When the anonymity ends for darknets In this track we will be discussing methods and tools can be used by someone, who wants to get information about the user and is ready not only to banal traffic analysis on the output nodes, and use the features of font rendering, vulnerability onion-resources and some disadvantages configuration. Demonstration of information leakage channels about the darknet-resident; increasing anonymity in Tor. Unique method of drawing a psychological portrait of the darknet-user, which has not been previously published.

1. Tor, I2P, FreeNet… for what?

2. When the anonymity ends for
darknets
Denis Makrushin (@difezza), Maria Garnaeva
Global Research and Analysis Team, Kaspersky Lab

3. “I know what you did last summer”

4. … but how?

5. “Freedom Hosting” in jail

6. Exploits, fingerprinting… Yep-yep.

7. Flash, HTML5, entry-node detection…
Yep-yep.

8. But how…
… could they find my mega-private-0day forum?!
… could they find me?!

9. PASSIVE DATA COLLECTION SYSTEM
HOW THEY FOUND MY MEGA-PRIVATE-0DAY-FORUM OR …

11. >> EXITPOLICY ACCEPT *:*

12. >> TSHARK –l 1 –W DUMP.PCAP

13. Tor-user’s psychological portrait

14. Psychological portrait. Part two.

16. ACTIVE DATA COLLECTION SYSTEM
KNOCK-KNOCK, DUDE! OR …

17. Traffic injection… Yep-yep.

18. From “clearnet” with love

19. So different cookies

20. Tell me, who are you?

21. Fingerprint
Device fingerprinting
• Tracking you after you delete your cookies.
• Tracking you after you change your IP address.
• Various measurements such as the User-Agent
string, screen size, time zone, fonts, browser
plugins and….rendering!

22. Source: https://www.cosic.esat.kuleuven.be/publications/article-2334.pdf
Year: 2013
Web-based fingerprint

24. Meanwhile, in Tor Browser:
getImageData()
var canvas = document.getElementById("canvas");
if (canvas.getContext)
{
var canvas = document.getElementById("canvas");
if (canvas.getContext) { var ctx = canvas.getContext("2d");
ctx.fillStyle = "rgb(0,127,0)";
ctx.fillRect(10,10,20,20);
var Pixel = ctx.getImageData(29,10,2,1);

25. Fifty shades of font rendering
hinting/antialiasing
Calibri
Times New Roman
Arial
Georgia

26. Let me measure your text

27. FONT VALUE
Impact 3409372
Georgia 3344049
Courier New 3430809
Consolas 3392005
MS Gothic 3383290
GetClientBoundingRect()

28. • The <span> tag is used to group inline-elements in a
document.
• The <span> tag provides no visual change by itself.
• The <span> tag provides a way to add a hook to a part of a
text or a part of a document.
<span>fingerprint</span>
for (var j = 0; j < STYLES.length; j++)
{
var style = STYLES[j];var div = DIVS[style];var span = SPANS[style];
// This is where the measurment occurs.
span.textContent = c;var w = span.offsetWidth;var h = div.offsetHeight;
// Add to checksum.
checksum = addsum(checksum, w);checksum = addsum(checksum, h);
}

29. “Yep-Yep, we know” – Tor Project

30. Proof-of-concept: preparing patient

31. Proof-of-concept: inject it!

32. Proof-of-concept: analyze it!

33. Proof-of-concept: peace of… dump
{"Times New Roman":"c2c91d5b3c4fecd9109afe0e",
"Arial":"4917211a76ddf69db033e125", "Courier
New":"eb211de3b75234ea90a50c3f",
"Symbol":"709ab9f882b1808b323e7d09", "Droid
Sans":"fbc25f5e038a28b94454fa13", "DejaVu
Sans":"c0bf2bce71e4313758d1aba8",
"serif":{"d":"5daa940a38e3b137916aadcb",
"fonts":["Impact","Bookman Old Style","Consolas", "MS
Gothic","Constantia","Calibri","Cambria","Wingdings",
"Webdings","Ubuntu Mono","Inconsolata","Inconsolata
LGC", "Source Code Pro","Lucida
Handwriting","Georgia","System","vgaoem"]}, "sans-
serif":{"d":"46a9a2d351881662502ed793","fonts":[]}}

34. Vector of attack

35. XSS is a pain of .onion
45%
29%
17%
9%
26%
Medium
Low
XSS
Others

36. I know you by the font

37. Scanning onion again
59%
36%
05%
Online
Offline
Seized
30%
70%
JS
NoJS 05%
95%
Canvas

38. Update Aug 2015: Fonts fixed

39. Alternatives
• Math routines with floating point?
• Measuring time of calculations?
• Mouse/pointing events?
• Battery Status API?
• Unique keystrokes traits?
• Other gaps…

41. THANK YOU!
QUESTION?
Denis.Makrushin@kaspersky.com
Maria.Garnaeva@kaspersky.com
http://twitter.com/difezza