This presentation introduces topics like Anonymity, Data Anonymization and De-Anonymization, then it focus the attention on possible security and privacy attacks in "The Onion Router" (Tor) web. Lesson was made on 24/05/2016 for the "Web Security and Privacy 2015/16" course in "La Sapienza" University, Rome.

1. Presented by
• Alessandro Granato
• Emilio Cruciani
• Giovanni Colonna
• Silvio Biagioni
Deanonymization
Web Security and Privacy course – 2015/2016 – «La Sapienza» University

2. Presented by
• Alessandro Granato
Information
• http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web
• linkedin.com/in/alessandro-granato-40b03081
• a.granato.89@gmail.com
Deanonymization – The Onion Router
Web Security and Privacy course – 2015/2016 – «La Sapienza» University

3. • What is Anonimity?
▫ Colloquial use – Web use
• What is Data Anonymization?
▫ Information Sanitization
▫ Security Privacy
• What is De-Anonymization?
▫ Cross-reference
Introduction

4. • Tor is a free SW for anonymous communication
▫ Volunteer relays to conceal user’s location
Introduction – The Onion Router
• Nested “Onion” encryption
▫ Encrypts Data, Sender IP, Receiver IP
▫ Through random circuits
▫ Last Relay!

5. • Monitoring to guarantee safety
• Tor abused by Cybercrime and Terrorists
• Monitoring capabilities over anonymizing networks
Governments vs Tor
People directly connected
to Tor in 2014:
2.5 Mln
Connected Users

6. • Tender for companies: “Perform research, code ‘TOR’ (Navy)”
• Develop technology to track Tor’s users
Russia vs Tor
Rewards:
4 Mln rubles
(~$ 111.000)

7. • Counter-Attack to deanonymizers in Tor Network
• Philipp Winter
• Stefan Lindskog
• Karlstad University
Spoiled Onions: Exposing Malicious Tor Exit Relays

8. • Tor circuits are encrypted tunnels
• Exit Relays -> Open internet -> Final destination
• Traffic usually lacks of end-to-end encryption
• Man in the middle by design
• Relays run by volunteers!
▫ Innocent
▫ Malicious
Spoiled Onions

9. • Goal: find malicious exit relays
▫ Develop an exit relay scanner
▫ Design browser extension patch
 Fetch and compare suspicious X.509 certificate
 standard for a public key infrastructure (PKI) to manage digital certificates
▫ Probe exit relays for 4 months
Spoiled Onions: The study

10. • Python based exit relay scanner
• Create custom circuits to exit relays
• Circuits probed by modules
▫ Estabilish decoy connections
• Objective
▫ Provoke exit relays to tamper with
these connections
▫ Reveal them!
Spoiled Onions: ExitMap
• Stem Library
▫ Implements Tor control
port
▫ Inititiate/close circuits
▫ Attach streams to circuits

11. • Fetch network to know online exit relays
• Get fed with set of exit relays
▫ Random permutation
• Initiate circuits over exit relays
• Invoke desired probing module that estabilish decoy connection
▫ __LeaveStreamsUnattached
▫ __DisablePredictedCircuits
Spoiled Onions: Using ExitMap

12. • HTTPS module
▫ Fetches decoy destination’s X.509 certificate -> extract fingerprint
▫ Compare to expected fingerprint (hard-coded inside)
▫ If mismatch -> ALERT!
• SSLSTRIP module
▫ Sslstrip attack: rewrite HTTPS answer as HTTP
▫ Silent attack: browsers don’t show alert
 You must notice the absence of TLS indicator (green address bar)
▫ The module verifies if the expected HTTPS link was «downgraded» to HTTP
Spoiled Onions: Probing modules

13. • In 2014:
▫ N = 1000 exit relays
▫ M = 25 malicious exit relays
▫ 2 relays: DNS censorship
▫ 1 relay: misconfigurated
▫ All the others: MitM attack
Spoiled Onions: Enemies Found!

14. • Connection with decoy destination
• Change decoy’s certificate with their own self-signed version
• Certificate is not issued by trusted autority of Tor’s certificate store
• Probable Man in the Middle attack!
▫ User redirected to the about:certerror warning page
Spoiled Onions: Enemies Found! (cont’d)

15. • Subset of malicious relays run by same group of people
▫ Same self-signed certificate (Main Autority)
▫ Same country (Russia)
▫ Same VPS provider
▫ Same netblock (176.99.0.0/20)
▫ Same old version of Tor
▫ Same destination target: Facebook
 Social Networks are often
attacked using MitM
Spoiled Onions: Enemies Found! (cont’d)

16. • ExitMap checks browser event DOMContentLoaded
▫ Whenever a document is loaded by the browser
• Check URI to find «about:certerror» warning page
• If found, there is self-signed certificate
• It can be authentic, but not in tor certificate store
• Refetch certificate with another circuit
• Compares the two fingerprints
▫ If same = authentic
▫ If not same = MitM attack
Spoiled Onions: Extension design

17. • If Man in the Middle attack:
▫ Show a warning pop-up
▫ User can send info about the case
Spoiled Onions: Extension design (cont’d)

18. • In 2014 there were ~1000 Tor exit relays
• Researchers developed a scanner to monitor exit relays for 4
months
• M = 25 malicious exit relay discovered
• The majority of MitM attacks were coordinated
• To avoid user deanonymization
▫ Developed ExitMap
▫ Developed a set of patches for Tor browser which are capable to fetch self-
signed certificates to evaluate their trust-worthiness and advise the user
Spoiled Onions: Conclusion

19. • Slideshare:
▫ http://www.slideshare.net/AlessandroGranato/deanonymization
-in-tor-web
• Infosec:
▫ http://resources.infosecinstitute.com/hacking-tor-online-
anonymity/
• Spoiled Onion paper:
▫ http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf
Useful links

20. Thank you!
Deanonymization – The Onion Router
Web Security and Privacy course – 2015/2016 – «La Sapienza» University
Questions?