates and the OR’s router descriptor: a summary of keys, address, bandwidth, etc.
[Diagram: Alice, Bob and Jane connected through TOR nodes; ports 9001, 9090, 9030 and 443; encrypted and unencrypted links marked]

Step 1: Alice’s TOR client obtains a list of TOR clients from a directory server.
[Diagram: Alice, Bob, Dave and Jane; TOR node ports 9001 and 9030; encrypted and unencrypted links marked]

Step 2: Alice’s TOR client picks a random path to a destination server.
Green links are encrypted, red links are in the clear.
[Diagram: Alice, Bob, Dave and Jane; TOR node on port 443, destination server on port 80; encrypted and unencrypted links marked]

Step 3: If at a later time Alice connects to a different resource, a different random route is selected. Again, green links are encrypted, red links are in the clear.
[Diagram: Alice, Bob, Dave and Jane; destination server on port 80]

Onion Routing: Peeling Back the Layers
Alice builds a two-hop circuit and begins fetching a web page.
https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html

Onion Routing: Cells
• Fixed-size cells of 512 bytes with a header and a payload, carried inside the TLS-encrypted link between nodes
• Header: circuit identifier (circuitID) and command (instruction)
• Control cells: interpreted by the nodes that receive them
• Relay cells: carry end-to-end stream data. They have an additional header in front of the payload containing:
  • streamID
  • integrity checksum
  • length of payload
  • relay command

Onion Routing: Cell Commands
• Relay data: data flowing down the stream
• Relay begin: to open a stream
• Relay end: to close a stream cleanly
• Relay teardown: to close a broken stream
• Relay connected: to notify a successful relay begin
• Relay extend/extended: to extend the circuit by a hop
• Relay sendme: congestion control
• Relay drop: implements long-range dummies

Exploring the TOR Project: A Journey Inside the Darknet
• Controlled substance marketplaces
• Armories selling all kinds of weapons
• Child pornography
• Unauthorized leaks of sensitive information
• Money laundering
• Copyright infringement
• Credit card fraud

Types of deep web content: dynamic, unlinked, private site, contextual, limited access, scripted, non-HTML/text
• Varied access pages with differing ranges of client IP addresses
• Limited technically (e.g. using robots exclusions, CAPTCHAs, or no-cache Pragma HTTP headers, which prohibit browsing & caching)
• Accessible through links produced by JavaScript
• Content dynamically downloaded via Flash or Ajax

Exploring the Darkweb: Attacks on TOR
• Timing attack
• Entry monitoring
• Intersection attack
• DDoS attack
• Predecessor attack (replay)
• Exit node sniffing

Entry point monitoring
[Diagram: criminal posts anonymous content out to a compromised server through a compromised TOR node; police / law enforcement monitor the suspect’s client machine (entry point)]

Exit point monitoring
[Diagram: criminal posts anonymous content onto a server through a compromised TOR node; “infected with malicious code”; law enforcement monitors the target client machine (exit point)]
• An exit node has complete access to the content being transmitted from the sender to the recipient
• If the message is encrypted by SSL, the exit node cannot read the information, just as with any encrypted link over the regular internet

Offline node / network analysis
[Diagram: criminal posts anonymous content out to a compromised server; compromised node; offline node; police]
• Nodes periodically fail off the network; any chain that remains functioning cannot have been routed through either the nodes that left or the nodes that recently joined the network, increasing the chances of a successful traffic analysis

DoS attacks
• Tor is vulnerable to DoS attacks because users can consume more network resources than allowed or render the network unusable for other users. Tor deals with these attacks with:
• Puzzle solving: at the beginning of the TLS handshake or when accepting create cells; this limits the attack multiplier
• Limiting rates: limits the rate of accepting create cells and TLS connections so the computational work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow
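The 512-byte cell layout and the relay header described in the onion-routing slides above, as an added Python example that is not from the slides or from the Tor code base. It assumes the original link-protocol sizes (2-byte circuitID, 1-byte command, 509-byte payload, 11-byte relay header) and simplifies the integrity checksum to a plain SHA-1 over the relay payload rather than Tor's per-hop keyed running digest.

```python
import hashlib
import struct

# Sizes of the original Tor link protocol (2-byte circuit ID); assumption stated in the lead-in.
CELL_LEN = 512
PAYLOAD_LEN = CELL_LEN - 2 - 1                     # 509: cell minus circuitID(2) and command(1)
RELAY_HEADER_LEN = 1 + 2 + 2 + 4 + 2               # relay cmd, recognized, streamID, digest, length
RELAY_DATA_MAX = PAYLOAD_LEN - RELAY_HEADER_LEN    # 498 bytes of stream data per cell
CMD_RELAY = 3                                      # link-level command that marks a relay cell

# Relay sub-commands named on the slide (numeric values from tor-spec; "teardown" omitted).
RELAY_COMMANDS = {"BEGIN": 1, "DATA": 2, "END": 3, "CONNECTED": 4,
                  "SENDME": 5, "EXTEND": 6, "EXTENDED": 7, "DROP": 10}
RELAY_NAMES = {v: k for k, v in RELAY_COMMANDS.items()}


def _digest(relay_payload: bytes) -> bytes:
    """Integrity checksum: first 4 bytes of SHA-1 over the relay payload with its
    digest field zeroed. Simplified: real Tor seeds a running SHA-1 with per-hop
    key material, so only the intended hop 'recognizes' the cell."""
    return hashlib.sha1(relay_payload).digest()[:4]


def build_relay_cell(circ_id: int, relay_cmd: str, stream_id: int, data: bytes) -> bytes:
    """Serialize one fixed-size 512-byte RELAY cell carrying `data`."""
    if len(data) > RELAY_DATA_MAX:
        raise ValueError("relay data exceeds 498 bytes; split it across cells")
    head = struct.pack("!BHH", RELAY_COMMANDS[relay_cmd], 0, stream_id)   # recognized = 0
    tail = struct.pack("!H", len(data)) + data.ljust(RELAY_DATA_MAX, b"\x00")
    digest = _digest(head + b"\x00" * 4 + tail)
    return struct.pack("!HB", circ_id, CMD_RELAY) + head + digest + tail


def parse_relay_cell(cell: bytes) -> dict:
    """Parse a 512-byte cell, verify the relay header and return its fields."""
    if len(cell) != CELL_LEN:
        raise ValueError("Tor cells are exactly 512 bytes")
    circ_id, cmd = struct.unpack("!HB", cell[:3])
    if cmd != CMD_RELAY:
        raise ValueError(f"not a relay cell (command {cmd})")
    payload = cell[3:]
    relay_cmd, recognized, stream_id = struct.unpack("!BHH", payload[:5])
    digest, (length,) = payload[5:9], struct.unpack("!H", payload[9:11])
    if recognized != 0 or _digest(payload[:5] + b"\x00" * 4 + payload[9:]) != digest:
        raise ValueError("digest mismatch: not for this hop, or the cell was tampered with")
    if length > RELAY_DATA_MAX:
        raise ValueError("relay length field exceeds the payload")
    return {"circ_id": circ_id, "relay_cmd": RELAY_NAMES.get(relay_cmd, relay_cmd),
            "stream_id": stream_id,
            "data": payload[RELAY_HEADER_LEN:RELAY_HEADER_LEN + length]}
```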
Security agencies
[Diagram: agency reaches an illegal site through TOR nodes; the agency IP address is hidden from the site owner]
• TOR is a key technology in the fight against organized crime on the internet

Detecting TOR
• TOR looks like regular HTTPS traffic on port 443… the truth is revealed
• Obtain a list of TOR servers
• Then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list
• Add the output to IP address tables
* Additional links on slides

Blocking TOR: application-aware firewalls

Browser privacy
[Screenshots: regular IE 11 browser; IE 11 browser; older TOR; updated TOR]

Other Privacy Solutions: Proxy Heaven
[Diagram: Alice and Bob each disguise their TOR traffic via an OpenWRT-compatible modem; the eavesdropper sees only encrypted Skype video traffic]
git://git-crysp.uwaterloo.ca/codetalkertunnel

Summary: what TOR is and how it keeps you anonymous; who uses TOR & why; what the Darkweb is and its dangers; potential flaws in the technology; forensics & law enforcement; TOR technology & your business

The Extras…
Follow @AndyMalone & get my OneDrive link
• www.microsoft.com/trustedcloud
• www.microsoft.com/sir
• www.microsoft.com/sdl
• www.microsoft.com/twc
• blogs.technet.com/security
• http://technet.microsoft.com/library/dn765472.aspx
• http://technet.microsoft.com/en-us/library/hh546785.aspx
• http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
• http://azure.microsoft.com/en-us/
• http://channel9.msdn.com/Events/TechEd
• www.microsoft.com/learning
• http://microsoft.com/technet
• http://developer.microsoft.com
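The detection rule from the "TOR looks like regular HTTPS traffic on port 443" slide, worked as an added Python example that is not from the slides or from any SIEM product. The relay list and the flow-log lines are constructed (TEST-NET placeholder addresses, not real relays); a flow is flagged when its origin or destination IP is on the list, and the direction tells a defender whether an internal client is building a circuit or traffic is arriving from an exit.

```python
import ipaddress

# Constructed relay list, one "IP ORPort" per line (placeholder addresses, not real relays).
RELAY_LIST = """\
198.51.100.10 9001
198.51.100.11 443
203.0.113.5 9001
"""

# Constructed firewall flow records: "timestamp src dst dport" (not real traffic).
FLOW_LOG = """\
2014-05-12T10:00:01 10.0.0.15 198.51.100.11 443
2014-05-12T10:00:02 10.0.0.15 192.0.2.44 443
2014-05-12T10:00:03 203.0.113.5 10.0.0.80 443
2014-05-12T10:00:04 10.0.0.22 203.0.113.5 9001
"""


def load_relays(text: str) -> dict:
    """Parse the relay list into {ip: or_port}; malformed addresses fail early."""
    relays = {}
    for line in text.splitlines():
        if line.strip():
            ip, port = line.split()
            relays[str(ipaddress.ip_address(ip))] = int(port)
    return relays


def find_tor_flows(relays: dict, log_text: str) -> list:
    """Flag flows whose origin or destination IP is a known relay (the slide's rule).
    Port 443 by itself is not a signal: the second flow goes to an ordinary HTTPS site."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if dst in relays:
            direction = "outbound: internal host connecting to a Tor relay (client)"
        elif src in relays:
            direction = "inbound: connection arriving from a Tor relay (exit)"
        else:
            continue
        hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                     "direction": direction, "looks_like_https": dport == "443"})
    return hits
```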