How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID

The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.

According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identifies Tor users on the Internet and then executes an attack against their Firefox web browser.

The NSA refers to these capabilities as CNE, or computer network exploitation.

The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the Internet. This is done via the agency's partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.

The NSA creates "fingerprints" that detect HTTP requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool that NSA boasts allows its analysts to see "almost everything" a target does on the Internet.

Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of Internet traffic that it sees, looking for Tor connections.

Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring Internet traffic.

The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.

Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.

Exploiting the Tor browser bundle

Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.

This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.

According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for JavaScript. This vulnerability exists in Firefox 11.0 -- 16.0.2, as well as Firefox 10.0 ESR -- the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR.

The Quantum system

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

This same technique is used by the Chinese government to block its citizens from reading censored Internet content, and has been hypothesized as a probable NSA attack technique.

The FoxAcid system

According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an Internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate.

The servers are on the public Internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA.

However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks.

FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. http://baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html is an example of one such tag, given in another top-secret training presentation provided by Snowden.

There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.

The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it.

According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets.

The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations.

In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.

According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer, called Personal Security Products or PSP, in the manual.

FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them.

FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.

The NSA also uses phishing attacks to induce users to click on FoxAcid tags.

TAO additionally uses FoxAcid to exploit callbacks -- which is the general term for a computer infected by some automatic means -- calling back to the NSA for more instructions and possibly to upload data from the target computer.

According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install "implants" designed to exfiltrate data.

By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all.


This essay previously appeared in the Guardian. It is the technical article associated with this more general-interest article. I also wrote two commentaries on the material.

EDITED TO ADD: Here is the source material we published. The Washington Post published its own story independently, based on some of the same source material and some new source material.

Here's the official US government response to the story.

The Guardian decided to change the capitalization of the NSA codenames. They should properly be in all caps: FOXACID, QUANTUMCOOKIE, EGOTISTICALGIRAFFE, TURMOIL, and so on.

This is the relevant quote from the Spiegel article:

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

That should be "QUANTUMINSERT." This is getting frustrating. The NSA really should release a style guide for press organizations publishing their secrets.

And the URL in the essay (now redacted at the Guardian site) was registered within minutes of the story posting, and is being used to serve malware. Don't click on it.

Posted on October 7, 2013 at 6:24 AM • 121 Comments

Comments

sleeperOctober 7, 2013 7:27 AM

The paragraph "FoxAcid servers also have sophisticated capabilities[...]" is there twice.

JeffHOctober 7, 2013 7:31 AM

So if the FoxAcid servers are on the public Internet, running Windows Server 2003, what is the likelihood of *someone else* compromising those servers? Sure, the NSA are almost certainly experts in securing systems as they're busy attacking them, but still, servers on the public Internet get compromised. It's an intriguing idea that someone else could subvert a FoxAcid server, already used as a surveillance system, to add in their own.

ThomasOctober 7, 2013 7:40 AM

@Bruce,

You mentioned that since you've gained access to this stuff you've bought a new computer that's never been connected to the Internet.

A lot of this post seems to be about gaining more permanent access.

Putting 2 and 2 together (and quite possibly coming up with "5") does this mean you wouldn't even trust a formatted-and-reinstalled PC, i.e. some of these exploits might survive that (firmware-level malware)?

Given how compliant (coerced?) Telcos and Software Vendors are is there any reason to believe your firmware is safe?

Apparently EFI-boot (the 'secure' BIOS replacement) has more LoC than the Linux kernel. Any chance of a helpful feature or two among hidden away?

(taking off tinfoil hat now, but keeping it close by just in case!)

Terry ClothOctober 7, 2013 7:40 AM

Two comments about the example website (2ndhalfplays.com):

1) You should move the warning and the URL closer together. I suspect I'm not alone in surfing over there as soon as I'd finished the sentence. Either put the warning in a sentence before the URL, or redact it in the text, and supply it in the in the additional edit.

