A new collection of NSA documents obtained by Edward Snowden was leaked online over the weekend: the German news outlet Der Spiegel published a dump of PDF files detailing how the intelligence agencies of the Five Eyes alliance (USA, UK, Australia, Canada and New Zealand) run cyber attacks on popular anonymizing technologies.
The documents cover the period between 2010 and 2012 and offer an interesting view of the activities run by the intelligence agencies of the five countries to break strong encryption online and de-anonymize users.
As you know, I’m very interested in the activities run by the NSA and its allies to de-anonymize Tor users, and I found a document dated June 2011 that analyzes a technique to track them.
“A potential technique to deanonymise users of the TOR network”.
The 18-page document, classified as “UK TOP SECRET STRAP1 COMINT”, states that GCHQ has the capabilities to try to de-anonymize Tor users:
“We have shown a technique that can deanonymise TOR web-browsing given packet times between the client and guard node and packet times from the exit node filtered to a single circuit. The false positive rate looks low enough to suggest this technique should be carried forward.
The required data is not collected at present. For this technique to work the following additional data feeds will be required:
- Second-accurate packet logging at TOR exit nodes we control with packets labelled by a unique circuit identifier.
- Second-accurate packet logging of sessions between TOR clients and TOR guard nodes. This data could be obtained by SIGINT [signals intelligence] or by running guard nodes. The SIGINT solution would require an up-to-date feed of TOR “consensus” documents; TOR IP addresses could then be extracted from the “consensus” documents for filtering by the SIGINT system.
At the time of writing JTRIG [Joint Threat Research Intelligence Group] are investigating the collection of the exit node data and ICTR-FSP are trialling a feed of guard node data from research bearers.”
The document also explains why British intelligence was not yet able to track a circuit through the Tor network: the main problem was a high “false positive rate”, which required further test sessions to tune the technique. The researchers compared two different sources of data:
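To make the quoted technique concrete from a defender's point of view, here is an added toy example (not code from the leaked document, GCHQ, or Security Affairs) of what a second-granularity timing correlation between a client-to-guard flow and a set of exit-node circuits looks like, and why it is fragile: the same score collapses to zero when the client link is padded to a constant packet rate. All timestamps, circuit identifiers and the 60-second window are constructed for this illustration.

```python
"""Toy timing-correlation illustration (added example, constructed data).

Models the two data feeds named in the document: per-second packet timing
between a client and its guard node, and per-circuit packet timing at an
exit node.  A Pearson correlation over the two second-binned histograms
serves as the matching score.  The padded variant shows the obvious
mitigation: constant-rate cover traffic leaves nothing to correlate.
"""
from math import sqrt

WINDOW = 60  # seconds of observation (constructed)


def burst_session(burst_seconds, offset, spacing=0.05, per_burst=8):
    """Build a constructed packet-timestamp list: `per_burst` packets in each
    burst second, starting `offset` seconds into it.  Offsets stay inside the
    second so the floor-to-bin step is unambiguous."""
    return [s + offset + k * spacing
            for s in burst_seconds for k in range(per_burst)]


def bin_counts(timestamps, window=WINDOW):
    """Second-accurate histogram: packets per 1-second bin over [0, window)."""
    counts = [0] * window
    for t in timestamps:
        if 0 <= t < window:
            counts[int(t)] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is flat
    (no variance means no timing signal to match against)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / sqrt(var_a * var_b)


def best_match(client_ts, circuits, window=WINDOW):
    """Score every exit circuit against the client-to-guard profile and return
    (best_circuit_id, best_score, all_scores)."""
    reference = bin_counts(client_ts, window)
    scores = {cid: pearson(reference, bin_counts(ts, window))
              for cid, ts in circuits.items()}
    best = max(scores, key=scores.get)
    return best, scores[best], scores


# --- constructed observations ------------------------------------------------
BROWSING_BURSTS = [2, 3, 10, 11, 25, 40, 41]      # seconds with page fetches
CLIENT_TS = burst_session(BROWSING_BURSTS, offset=0.25)

# Circuit "A" carries the same session, delayed 0.3 s by the relay hops;
# "B" and "C" are unrelated circuits sharing the exit node.
EXIT_CIRCUITS = {
    "A": burst_session(BROWSING_BURSTS, offset=0.55),
    "B": burst_session([5, 6, 20, 30, 50], offset=0.25),
    "C": burst_session([2, 3, 33, 34, 55], offset=0.40),
}

# Constant-rate padding on the client link: one packet every 100 ms,
# independent of what the user is doing (i / 10 keeps bin boundaries exact).
PADDED_CLIENT_TS = [i / 10 for i in range(WINDOW * 10)]

if __name__ == "__main__":
    cid, score, scores = best_match(CLIENT_TS, EXIT_CIRCUITS)
    print("unpadded link -> best circuit", cid, "score %.3f" % score, scores)
    cid, score, scores = best_match(PADDED_CLIENT_TS, EXIT_CIRCUITS)
    print("padded link   -> best circuit", cid, "score %.3f" % score, scores)
```

Two things are worth noticing. First, circuit "C" shares two burst seconds with the client and still scores well below "A", which is the flavour of the false-positive tuning the document talks about: with a short window and bursty traffic, partial overlaps are common, and the threshold has to be chosen per deployment. Second, once the guard-side histogram is flat the correlation is undefined and the function returns 0.0 for every circuit, which is why padding and cover traffic are the standard research answer to timing correlation, at the cost of bandwidth.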
The archive also includes a set of GCHQ slides with the results of the study on the feasibility of hacking the Tor network.
The documents reveal the great effort spent by the intelligence agencies to break online encryption; in particular the agencies tried to compromise protocols like PGP, used to secure email, the AES standard and OTR (Off-the-Record Messaging), used to encrypt instant messaging.
The documents confirm that PGP is still secure, while SSH had been successfully attacked: a slide reveals the existence of a database of obtained SSH keys and passwords.
Regarding attacks on instant messaging services, the agencies consider OTR secure, so they opted to research bugs in the client software used by the targets.
VPN and SSL traffic could be decrypted if the agencies were able to infect the computers of the interlocutors to steal shared secret keys and passwords.
“For VPN this would involve, say, hacking into a victim’s router or PC, or slapping a court order on a company’s sysadmin, while SSL private keys can easily be swiped by asking the CA root to hand it over,” states a blog post published by The Register.
I suggest you take a look at the documents; below is the complete list related to the analysis of the “deanonymizing” techniques exploited by the agencies.
(Security Affairs – Tor network, Intelligence)