Mark M Manning

A site for information involving myself and my career.

Defcon XVI - Tor Part 1

Wednesday, August 20, 2008

I was kind of excited about this year's Tor talks because they were almost skipping over the details of what Tor is and going straight to some more advanced subjects. Roger Dingledine made a great presentation about the vulnerabilities of Tor where he went through each major security bug that was ever discovered. He is very honest about some of the future attacks like Latency Tables, SSL Website Fingerprinting, automatic control port authentication problems, attackers buying old certificate authorities so that SSL MITM attacks would be available anytime, and even how governments are starting to make laws forcing Tor admins to have real-time access to current Tor nodes.

Latency Tables

This was actually pretty interesting to me. Roger made a comment about how an attack would be easier if the attacker had access to a latency table which would keep track of the latency between one point to another on a global scale. This is a theoretical attack as no one has been able to do this effectively.

SSL Website Fingerprinting

This is the theory that it would be possible to document the size of an SSL encrypted web site request so that although an attacker cannot see the data going over the connection, it is possible to see what website the user is visiting. It could even be taken one step further where the table could not only have the initial website size but the first page, and then the redirected page after login. For instance, if someone visits their bank, they first get an initial login, and then a secondary authentication screen, and finally their actual online banking information. Each of those pages has a size that, when put together, makes a pretty unusual fingerprint. If you tie this fact together with Mike Perry's SSL cookie exploit, one can imagine a situation where an attacker finds the website the user is visiting, injects an <img src="http://www.visitedwebsite.com"> where the cookie is sent in clear text, and then a session hijack occurs.

Automatic Control Port Authentication

There was an issue, since addressed, that showed how an attacker could gain control of a Tor client's control port (which is what's used to generate tunnels), thereby gaining the ability to redirect the tunnel or do something even more malicious. The workaround was to require authentication, done either by a password or by a session cookie. Clients like Vidalia now support the authentication mechanism, but the current problem is how the authentication is done at boot time when a user installs Tor as a Windows Service. Roger didn't have an answer to this issue yet, besides that it was currently being worked on.

Purchasing Old CA's

If you look in Firefox or IE or Opera or whatever, you'll see a pretty long list of pre-trusted certificate authorities that come when you install the browser. These are some of the most popular ones that have been trusted for years and come with the browser itself. It just so happens that a lot of these CA's are not even in business anymore but they're still in the browsers in case someone has purchased a certificate that extends through 2020. So what? Well, the issue is this: if an attacker purchased one of those old CA's and wanted to do a MITM attack with SSL, they could, and the browser would have no problem with it. There was even a comment about how China is interested in purchasing one to help out with deep packet inspection even on SSL connections.

Governments and Law Enforcement

The last big issue that I thought was interesting to bring up was how some governments (see Germany and others) are pressuring Tor to provide "real time access to law enforcement." Whatever real time and law enforcement really ends up being. Roger makes the point that if it becomes this hard and this illegal, it may not be possible to run a Tor server in that country and it may be difficult to do so in the future.

External Links

http://www.torproject.org - Tor Project Website
http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/ - Blog about the new German data retention logs
http://en.wikipedia.org/wiki/Data_retention - Wikipedia entry about data retention laws in other countries


Defcon XVI Overview

Saturday, August 16, 2008

Last year was my first year at Defcon so I was sucking up as much information as possible but generally I just went to the talks and then back to the room to play with the things that I had learned.  I didn't get into the social scene very much.

This year I still attended a ton of the talks but instead of taking time to go back to the room and play, my friends and I made more of an effort to get into the Defcon social scene.

Overall Experience

Just like last year I had a blast but I think even more this year because of some of the people we met. I've seen some posts complaining about the situation at Defcon about how it was too crowded and they missed some talks because of this. It sounds to me like a lot of people have gone to things like Microsoft Events where you stand around some muffins and coffee and then sit through 2 hours of talks. Defcon hacks the conservative convention idea and takes into account the amount of hackers that have ADD. They offer 5 tracks of talks at the same time, lock picking training, wireless village, general hang outs, and more. Then when the talks are all done, there are parties all over the city. It's not a cup of coffee, stand in line, polite conversation kind of gathering but rather a red bull and vodka, bum rush, punch in the face cluster of people from all over the world meeting to show solidarity in the hacker community. At least that's my ideal perspective of what Defcon should be; it may be growing in a different direction.

List of talks I attended:

  • Welcome by DT & Making the DEFCON 16 Badge with Joe "Kingpin" Grand
  • Clinton Wong - Web Privacy & Flash Local Shared Objects.
  • Roger Dingledine - Security and anonymity vulnerabilities in Tor: past, present, and future
  • Robert Ricks - New Tool for SQL Injection with DNS Exfiltration.
  • Magnus Bråding - Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol.
  • Eric Schmiedl - Advanced Physical Attacks: Going Beyond Social Engineering and Dumpster Diving Or, Techniques of Industrial Espionage
  • Fyodor - NMAP-Scanning the Internet.
  • Matt Yoder - Death Envelope: Medieval Solution to a 21st Century Problem.
  • John Fitzpatrick - Virtually Hacking.
  • Nathan Evans - De-TOR-iorate Anonymity
  • Movie Night With DT: Premiere of "Hackers Are People Too"
  • Cameron Hotchkies - Under the iHood.
  • Jay Beale - Owning the Users with Agent in the Middle.
  • Luciano Bello & Maximiliano Bertacchini - Predictable RNG in the Vulnerable Debian OpenSSL Package, the What and the How.
  • Panel: All your Sploits (and Servers) are belong to us.
  • Mike Perry - 365-Day: Active https cookie hijacking.
  • Tony Howlett - The death of Cash: The Loss of anonymity & other danger of the cash free society.
  • Ryan Trost - Evade IDS/IPS Systems using Geospatial Threat Detection.
  • Rick Hill - War Ballooning-Kismet Wireless "Eye in the Sky"
  • Jay Beale - They're Hacking Our Clients! Introducing Free Client-side Intrusion Prevention.
  • DAVIX Visualization Workshop
  • Stealing the Internet

Tor

I've been following Tor for a while now so it was interesting to go to the two Tor specific talks – both about vulnerabilities in Tor. Roger Dingledine presented a general overview of past, present, and future vulnerabilities in the Tor network and Nathan Evans went over a specific vulnerability which allowed an attacker to find out all nodes in a circuit. Both talks were interesting and I'm going to go into much more detail in future blog entries.

Sidejacking Redux

Last year, the concept of sidejacking was in its infancy. Sidejacking or session hijacking is when an attacker uses a man in the middle to steal the current session of something a user is accessing. For instance, with this attack, an attacker could steal the cookies used to authenticate a person's gmail account which would grant the attacker access to Gmail and all other Google services for the amount of time that session was valid. This year Jay Beale of the company Intel Guardians released a tool called “The Middler” which automates this process and Mike Perry of Riverbed and the Tor Project pointed out a flaw in the way that some companies have tried to protect users from this exploit.

Since last year, services like Gmail have offered SSL encryption to protect from this attack but they didn't force users to use SSL, which led to Mike Perry's talk. He pointed out an attack on Gmail where even though the user was using an SSL connection, the cookie could be transmitted in clear text, allowing a session hijack. This was done by doing a MITM attack, using a tool to check which online service the user was using, injecting a piece of HTML that pointed to the non-SSL encrypted version of that online service, and then performing a session hijack after reading in the credentials. He even pointed out a simple fix that he has told Gmail and Yahoo about where you can set a bit in the cookie to only transmit in SSL.
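The effect of that cookie bit (the `Secure` attribute) can be shown with a small model of the browser's rule. This is an added example, not code from the talk or from any of the services named; the host `mail.example.test`, the cookie names and the values are constructed, and host and path matching are deliberately left out.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie values; the host and cookie names are assumptions.
BEFORE_FIX = ["SESSION=constructed-token; Path=/; HttpOnly", "PREF=lang-en; Path=/"]
AFTER_FIX = ["SESSION=constructed-token; Path=/; HttpOnly; Secure", "PREF=lang-en; Path=/"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_sent(set_cookie_headers, url):
    """Names of the cookies a browser attaches to a request for url.

    Simplification: every cookie is assumed to match the host and path.
    """
    is_https = urlsplit(url).scheme == "https"
    sent = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs and not is_https:
            continue  # a Secure cookie is never attached to a cleartext request
        sent.append(name)
    return sent


def exposed_in_cleartext(set_cookie_headers, host="mail.example.test"):
    """Cookies visible on the wire when the page loads an http:// resource from host."""
    return cookies_sent(set_cookie_headers, f"http://{host}/")


if __name__ == "__main__":
    print("before:", exposed_in_cleartext(BEFORE_FIX))
    print("after: ", exposed_in_cleartext(AFTER_FIX))
```

Running the same check against a site's real `Set-Cookie` headers shows which session cookies still lack the attribute.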

War-Ballooning

One of the most fun talks that I attended was Rick Hill's War-Ballooning demonstration. They were planning on doing a live demo from the roof of the Riviera but at the last minute, some authorities decided to stop them. War-Ballooning was a development of last year's idea of War-Rocketing which shot a rocket in the air and then searched for wireless signals while it parachuted to the ground. This year they took a professional balloon that was used by photographers for shooting aerial shots, attached a cooler filled with various wireless gear, and configured an orbital webcam that controlled which direction the yagi antenna was pointing. So they gave a video of the demonstration which was recorded the day before in a park five miles out of town. For added drama, they used Kismet's feature to read wireless networks out loud as it found them. They had the balloon up for ten minutes and found over 300 wireless signals as it broadcast a 7 mile radius. 30% of those were unsecured.

Hackers Are People Too - Ashley Schwartau

And how could I forget to add something about my acting debut in the documentary Hackers Are People Too which was premiered at Defcon XVI. Well ok, maybe I was on the screen for less than 2 seconds and I wasn't quoted as saying anything but hey, to be in a hacker documentary was really cool. Ashley even recognized me when I came up to her vendor booth. But enough of my vanity, the documentary was so cool and people really should pick it up to show to their friends and family and get the scary idea of what hackers are out of their heads.

External Links

http://www.hackersarepeopletoo.com - link to the Hackers Are People Too official website (BUY BUY BUY!!!)
http://fscked.org/ - Mike Perry's website
http://www.defcon.org - Defcon
http://www.intelguardians.com/ - Intel Guardians will soon be releasing "The Middler"

Defcon Day 2: Tor

Monday, August 13, 2007

Coming back from Defcon, one subject I'm now very well versed in is Tor and other anonymity networks. After sitting through what my friend called the “ten hours of tor,” I learned a lot about the inner workings and the future of what Tor has planned.

What is tor

Tor is a service that aims to allow a user's online activity to be anonymous and untraceable. It is a project that creates a network of servers to route traffic in a way to make it harder for attackers to find out where the traffic is going, or where it originated from. This is an example of what's called an onion routing network and in fact, it's the first and original one created. [If you're interested in other onion routing projects, check out JAP [http://anon.inf.tu-dresden.de/index_en.html].]

How does it work?

The Navy came up with the idea of “Onion Routing” but the EFF took the project over and this is currently how it works:

  1. The Tor service is installed on the client
  2. The client system is configured so that it uses the Tor service correctly and is sometimes used in conjunction with a program like Privoxy which is a web proxy server that further protects the end user
  3. When the Tor service is started, it downloads a list of directory servers which keep track where valid nodes exist on the network
  4. The user makes a remote request like accessing a website
  5. The client establishes a circuit of nodes based on the kind of traffic you are generating [HTTP can connect to nodes that go up and down often while SSH would rather use a node that has been up for days] and it is used for the rest of the session.
  6. While creating the circuit, the first node is remembered as the client's “guard node” and will be used for all future circuits relating to that type of traffic [HTTP vs SSH] while the “relay nodes”, the ones in between the guard nodes and the exit nodes, are chosen at random.
  7. The traffic is then encrypted as many times as there are nodes in the circuit and forwarded over TLS/SSL
  8. The first node, the guard node, removes a layer of encryption and forwards it to the next relay node in the circuit
  9. This continues through the rest of the circuit until it reaches the last node, the “exit node” at which time the information is decrypted into the original data that was sent from the client.
  10. The exit node forwards the information to the remote host that the client was trying to connect to and if a response from this host is required, the data travels through the same circuit backwards to the client.

When implemented correctly, the final result is that the client's traffic remains anonymous and untraceable. For the most part, that goal is successful except when you introduce adversaries to the network.
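A simplified model of steps 7 through 9, added here as an illustration and not Tor's own code: the client wraps the request once per node, and each node removes one layer and learns only where to forward the rest. The SHA-256 XOR keystream is a toy stand-in for real cryptography, the next-hop header inside each layer is an assumption of this model, and the node names, keys and destination are constructed.

```python
import hashlib


def xor_stream(key, data):
    """Toy cipher: XOR data with SHA-256(key || offset) blocks (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


# Constructed circuit: (node name, per-node key), guard first. Real keys are
# negotiated with each node; fixed values keep the demo repeatable.
DEMO_CIRCUIT = [(n, hashlib.sha256(n.encode()).digest()) for n in ("guard", "relay", "exit")]
DEMO_DEST = "www.example.test:80"      # hypothetical destination
DEMO_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def build_onion(payload, destination, circuit):
    """Client side: one layer per node, innermost layer for the exit node."""
    next_hop, cell = destination, payload
    for name, key in reversed(circuit):
        header = bytes([len(next_hop)]) + next_hop.encode()
        cell = xor_stream(key, header + cell)
        next_hop = name
    return cell


def peel(key, cell):
    """One node's work: remove its own layer, read the next hop, forward the rest."""
    plain = xor_stream(key, cell)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def route(cell, circuit):
    """Trace of (node, next_hop, bytes_forwarded) as the cell crosses the circuit."""
    trace = []
    for name, key in circuit:
        next_hop, cell = peel(key, cell)
        trace.append((name, next_hop, cell))
    return trace


if __name__ == "__main__":
    onion = build_onion(DEMO_PAYLOAD, DEMO_DEST, DEMO_CIRCUIT)
    for node, next_hop, forwarded in route(onion, DEMO_CIRCUIT):
        print(f"{node:5} -> {next_hop:20} readable request: {forwarded == DEMO_PAYLOAD}")
```

Only the exit node's output equals the original request, which is why the "malicious nodes" discussed below matter most at the exit position.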

Current Challenges

The goal of anonymizing all traffic for all users at all times and doing so while relying on anonymous volunteers that have the ability to change the code is a daunting task to say the least. The main troubles the Tor developers are facing stem from what Nick Mathewson and Roger Dingledine called “malicious nodes.” These are people that have set up Tor servers that are working “differently” than their designed purpose, causing harm to the end user. In fact, Nick Mathewson and Mike Perry based some of their presentation on security challenges they are facing and how they are defending against them but although that was the most interesting part, I'm going to skip over them for now. If you'd like to read through the presentation that Mike Perry published, you can head here: [link]

Legality of Tor:

I was explaining to a friend how Tor worked and he asked me, “Wouldn't it be possible for you to get in trouble if you were an exit node, and a Tor user was doing something illegal?” My immediate response was no, you can't get in trouble because the nodes do not contain any data, but then he also reminded me that to the ISP, it would look like it was coming to you. I didn't have a good response so I did some research. Here is Tor and the EFF's response to that issue:

Can EFF promise that I won't get in trouble for running a Tor server?

No. All new technologies create legal uncertainties, and Tor is no exception to the rule. Presently, no court has ever considered any case involving the Tor technology, and we therefore cannot guarantee that you will never face any legal liability as a result of running a Tor server. However, EFF believes so strongly that those running Tor servers shouldn't be liable for traffic that passes through the server that we're running our own Tor server.
[link]

There has been a case in Germany where Tor servers were confiscated during a child pornography crackdown, but all the servers were returned within one day's time. [link] As of today there still is no law in any country that states what legal protection or responsibility a person has involving running a Tor server but Kevin Bankston of the EFF has gone on to point out this:

Tor servers meet the definition of an Internet service provider, which means that operators are not required to know what data passed through the server... ...While it is possible for the operator of an exit node to see the data, it would likely increase their liability, because if the operator became aware of illegal activity, they would have to report it

What's planned for Tor

Roger Dingledine, Nick Mathewson, and Mike Perry outlined the future of Tor and some really cool things. Some, under request from Roger Dingledine I will not post because they are designed to circumvent firewalls and if they become publicized can be counter attacked. But one of the most interesting services that I've seen is having content hosted on the Tor network using what they called “hidden services.”

Hidden services

Tor has not only worked on forwarding information through the network and back out to the internet, but providing routing to endpoints that reside inside of the network. They call these hidden services and an example would be hosting a website. How it works is a web server connects to the Tor network and appears to users as a .onion pseudo-domain name. This is an exciting idea that is only released in the alpha stages but it looks to me to be in the same realm as the Freenet project.

Conclusions

Day 2 of Defcon was Tor day for me. There were a lot of interesting things going on that some of my friends went to but I was really interested in Tor and meeting the developers behind it. Tor is an awesome service and it's crazy to me to think about what they've created and how far they've come. I think they are facing only half the adversity they will be facing if they ever become more public. I can imagine laws being created to make using Tor illegal especially during the times we live in. I can especially envision the types of censorship that Roger Dingledine talked about but it's awesome that they are already taking preventative measures now.

External Links:

http://tor.eff.org – Tor main homepage

http://tor.eff.org/eff/tor-legal-faq.html.en – EFF's legal FAQ about Tor

http://anon.inf.tu-dresden.de/index_en.html – JAP: a German anonymity service kind of like Tor that is java based

http://www.securityfocus.com/news/11447/2 – article about an attack on the Tor network

http://fscked.org/transient/SecuringTheTorNetwork.pdf - a temporary link to Mike Perry's presentation

http://yro.slashdot.org/yro/06/09/11/1050215.shtml - The slashdot article about the Tor servers being confiscated
