Peeling back the layers of Tor with EgotisticalGiraffe

Selected extracts show how NSA uses a technique with codename EgotisticalGiraffe to attack Tor users through vulnerable software on their computers.
The Guardian.

Published in: News & Politics, Technology

Transcript of "Peeling back the layers of Tor with EgotisticalGiraffe"

  1. Overall Classification
  2. (U) Overview
  3. (U) What is TOR?
     • (U) "The Onion Router"
     • (U) Enables anonymous internet activity
       - General privacy
       - Non-attribution
       - Circumvention of nation state internet policies
     • (U) Hundreds of thousands of users
       - Dissidents (Iran, China, etc)
       - (S//SI//REL)
       - (S//SI//REL) Other targets too!
  4. (U) What is TOR? [diagram labels: The Web; w/ TOR client installed]
  5. (U) What is TOR? [diagram labels: Client; Browsing; The Web; TOR client installed]
  6. (U) What is TOR?
     • (U) TOR Browser Bundle
       - Portable Firefox 10 ESR (tbb-firefox.exe)
       - Vidalia
       - Polipo
       - TorButton
       - TOR
       - "Idiot-proof"
  7. (S//SI//REL) The TOR Problem
  8. (TS//SI//REL) Fingerprinting TOR
  9. (TS//SI//REL) Fingerprinting TOR
  10. (TS//SI//REL) Fingerprinting TOR
     • (TS//SI//REL) TorButton cares about TOR users being indistinguishable from TOR users
     • (TS//SI//REL) We only care about TOR users versus non-TOR users
     • (TS//SI//REL) Thanks to TorButton, it's easy!
  11. (S//SI//REL) The TOR Problem
  12. (TS//SI//REL) Exploiting TOR
     • (TS//SI//REL) tbb-firefox is barebones
       - Flash is a no-no
       - NoScript addon pre-installed ...
       - ...but not enabled by default!
       - TOR explicitly advises against using any addons or extensions other than TorButton and NoScript
     • (TS//SI//REL) Need a native Firefox exploit
  13. (TS//SI//REL) Exploiting TOR
     • (TS//SI//REL) ERRONEOUSINGENUITY
       - Commonly known as ERIN
       - First native Firefox exploit in a long time
       - Only works against 13.0-16.0.2
     • (TS//SI//REL) EGOTISTICALGOAT
       - Commonly known as EGGO
       - Configured for 11.0-16.0.2...
       - ...but the vulnerability also exists in 10.0!
  14. (U) EGOTISTICALGOAT
     • (TS//SI//REL) Type confusion vulnerability in E4X
     • (TS//SI//REL) Enables arbitrary read/write access to the process memory
     • (TS//SI//REL) Remote code execution via the CTypes module
  15. (TS//SI//REL) Exploiting TOR
     • (TS//SI//REL) Can't distinguish OS until on box
       - That's okay
     • (TS//SI//REL) Can't distinguish Firefox version until on box
       - That's also okay
     • (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box
       - I think you see where this is going
  16. (S//SI//REL) The TOR Problem
  17. (TS//SI//REL) Callbacks from TOR
     • (TS//SI//REL) Tests on Firefox 10 ESR worked
     • (TS//SI//REL) Tests on tbb-firefox did not
       - Gained execution
       - Didn't receive FINKDIFFERENT
     • (TS//SI//REL) Defeated by Prefilter Hash!
       - Requests EGGI: Hash(tor_exit_ip || session_id)
       - Requests FIDI: Hash(target_ip || session_id)
  18. (TS//SI//REL) Callbacks from TOR
     • (TS//SI//REL) Easy fix
       - Turn off prefilter hashing
       - FUNNELOUT
     • (TS//SI//REL) OPSEC Concerns
       - Pre-play attacks
       - PSPs
       - Adversarial Actors
       - Targets worth it?
  19. (S//SI//REL) The TOR Problem