2) If it's still in hostile hands (maybe the NSA?), they have a sense of humor. It now (2013-10-07, 0826 ET) is a page with two links: to the EFF website, and to their 26 October DC rally (https://rally.stopwatching.us/). Oh, and according to the HTML, some Google ads which I didn't see since I keep Javascript off.

As for the DNI's response, while they protest their purity and good intentions, he says nothing about why the spooks so strenuously object to anything resembling democratic oversight.

Many thanks for keeping us informed, on this and so many other topics.

Future Tor RelayOctober 7, 2013 7:58 AM

I had plans to install a Tor relay when my Internet connection gets upgraded to fiber sometime in the next year though I've never felt the need to use Tor myself. I will probably still do that.

However it seems that Tor needs another component in its architecture and that is a group of security sophisticated volunteers using Tor and trying to detect these types of attacks. These FoxAcid sites (no matter which country is the sponsor) need to be identified and published. Then there needs to be a way to check ones history to see if a potentially malicious site on the published list had been visited.

There also needs to be more education around the use of virtual machines that will be used for only one session for certain types of Tor use such as accessing sites like wikileaks.

SellThemOctober 7, 2013 8:10 AM

@Thomas: "you've bought a new computer that's never been connected to the Internet."

Do you think, Bruce, that the Windows OS on that computer might obey to instructions NSA may succeed to plant on your USB key (Stuxnet-like attacks) ? Or do you use a liveCD OS to reformat any key before inserting them ?

Does your wifi or bluetooth recievers have been taken off ?

@JeffH: "subvert a FoxAcid server, already used as a surveillance system, to add in their own."

Or to sell the exploit hosted there to China/Russia/anonymous/chaos computer club/...

Matthias UrlichsOctober 7, 2013 8:13 AM

@FutureTorRelay: I'm running an exit server. Whatever you do, give it an unique IP address; otherwise some sites even refuse to accept your (legitimate, non-TOR) email.


Anyway, seems that the main requirement for becoming a NSA hacker is to remember a hundred associations between CrypticCodename (or CRYPTICCODENAME, natch), what the thing is supposed to do, what it is actually doing, and who is allowed to know the latter. :-/

Not really anonymousOctober 7, 2013 8:26 AM

@Ricky: Lynx has had its share of security issues. I wouldn't expect using it to do anything more than possibly buy you a little time (while they cooked up an exploit for it).

Evil JavaOctober 7, 2013 8:28 AM

Java/js attack surface is too huge. Time to break out OpenBSD shell text browser

Steve FriedlOctober 7, 2013 8:56 AM

@Bruce, the "TOR Stinks" source material has a number of redactions; if they were made post-Snowden, is there anything you can tell us about that?

gwernOctober 7, 2013 9:03 AM

> So if the FoxAcid servers are on the public Internet, running Windows Server 2003, what is the likelihood of *someone else* compromising those servers?

These presentations are from 2007 or something. I'm sure they've upgraded OSs since then.

AbsintheOctober 7, 2013 9:35 AM

@Terry Cloth
Oh, and according to the HTML, some Google ads which I didn't see since I keep Javascript off.

Yea those Google ads are probably because they can use the Doubleclick ID to identify Tor users.

121jigawattsOctober 7, 2013 9:41 AM

"does this mean you wouldn't even trust a formatted-and-reinstalled PC, i.e. some of these exploits might survive that (firmware-level malware)?

@Thomas
It is possible for Intel CPU's to be covertly reprogrammed using an Intel CPU bug remediation strategy called "Microcode". Would Intel allow this to be used by three letter agencies? You shall know a tree by its fruit.

It was Intel slipped covert 3G wireless hardware/stealth remote access support into recent CPU's

It was Intel (the first five letters of the word intelligence) who sabotabed the traditionally strong pseudorandom generation under Linux the runs under Intel devices.

Reformatted AMD seems to be your best bet.

Mike the goatOctober 7, 2013 9:49 AM

Absinthe: I imagine it is just someone with too much time to their hands given it was registered post publication.

AbsintheOctober 7, 2013 9:56 AM

@Mike the goat

What does it mean that the site was "registered post publication"?

