The Washington Post and The Guardian continue to publish articles based on the documents about NSA capabilities leaked by Edward Snowden. Writing in The Guardian, Bruce Schneier explains in his latest article on the Snowden material that the National Security Agency (NSA) has tried, unsuccessfully, to mount an attack on the Tor network, hoping to circumvent the anonymity protection the service provides.
The presentation in the NSA library is titled Tor Stinks. In it the agency admits that it will never be able to de-anonymize all network users all the time. The Tor network, originally known as The Onion Router, is a system that protects anonymity by routing traffic through a series of servers run by volunteers around the world. In many cases the network is used by activists, journalists and political dissidents to express their ideas. It is a fundamental resource for escaping the restrictions of authoritarian governments.
The NSA attacks on Tor
The NSA says the Tor network is being used to conceal illegal activities, such as selling illegal drugs and weapons, as in the case of the Silk Road site. Tor works by taking traffic from one user and passing it between other participants in the network, constantly changing the data's path through the Internet and providing effective anonymity. The design is robust enough that the NSA cannot actually track someone using it, so it had to find a way around it.
What the NSA did instead was mount a "man-in-the-middle attack." Security expert Bruce Schneier explains in detail how the NSA circumvents Tor's protection by steering a Tor user to special servers that mimic legitimate sites, such as a bank or Google. These fake sites, hosted on servers the NSA calls "FoxAcid," then try to infect the target's browser and inject malware that can compromise the Tor connection.
One of the methods was exploiting bugs in the software of Tor users. The use of exploits was carried out in an operation codenamed EgotisticalGiraffe. A separate department within the NSA, using its own servers codenamed FoxAcid, deployed exploits for various vulnerable pieces of software. For example, one exploit targeted an outdated version of Firefox, part of the popular Tor Browser Bundle. The NSA ran the exploit infrastructure on Windows 2003 and served the exploits through Perl scripts as special URLs, which were requested by a visitor.
To lure a Firefox user with an active Tor connection to the FoxAcid servers, the NSA uses its taps into telecommunications companies and runs a man-in-the-middle attack. Browsers with known flaws can be sent to web pages custom-designed to infect them, after which the user is sent on their way. Since the browser is now compromised, it can be made to do all kinds of things, such as logging the user's IP address, reporting browsing history, or even informing on other nodes in the Tor network.
Another method described in the document is to analyze Tor traffic. The NSA and GCHQ can do this by tapping huge amounts of data traffic on the Internet backbones. In this way the NSA can redirect users to servers that compromise their computers, allowing the identification of users. The redirection is possible thanks to special servers, called "Quantum," installed at the NSA's ISP partners. Thanks to these, the fake server is able to respond to a request before the legitimate server does, interfering with the victim's connection. The agency would especially look for patterns in the data flowing in and out of Tor exit nodes.
"The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to 'degrade/deny/disrupt Tor accesses'," Schneier wrote.
Even the most efficient method used by the NSA is a classic attack: the NSA uses these fast Quantum servers to execute a packet injection attack. The work of attacking Tor is done by the NSA's application vulnerabilities branch. Fingerprints identifying Tor traffic are loaded into NSA database systems like XKeyscore (fed by collection processes such as Turbulence, Turmoil or Tumult), a bespoke collection and analysis tool which the NSA boasts allows its analysts to see almost everything a target does on the Internet.
The NSA could also study the date, time and location of a target's connection and then search for Tor connections with the same parameters. However, it is difficult to select the candidates, and the programs that are in place are not very effective.
Is Tor still safe?
Last week, the Federal Bureau of Investigation (FBI) arrested Ross Ulbricht and shut down his Silk Road online marketplace. The Silk Road case is the most recent event to shine a spotlight on the Tor software and expose it to public view.
According to the findings of security expert Robert Graham, the CEO of Errata Security, 76 percent of Tor's supposedly anonymous network traffic might be crackable by the NSA. Version 2.4, the newest update of Tor, still uses 1024-bit DH keys but also incorporates a different kind of DH key exchange built on a powerful next-generation technique called elliptic curve cryptography. According to Graham's research, only 24 percent of Tor traffic uses the elliptic-curve cryptography of version 2.4.
It is not at all clear that the NSA can break 1024-bit keys easily, or even at all currently. The main risk is that there will come a time in the future when it is easy, and we don't know when that time will arrive; if the agency has logged Tor traffic flows from today, it will be able to break those flows at that future point.
The NSA has not yet managed to fully break Tor or its encryption. It cannot take a packet of Tor traffic and automatically say where it came from and what data it carries. In fact, the techniques used are not particularly effective right now, especially if the user takes the necessary precautions.