Just because the National
Security Agency hasn't cracked the anonymizing service Tor doesn't mean that
people who use the service are free from surveillance.
The NSA has been able to use ad networks like Google's, and The Onion
Router's own entry and exit nodes on the Internet, to follow some Tor users,
according to a new report based on documents leaked by whistleblower Edward
Snowden and obtained by security
researcher Bruce Schneier with the Guardian. Tor is primarily funded by the
US State Department and the Department of Defense, home of the NSA.
Tor promotes itself as helping people "defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security."
Robert Hansen, a browser specialist at the security firm White Hat Security, said that Tor access node tracking is not new.
"A couple of years ago a hacking group published exactly 100 embassy
passwords from Tor exit nodes. One hundred is too round of a number," he said.
"Just logically there must be more. If you get enough exit nodes and entrance
nodes, they can be correlated together."
Director of National Intelligence James Clapper criticized reporters
and denied that his office was doing anything illegal, citing the threat of
"adversaries."
"The articles fail to mention that the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens."
The system that the NSA uses to locate and identify Tor users begins, at
least sometimes, with the buying of ads on networks like Google's
AdSense.
"Just because you're using Tor doesn't mean that your browser isn't storing
cookies," said Jeremiah Grossman, a colleague of Hansen's who also specializes
in browser vulnerabilities.
As Grossman described the procedure to CNET, the NSA is aware of Tor's entry
and exit nodes because of its Internet-wide surveillance.
"The very feature that makes Tor a powerful anonymity service, and the fact
that all Tor users look alike on the Internet, makes it easy to differentiate
Tor users from other Web users," he wrote.
The NSA buys ads from ad display companies like Google and seeds them around
Tor's access points.
"The NSA then cookies that ad, so that every time you go to a site, the
cookie identifies you. Even though your IP address changed [because of Tor], the
cookies gave you away," he said.
This is not a complicated or even an unusual trick, Grossman said. It's
how tracking ads were intended to function.
"That's the Web by design, not a hack," he said.
The NSA, he said, is not spending much money on it since Internet ads are so
cheap. Grossman speculated that an ad campaign would only cost around $1,000 to
seed ads with the NSA's cookies around the Web.
"$50,000 would be overkill," he said.
Because the NSA is essentially using how the Web functions to spy on its
users, tools like Tortilla that take
the burden of Tor usage away from Firefox wouldn't prevent the NSA's
tracking ads from finding people.
It wouldn't be feasible for Google to block ad buys from the NSA, and if the
company did, he said, "they could just buy through a proxy."
Google did not respond to a request for comment.
Both Tor
itself and Schneier noted that the NSA has not been able to track every Tor
user this way. "They are hard for any organization other than the NSA to
reliably execute, because they require the attacker to have a privileged
position on the Internet backbone," Schneier said.
Grossman speculated that the NSA could be using spam e-mail campaigns as it's
been using display ads, though he cautioned that he didn't have evidence that
this was actually happening.
"On the off chance that [the spam recipient] renders the HTML or clicks a
link, [the NSA] can connect your e-mail address to your browser," he explained,
which the NSA would have already connected to an IP address. "Using Tor or any
proxy wouldn't prevent it."
Not all Tor installations are created equal, added Hansen, who has an unusual
pedigree in the browser vulnerability field because he's also a veteran of the
ValueClick ad network, which was later bought by DoubleClick, which subsequently
was purchased by Google.
"It depends on whether you're using Tor Button or Tor Browser," he said. "The
Tor Button tends to be more secure because as you jump in and out of the Tor
Browser, it tracks cache and cookies."
However, since the Tor Project now includes a patched version of Firefox, it recommends not using the Tor Button and
only using the standard Tor Browser
Bundle instead.
More secure than either, Hansen said, was to run Tor on a virtual machine so
that cookies and cache are dumped when the machine is closed, and the kind of
man-in-the-middle and man-on-the-side attacks described by Schneier are
avoided.
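
The cookie linkage Grossman describes, and the effect of discarding browser state between sessions as Hansen recommends, shown as an added simulation that is not part of the original article. The ad endpoint, the `uid` cookie name, the documentation-range IP addresses and the assumption that the first ad load happens outside Tor are all constructed for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from itertools import count

HOME_IP = "192.0.2.10"      # constructed: the user's normal address
EXIT_IP = "203.0.113.77"    # constructed: a Tor exit node address

def ad_server(cookie_header, client_ip, log, ids):
    """Hypothetical ad endpoint: reuse the visitor's uid cookie or issue one."""
    jar = SimpleCookie(cookie_header or "")
    uid = jar["uid"].value if "uid" in jar else f"u{next(ids)}"
    log.append((uid, client_ip))           # what the ad buyer records
    reply = SimpleCookie()
    reply["uid"] = uid
    reply["uid"]["max-age"] = 31536000     # persists for a year
    return reply["uid"].OutputString()     # value of the Set-Cookie header

class Browser:
    """Minimal browser model holding one cookie for the ad domain."""
    def __init__(self):
        self.cookie = None
    def load_ad(self, ip, log, ids):
        set_cookie = ad_server(self.cookie, ip, log, ids)
        self.cookie = set_cookie.split(";")[0]   # keep only "uid=..."
    def discard_state(self):
        self.cookie = None                 # e.g. throwaway VM shut down

def linked_ids(log):
    """Return {uid: ips} for every uid seen from more than one address."""
    seen = defaultdict(set)
    for uid, ip in log:
        seen[uid].add(ip)
    return {uid: ips for uid, ips in seen.items() if len(ips) > 1}

def simulate(isolate_sessions):
    log, ids, browser = [], count(1), Browser()
    browser.load_ad(HOME_IP, log, ids)     # ordinary browsing, no Tor
    if isolate_sessions:
        browser.discard_state()
    browser.load_ad(EXIT_IP, log, ids)     # later session through Tor
    return linked_ids(log)

if __name__ == "__main__":
    print("shared profile:  ", simulate(False))
    print("isolated profile:", simulate(True))
```

With a shared profile the same `uid` appears from both addresses; with state discarded between sessions the server issues a fresh ID and nothing links the two.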
"If you don't take the critical
steps to protect your privacy, you will be de-cloaked if you're doing
something interesting," Hansen said.