Windows DRM Files Used to Decloak Tor Browser Users

bleepingcomputer.com

79 points by edgarvm 9 years ago · 32 comments


throwaway2016a 9 years ago

I only ever use Tor for security research and with the nature of my particular work, I don't have a reason to download files but...

If I did and I cared about anonymity I would never download a file unless all internet on my machine or VM was piped through Tor (such as using Whonix or some dedicated security appliance). If I was using the Tor browser I wouldn't even turn on Javascript without those protections for that matter.

On the other side of the spectrum, running Tor on Windows is insane. Almost every flaw I have seen in Tor mostly or only affects Windows users.

throwaway7767 9 years ago

The list of file formats that can trigger the viewer to fetch a resource over the internet is so large that it's impossible to cover them all. Unless you're working with plain text or something you know is safe, don't open files downloaded over Tor if you're running on a standard OS (and not, say, in a whonix workstation that's isolated from direct internet connections).

brudgers 9 years ago

Tor was developed by the US Naval Research Laboratory as a munition (that's the strong view of cryptography, and developing munitions is what NRL does). There are a number of assumptions baked into its design. Among them is hygiene appropriate when handling munitions in the external operating environment.

Viewed as a munition, the fact that Tor source code was opened up more than a decade ago but well into the post-Patriot act era suggests that its direct value as a munition had become less significant. However, since the release seems to have had the effect of retarding development of alternatives for some years, this might be seen as an indirect value of Tor as a munition.

Practically speaking, Tor on its own and absent an ecosystem of serious security hygiene, is likely to leak data to an attacker with targeted intelligence and barely non-trivial technical means. Because relatively few people have the will and the technical skill and the need to do all the other things that are required to use Tor in a secure manner.

Or to put it another way, in the context of the GWOT, it seems likely to me that Naval Research Labs only provided a free and unlimited cryptographic munition because it could readily defeat its use by adversaries.

cnvogel 9 years ago

What's the standard way to use Tor for people who are really diligent with their operational security?

Personally I haven't used Tor except for short casual testing. But if my personal security would depend on the anonymity provided by Tor, I think I'd seriously consider adding an additional layer of protection to avoid information leaking out "to the sides".

  • mikegerwitz 9 years ago

    Use Tails or Whonix which prevents leaking data outside of the Tor network. Qubes OS makes Whonix easy/transparent (though I haven't had the pleasure of trying out Qubes yet).

    Never access files downloaded over Tor outside of those environments, and _never_ mix identities: if you're going to be pseudonymous, don't access files downloaded under another pseudonym or visit websites you'd access (especially if logging in) under another. If you're going to be anonymous, don't save the data: let it be ephemeral, which is easy in the case of Tails, which is ephemeral by default.

    Always use Tor Browser, not Tor over Foxyproxy in a vanilla Firefox or something. Don't rely on torify on your normal setup for complete anonymity, for reasons above.

    But it depends on your threat model. I _do_ do both things in the previous paragraph for my day-to-day stuff where my threat model involves e.g. advertisers and other privacy-invading trackers, where I'm reading tech-related articles or downloading videos of talks, for example. But that involves a number of other addons as well (e.g. Privacy Badger, HTTPS Everywhere, NoScript, uBlock Origin, self-destructing cookies, ...).

    Edit: Forgot to mention: https://www.whonix.org/wiki/DoNot

    • ryanlol 9 years ago

      >Use Tails or Whonix which prevents leaking data outside of the Tor network. Qubes OS makes Whonix easy/transparent (though I haven't had the pleasure of trying out Qubes yet).

      Use Whonix, not Tails. Tails doesn't do a particularly good job preventing leaks outside of Tor network.

    • dukeluke 9 years ago

      It's also a good idea to assume Tor is already pwned and to follow good opsec (burner devices, MAC address cloaking, using open/pwned wifi APs, loading & running the OS completely through RAM, and using hard drive write blockers). True anonymity is tough nowadays.

      • mikegerwitz 9 years ago

        Tails randomizes the MAC address by default, I believe.

        (Edit: https://tails.boum.org/contribute/design/MAC_address/)

        But yes, you need hardware you can trust. Burner won't be a bad idea if your life depends on your anonymity.

        • chopin 9 years ago

          Out of curiosity: Why is this necessary? Not being exactly a network expert, I would have assumed that leakage of the MAC address terminates at the next router or switch (which e.g. would be my home router, if using Tor from home). Is the MAC address part of IP packets somehow?

          • FungalRaincloud 9 years ago

            Typically, the MAC address is not public beyond the next router. Software could intentionally leak it, but I don't think that's likely on a system built for anonymity. However, it is possible that, should your traffic get traced to your true IP address, interested parties would attempt to then trace it to an individual. Any router you connect to could be storing access logs (or even passing them on to the next connection point) for a long enough time that they could narrow down which MAC the traffic came from. If they have you on camera, and the recorded MAC matches your PC, that's a bit more evidence. Sure, you could potentially fight it in court (MACs can be trivially spoofed, after all!), but why bother taking the risk?

          • moyix 9 years ago

            It's not part of the IP packet, but in some previous cases exploits on Tor (such as the one the FBI used in the Freedom Hosting takedown) have explicitly queried the MAC address and then exfiltrated that information. I assume the intent was that they could then arrest the suspect and compare the captured MAC address to the physical machine to prove it was the same person.

            • angry_octet 9 years ago

              In addition to providing confirmatory evidence, MACs are essentially serial numbers in a can. Every batch of chips sold can be traced to an OEM. If that was a laptop OEM then the manufacturer will know the serial number of the device with that MAC, and CPU ID etc. There is a good chance they can trace who initially purchased the laptop.

              Also, if it is a WiFi MAC then your laptop is blasting that out constantly, and many services collect that info. Fortunately we are slowly seeing a move to randomisation of the MAC used when scanning. Unfortunately an active probe can pierce the veil by causing the true MAC to be used. Lots of venues (shopping malls) offer free Wifi because it causes the phone to reveal its true address when it connects, allowing tracking (lots of other entropy in Wifi apart from the MAC though).

              There is no reason random MACs shouldn't be used for all transmissions in modern systems except for software inertia.

          • mikegerwitz 9 years ago

            In addition to what the others said, it could be used to correlate you across multiple e.g. public wifi hotspots. Imagine some dissident in a repressive regime leaking information and law enforcement checking the logs of the routers for various public places. If they find a MAC at all locations, they might be able to check security cameras and see what individuals were present at that time and correlate that MAC with an individual, and then further use that information to track their movements.

            Yes it can be spoofed and someone could potentially be framed, but it's just more information that can be used in conjunction with other data to help deanonymize a person.

          • hrehhf 9 years ago

            Have you noticed that Starbucks has wifi sponsored from Google? Considering that Google tracks everything else, it is reasonable to assume they track MAC addresses at nearly every Starbucks, too. It has been reported that shopping centers do this as well. You do not have to actually be connected to their SSID either because your MAC address will be broadcast with any frames transmitted.

  • kolme 9 years ago

    Hardcore people in the security circles do all their serious stuff inside one-use-only virtual machines; once their stuff is done, the machine is deleted and shredded.

    That's the most clean-cut way of not mixing anonymous and regular files/configurations/whatever.

    If my life depended on Tor, I would definitely do this.

    • antocv 9 years ago

      Add to that - do not use full web-browsers, but curl/wget/links instead.

      • swiley 9 years ago

        This! The fact that a Firefox fork is often used as the "secure for browser" is really pretty disturbing. You have no clue what Firefox is doing 90% of the time and you probably never will.

danjoc 9 years ago

Not just Windows DRM files. Specifying a special codec is enough to trigger an auto download attempt in certain players. You can even embed SMIL animations in QuickTime files to trigger content downloads.

This is why the feds want to redistribute child porn for weeks at a time. They can't break tor to de-anonymize users. They need to distribute files with beacons in them for this plan to work. Never mind that the police have become the child porn traffickers.

http://disinfo.com/2016/01/why-did-the-fbi-operate-a-child-p...

UnoriginalGuy 9 years ago

While true this is like any other file type that connects back to the internet. It has nothing at all to do with DRM in particular.

For example you could download an HTML file over Tor; that file could have an <img /> tag in it which reveals your real IP when you open it in the non-Tor browser. Ditto with Office macros, any scripting language, Adobe Reader, etc. If you're going to just accept through warning dialogs then you're in trouble.
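The HTML case described in the comment above is the one file format a defender can check cheaply before opening a download outside the Tor environment. The following scanner is an added example for this thread, not code from the linked article or from any commenter: it parses an HTML file and lists every reference a browser would fetch automatically on render (images, scripts, stylesheets, frames, media sources and posters, CSS `url()` values, and `meta refresh` redirects), reporting only those that point at a remote host. Plain `<a href>` links are deliberately ignored, since they need a click. The sample document and the tag/attribute table are constructed assumptions for the demonstration.

```python
"""Flag remote resource references in a downloaded HTML file.

Added example, not code from the linked article or from the commenters.
The tag/attribute table below is an assumption about what browsers fetch
automatically; the sample document is constructed for this demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that a browser resolves without user interaction when rendering.
# <a href> is left out on purpose: a hyperlink needs a click to fire.
AUTO_FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "track": ("src",),
    "input": ("src",),
}

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


def is_remote(url):
    """True if fetching this URL would leave the local machine."""
    url = url.strip()
    if url.startswith("//"):            # protocol-relative, still a network fetch
        return True
    return urlsplit(url).scheme.lower() in ("http", "https", "ftp")


class BeaconScanner(HTMLParser):
    """Collects (tag, attribute, url) triples for every remote auto-fetch."""

    def __init__(self):
        super().__init__()
        self.remote = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)            # attribute values may be None
        if tag == "style":
            self._in_style = True
        for name in AUTO_FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            candidates = self._split_srcset(value) if name == "srcset" else [value]
            for url in candidates:
                if is_remote(url):
                    self.remote.append((tag, name, url))
        # <meta http-equiv="refresh" content="0; url=..."> navigates on its own.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(attrs.get("content") or "")
            if m and is_remote(m.group(1)):
                self.remote.append((tag, "content", m.group(1)))
        # Inline style="background:url(...)" is fetched on render too.
        if attrs.get("style"):
            self._scan_css(tag, "style", attrs["style"])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:             # contents of a <style> block
            self._scan_css("style", "text", data)

    def _scan_css(self, tag, attr, css):
        for url in CSS_URL.findall(css):
            if is_remote(url):
                self.remote.append((tag, attr, url))

    @staticmethod
    def _split_srcset(value):
        # "a.png 1x, b.png 2x" -> ["a.png", "b.png"]
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]


def find_remote_references(html_text):
    scanner = BeaconScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.remote


def remote_hosts(refs):
    """Distinct hosts the document would contact, sorted."""
    return sorted({urlsplit(url).netloc.lower() for _, _, url in refs})


# Constructed sample: a mix of local references (harmless offline) and
# remote ones that would reveal the viewer's real IP address when opened.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="5; url=http://tracker.example/landing">
<link rel="stylesheet" href="theme.css">
<style>body { background: url('https://cdn.example/bg.png'); }</style>
</head><body>
<img src="logo.png" alt="local">
<img src="http://tracker.example/pixel.gif?id=42" width="1" height="1">
<img srcset="small.png 1x, //tracker.example/big.png 2x">
<a href="https://example.org/">a plain link needs a click</a>
<div style="background-image:url(//tracker.example/div.png)"></div>
<video poster="https://cdn.example/poster.jpg" src="clip.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    found = find_remote_references(SAMPLE_HTML)
    for tag, attr, url in found:
        print(f"<{tag} {attr}> -> {url}")
    print("hosts contacted on open:", ", ".join(remote_hosts(found)) or "none")
```

Run against the constructed sample it reports six remote references across two hosts; run against a real download it gives a quick answer to "will opening this touch the network?" for the HTML case only. A non-empty result is the signal to open the file inside the Tor-only environment (or not at all), which is exactly the discipline the earlier comments recommend for every other format where no such cheap check exists.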

  • hackerfantastic 9 years ago

    There are other ways of doing a similar attack which have been covered by HD Moore. We found this one interesting due to the minimal interaction required on Windows and the prevalence of media sharing on the darknet (for good or evil).

    • hackerfantastic 9 years ago

      Just to clarify, there are no warning messages doing this with signed WMV files. There is a single warning from Tor which you can selectively disable - and I am sure many users do. You open the file and the action is triggered; Office documents now have protected mode which comes with alerting, and I am sure that Adobe warns users in a similar fashion. Most users would not expect playing a movie file to perform this action, hence why it has a use case here.

niij 9 years ago

OFFTOPIC: Does anyone know the name of the song from that video? I searched for the title of what was playing, but only came up with some weird anime soundtracks for some reason.

youdontknowtho 9 years ago

It would be interesting to see if this could be extended to images? Can't Windows DRM be used with certain image formats? It's just a thought.

ComodoHacker 9 years ago

>such a niche attack

Niche indeed. The potential target group of users who think "just use Tor and you're safe" is vanishing rapidly.

nueded 9 years ago

This is a TOR exploit in the same way that downloading a blob through TOR is a TOR exploit.

  • campuscodi 9 years ago

    Nobody said it was a Tor exploit. It's just a deanonymization technique, which, like most, relies on social engineering (convincing the user to push a "Save File" button).
