DEFCON 22 conference. Adrian Crenshaw. What can "burn" Tor users
Hello, my name is Adrian Crenshaw. I'm a co-founder of Derbycon, the founder of Irongeek.com, interested in information security and working as a senior security consultant at TrustedSec. I'll tell you how people drop their documents on the darknet and how that makes them easy to catch.
These are all well-known stories about people who used Tor or other anonymizers and were caught, mainly through neglect of OPSEC rules.
The story I numbered 0 is the bomb that was allegedly planted at Harvard University last year. One guy sent an e-mail to several departments of the university administration, including campus security and the student newspaper, naming the locations of the bombs: the Science Center, Sever Hall, Emerson Hall, Thayer Hall. He wrote that they should act quickly, because the bombs would soon explode. The media reported this on December 1? 2013.
So who was this guy? He used the Guerrilla Mail service to send his e-mail, and he sent it through Tor.
But he did not take into account that Guerrilla Mail puts the sender's original IP address in the message header. If you send a message from home, the header will show the IP address of your home computer. The slide shows an example where I used my own mailbox on irongeek.com to show how it works. This guy thought about anonymity and used Tor, so his message carried the IP address of a Tor exit node. However, he did not consider that all Tor nodes, with the exception of bridges, are known and publicly listed, for example on torstatus.blutmagie.de, so it is easy to determine whether a particular address belongs to the Tor network or not. If you do not use a bridge, it is very easy to find out who connected to the Harvard network and used Tor at the time the threatening e-mail was sent. See also arstechnica.com/tech-policy/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon .
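Because Tor relays are publicly listed, a mail administrator or incident responder who receives a threatening message can check whether the address a web mailer stamped into the headers belongs to a Tor exit. This is an added example, not the speaker's code or anything from Guerrilla Mail; the exit list, addresses and message are constructed placeholders, and a real check would load the current list published by the Tor Project.

```python
import email
import ipaddress
import re
from email import policy

# Constructed placeholder exit list (one address per line), standing in for the
# public Tor node lists the talk refers to. These are not real relays.
TOR_EXIT_LIST = "198.51.100.7\n203.0.113.42\n2001:db8::1\n"

# Constructed sample message: the web mailer copied the submitting client's
# address into X-Originating-IP, as described in the talk.
SAMPLE_MAIL = """\
From: anon@example.invalid
Subject: test
X-Originating-IP: [203.0.113.42]
Received: from mail.example.invalid ([192.0.2.10]) by mx.example.edu

body
"""

# Bracketed addresses as they appear in Received / X-Originating-IP headers.
_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def _parse_ip(text):
    """Return an ip_address object, or None when the text is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def load_exit_list(text):
    """Parse one address per line, skipping blanks and unparsable lines."""
    return {ip for ip in map(_parse_ip, text.splitlines()) if ip is not None}


def header_ips(raw_message):
    """Collect every bracketed IP from X-Originating-IP and Received headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for name in ("X-Originating-IP", "Received"):
        for value in msg.get_all(name, []):
            found.extend(ip for ip in map(_parse_ip, _BRACKETED.findall(str(value)))
                         if ip is not None)
    return found


def classify(raw_message, exit_list_text=TOR_EXIT_LIST):
    """Map each header IP (as text) to True when it is a known Tor exit."""
    exits = load_exit_list(exit_list_text)
    return {str(ip): ip in exits for ip in header_ips(raw_message)}
```

Running `classify(SAMPLE_MAIL)` flags the X-Originating-IP address as a known exit and leaves the relaying mail server's address unflagged.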
From this case you can draw the following conclusions:
use the Tor network constantly, not from time to time. Your browser stores cookies: if you visited a site through Tor and later went back to it openly, without Tor, the browser sends that site the same cookies, so you can easily be correlated and identified. The Tor Browser is also good because it does not keep cookies and clears the whole history when you close it;
do not give anybody personal information, because if you share a whole bunch of data with someone who can be arrested, you too can be arrested;
as I said, remember that correlation attacks are a serious threat.
Next, consider case number 2: the company Freedom Hosting provided customers with mail services inside the Tor network, that is, it let them create their own mailboxes within the anonymous network. Among other things, these were also used to distribute child porn, although they were mainly used simply to exchange mail between users. It was because of the child porn that in 2011 this hosting was attacked by Anonymous during their operation to "sweep" the darknet.
In particular, the Lolita City site hosted on Freedom Hosting was hit by a DDoS attack, after which the Anonymous hackers were able to publish its entire user list. In July 201? the FBI compromised several Freedom Hosting mail sites and injected malicious JavaScript into them that exploited CVE-2013-1690 in version 17 of the Firefox ESR browser. As you know, the Tor software bundle is based on Firefox. Its developers had released a patch that fixed the vulnerability, but many Tor users, as usual, had not updated the onion browser on time.
This vulnerability allowed the FBI to take control of Freedom Hosting mail by deploying an exploit called Magneto. It is a tiny Windows executable. Magneto looks up the victim's Windows hostname and the MAC address of her computer and sends this information back to an FBI server in Virginia, exposing the victim's real IP address. The payload sends the data in a plain HTTP request outside the Tor network. Details can be read at ghowen.me/fbi-tor-malware-analysis .
This project is similar to one called Egotistical Giraffe, a tool the FBI used against vulnerable Tor users through vulnerable software on their computers. Similar spyware used by the feds includes Magic Lantern, FOXACID and CIPAV, the Computer and Internet Protocol Address Verifier.
As a result, the FBI managed to take down Freedom Hosting, arresting its owner, the 28-year-old dual Irish and US citizen Eric Eoin Marques, for distributing child pornography. He could be linked to the Freedom Hosting server through payment records: he bought something, and information about the purchase, tied to his real IP address, remained in his Freedom Hosting mailbox. When he was arrested by the agents, he rushed to switch off his laptop so that the hard disk encryption would lock on reboot, but he did not manage it.
From this case you can learn the following lessons:
never deal with a hosting company associated with Captain Picard or Julian Bashir. If you are familiar with 4chan culture, you know that these nicknames stand for the initials CP, or "child pornography", and JB, or "jailbait";
update, update and update again. If all these people had installed the Firefox patch on time, the FBI would not have been able to run the Magneto exploit against Tor users. Now, if you are using an outdated version of the Tor Browser, a bar appears at the top inviting you to update it;
do not let yourself be tracked through your payments; do not use e-mail to store payment records that contain your personal information;
leave your laptop in an encrypted state when you are not using it.
A hidden server can be made to contact you directly, which reveals its real IP address, and it can be checked for common vulnerabilities such as buffer overflows and the like.
Keep this in mind so that you do not end up under federal surveillance simply by contacting such a server inside the Tor network.
Case number 3 concerns the well-known Silk Road. This darknet market was run by a guy under the pseudonym Dread Pirate Roberts. It was an electronic marketplace for buyers and sellers trading in, let's say, not quite legal goods. The materials of the Silk Road case dated September 2? 2013 show that about 1?000 listings were found on the site in the Tor network under categories such as "marijuana", "ecstasy", "intoxicants", "opioids", "precursors", "psychedelics" and similar narcotic substances. In short, it was Charlie Sheen's dream.
Also, 159 listings were discovered on the site offering to hack accounts on various networks, including Facebook and Twitter, on the customer's request, so that the customer could arbitrarily manage and change the account holder's personal information; 22 tutorials on hacking ATMs; and contacts of suppliers of illegal services such as "anonymous bank accounts", "counterfeit accounts in CAD/GBP/EUR/USD currency", "sale of firearms and ammunition", "stolen bank card and PayPal account data" and even "hired assassins in more than 10 countries". The only things not offered for sale or found on the network were fake diplomas, certificates, medical prescriptions and counterfeit money. Apparently the site owner had problems with that.
After the volume of transactions reached 1.2 billion dollars, the FBI became interested in Silk Road. First of all they looked for the earliest links to Silk Road on the public Internet, using Google searches restricted to different time ranges. They found the earliest link to this resource on Shroomery, a small website for mushroom enthusiasts, where a guy under the nickname altoid posted a link to the Silk Road page in the Tor network.
In fact, he was advertising the site, saying that on Silk Road one can anonymously buy anything at all. This post was made on January 2? 2011.
Then, on bitcointalk.org, someone opened a thread called "Heroin Shop", and a user named ShadowOfHarbringer wrote that Silk Road may not sell heroin, but it is the first trading platform where you can anonymously buy all other drugs for bitcoin. This also sounded like an advertisement for the site, and the user ended his post with the phrase "guys, let me know what you think about it!", inviting feedback.
Thus the feds established that Silk Road really existed and worked. Later, in October of the same year, on the same site bitcointalk.org, the character familiar from Shroomery, altoid, opened a thread "I'm looking for a professional IT specialist to open a bitcoin start-up", where he wrote that interested people could contact him at the given e-mail address. And do you know what he did? He gave the address of a mailbox registered under his real first and last name, Ross Ulbricht, [email protected] This is called a total failure of the OPSEC principle.
Therefore the FBI could easily establish the connection between altoid, the first mention of Silk Road and bitcoin. altoid's e-mail was the same as Ross's. Ulbricht's Google+ profile showed that he was interested in the libertarian Ludwig von Mises Institute, "the world center of the Austrian school of economics."
Further, they found that the signature of Dread Pirate Roberts on the Silk Road forums contained a link to the Mises Institute, and that Austrian economic theory had a great influence on the philosophy of Silk Road. In addition, an account named "Ross Ulbricht" posted on StackOverflow asking for help writing PHP code to talk to Tor hidden services.
True, this account was quickly renamed "frosty", but the user's original name matched his real first and last name. The combination of this evidence enabled the FBI to obtain an arrest warrant for Ulbricht and left no doubt that Ross William Ulbricht and Dread Pirate Roberts were one and the same person.
I probably would not hide my true identity either if I had earned ?2 billion dollars. The feds also found out that someone was connecting to the Silk Road host server from an Internet cafe located next to Ross's apartment in San Francisco. Messages written under the name of Pirate Roberts showed that he lived in the Pacific time zone.
The IP address of the Silk Road server connected to the VPN via an IP address belonging to the Internet cafe on Laguna Street in San Francisco, and from there, at the same time, on June ? 201?, Ross logged into his Gmail inbox.
In a private message to Pirate Roberts, one of the users wrote that he had found a leak of information from the site through an external IP address belonging to the VPN. Then the FBI somehow managed to capture and image the hard drives of one of the Silk Road servers. Presumably they paid the hacker Nicholas Weaver to crack Silk Road and make it connect to an external server that did not use Tor, revealing the real IP address of the Silk Road server.
On July 1? 201? US Customs intercepted 9 identity cards in different names, all of which bore a photograph of Ross Ulbricht. The agents questioned Ross, but he denied having ordered these documents and refused to give any further comment. That was very sensible of him. But then he did something stupid, saying that hypothetically anyone could go to a site called "Silk Road" or "TOR" and buy drugs or fake documents there. Why would he need to talk about this at all if, as a respectable citizen, he should not have known anything about it?
However, private correspondence showed that Dread Pirate Roberts had been interested in buying fake identity cards.
Further, one of the Silk Road servers used SSH with a private key that contained the string frosty@frosty. That server used the same code that had once been posted on StackOverflow. Finally, on October ? the FBI arrested Ulbricht in a public library just after he had entered the password into his laptop. A lot of incriminating evidence was found on the laptop.
Additional information about this case can be found in Nate Anderson's article and in the documents that Agent Christopher Tarbell presented to the court, at arstechnica.com/tech-policy/2013/10/how-the-feds-took-down-the-dread-pirate-roberts and www.cs.columbia.edu/~smb/UlbrichtCriminalComplaint.pdf .
From this case you can learn these lessons:
keep a separate identity for your online persona, never use real names, use different usernames and connect to the network from different places;
build yourself a consistent cover story with no contradictions that you could be caught on. Do not reuse old nicknames, as Ross did with the name "Josh", under which fellow students and roommates knew him;
do not discuss your interests with anyone, and do not publicly post questions and requests for help that reveal them;
do not volunteer any confessions or suppositions such as "anyone can buy these things on Silk Road".
So, we have a little time left for me to tell you how deanonymization of Tor users works and to show you several ways to uncover a user's identity.
First you configure the proxy on the local machine. Then you visit something on the Tor network; here I want to persuade you to go to a specific site and download a Word document called track.docx from it, that is, to follow the link www.irongeek.com/host/track.docx .
Now I am trying to connect to the Tor network; this depends on how your browser is set up, because it may not allow proxy connections. So, Tor has started, and now I need to follow the link to the specific site and open the document track.docx.
It is a trap. You see the Tor greeting and the lines of the document loading on the screen. That is all: you have opened this document on your computer.
Now I go to my site irongeek.com, open the log and see the real IP address of the computer on which this document was opened, the time it was opened and the characteristics of the browser used.
What else can I do? Ask the user to download an archive credit_card.zip supposedly containing a bunch of stolen credit card data. After he does this, I will be able to see who opened this document, and their real IP address, at honeydocx.com/hive/sting/4254/buzz.
To open the "buzz", I need to enter the login and password I registered on honeydocx.com. I do so and everything is ready: you see the IP address and the location coordinates of the user who opened credit_card.zip.
I showed you what happens when people use Tor but do not configure the proxy connection in the browser as they should.
There are more professional tools than mine; I simply use documents of different formats which, once opened on the user's computer, launch my exploit.
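Tracking documents like track.docx work because Word fetches externally linked parts when the file is opened, so a recipient can inspect a .docx for such links before opening it. This scanner is an added example, not the speaker's code or a HoneyDocx tool; the minimal package it builds and the tracker URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves while opening the file, so an external
# target of these types calls home without any click. Hyperlinks are external
# too but only fire when followed, so they are reported with auto_fetch=False.
AUTO_FETCH = {"image", "oleObject", "attachedTemplate"}


def external_targets(docx_bytes):
    """List every TargetMode="External" relationship in a .docx package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append({"part": name, "type": rtype,
                             "target": rel.get("Target"),
                             "auto_fetch": rtype in AUTO_FETCH})
    return hits


def build_sample_docx(remote_image=None):
    """Constructed minimal package (not a real Word file) used as test input;
    remote_image adds the externally linked picture a tracking document relies on."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if remote_image:
        rels.append(f'<Relationship Id="rId9" Type="{OFFICE_REL}image" '
                    f'Target="{remote_image}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")  # placeholder body
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    beacon = build_sample_docx("http://tracker.example.invalid/pixel.png")
    for hit in external_targets(beacon):
        print(hit)
```

Pass the bytes of a real .docx to `external_targets` to see its external relationships; any hit with `auto_fetch` set would contact the listed host as soon as the document is rendered.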
The next thing I can do to trick the user is to set up a hidden service. On the screen you see OWASP Mutillidae II, an intentionally vulnerable open source application that serves as a target for practicing various attacks. If you open the menu, you can see the types of attacks you can try, for example SQL injection. In this application you can demonstrate command injection through the ping function: make the server ping an address from the command line, see who pings you back, and so determine its real IP address.
Next, you can look at insecure direct object references and do many more such things. Tor runs very slowly with this application, so I cannot show how it works; I have too little time left. I will just say that the main idea of the command injection is that you see who sends the ping back to you. Answering the question of whether I can determine the real IP address through a VPN this way: yes, it is possible.
If you want, you can watch a detailed video about this on my website at www.irongeek.com/i.php?page=videos/tor-hidden-services .
Thank you for your attention!