I mean why would Bruce post an actual link (instead of just a plain text string without a link in it) to a site that would not have existed?

Mike the goatOctober 7, 2013 10:03 AM

Absinthe: if you do a WHOIS on 2ndhalfplays.com you'll see it was registered just a few hours after Bruce's article first appeared on The Guardian. It was a demo link only in the slides, showing how the link would look innocuous enough. A third party has registered it after publication and seems to be pushing a link to the EFF (nothing malicious was served when I wget'd it for analysis).

Interesting on the document from 2006 posted by Washington Post they speak of decloaking hidden onion sites in much the same way as I posited on this blog earlier. Seems they are hell bent on breaking tor.... that said, it would have to be targeted. It is just too much work to decloak everyone.

Eugeniu PatrascuOctober 7, 2013 10:05 AM

When did Belgium become the enemy of the United Kingdom ? I saw no news about a war declaration or anything similar :)

maxCohenOctober 7, 2013 10:09 AM

@Mike the goat
If it was only a demo link in the slide, it doesn't explain why it was linked in the article originally [see: http://cryptome.org/2013/10/nsa-link-removed.htm ] if it was registered after the article appeared and later the link disappeared. Probably best just to contact the owner of the site.

This isn't a conspiracy idea, just curious what happened.

Cheers.

Tal Be'eryOctober 7, 2013 10:15 AM

@Bruce, you wrote:
"..the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other web users."

TOR traffic can be easily identified once it leaves a TOR Exitnode into the "regular" internet, as the list of the IP addresses of all TOR's Exitnodes is made available to all TOR clients, by design.
There are even some web services that export this list to the web. (e.g. torstatus).

Anyway, the the main argument holds: identifying is easy, de-anonymizing is hard.

Mike the goatOctober 7, 2013 10:23 AM

max: No idea as to why it was hyperlinked in the original article given it was obviously meant to be a demo link. As to why someone saw it and registered it - who knows? Funny in the source of the page that they put up they have /* NSA */ written. Seems like someone who thought it'd be a laugh and maybe might get some ad revenue too. Then again I can't prove it wasn't done with malicious intent. :-)

maxCohenOctober 7, 2013 10:27 AM

@Mike the goat
Come to think of it, I wonder if it was an editorial error when it was posted on the Guardian site. The link might have been there and the CMS operator probably thought "Oh, that needs to be a link". Lot of fun has come from that though! :)

If anyone is interested you can probably ask the owner of the domain based on this trail back to the possible admin...
http://senseantisense.com/2ndhalfplays/

Carlo GrazianiOctober 7, 2013 10:41 AM

Wait a minute.

They can differentiate Tor users from other users. But those users are still initially anonymous, so they can't initially target an individual of interest for redirection to a FOXACID server.

Does that mean that they redirect every Tor connection that passes through an officially corrupted telco, and attempt to subvert every browser they see on those connections?

I hope not, because if that's true, then this story is even worse than it started out as. The NSA would be one of the largest and most sophisticated botnet herders on the net, spewing vast amounts of malware and practicing vast numbers of man-in-the-middle attacks on innocent and unsuspecting victims. If this is right, it's high time someone honey-trapped the bastards, and put their payloads under a public microscope.

Please someone tell me I've got this wrong.

anOctober 7, 2013 10:41 AM

Id love to get Bruce's ideas about that reformatting a pc being safe and all too. Please comment on this Bruce ?

Mike the goatOctober 7, 2013 10:58 AM

Max: yeah, most likely. Yeah I saw the Google analytics ID in the source when I pulled it a few days ago, just didn't go any further as the site was harmless (I had a look as a few people on arstechnica claimed it infected their machine with malware)

Evil JavaOctober 7, 2013 11:07 AM

@scripted linux user ... that bug only can be replicated on gentoo and only because the guy who compiled it did so incorrectly. The lynx that is priv seg'd and custom in openbsd is not affected nor would any standard Linux package be, or if you knew what you were doing while compiling.

If course the NSA with unlimited resources can exploit anything but at least if you faked your OS fingerprint and user agent it would buy you some time and leave you out of the easy js dragnet. The only solution is to dismantle the police state

coolcowOctober 7, 2013 11:36 AM

It also make a laughing stock of the argument about a 3rd party being involved in a communication means it is public and thus legitimate to analyze. What a joke the law has become.

RonKOctober 7, 2013 11:41 AM

> a type confusion vulnerability in E4X

I feel a disturbance in the "FOSS", as if hundreds of security researchers converged simultaneously on a poor defenseless buggy library, silencing its vulnerabilities... forev... er, for a short period...

ScottOctober 7, 2013 11:47 AM

I wonder if you could connect to an open proxy through Tor, and use an up-to-date version of Firefox/Chrome through that proxy. The UA string would look fairly normal, and the IP would not appear to be from the Tor network. This is assuming the NSA targets you based on the website you are visiting.

Clive RobinsonOctober 7, 2013 11:53 AM

@ Bruce,

    That should be "QUANTUMINSERT." This is getting frustrating. The NSA really should release a style guide for press organizations publishing their secrets

Don't ever let anyone tell you that you don't have a sense of either humour or irony ;-)

Mike the goatOctober 7, 2013 12:01 PM

Scott: I do just that (with js and java disabled). I also use a separate machine that runs the tor client. Only access out is through the SOCKS proxy through for, to avoid DNS leakage or any underhanded software exploits escaping the torification. If I were really concerned I would go through multiple VPNs and chain it too... If I were that concerned I wouldn't be using a desktop browser though

Mike the goatOctober 7, 2013 12:04 PM

Scott ... That said they can still ID you as the exit node IPs are known. But at least they won't serve an exploit based on TBB's user agent. IMHO tbb should spoof the UA of the current Firefox build.

Mike the goatOctober 7, 2013 12:13 PM

Scott: perhaps I should clarify. You would want the proxy to not include the Forwarded-For header. I connect using tor to a free shell account (signed up via tor of course and not linked to IRL identity) via ssh and use its port forwarding feature to forward a local instance of torclient http proxy. So essentially I am double tor'd with a hop in between.

ScottOctober 7, 2013 12:19 PM

@Mike the goat

As far as Java is concerned, I never enable that anywhere. As far as TBB is concerened, I agree that they should spoof the current UA string; I would go as far as for it to randomly spoof as Windows/Mac if you are on Linux, Mac/Linux if you are on Windows, etc. just to mess with them :)

There's also a lot more data to consider if you want to be anonymous, like installed fonts and screen resolution. This makes it very difficult to be truly anonymous, and I am not sure if TBB takes everything into account, of course if something is fairly unique across most browsers, then I'm not sure TBB could possibly hide itself while simultaneously keeping you anonymous. See:

https://panopticlick.eff.org/

Clive RobinsonOctober 7, 2013 12:30 PM

@ Thomas, an,

When you get a new "laptop" or "named brand" desktop/server it has been through the manufactures validation process, wrapped and sealed in a box and oppened by you in the state it left the factory.

Now unless the "brand holder" is complicit with the NSA the chances are that the PC is not infected with NSA or any other malware (unless the country of origin has it's hooks into the manufacture which has been speculated about Lenovo).

So where can malware be put on a PC?

Well any memory that is semi-mutable and involved directly or indirectly with the boot process.

This includes,

1, Flash BIOS chip.
2, Flash chips on PCI etc I/O devices.
3, Flash devices on keyboard controlers.
4, Flash devices on HD/DVD/CD drives.
5, HD and other magnetic media.
6, Flash devices on CPU support chip sets.
7, Flash memory in the CPUs (motherboard, video card,etc).

And one or two other places.

However a certain degree of care is required because various software liecencing scheams use the memory in these areas to "lock the software" to a particular PC.

Obviously it helps if the main hardware and OS suppliers (Intel, Microsoft, etc) are complicit along with those supplying anti-malware software...
Basical

Mike the goatOctober 7, 2013 12:32 PM

Scott: indeed my android phone running a third party browser is particularly bad:

Your browser fingerprint appears to be unique among the 3,460,803 tested so far.

