A Little Info On NSA Targeting Tor, and “Quantum Inserts.”

First of all…

“I suspect there will be more information to come on the NSA and GCHQ attacking Tor users with targeted exploitation techniques.” [5]

Yeah. This. Very much so. Definitely. Except for me it’s less a “suspect…” than a “there’s no way this is it.”

Also, “scaring [targets] away from Tor might be counterproductive.” [2]

And, as one commenter put it, “it feels like the British and American governments treat their capabilities against Tor as one of their most valuable secrets and applied significant pressure, the resulting compromise being “you can make a story about Tor, as long as it’s based on old information that is no longer relevant”.” [6]

I would add that the “most valuable secrets” were likely kept places Snowden couldn’t get to, and therefore not going to be found in his docs.

Nevertheless, it does seem Tor’s security at least was better than I expected… even if it should by no means be considered secure against the “big boys.”

On the upside, it turns out that six years ago, Tor was fairly NSA-resistant. They had to rely on browser attacks — though the browser attacks worked well [1] — and couldn’t reliably unmask a given user[2].

On downside, six years ago the Brits already had a functional system for spotting targets’ connections to Tor, and were running more than a few nodes of their own. Those same Brits had a working timing attack capability “in the lab.”

Both the Brits and Aussies were crunching away at cracking hidden services. And, the NSA was tackling the fine art of “shaping” traffic towards exit nodes they controlled.

This was, however, six years ago. Back when Wikileaks was a new idea and Abu Ghraib was fresh in everyone’s mind.

Of the presentations made public, the only recent one (post spring 2012) specifically doesn’t talk about current attacks on Tor, except to note that LiveCDs add “severe [computer and network exploitation] misery.” [3]

However, work is ongoing, with what seems to be at least an annual anti-Tor workshop called “REMATION II.”

We also have some solid data on how the “Quantum Inserts” work. No, not the BGP attacks I suspected… far subtler. They put high-speed servers right at the Internet backbone, where those servers can respond faster than the website you’re trying to visit. By responding faster, they can feed you whatever data they want in place of the site you’re expecting.[4]

Since Kim Dotcom’s MITM involved an added delay, I’m guessing whatever he got was not this.

Possibly they were feeding him the “obvious” exploit… something that seems to be policy. If you’re likely to spot what they’re up to, they only send low-value exploits in your direction. Reasons to learn about security?

[1] http://s3.documentcloud.org/documents/801433/doc1-1.pdf
[2] http://s3.documentcloud.org/documents/801434/doc2.pdf
[3] http://s3.documentcloud.org/documents/801435/doc3.pdf
[4] http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity [5] https://twitter.com/ioerror/status/386188537239834624
[6] http://yro.slashdot.org/comments.pl?sid=4301383&cid=45037337

Main article:
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption

Advertisements
%d bloggers like this: