
Re: How do we defeat exit node sniffing?






Scott Bennett wrote:
> On Mon, 09 Jun 2008 20:51:10 -0700 Jack Straw <JackStraw@xxxxxxxxxxxx>
> wrote:
>> F. Fox wrote:
>>> defcon wrote:
>>>> so what do you all suggest if I must authenticate to a non ssl
>>>> connection?  How do I do it anonymously and safely?
>>> (snip)
>>>
>>> AFAIK, you can't.
>>>
>>> However, there are three personal rules I stick to, when using accounts
>>> which need a login through Tor. They may or may not apply to your scenario:
>>>
>>> 1.) Any account used for anonymity, must be created through Tor, and
>>> never have been touched without it.
>>>
>>> 2.) Any such account must, of course, always be accessed through Tor
>>> after its creation.
>>>
>>> 3.) Any such account must be considered expendable; i.e., if an exit
>>> sniffer stole the credentials and either locked you out or impersonated
>>> you, it wouldn't be a real problem.
>>>
>>> If you'd rather not have to follow Rule 3, make sure you use accounts
>>> with services that use strong encryption - and watch out for accidental
>>> leaks*.
>>>
>>>
>>> *: Supposedly, Gmail's Web interface sometimes leaks, even when using it
>>> under HTTPS. To minimize such leaks, it's important to switch on POP or
>>> IMAP ASAP, and use a client with it with SSL/TLS enabled.
>>>
>> I have a question about that, which has puzzled me for quite some time.
>> Perhaps I'm being too rigid in regards to this.
>>
>> I have a Gmail account that was created through Tor.
>> I should say, that this anonymous account is a test account. I use it
>> for no sensitive communications, however I treat the account as if I do.
>>
>> I have only accessed that GMail account through Tor, and my Xerobank
>> account. Mixing it up. I have been very cautious in adhering to that.
>> Well sort of... My bad.
>>
>> A few months back, in haste, I accidentally accessed the account naked
>> from my standard IP address. Maybe 2-4 times. That's all. But it happened.
>> I felt that the account had to be abandoned as it was now "tainted."
>>
>> But then I thought, "How so?"
>>
>> Let's say hypothetically, I have accessed that account 1,000 times.
>> 950 times I have logged in using Tor. 48 times I've logged in using my
>> Xerobank account.
>>
>> On those few occasions, I've logged in from my home IP.
>>
>> Logically, how would a potential adversary know where I'm coming from?
>>
>> For all they'd know, I was traveling, and logged in using a friend's
>> computer as the access was less than a half dozen times. Unless I'm
>> missing something, that unintended access really tells them nothing. Or
>> does it? It may be suggestive, I'd think, but that's it. For some, that
>> would be enough to abandon the account and I understand that.
>>
>> I accept all that Fox wrote as "Best Practices" and should always be
>> adhered to. One doesn't want to take risks or play Russian Roulette.
>>
>> I agree.
>>
>> But is that account really tainted?
>>
>      Okay, let me don a black hat for a bit to tackle this one.  Suppose
> I can watch the traffic going into and out of the destination, where you
> hold your account, an account that particularly interests me for reasons
> unknown to you.  I've noticed already that the source addresses of the
> connections coming in to access this account seem to bounce around the
> globe from one connection to the next.  I might think you were traveling,
> except that I see occasions where the access times that I've logged show
> consecutive addresses that are too far apart geographically for the user
> to have traveled between them in the time between those accesses.  E.g.,
> one time the user accesses the account from an IP address in the London
> metro area, and an hour later accesses it again, but this time from Delhi.
> So I check more closely, comparing those IP addresses to various lists I
> keep up-to-date copies of and...voila!  All of them are tor exit nodes!
> Except, perhaps, this one IP address that might be someone's home computer
> because it doesn't appear as an exit for the port in question in the
> cached-descriptors list that I keep on hand, in which case, I've probably
> found you.  OTOH, perhaps you run a tor exit node for that port, in which
> case that method doesn't work.  But wait just a sec here...hmmm...the
> last access was from a tor exit for the appropriate port, but then there
> have been no accesses since that time over a week ago, but the user has
> typically been accessing it at least every two or three days ever since
> the account was opened.  I wonder...could the user have slipped up and
> accessed the account without realizing that the access had not gone
> through the tor network?  Perhaps he had disabled the use of tor in
> his/her browser and forgotten to reenable it, in which case I've got you
> located by IP address and can find out your street address quite easily.
> Now maybe I don't have any real evidence to use against you for Vaterland
> Security or FiBbI or wherever my blackhat character happens to work, but
> maybe I have a girlfriend who works down the street at the IRS, who might
> take an interest in the tax protest postings to various USENET groups
> from your account.
>      Dropping the black hat to return to normal self :-)...so in that
> light, is your account tainted?  I would contend that it probably is if
> Mr. Black Hat has been focusing on your account.  To the extent that I
> may be doing by hand all the closer examination of your account accesses,
> rather than using a completely automated process that simply delivers
> these results to me, you might be able to cover the trail, especially if
> you do run a tor exit node for the port in question, by doing something
> like this after your little accident occurred:  roll a 20-sided die to
> determine how many more times you will access the account via the tor
> network before abandoning the account, so that the cessation of accesses
> will not so obviously point to your IP address.
>      I realize that may not seem to be much consolation, but you should
> understand that all of this occurred to me while I was still reading
> your message the first time.  It didn't take any real pondering to come
> up with.
>
>                                   Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:       bennett at cs.niu.edu                              *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************

Scott, that was a brilliant answer. And I appreciate the time you invested in it.

I wasn't sure, and I wasn't trying to be defensive or protect a position.

But I could not logically parse how Gmail logins from an overwhelming majority of random IPs with minimal logins from my valid home IP could possibly compromise the account.

But it is precisely that small number of tainted logins that with careful research would prove to be the most revealing or productive for an adversary. Often, the smallest piece of evidence turns out to be the most significant.

When it comes to security, one must always consider as the priority, the worst possible scenario, which you did.

I wholeheartedly agree. The account is tainted.

Thanks Again!!

Jack Straw
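A self-audit of the kind Scott's black-hat walkthrough implies, written as an added example that is not part of the thread: it runs over a constructed login history (the sort of list a provider's "recent activity" page shows) and a constructed exit list, and flags the three tells named above: a source address that is not a known exit, consecutive logins too far apart to have travelled between, and a stop in activity after a regular cadence. The addresses, coordinates, timestamps and the 1000 km/h travel threshold are assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from statistics import median

# Constructed data: documentation-range addresses, not real exits or users.
TOR_EXITS = {"198.51.100.7", "203.0.113.42", "192.0.2.99"}
GEO = {  # (lat, lon) for the sample addresses; assumed, not looked up
    "198.51.100.7": (51.5, -0.12),   # London exit
    "203.0.113.42": (28.6, 77.2),    # Delhi exit
    "192.0.2.99": (40.7, -74.0),     # New York exit
    "100.64.0.23": (41.9, -88.8),    # the user's home address, not an exit
}
LOGINS = [  # (timestamp, source IP), oldest first, as a "recent activity" page might list them
    ("2008-06-01 10:00", "198.51.100.7"),
    ("2008-06-01 11:00", "203.0.113.42"),
    ("2008-06-03 09:30", "100.64.0.23"),
    ("2008-06-05 20:15", "192.0.2.99"),
]

def km_between(p, q):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def audit(logins, exits, geo, now, max_kmh=1000):
    """Report the three tells from the thread: non-exit sources, travel between
    consecutive logins that no traveller could manage, and a gap since the last
    login that is far longer than the account's usual cadence."""
    ts = [datetime.strptime(t, "%Y-%m-%d %H:%M") for t, _ in logins]
    ips = [ip for _, ip in logins]
    report = {"non_exit": [ip for ip in ips if ip not in exits], "impossible_travel": []}
    gaps = []
    for i in range(1, len(logins)):
        hours = (ts[i] - ts[i - 1]).total_seconds() / 3600
        gaps.append(hours)
        km = km_between(geo[ips[i - 1]], geo[ips[i]])
        if km > max_kmh * hours:  # faster than any traveller: a relay, not a trip
            report["impossible_travel"].append((ips[i - 1], ips[i], round(km), hours))
    since_last = (datetime.strptime(now, "%Y-%m-%d %H:%M") - ts[-1]).total_seconds() / 3600
    # A sudden silence after a steady rhythm is itself a signal, as Scott notes.
    report["overdue"] = bool(gaps) and since_last > 3 * median(gaps)
    return report

if __name__ == "__main__":
    print(audit(LOGINS, TOR_EXITS, GEO, now="2008-06-14 12:00"))
```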