My decidedly average Windows machine fares a lot better.

john kOctober 7, 2013 12:40 PM

“After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.

Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdroppingy information back to the NSA."

I have used Tor (browser bundle) a number of times in the last few months. Does this now mean my (windows) machine is now infected?

If I had known about Intel I would have purchased an AMD.

Evil JavaOctober 7, 2013 12:51 PM

RE: panopticlick

It's not that accurate:
http://www.mail-archive.com/...

If you refresh multiple times it sometimes changes footprint completely. Also requires java/js.

I recall some years ago on a blackhat forum somebody was selling a push-button solution to faking browser fingerprints. It ran in a VM and you would pass traffic to localhost:(port) where it scrubbed your traffic and faked various plugins for the purposes of committing fraud on sites that check these things. BSD pf filters also do browser fingerprinting (more accurately).

I would imagine Tor Project can combat this by publishing a VM image so every user has the exact same fingerprint, or ssh into a remote box through Tor and start up Lynx in the shell. Use their fingerprint.

Clive RobinsonOctober 7, 2013 12:54 PM

@ Mike the goat,

I get the same results for my Android phone...

What is not 100% clear from the article is exactly how the "Man on the side" attack works. That is can it be detected by having the wrong sort of response to the request.

One way things can with normal malware be "slowed down" is in effect "whitelisting" sites through a proxie computer acting as a firewall.

One way to do this is to modify the browser software such that it hooks out URL's and differentiates them between user activated and automaticaly activated. Those considered to be "user activated" get sent via UDP to the proxie to alow short term access. Those not considered to be "user activated" get blocked and the firewall sends back an indicitive response.

ScottOctober 7, 2013 12:56 PM

@john k

As far as I understand it, the NSA only runs the attack on targets that they specifically identify as people to exploit, e.g. people who go to known terrorism-related websites. So, it doesn't mean that you are infected just because you use Tor, but who knows what the determining factors are.

Secret PoliceOctober 7, 2013 1:08 PM

Reading the NSA secure android paper they make note of supply chain security, where an adversary watching you may have the ability to intercept the shipment in transit and do whatever backdoors they wish then perfectly reseal the shipment. Some criminals accomplished this here by working at a delivery company and modifying POS equipment en route to merchants. They just made cheap fake security bags that looked good enough to fool whoever casually opened the box. They were caught by something else then police discovered their work room full of modified POS machines that had been intercepted waiting to be repackaged.

Considering agents can secretly have any company they want hold a shipment this is a viable attack for them should you be on a federal list.

ScottOctober 7, 2013 1:27 PM

With regard to VMs, the one thing that you may need to be concerend about is the quality of random numbers. VMs don't have as much entropy, and if you blow out and reload the snapshot every time to avoid malware, you risk having exploitable/guessable session keys. If you are using Linux, I would consider having a script that uses SSH to connect to the host machine and pulls entropy from /dev/[u]random to use to add entropy to the guest OS.

Privacy KingOctober 7, 2013 1:38 PM

Given what we've learned, I'd consider it utterly unlikely that the NSA does not make an attempt to infect anyone and everyone that uses Tor. These people are spending billions on scooping up everything from everyone, over the proverbial 99.9 percent of which is in no way shape or form a threat to anyone or anything, let alone national security. No way do they want people with a free pass to communicate without supervision with a simple add on like Tor. Why build a space suit with even the tiniest of tiny pinpricks in it?

I use Tor sparingly, but recently used it for some thing or another innocuous and very quickly thereafter was met with a raft of new virus attachments via email. I don't have the sophistication of most and perhaps all of you, but I use a whole host of surfing hygienics, managing my scripting, cookies, what have you--far more than the average bear. Security and privacy have been cherished interests of mine for years, and I predicted all of these things, including Stuxnet, when most industry people were poo poohing it all.

The obvious next step here is to dive in and figure out what they've done and how we can assess.

