Transcript Slides

Microsoft MVP (Enterprise Security)
Microsoft Certified Trainer (18 years)
Founder: Cybercrime Security Forum!
Winner: Microsoft Speaker Idol 2006
Author: The Seventh Day
Andy Malone
(United Kingdom)
Follow me on Twitter
@AndyMalone
www.Andymalone.org
What is TOR and how does it keep me anonymous?
Who uses TOR & Why?
Understand what the Darkweb is & learn about its dangers
Learn about Potential Flaws in the Technology
Forensics & Law Enforcement
TOR Technology & My Business
TOR: A Tale of Two Sides
One side: freedom from censorship, no restrictions, private communication; many US and UK agencies use similar private channels.
The other side, the Dark Web: drugs, guns, malicious software, paedophiles, slavery, black markets.
The TOR Project family (https://www.torproject.org/):
Tails
TOR Browser
TOR Atlas
Stem (development environment: a Python controller library)
Orbot (Android)
ARM (shell status monitor)
Pluggable Transports
TOR Cloud
TOR: Key Principle
“There are no conspiracies. We
don’t do things we don’t want
to. No backdoors ever!”
Jacob Appelbaum: TOR (2013)
Home Users can protect themselves when online
Activists can anonymously report abuses from danger zones
Whistleblowers can use Tor to safely report on corruption
Journalists use Tor to protect their research and sources online
Military and law enforcement can protect communications,
investigations, and intelligence (No IP Trace)
[Diagram: Alice's onion proxy and TOR nodes Bob, Jane and Dave; green links are encrypted, red links are in the clear; ports shown: 9001 (ORPort), 9030 (DirPort), 9090, 443 and 80]
• In the original design, each OR maintains a TLS connection (with AES session keys) to every other OR
• Users run an onion proxy (OP) to fetch directories and establish circuits across the network
• Each OR maintains a long-term identity key and a short-term onion key, rotated periodically (10 mins)
• The identity key signs the OR's TLS certificates and its router descriptor: a summary of its keys, address, bandwidth, etc.
Step 1: Alice's TOR client obtains a list of TOR relays (nodes) from a directory server, over the directory port (9030).
Step 2: Alice's TOR client picks a random path through the relays to the destination server. Green links are encrypted, red links are in the clear: the final hop from the exit node to a port 80 web server is unencrypted.
Step 3: If at a later time Alice connects to a different resource, a different random route is selected. Again, green links are encrypted, red links are in the clear.
Onion Routing: Peeling back the Layers
Alice builds a two-hop circuit and begins fetching a web page.
https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html
Fixed-size cells of 512 bytes, each with a header and a payload. The header carries a circuit identifier (circID) and a command; the whole cell travels inside the TLS-encrypted link between nodes.
• Control cells: interpreted by the node that receives them
• Relay cells: carry end-to-end stream data and have an additional relay header at the front of the payload containing the streamID, an integrity checksum, the length of the relay payload and the relay command
Onion Routing: Cell Commands
Relay data: carries stream data down the circuit
Relay begin: to open a stream
Relay end: to close a stream cleanly
Relay teardown: to close a broken stream
Relay connected: to notify that a relay begin has succeeded
Relay extend/extended: to extend the circuit by a hop
Relay sendme: congestion control
Relay drop: implements long-range dummies
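The cell layout and the layer-peeling described on the last two slides, as an added Python example (not code from the talk or from the Tor Project): it packs cells in the 2004 design-paper layout (2-byte circID, 1-byte command, 509-byte payload; relay header of streamID, 6-byte digest, length and relay command), wraps a relay cell in one layer per hop of a constructed two-hop circuit, and lets each hop peel its layer and check the digest to decide whether the cell is for it or must be forwarded. The stream cipher (HMAC-SHA256 in counter mode standing in for AES-CTR), the keyed 6-byte digest, the hop keys and the sample request are assumptions made so it runs offline with the standard library; the numeric command values are those of tor-spec.

```python
"""Tor cell layout from the 2004 design paper (section 4.1) plus a toy
two-hop onion: Alice wraps a relay cell in one layer per hop, each OR peels
its layer and checks the relay digest to see whether the cell is for it."""
import hashlib
import hmac
import struct

CELL_LEN = 512
CELL_HDR = struct.Struct("!HB")                  # circID (2 bytes), command (1 byte)
PAYLOAD_LEN = CELL_LEN - CELL_HDR.size           # 509
# Relay header in the order the design paper draws it:
# streamID (2), integrity digest (6), payload length (2), relay command (1).
RELAY_HDR = struct.Struct("!H6sHB")
RELAY_DATA_LEN = PAYLOAD_LEN - RELAY_HDR.size    # 498

# Command numbers taken from tor-spec (the design paper gives only names).
CMD_RELAY = 3
RELAY_CMDS = {1: "begin", 2: "data", 3: "end", 4: "connected", 5: "sendme",
              6: "extend", 7: "extended", 8: "truncate", 9: "truncated", 10: "drop"}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Tor uses AES-CTR here; HMAC is
    used only so the example runs with the standard library alone."""
    blocks = [hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def layer(payload: bytes, key: bytes) -> bytes:
    """Apply or remove one hop's layer (XOR stream cipher: same op both ways)."""
    return bytes(a ^ b for a, b in zip(payload, keystream(key, b"forward", len(payload))))


def relay_digest(key: bytes, payload_with_zero_digest: bytes) -> bytes:
    """6-byte end-to-end check only the intended hop can verify. Tor keeps a
    running SHA-1 seeded per hop; a keyed HMAC is a simplification."""
    return hmac.new(key, payload_with_zero_digest, hashlib.sha256).digest()[:6]


def build_relay_payload(stream_id: int, relay_cmd: int, data: bytes, hop_key: bytes) -> bytes:
    if len(data) > RELAY_DATA_LEN:
        raise ValueError("relay data exceeds 498 bytes; split it across cells")
    body = data.ljust(RELAY_DATA_LEN, b"\x00")
    unsigned = RELAY_HDR.pack(stream_id, bytes(6), len(data), relay_cmd) + body
    return RELAY_HDR.pack(stream_id, relay_digest(hop_key, unsigned), len(data), relay_cmd) + body


def build_cell(circ_id: int, command: int, payload: bytes) -> bytes:
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly 509 bytes")
    return CELL_HDR.pack(circ_id, command) + payload


def parse_cell(cell: bytes):
    """Split a cell into (circID, command, payload); cells are fixed at 512 bytes."""
    if len(cell) != CELL_LEN:
        raise ValueError("cells are fixed-size 512-byte units")
    circ_id, command = CELL_HDR.unpack_from(cell)
    return circ_id, command, cell[CELL_HDR.size:]


def recognize_relay(payload: bytes, hop_key: bytes):
    """Parsed relay header and data if this hop's digest verifies, else None
    (the hop then forwards the still-encrypted payload to the next hop)."""
    stream_id, digest, length, relay_cmd = RELAY_HDR.unpack_from(payload)
    if length > RELAY_DATA_LEN:
        return None
    body = payload[RELAY_HDR.size:]
    unsigned = RELAY_HDR.pack(stream_id, bytes(6), length, relay_cmd) + body
    if not hmac.compare_digest(digest, relay_digest(hop_key, unsigned)):
        return None
    return {"stream_id": stream_id, "relay_cmd": RELAY_CMDS.get(relay_cmd, relay_cmd),
            "data": body[:length]}


def onion_wrap(payload: bytes, hop_keys: list) -> bytes:
    """Alice adds layers innermost first, so the first hop's layer is outermost."""
    for key in reversed(hop_keys):
        payload = layer(payload, key)
    return payload


def traverse_circuit(cell: bytes, hop_keys: list):
    """Walk the cell along the circuit: each OR strips its layer and tests the
    digest. Returns (index of the recognizing hop, parsed relay)."""
    _circ_id, command, payload = parse_cell(cell)
    if command != CMD_RELAY:
        return None, None
    for i, key in enumerate(hop_keys):
        payload = layer(payload, key)
        relay = recognize_relay(payload, key)
        if relay is not None:
            return i, relay
    return None, None


# Constructed two-hop circuit (entry, exit) like the design paper's Figure 1;
# in Tor the per-hop keys come from the CREATE/EXTEND handshakes.
HOP_KEYS = [b"constructed-key-entry-hop", b"constructed-key-exit-hop"]
REQUEST = b"GET / HTTP/1.0\r\nHost: www.torproject.org\r\n\r\n"


def demo():
    inner = build_relay_payload(0x0101, 2, REQUEST, HOP_KEYS[-1])   # RELAY_DATA for the exit
    cell = build_cell(0x1234, CMD_RELAY, onion_wrap(inner, HOP_KEYS))
    return traverse_circuit(cell, HOP_KEYS)
```

The entry hop strips its layer, fails the digest check and forwards; the exit strips the last layer, recognizes the cell and recovers the HTTP request, which is exactly the point of the exit-node slides later on.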
Exploring the TOR Project
A Journey Inside the Darknet
Controlled substance marketplaces
Armories selling all kinds of weapons
Child pornography
Unauthorized leaks of sensitive information
Money laundering
Copyright infringement
Credit Card Fraud
Content that search-engine crawlers do not index:
Dynamic
Unlinked
Private site
Contextual: pages whose content varies with the client's IP address range
Limited access: pages protected technically, e.g. by robots exclusion, CAPTCHAs or no-cache Pragma HTTP headers that prohibit crawling and caching
Scripted: content reachable only through links produced by JavaScript, or downloaded dynamically via Flash or Ajax
Non-HTML/text
Exploring the Darkweb
Timing attack
Entry monitoring
Intersection attack
DDoS attack
Predecessor attack (replay)
Exit node sniffing
[Diagram, entry monitoring: Bob posts anonymous content via a compromised node out to a compromised server; law enforcement monitors the suspect's client machine at the entry point; green = encrypted, red = unencrypted]
[Diagram, exit node sniffing: a criminal posts anonymous content onto a server via a compromised node; law enforcement monitors the target client machine (infected with malicious code) at the exit point; green = encrypted, red = unencrypted]
• An exit node has complete access to the content transmitted from sender to recipient when the stream itself is not encrypted
• If the message is encrypted with SSL/TLS, the exit node cannot read it, just as on any encrypted link over the regular internet
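What the two exit-node bullets mean in practice, as an added Python example that is not from the slides or from Tor: given the first bytes of a stream leaving an exit, it recovers the full request (method, path, headers, cookie, posted credentials) when the stream is plaintext HTTP, and only the SNI hostname from the ClientHello when the stream is TLS, since everything after the handshake is ciphertext. The HTTP login request and the minimal TLS 1.2 ClientHello are constructed sample inputs, not captures.

```python
"""What an exit relay sees: a plaintext HTTP request is fully readable, a
TLS stream yields only handshake metadata (the SNI hostname) then ciphertext."""
import struct

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS")


def parse_http_request(data: bytes) -> dict:
    """Plaintext HTTP: request line, every header (Host, Cookie, Authorization)
    and the body are all exposed to the exit."""
    head, _, body = data.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"kind": "http", "method": method.decode(), "path": path.decode(),
            "headers": headers, "body": body}


def parse_tls_client_hello(data: bytes):
    """TLS: walk the ClientHello to the server_name extension. Returns None if
    the bytes are not a TLS handshake record carrying a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:                      # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                          # 0x01 = ClientHello
        return None
    sni = None
    try:
        pos = 4 + 2 + 32                                      # hs header, client_version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos + 2 <= len(hs):
            end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                pos += 4
                if etype == 0x0000:   # server_name: list len(2), name type(1), name len(2), name
                    name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                    sni = hs[pos + 5:pos + 5 + name_len].decode()
                pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        sni = None                                            # malformed hello: still TLS, no SNI
    return {"kind": "tls", "sni": sni}


def classify_exit_stream(data: bytes) -> dict:
    """Decide what the exit can read from the first bytes of a stream."""
    tls = parse_tls_client_hello(data)
    if tls is not None:
        return tls
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return parse_http_request(data)
    return {"kind": "unknown"}


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with an SNI extension, used as
    sample input in place of a packet capture."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"               # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample of a plaintext login sent over Tor: every byte of it is
# visible to the exit relay (and to anyone sniffing behind it).
HTTP_SAMPLE = (b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
               b"Cookie: session=abc123\r\nContent-Length: 27\r\n\r\n"
               b"user=alice&password=hunter2")
```

Run `classify_exit_stream(HTTP_SAMPLE)` and `classify_exit_stream(build_client_hello("www.torproject.org"))` side by side: the first hands the exit a session cookie and a password, the second only the name of the site being visited.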
[Diagram, intersection attack: Bob posts anonymous content via a compromised node out to a compromised server while one TOR node is offline; Police observe the network; green = encrypted, red = unencrypted]
Network analysis: nodes periodically drop off the network. Any chain that keeps functioning cannot have been routed through the nodes that left, nor through nodes that only recently joined, so each such observation narrows the set of possible routes and increases the chances of a successful traffic analysis.
Tor is vulnerable to DoS attacks in which users consume more network resources than they are allowed, or render the network unusable for other users.
Tor deals with these attacks with:
Puzzle solving: requiring a puzzle solution at the beginning of a TLS handshake or before accepting create cells limits the attack multiplier.
Rate limiting: limiting the rate at which create cells and TLS connections are accepted, so the computational work of processing them does not disrupt the symmetric cryptography operations that keep cells flowing.
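The two relay-side defences named above, as an added Python example (not Tor's implementation): a hashcash-style client puzzle that must be solved before the relay spends any public-key work on a CREATE cell, and a per-peer token bucket that caps how many CREATE cells or TLS connections are accepted per second. The puzzle difficulty, the rates, the peer addresses and the challenge nonce are assumptions; the clock is passed in explicitly so the scenario is deterministic.

```python
"""Client puzzle plus per-peer rate limit in front of CREATE-cell processing."""
import hashlib
from collections import defaultdict

PUZZLE_BITS = 12   # assumed difficulty: SHA-256(challenge || solution) starts with 12 zero bits


def puzzle_ok(challenge: bytes, solution: bytes, bits: int = PUZZLE_BITS) -> bool:
    """One hash for the relay to verify; about 2**bits hashes for the client to find."""
    digest = hashlib.sha256(challenge + solution).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve_puzzle(challenge: bytes, bits: int = PUZZLE_BITS) -> bytes:
    """Client side: brute-force a solution. This cost is what limits the attack multiplier."""
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if puzzle_ok(challenge, solution, bits):
            return solution
        counter += 1


class TokenBucket:
    """rate tokens per second, up to burst; the caller supplies the clock."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class CreateCellGate:
    """Decides, per peer, whether the relay does the expensive work for an
    incoming CREATE cell (or TLS handshake) or drops it unprocessed."""

    def __init__(self, rate: float, burst: int):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def accept(self, peer: str, challenge: bytes, solution: bytes, now: float) -> str:
        if not puzzle_ok(challenge, solution):
            return "rejected: puzzle"        # no public-key work spent at all
        if not self.buckets[peer].allow(now):
            return "rejected: rate limit"    # existing circuits' symmetric crypto keeps flowing
        return "accepted"


def demo():
    """Constructed scenario: one peer floods five CREATE cells with valid
    puzzle solutions in 40 ms, another peer sends one good and one bad cell."""
    gate = CreateCellGate(rate=1.0, burst=3)
    challenge = b"constructed-relay-nonce-01"
    good = solve_puzzle(challenge)
    # first 8-byte counter value that is NOT a solution, so the bad case is deterministic
    bad = next(n.to_bytes(8, "big") for n in range(1 << 20)
               if not puzzle_ok(challenge, n.to_bytes(8, "big")))
    flood = [gate.accept("198.51.100.7", challenge, good, now=100.0 + i * 0.01) for i in range(5)]
    other = gate.accept("203.0.113.9", challenge, good, now=100.1)
    wrong = gate.accept("203.0.113.9", challenge, bad, now=100.2)
    return flood, other, wrong
```

With a burst of three, the flooding peer gets three cells processed and the rest dropped before any expensive work, while the unrelated peer is unaffected; the bad-puzzle cell is rejected with a single hash computation.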
[Diagram: a security agency reaches an illegal site through TOR; the agency's IP address is hidden from the site owner; green = encrypted, red = unencrypted]
For security agencies, TOR is a key technology in the fight against organized crime on the internet.
Looks like regular HTTPS traffic on port 443…
The Truth is revealed
Step 1: Obtain a list of TOR servers (relay IP addresses)
Step 2: Create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list
Step 3: Add the output to IP address tables
* Additional links on slides
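The three steps above written out as an added Python example (not from the slides, and not LogRhythm rule syntax): it parses a constructed excerpt in the format of the Tor Project's bulk exit list, matches constructed key=value firewall log lines whose source or destination address is a listed relay, and tallies the internal hosts involved for the IP address table. The list entries and log lines are made up; the default ports 9001/9030 are reported only as context, since relays frequently listen on 443 and port alone is not a reliable indicator.

```python
"""Match firewall logs against a list of Tor relay addresses."""
import ipaddress
import re
from collections import Counter

# Constructed excerpt in the format of the Tor Project's bulk exit list
# (check.torproject.org/exit-addresses); fingerprints and addresses are made up.
EXIT_LIST_SAMPLE = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2014-05-01 10:00:00
LastStatus 2014-05-01 11:00:00
ExitAddress 198.51.100.7 2014-05-01 11:02:11
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2014-05-01 09:30:00
LastStatus 2014-05-01 11:00:00
ExitAddress 203.0.113.42 2014-05-01 11:01:48
ExitAddress 192.0.2.200 2014-05-01 11:01:48
"""

# Constructed firewall log lines in a generic key=value style.
LOG_LINES = [
    "2014-05-01T11:05:01Z fw1 action=allow proto=tcp src=10.0.0.15 dst=198.51.100.7 spt=51022 dpt=9001",
    "2014-05-01T11:05:03Z fw1 action=allow proto=tcp src=10.0.0.15 dst=203.0.113.42 spt=51023 dpt=443",
    "2014-05-01T11:05:04Z fw1 action=allow proto=tcp src=10.0.0.22 dst=198.51.100.99 spt=51100 dpt=443",
    "2014-05-01T11:05:09Z fw1 action=allow proto=tcp src=192.0.2.200 dst=10.0.0.80 spt=44000 dpt=80",
]

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)")
TOR_DEFAULT_PORTS = {9001, 9030}   # default ORPort/DirPort; many relays use 443 instead


def parse_exit_list(text: str) -> set:
    """Collect every ExitAddress line into a set of IP addresses. Relays join
    and leave continuously, so a real deployment re-fetches on a schedule."""
    relays = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            relays.add(ipaddress.ip_address(parts[1]))
    return relays


def match_tor_traffic(log_lines, relays) -> list:
    """Flag any record whose source or destination is a listed relay. The
    address list, not the port, is the indicator: 198.51.100.99:443 is benign
    here and is indistinguishable from a relay on 443 without the list."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst in relays:
            port = int(m["dpt"])
            alerts.append({"direction": "outbound", "internal": str(src), "relay": str(dst),
                           "relay_port": port, "default_tor_port": port in TOR_DEFAULT_PORTS})
        elif src in relays:
            port = int(m["spt"])
            alerts.append({"direction": "inbound", "internal": str(dst), "relay": str(src),
                           "relay_port": port, "default_tor_port": port in TOR_DEFAULT_PORTS})
    return alerts


def internal_hosts_table(alerts) -> Counter:
    """The 'IP address table' output: internal hosts ranked by Tor-related hits."""
    return Counter(a["internal"] for a in alerts)


def run() -> list:
    return match_tor_traffic(LOG_LINES, parse_exit_list(EXIT_LIST_SAMPLE))
```

Of the four constructed records, two are outbound to listed relays from the same workstation (one on 9001, one on 443), one is an inbound connection from a listed exit to an internal web server, and the 443 connection to an unlisted address is correctly left alone.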
Blocking TOR – Application Aware Firewalls
[Screenshots: regular IE 11 browser, IE 11 browser in privacy mode, older TOR, updated TOR]
Other Privacy Solutions
Proxy Heaven
[Diagram: Alice's and Bob's TOR traffic is disguised via OpenWrt-compatible modems; to an eavesdropper it looks like Skype video traffic; green = encrypted, red = unencrypted]
git://git-crysp.uwaterloo.ca/codetalkertunnel
The Extras…
Follow @AndyMalone & Get my OneDrive Link
www.microsoft.com/trustedcloud
www.microsoft.com/sir
www.microsoft.com/sdl
www.microsoft.com/twc
blogs.technet.com/security
http://technet.microsoft.com/library/dn765472.aspx
http://technet.microsoft.com/en-us/library/hh546785.aspx
http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
http://azure.microsoft.com/en-us/
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com