The Tor onion router project is used by countless numbers of users around the world in a bid to protect their privacy and provide a degree of anonymity. According to new revelations published today by the Guardian newspaper from data pilfered by whistleblower Edward Snowden, Tor users have been specifically targeted by the National Security Agency for years.
Edward Snowden is the former NSA contractor who has been leaking all manner of confidential documents about U.S government Internet surveillance efforts.
The way that Tor works is users are routed through multiple “onion” routers, with each layer adding more abstraction and potential anonymity for users. The FBI recently shut down the Silk Road illegal goods marketplace that was obfuscating its owners and location with Tor. In the Silk Road case though, the FBI was able to track down the alleged mastermind behind the operation without technically breaching Tor security.
In a presentation obtained by Snowden titled “Tor Stinks,” the NSA admits that it will “never be able to de-anonymize all Tor users all the time.”
The Tor Stinks document identifies a number of ways that Tor user anonymity could be breached. One of them is by using cookies that can be placed on sites that could be used to fingerprint Tor users even when they’re not on Tor.
Matt Johansen, head of WhiteHat Security’s Threat Research Center, explained to eWEEK that the use of Tor only keeps a user anonymous while he or she is using Tor.
“It seems that some cookies that are set by popular ad networks while you are in Tor may persist to your sessions outside of Tor,” Johansen said.
Johansen warned, however, that cookies are by no means tamper-proof.
“If a malicious Tor user wanted to throw blame toward another party, there are many Web attack vectors that would allow them to take their ad network cookie and force it upon another user,” Johansen said. “This could lead to false identifications and throw pursuing parties, such as the NSA, off the proverbial trail.”
The Guardian has also published an alleged NSA document detailing a technique to attack Tor known as the “Egotistical Giraffe,” which is a Computer Network Exploitation (CNE) approach.
The Egotistical Giraffe involves potentially exploiting the Tor browser bundle, which is a popular way for users to access Tor. In August, the Tor Project revealed that there was a hack of the network made possible by vulnerable versions of the Tor browser bundle. At the time, there was no explicit connection or admission that U.S government authorities were in any way connected.
Going a step further, the Guardian report alleges that when the NSA does identify Tor users, the agency directs them to a set of servers known as “FoxAcid.” The goal of FoxAcid is to drop some kind of exploit on the user’s system such that they can be tracked or otherwise infiltrated.
There are some steps that individual users might be able to take to potentially mitigate the risk of being exploited.
“The FoxAcid details, and its use to gain long-term access to the clients it attacks, underscore another key point: If you care about privacy, assume that any system is compromised by default,” Kevin O’Brien, enterprise solution architect at CloudLock, told eWEEK. “A Linux-based OS that’s running from read-only media (like a DVD) or a known-clean VM environment should be the default for anyone who is regularly using TOR.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.