Saturday, November 16, 2013

Attacking Tor: how the NSA targets users' online anonymity


The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.

According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identifies Tor users on the internet and then executes an attack against their Firefox web browser.

The NSA refers to these capabilities as CNE, or computer network exploitation.

The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the internet. This is done via the agency's partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.

The NSA creates "fingerprints" that detect HTTP requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see "almost everything" a target does on the internet.

Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of internet traffic that it sees, looking for Tor connections.

Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring internet traffic.

The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.

Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.

Exploiting the Tor browser bundle

Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.

This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.

According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for JavaScript. This vulnerability exists in Firefox 11.0 – 16.0.2, as well as Firefox 10.0 ESR – the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but the NSA was confident that it would be able to find a replacement Firefox exploit that worked against version 17.0 ESR.

The Quantum system

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser into visiting a FoxAcid server.

In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top-secret Snowden documents, mentions an NSA-developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

This same technique is used by the Chinese government to block its citizens from reading censored internet content, and has been hypothesized as a probable NSA attack technique.

The FoxAcid system

According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate.

The servers are on the public internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA.

However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks.

FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. An example of one such tag [LINK REMOVED] is given in another top-secret training presentation provided by Snowden.

There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.

The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it.

According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets.

The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations.

In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.

According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer, called Personal Security Products, or PSP, in the manual.

FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them.

FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of their targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.

The NSA also uses phishing attacks to induce users to click on FoxAcid tags.

TAO additionally uses FoxAcid to exploit callbacks – which is the general term for a computer infected by some automatic means – calling back to the NSA for more instructions and possibly to upload data from the target computer.

According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install "implants" designed to exfiltrate data.

By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all.

***********************************************
Courtesy : Bruce Schneier [http://www.theguardian.com]

U.S. Government Has Weaponized the Internet. Here’s How They Did It !!!!



The internet backbone — the infrastructure of networks upon which internet traffic travels — went from being a passive infrastructure for communication to an active weapon for attacks.

According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”

If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgacom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own.

Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.

Here’s how it works.

The QUANTUM codename is deliciously apt for a technique known as “packet injection,” which spoofs or forges packets to intercept them. The NSA’s wiretaps don’t even need to be silent; they just need to send a message that arrives at the target first. It works by examining requests and injecting a forged reply that appears to come from the real recipient so the victim acts on it.

In this case, packet injection is used for “man-on-the-side” attacks — which are more failure-tolerant than man-in-the-middle attacks because they allow one to observe and add (but not also subtract, as the man-in-the-middle attacks do). That’s why these are particularly popular in censorship systems. It can’t keep up? That’s okay. Better to miss a few than to not work at all.

The technology itself is actually pretty basic. And the same techniques that work on a Wi-Fi network can work on a backbone wiretap. I personally coded up a packet-injector from scratch in a matter of hours five years ago, and it’s long been a staple of DefCon pranks.

So how have nations used packet injection, and what else can they do with it? These are some of the known uses.

Censorship

The most infamous use of packet injection prior to the Snowden leaks was censorship, where both internet service providers (ISPs) and the Great Firewall of China injected TCP reset packets (RST) to block undesired traffic. When a computer receives one of these injected RST packets, it closes the connection, believing that all communication is complete.

Although public disclosure forced ISPs to stop this behavior, China continues to censor with injected resets. It also injects the Domain Name System (DNS) — the system all computers use to turn names such as “www.facebook.com” into IP addresses — by inserting a fake reply whenever it sees a forbidden name. (It’s a process that has caused collateral damage by censoring non-Chinese internet traffic).

User Identification

User cookies, those inserted by both advertising networks and services, also serve as great identifiers for NSA targeting. Yet a web browser only reveals these cookies when communicating with such sites. A solution lies in the NSA’s QUANTUMCOOKIE attack, which they’ve utilized to de-anonymize Tor users.

A packet injector can reveal these cookies by replying to an unnoticed web fetch (such as a small image) with an HTTP 302 redirect pointing to the target site (such as Hotmail). The browser now thinks “hey, should really go visit Hotmail and ask it for this image”. In connecting to Hotmail, it reveals all non-secure cookies to the wiretap. This both identifies the user to the wiretap, and also allows the wiretap to use these cookies.

So for any webmail service that doesn’t require HTTPS encryption, QUANTUMCOOKIE also allows the wiretap to log in as the target and read the target’s mail. QUANTUMCOOKIE could also tag users, as the same redirection that extracts a cookie could also set or modify a cookie, enabling the NSA to actively track users of interest as they move across the network — although there is no indication yet that the NSA utilizes this technique.
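The QUANTUMCOOKIE mechanism above works only because the forced redirect lands on a plain-HTTP URL and the browser attaches every cookie that is not marked Secure. The following added example (not code from the article) is a minimal cookie jar applying the rules a browser applies when choosing cookies to attach, run against an injected redirect; the host mail.example and all cookie values are constructed.

```python
"""Why an injected redirect leaks cookies, and what the Secure attribute changes.

Added example; not code from the article. A minimal cookie jar applying the
rules a browser applies when choosing cookies to attach: host match, path
match, and Secure cookies only over https. Hostnames and values are
constructed sample data; mail.example stands in for any webmail service.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieJar:
    """Stores cookies as (domain, path, name, value, secure) tuples."""

    def __init__(self):
        self._cookies = []

    def set_cookie(self, response_url, set_cookie_header):
        """Record one Set-Cookie header from a response fetched at response_url."""
        host = urlsplit(response_url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            domain = (morsel["domain"] or host).lstrip(".")
            path = morsel["path"] or "/"
            secure = bool(morsel["secure"])
            # A later Set-Cookie for the same (domain, path, name) replaces it.
            self._cookies = [c for c in self._cookies
                             if c[:3] != (domain, path, name)]
            self._cookies.append((domain, path, name, morsel.value, secure))

    def cookies_for(self, url):
        """Cookies a browser would attach to a request for url."""
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        sent = {}
        for domain, cpath, name, value, secure in self._cookies:
            if host != domain and not host.endswith("." + domain):
                continue
            if not path.startswith(cpath):
                continue
            if secure and parts.scheme != "https":
                continue  # Secure cookies never travel in cleartext
            sent[name] = value
        return sent


def cookies_leaked_by_redirect(jar, injected_location):
    """Cookies exposed to a wiretap when the browser follows an injected 302."""
    return jar.cookies_for(injected_location)


def demo():
    jar = CookieJar()
    # Session set up over https earlier; only one of the two cookies is Secure.
    jar.set_cookie("https://mail.example/login",
                   "sid=s3cr3t; Domain=mail.example; Path=/")
    jar.set_cookie("https://mail.example/login",
                   "auth=t0ken; Domain=mail.example; Path=/; Secure")
    # An unrelated image fetch over plain HTTP is answered with a forged 302
    # whose Location points at the webmail host, also over plain HTTP.
    return cookies_leaked_by_redirect(jar, "http://mail.example/pixel.gif")


if __name__ == "__main__":
    print(demo())  # {'sid': 's3cr3t'}: auth stays home, sid goes on the wire
```

An HSTS policy for the webmail host closes the remaining gap, since the browser then rewrites the injected http:// Location to https:// before connecting.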

User Attack

The NSA has a collection of FOXACID servers, designed to exploit visitors. Conceptually similar to Metasploit’s WebServer browser autopwn mode, these FOXACID servers probe any visiting browser for weaknesses to exploit.

All it takes is a single request from a victim passing a wiretap for exploitation to occur. Once the QUANTUM wiretap identifies the victim, it simply packet injects a 302 redirect to a FOXACID server. Now the victim’s browser starts talking to the FOXACID server, which quickly takes over the victim’s computer. The NSA calls this QUANTUMINSERT.
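Because a man-on-the-side injector can add packets but not remove them (the race condition described in the Quantum section and the packet-injection passage above), the genuine reply still arrives after the forged one. That leaves a defender-side signature, and the same check applies to the injected TCP resets and DNS answers of the censorship section. The following added example (not code from either article, and not an NSA or Fox-IT tool) implements that check over constructed sample replies; all addresses, TTLs, payloads and the host redirect.example are made up.

```python
"""Detect man-on-the-side injection from replies observed at a sensor.

Added example, not code from either article. An injector racing the real
server cannot suppress the genuine reply, so a passive sensor sees two
replies for one request: the forgery first, the original later. A TCP reply
is identified by flow plus sequence number, a DNS reply by flow plus
transaction ID; same identifier but different content is the tell-tale,
while a true retransmission repeats identical bytes and must not be
flagged. Addresses, TTLs and payloads below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    proto: str    # "tcp" or "dns"
    flow: tuple   # (src, sport, dst, dport) as observed, server -> client
    ident: int    # TCP sequence number or DNS transaction ID
    ttl: int      # IP TTL on arrival; a forgery rarely matches the origin's
    payload: bytes


def find_injections(replies):
    """One finding per (proto, flow, ident) that carried conflicting replies.
    replies[0] of a finding is the candidate forgery (it won the race);
    a TTL disparity is reported as corroboration only, never the trigger."""
    by_key = defaultdict(list)
    for r in replies:
        by_key[(r.proto, r.flow, r.ident)].append(r)
    findings = []
    for key, group in by_key.items():
        if len({r.payload for r in group}) < 2:
            continue  # single reply, or an exact retransmission
        findings.append({"key": key, "replies": group,
                         "ttl_mismatch": len({r.ttl for r in group}) > 1})
    return findings


WEB = ("203.0.113.10", 80, "192.0.2.5", 51000)
DNS = ("198.51.100.53", 53, "192.0.2.5", 40000)
SAMPLE = [  # constructed traffic, in arrival order at the sensor
    # Forged 302 wins the race; the genuine 200 for the same seq follows.
    Reply("tcp", WEB, 1000, 57,
          b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Reply("tcp", WEB, 1000, 49,
          b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # Benign retransmission: same seq, identical bytes, same TTL.
    Reply("tcp", WEB, 2000, 49, b"<p>hello</p>"),
    Reply("tcp", WEB, 2000, 49, b"<p>hello</p>"),
    # Two answers for one DNS transaction ID carrying different A records.
    Reply("dns", DNS, 0x1A2B, 60, b"\x1a\x2b\x81\x80 A=203.0.113.99"),
    Reply("dns", DNS, 0x1A2B, 52, b"\x1a\x2b\x81\x80 A=198.51.100.7"),
]


def report(replies=SAMPLE):
    """Render findings as log lines; returned so they can be shipped or tested."""
    lines = []
    for f in find_injections(replies):
        proto, flow, ident = f["key"]
        lines.append(f"{proto} {flow[0]}:{flow[1]}->{flow[2]}:{flow[3]} "
                     f"id={ident:#x} first={f['replies'][0].payload[:18]!r} "
                     f"ttl_mismatch={f['ttl_mismatch']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On real traffic the same logic runs over reassembled segments keyed by sequence number, and the retransmission case is exactly what keeps it from alerting on ordinary loss.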

The NSA and GCHQ used this technique not only to target Tor users who read Inspire (reported to be an Al-Qaeda propaganda magazine in the English language) but also to gain a foothold within the Belgian telecommunication firm Belgacom, as a prelude to wiretapping Belgian phones.

One particular trick involved identifying the LinkedIn or Slashdot account of an intended target. Then when the QUANTUM system observed individuals visiting LinkedIn or Slashdot, it would examine the HTML returned to identify the user before shooting an exploit at the victim. Any page that identifies the users over HTTP would work equally well, as long as the NSA is willing to write a parser to extract user information from the contents of the page.

Other possible QUANTUM use cases include the following. These are speculative, as we have no evidence that the NSA, GCHQ, or others are utilizing these opportunities. Yet to security experts they are obvious extensions of the logic above.

HTTP cache poisoning. Web browsers often cache critical scripts, such as the ubiquitous Google Analytics script ‘ga.js’. The packet injector can see a request for one of these scripts and instead respond with a malicious version, which will now run on numerous web pages. Since such scripts rarely change, the victim will continue to use the attacker’s script until either the server changes the original script or the browser clears its cache.

Zero-Exploit Exploitation. The FinFly “remote monitoring” hacking tool sold to governments includes exploit-free exploitation, where it modifies software downloads and updates to contain a copy of the FinFisher Spyware. Although Gamma International’s tool operates as a full man-in-the-middle, packet injection can reproduce the effect. The injector simply waits for the victim to attempt a file download, and replies with a 302 redirect to a new server. This new server fetches the original file, modifies it, and passes it on to the victim. When the victim runs the executable, they are now exploited — without the need for any actual exploits.

Mobile Phone Applications. Numerous Android and iOS applications fetch data through simple HTTP. In particular, the “Vulna” Android advertisement library was an easy target, simply waiting for a request from the library and responding with an attack that can effectively take complete control of the victim’s phone. Although Google removed applications using this particular library, other advertisement libraries and applications can present similar vulnerabilities.

DNS-Derived Man-in-the-Middle. Some attacks, such as intercepting HTTPS traffic with a forged certificate, require a full man in the middle rather than a simple eavesdropper. Since every communication starts with a DNS request, and it is only a rare DNS resolver that cryptographically validates the reply with DNSSEC, a packet injector can simply see the DNS request and inject its own reply. This represents a capability upgrade, turning a man-on-the-side into a man-in-the-middle.

One possible use is to intercept HTTPS connections if the attacker has a certificate that the victim will accept, by simply redirecting the victim to the attacker’s server. Now the attacker’s server can complete the HTTPS connection. Another potential use involves intercepting and modifying email. The attacker simply packet-injects replies for the MX (Mailserver) entries corresponding to the target’s email. Now the target’s email will first pass through the attacker’s email server. This server could do more than just read the target’s incoming mail; it could also modify it to contain exploits.

Amplifying Reach. Large countries don’t need to worry about seeing an individual victim: odds are that a victim’s traffic will pass one wiretap in a short period of time. But smaller countries that wish to utilize the QUANTUMINSERT technique need to force victims’ traffic past their wiretaps. It’s simply a matter of buying the traffic: ensure that local companies (such as the national airline) both advertise heavily and utilize in-country servers for hosting their ads. Then when a desired target views the advertisement, use packet injection to redirect them to the exploit server; just observe which IP a potential victim arrived from before deciding whether to attack. It’s like a watering hole attack where the attacker doesn’t need to corrupt the watering hole.

***

The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.

Encryption doesn’t just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.

There are many engineering and logistic difficulties involved in encrypting all traffic on the internet, but it’s one we must overcome if we are to defend ourselves from the entities that have weaponized the backbone.

***********************************************************

Courtesy : www.wired.com

Out in the Open: How to Get Google Maps Directions Without Google



One of the best things about Google Maps is that you can get directions from one place to another almost instantly.

But what if you want to build your own website or application that does much the same thing? Sure, Google Maps offers an API that lets developers integrate some of its tools into their applications, but if you do that, you’re beholden to Google. You don’t have complete control over your software. Your data gets shared with another company, and you can’t always modify your application in the way you want to.

That’s where Open Source Routing Machine — or OSRM — comes in. OSRM is a route planning system that runs on OpenStreetMap, a free crowdsourced mapping service. And, yes, it too is open source, meaning anyone can use and modify it for free.

Creator Dennis Luxen runs an OSRM/OpenStreetMap server where you can check it out. But anyone could host their own server — or incorporate it into another application. It’s not quite ready to replace Google Maps for consumer purposes, but it could provide an excellent alternative for developers and hackers.

Luxen started working with route planning as a PhD candidate at the Karlsruhe Institute of Technology in Germany. “The group where I worked had a strong emphasis on route planning and algorithms in general,” he says. The challenge is that you want accurate answers that feel as though they are delivered instantly.

Luxen started OSRM around 2010. “One day, I got this cold call from a guy named Frederik Ramm, who is a big contributor to Open Street Map Project,” Luxen says. “He was looking to get new ideas from outside the community. He’d been reading about route planning and was wondering if I could come talk at a meetup.”

The talk went well, so Luxen began thinking about how to put his research into action. The result is OSRM, which Luxen built with collaborators such as Emil Tin, who helped make the backend more usable; Dennis Schieferdecker, who did most of the front-end; and Christian Vetter, who helped with the basic infrastructure code.

OSRM is amazingly fast, but it does have a few limitations. For example, in Google Maps, you can use a street address instead of coordinates to input your desired route. OSRM has trouble with that. Both services use a technique called “geocoding” to convert street addresses into coordinates, but Google Maps’ geocoding is much better than the geocoding system built into OpenStreetMap.

“It’s a matter of resources, I’d love to have a team of 2,000 people working on it,” he says. “I’m sure if we had 20 people working on OSRM that we could make it the most awesome thing when it comes to routing, but we’re not there yet.”

Will OSRM ever be a complete one-to-one replacement for Google Maps? “As much as I’d like to say yes, you want to be humble in your goals,” he says. “Google has invested so much money and ideas in routing, I’m not sure I want to say that I want to compete with them. What I want is a routing system on Open Street Map that gives you a similar experience.”

Courtesy : CobraPost