I've long wondered why it is so difficult for a user to control what gets to transmit information out of the box. I'd think there'd be a lot of dough if someone could offer a simple tool that managed any process on a box and its ability to go out webward--I struggle even just to get programs under wraps on Windows 7 whereas in previous iterations it was a snap.

I'm sure you're all laughing at my naivete, maybe firmware is the devil in the details, but shouldn't this somehow be finite? Simply monitoring what the hell is going on in the pipe in and the pipe out and offering some switches to that effect?

Bruce has said it all in recent weeks, but let's reiterate: the Constitution is in shreds.

I beg this community to save digital communications. I love my country and would never ever harm her in any way. While I'm staunchly opposed to the death penalty--the exception I maintain is for treason. I want the most vigorous defense, the kind the government isn't doing on our physical borders, merely the digital ones. Still, the founders risked their lives to give us all the basic human freedom from unwarranted search and seizure and it's been stolen without a moment's consultation with we the people.

I'm very tempted to give up on all digital pursuits and live out my years away from this wretched travesty, but in the meantime, I'd rather Uncle Sam not collect my emails while shutting down the FDA and illegally mandating I buy bogus health coverage that enriches entrenched insurance and pharmaceutical lobbyists and their corporate puppeteers.

We must build, publicize, and distribute the tools and safeguards to hold firm the rights that make us who we are. We had a couple of small scale attacks on one day a decade ago because we left the keys in the car in a bad neighborhood. For this we punt the Fourth Amendment into the Stalinfields?

Enough.

Secret PoliceOctober 7, 2013 1:39 PM

True, especially for a VM o/s like whonix or qubes. They start unattended VMs that just run the Tor daemon, so no user interaction to add entropy. They traded security of preventing your IP from being exposed for possibly having all your traffic and pgp decrypted. Should have just bought a firewall/nat and loaded BSD on it to get internal VLAN IP

Bruce SchneierOctober 7, 2013 1:50 PM

"You should move the warning and the URL closer together. I suspect I'm not alone in surfing over there as soon as I'd finished the sentence. Either put the warning in a sentence before the URL, or redact it in the text, and supply it in the in the additional edit."

You're all adults on this blog. It would never occur to me to click on the link without seriously thinking about it first.

Mike the goatOctober 7, 2013 2:10 PM

Re browser fingerprinting: many years ago (early 90s) when Internet advertising was just starting to take off I signed up for a number of affiliate accounts on doubleclick. Initially I used a single account and put it on a few legit sites but of course got greedy. As many of you will remember open squid caches were very common back then. There were lists published on usenet and I acquired a few databases and made a shell script to verify they had open www relay. My first attempt simply involved a script that used a single proxy and just hammered at their servers. They quickly banned this account. I got smarter and wrote a pretty little bit of perl that randomly picked a relay, spoofed a User-Agent from a text file I had with a whole heap collected (mainly just taken from my www server's access_log) at random and requested the advert complete with a plausible looking referer. I added a delay between 1 and 10 seconds and ensured that a proxy would not be used more than once in a 4h period nor with a different UA for at least 48h. Anyway, sure enough I quickly became a 'trusted' affiliate. They eventually implemented more rigorous validation and this killed my little pocket money stream (give me a break - I was young and bored). Perhaps today if I were a young geek I would be guessing BrainWallet addresses and trying out the resulting hashes instead?! Anyway my point is - browser fingerprinting (that is looking at more than just the UA, e.g. the lack of js and the HTTP_ACCEPT config would have given away that it was just wget in disguise) could have and likely is used to prevent this sort of thing. I know for a fact that both PayPal and Facebook use heuristics which include browser metadata when determining whether account access is 'unusual' (along with geoIP).

Bruce: I agree. The link contains (as of 1900Z) nothing malicious anyway.

Mike the goatOctober 7, 2013 2:32 PM

Scott: Yeah, I have seen people roll their own by doing things like:


ssh myhost@whatever head /dev/urandom >/dev/random

in your hourly crontab (if you were going to do that I guess you'd want to just write a quick few lines in C to push a few hundred chars from the CSPRNG and dump it to stdout and use chsh to make it that user's shell to avoid leaving around a user with shell access that doesn't need it) but I imagine there are innumerable issues with this approach. That's why I like daemons like entropybroker… There are a few others lying around the 'net that do much the same thing.

