acpe 2014 internet anonymity using tor

ACPEnw 2014 Internet Anonymity Using “Tor” or “On the Internet, nobody knows you’re a dog” Jack Maynard, CISSP, CRISC, CCSK, C|EH Principal Security Consultant Prevail Security [email protected] www.prevailsecurity.net Don’t let your security fail, Prevail!

Upload: jack-maynard

Post on 15-Jul-2015



Speaker Bio – Jack Maynard

• Jack Maynard, CISSP, CRISC, CCSK, CEH, is an Information Security Manager with 18 years of national and international security experience working in a variety of information security roles.

• Previous security experience includes delivery of Red Team services including ethical hacking/penetration testing, threat & vulnerability management, secure software development, infrastructure hardening and UNIX/Linux operating systems.

• Prior to his current position, Jack held a number of security positions with Hewlett-Packard Company (HP), including R&D Security Architect and Security Strategist reporting to the HP Services CTO.

• Jack is owner and Principal Consultant of a private information security firm “Prevail Security”, a company he uses to speak freely about interesting and sometimes controversial security topics.

• LinkedIn: https://www.linkedin.com/in/jackmaynard

• Twitter: @PREVAILSecurity

Full Disclosure

Session Goals (agenda)

• Figure out how to make this session applicable to educational technology

• Learn something interesting about technology

• Provide a general introduction to:

o Internet anonymity using Tor

o How to block Tor at the Firewall

o Deep Web

o Tor Hidden Services

o Silk Road Anonymous Marketplace (Hidden Service)

o Bitcoin (decentralized digital currency)

Disclaimer – pay attention to this part ;)

1. This presentation is provided for informational and technical training purposes only.

2. It is intended to familiarize you with some of the methods, tools and services used to provide Internet anonymity.

3. It may at times “pull back the veil” and offer a look at the darker side of the Internet. If your senses are easily offended, this session may not be for you.

4. Neither I, the ACPEnw Board, nor anyone who employs me in any way encourages or supports using the information presented in this session for illegal or unethical purposes.

5. Individuals should have the authorization of the system and network owners before using any of the tools or techniques demonstrated or described here on any systems, networks, or applications.

“On the Internet, nobody knows you’re a dog”


• "On the Internet, nobody knows you're a dog" is a popular saying used to describe the anonymity of the Internet.

• It began as the caption of a cartoon by Peter Steiner, published in The New Yorker on July 5, 1993, and is still used today, over 20 years later, when talking about the issues around online identity.

• Mr. Steiner has stated that he has earned over $50,000 over 20 years from this one cartoon drawing alone, which he didn’t really like all that much.

• http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you're_a_dog

• http://www.washingtonpost.com/blogs/comic-riffs/post/nobody-knows-youre-a-dog-as-iconic-internet-cartoon-turns-20-creator-peter-steiner-knows-the-joke-rings-as-relevant-as-ever/2013/07/31/73372600-f98d-11e2-8e84-c56731a202fb_blog.html

“On the Internet, nobody knows you’re a dog”

Time Magazine – The Secret Web, November 11, 2013

Tor

What is Tor?

• Tor is free open source software that helps defend against network surveillance (for good or bad)

• Tor enables bypassing Internet content filtering

• Ding! Connection to educational technology ;)

• If Tor is used by students on your district network, this is probably not a good thing

• The Tor Network is a volunteer-run, worldwide network of relay servers

• An open network of virtual private network tunnels permitting people and groups to browse the Internet with anonymity.

• A Tor bridge relay instance can be run on Amazon Web Services (AWS) at a cost of about $20 a month

What can Tor be used for?

• To violate “Acceptable Use Policies”

• Bypassing Internet filtering that uses destination Blacklists

• To do legal stuff

• Surf the Internet anonymously

• Look at LOL Cats (anonymously of course)

• Bypass Internet censorship intended to defeat the free exchange of ideas and speech (e.g. Russia, China media censorship)

• Anonymous Government Whistleblowers

• To do illegal stuff (anonymously)

• Buy illegal drugs

• Buy real fake passports

• Exchange child porn

• Hire an assassin

Who invented Tor?

• Tor was originally developed as a project of the U.S. Naval Research Lab.

• It was originally developed for the primary purpose of protecting government communications.

• Today, it is an open source software project used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and criminals.

• High visibility uses of Tor include WikiLeaks and Silk Road:

• Used by WikiLeaks to receive government documents anonymously from Whistleblowers.

• Used by Silk Road to host an anonymous marketplace for the sale of illegal items.

Is Tor evil or bad (or illegal)?

• Technology is inherently neutral

• Nothing is inherently evil or bad

• Like anything, Tor can be used by bad people to do bad things

• Tor can also be used by good people to do good things

• Use of Tor for Internet anonymity is perfectly legal, though its use is overshadowed by the common belief that if you are using Tor, you must be doing something illegal.

How does Tor work?

• Tor provides anonymity by bouncing your Internet traffic around a distributed network of encrypted relays run by volunteers around the world.

• It prevents somebody watching your Internet connection from learning what sites you visit (masks destination IP)

• ISPs

• IT department (including District IT)

• Foreign & domestic governments

• NSA

• Law Enforcement

• It prevents sites you visit from learning your physical location (masks source IP)

• Useful for free exchange of speech, hacking, illegal downloads (torrents), and other criminal activity

What is Onion Routing?

• Onion routing encrypts and decrypts your network traffic typically 3 separate times, once for each Tor node it passes through on the way to the destination, the entry node, the relay node, and the exit node.

• It does this using the public-key of the router (Tor Server), which only the router’s private-key can decrypt.

• No single router knows the entire network path from source IP to destination IP.

Installing Tor: https://www.torproject.org


Tor Bridge Relays

• Bridge relays are Tor relays that aren't listed in the main Tor directory.

• Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won't be able to block all the bridges.

• If you suspect your access to the Tor network is being blocked, you may want to use the bridge feature of Tor.

• Finding more bridges for Tor:

• Send mail to [email protected] with the line "get bridges" by itself in the body of the mail. You'll need to send this request from a gmail account.

• Almost instantly, you'll receive a reply that includes:

Here are your bridge relays:
bridge 60.16.182.53:9001
bridge 87.237.118.139:444
bridge 60.63.97.221:443


How Tor Works – Step 1

• To create a private network pathway with Tor, Alice’s Tor client first queries a global directory Dave to discover where on the Internet all the Tor servers are.

How Tor Works – Step 2

• The Tor client then incrementally builds a circuit of encrypted connections through Tor servers on the network.

• The Tor software negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.

How Tor Works – Step 3

• No individual server ever knows the complete path to Bob or Jane that a data packet has taken.

Data visible to eavesdroppers when you don't use Tor or HTTPS

Potentially visible data includes:

• the site you are visiting (SITE.COM)

• your username and password (USER/PW)

• the data you are transmitting (DATA)

• your true ISP IP address (LOCATION)

• whether or not you are using Tor

Data visible to eavesdroppers when you use HTTPS only

Potentially visible data includes:

• the site you are visiting (SITE.COM)

• your username and password (USER/PW)

• the data you are transmitting (DATA)

• your true ISP IP address (LOCATION)

• whether or not you are using Tor

Data visible to eavesdroppers when you use Tor only

Potentially visible data includes:

• the site you are visiting (SITE.COM)

• your username and password (USER/PW)

• the data you are transmitting (DATA)

• your Tor Exit IP address (LOCATION)

• whether or not you are using Tor

Data visible to eavesdroppers when you use Tor & HTTPS

Potentially visible data includes:

• the site you are visiting (SITE.COM)

• your username and password (USER/PW)

• the data you are transmitting (DATA)

• your Tor Exit IP address (LOCATION)

• whether or not you are using Tor

“Why” block Tor at the Firewall?

• Not debating what is right or wrong about Internet content filtering

• K-12 E-Rate program subsidized?

• Internet usage must comply with CIPA (Child Internet Protection Act)

• Could risk losing federal subsidized funding for Internet access and transit

• AUPs (Acceptable Use Policies) are a management control

• Firewall rules are a technical control

“How” to block Tor at the Firewall

• Use a Layer-7 Firewall (Palo Alto Networks) or Web Application Proxy to perform deep packet inspection (DPI) at the application layer of protocols passing through the firewall and block Tor.

• Use a Tor Blacklist to create Tor blocking ACLs

• Block Tor Exit Nodes

• Refresh your Tor Exit Node Blacklist regularly:

• Query for Tor Exit Nodes:

• https://check.torproject.org/cgi-bin/TorBulkExitList.py
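One way to turn the exit-node list into block entries and refresh it safely, as an added example that is not part of the original slides. The feed format (comment lines starting with `#`, one address per line), the set name `tor-exit`, the protected internal ranges and the sample addresses are assumptions; the output uses `ipset restore` syntax.

```python
import ipaddress

# Assumed internal ranges that a bad or tampered feed must never block.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample feed (documentation addresses, not real exit nodes).
SAMPLE_FEED = """\
# constructed sample, assumed format: one address per line
192.0.2.10
198.51.100.7
198.51.100.7
203.0.113.255
not-an-ip
10.1.2.3
"""

def parse_exit_list(text):
    """Return (valid_addresses, rejected_lines) from a bulk exit list body."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)          # malformed entry
            continue
        if any(addr in net for net in PROTECTED):
            rejected.append(line)          # would block our own network
            continue
        valid.add(addr)
    return valid, rejected

def plan_refresh(current, fetched, min_size=1):
    """Return (to_add, to_remove); change nothing if the feed looks empty or broken."""
    if len(fetched) < min_size:
        return [], []
    order = lambda a: (a.version, int(a))
    return sorted(fetched - current, key=order), sorted(current - fetched, key=order)

def ipset_commands(to_add, to_remove, set_name="tor-exit"):
    """Render the plan as lines for `ipset restore` (set_name is hypothetical)."""
    return ([f"add {set_name} {a}" for a in to_add] +
            [f"del {set_name} {a}" for a in to_remove])

if __name__ == "__main__":
    fetched, bad = parse_exit_list(SAMPLE_FEED)
    current, _ = parse_exit_list("192.0.2.10\n192.0.2.99\n")
    print("\n".join(ipset_commands(*plan_refresh(current, fetched))))
    print("rejected:", bad)
```

As the Tor Bridge Relays slide notes, bridges are not in any complete public list, so a list-based ACL like this does not cover them.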

Tor Exit Nodes - Global

Tor Exit Nodes - USA

Tor Hidden Services

What are Tor “Hidden Services”?

• Tor makes it possible for users to hide their locations while offering various kinds of services.

• Tor can provide anonymity to website stores and other server services.

• Rather than revealing a server's IP address (and thus its network location), a hidden service is accessed through its 16-character “onion address” (.onion), derived from the service's public key.

• The Tor network understands these .onion addresses and can route data to and from hidden services, even to those hosted behind firewalls or network address translators (NAT), while preserving the anonymity of both parties.

• Tor Browser is necessary to access hidden services.

• A good example of a hidden service is “Silk Road” Anonymous Marketplace.

• https://www.torproject.org/docs/hidden-services.html

Deep Web

What is Deep Web?

Silk Road

Silk Road Marketplace – Tor Hidden Service


Silk Road Marketplace – Seized by FBI


Tor Demo

Bitcoin

Bitcoin Introduction

Thanks for Attending

Presentation Slides @ http://bit.ly/QeNrQb

Appendix

How Tor Works – The Onion Router

• To create a private network pathway with Tor, Alice’s Tor client first queries a global directory Dave to discover where on the Internet all the Tor servers are.

• Tor then incrementally builds a circuit of encrypted connections through Tor servers on the network.

• The circuit is extended one hop at a time, and each server along the way knows only which server gave it data, and which server it is giving data to.

• No individual server ever knows the complete path to Bob that a data packet has taken.

• The Tor software negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.
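The layering described here and under "What is Onion Routing?" can be traced in a small simulation, added as an example and not taken from the original slides or from Tor's code. The relay names, keys and destination are constructed, and the SHA-256 keystream is a toy stand-in for the per-hop keys Tor negotiates; it only shows what each hop can and cannot see.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only, not Tor's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, destination, message):
    """Client side: add one layer per relay, innermost (exit) layer first.
    path is [(relay_name, key), ...] in entry -> exit order."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    onion = message
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        header = nxt.encode()
        onion = keystream_xor(key, bytes([len(header)]) + header + onion)
    return onion

def peel(key, onion):
    """Relay side: strip one layer and learn only the next hop."""
    plain = keystream_xor(key, onion)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(path, sender, onion):
    """Walk the circuit, recording (previous hop, next hop) as seen by each relay."""
    seen, prev = {}, sender
    for name, key in path:
        nxt, onion = peel(key, onion)
        seen[name] = (prev, nxt)
        prev = name
    return seen, onion

# Constructed circuit: names and keys are made up for this example.
PATH = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    onion = wrap(PATH, "bob.example", b"hello Bob")
    seen, delivered = route(PATH, "alice", onion)
    for relay, (prev, nxt) in seen.items():
        print(f"{relay}: received from {prev}, forwards to {nxt}")
    print("delivered:", delivered)
```

Only the entry relay sees Alice as its previous hop and only the exit relay sees the destination, which is the property stated in the bullets above.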

Anonymous Internet Using Tor

1. Start Tor - When you run Tor browser software to access the Internet, all your data, including your web searches are wrapped in layers of encryption.

2. Tor Relays - To hide your source and destination IPs, Tor sends your data through a network of relays (other computers using Tor). Each relay strips a layer of encryption before passing it on to the next Tor Relay. Tor changes your relay path frequently. Each Tor relay knows only the IP address of the relay before and after it, never your true IP address.

3. Final Destination - Tor has more than 4,000 relays. Your encrypted data passes through three of them. Once the last layer of encryption is stripped, the Tor exit relay connects you to the website you want to visit.

4. Hidden Services - If the website you want to visit is a hidden service (.onion address, example Silk Road) then you never exit the Tor Network.

5. Payment - At checkout, you use a digital currency called Bitcoin, which is exchanged via digital wallets on the buyer's and seller's computers, which provides anonymous payment services.


6. Delivery - Sellers ship goods. After you receive the merchandise an escrow account releases Bitcoin payment to the seller.

7. BUYER --> Encrypted Data --> ISP --> Tor Entry Relay --> Tor Relay --> Tor Exit Relay --> Website Server --> ISP --> Decrypted Data --> SELLER

Tor Example – Bypassing Internet Censorship of Free Speech