JimOctober 7, 2013 2:46 PM

...the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

After identifying an individual Tor user on the Internet, the NSA...

what

gonzoOctober 7, 2013 3:22 PM

@jim

If the NSA is using tools to find ALL Tor traffic, then they certainly can find all the exit notes. Monitor those, and you capture the IP addresses of the users.

Have the IP addresses of the users, and then its off to the "race exploit condition" scenario to compromise those users' machines as they use them for their non-Tor traffic.

1st2nd4thOctober 7, 2013 3:23 PM

@Privacy King
re: affirming the death penalty for treason
The devil in that belief is in who gets to decide what does and does not constitute treason and who is guilty of it. Does Snowden qualify (TPTB seem to think so)? Did al Awlaki?

1st2nd4thOctober 7, 2013 3:28 PM

Would it be feasible for an outfit with significant IP resources (such as the Tor Project) to identify the Quantum servers by exploiting their strength, i.e, the quicker response time?

1st2nd4thOctober 7, 2013 3:36 PM

re: Tor & browser choices, I wouldn't look for any radical changes. The Tor Project has needs that sometimes conflict. They certainly do want to fulfill their objective of providing an anonymous browsing experience, but at the same time they need to broaden their user base and retain/increase their committed sponsorship to continue to be viable. I trust that a sponsor that wanted to directly undermine privacy (NSA; PLA) would be rejected, but a big sponsor's requests may not align 100% with the needs of the average anonymous browser user, either.

Direly need ScallopsOctober 7, 2013 3:55 PM

I looked through the source material for references to DireScallop details but none of the linked materials seem to include them.

Where are the references for DireScallop?

Privacy KingOctober 7, 2013 4:00 PM

1st2nd4th, don't want to go off topic here, but given the Snowden situation, your point should be addressed, and given the incredible complexity of capital punishment, perhaps I might have left it out in the first place, as you can't ever be glib with it.

Treason is sometimes hard to define, perhaps just as often not, but surely it's a lot easier and safer just to forbid the state ever to take a life. Morally and ethically that's a far more clear and humane place. I just find treason a truly sick thing.

Snowden is a patriot. I thought Manning was incredibly reckless and very arguably treasonous, but young and naive. I'd hardly vote for him to fry. Given the timbre of the times, I wouldn't even give him life. Ten or fifteen.

Snowden very methodically whistleblew on what in my assessment are constitutional crimes against the people. Other whistleblowing paths were proven worthless, the Senators themselves in many cases were in the dark. The founders themselves allowed that such actions were justified and I've seen not one scintilla that our security has been compromised by his actions, although naturally true state enemies now know to go analog.

Manning did cause damage--and the bulk dump approach is inexcusable. No fan of Assange here. I really wonder about that whole thing. Still smells funny to me.

Should Snowden have made like Ellsberg and stood his ground? Nasty tough call there. Got to walk in those shoes to hazard a guess. Hong Kong and Russia, however, were indeed very poor choices, but not capital crimes.

If Snowden leaked to China and should die, where do we start with every last federal agency that has passively allowed the entire digital federal footprint--the people's own digital birthright--be swept overseas to one of the more treacherous and devious empires in history? A mere layman like me has been saying for years that large entities need to hire the best and brightest and present the most robust cyber protection strategies possible. Meantime the NSA let hired gun contractors have at the crown jewels with a thumb drive and a lavabit account. History will not be kind to the bumbling idiots of the Digital Jurassic.

A true jury one's peers in civilian court can ascertain treason. I'm still somehow comfortable with that.

Yours,

The King

By the way, obviously what Scooter Libby--and no doubt a couple of other well known entities--did was treason. I'd televise those renderings.

jonathan burrOctober 7, 2013 5:09 PM

* A very important question for Bruce Schneier:

Bruce, for myself and thousands of others, based on the facts you've presented here, is it your professional opinion that anyone that has used the Tor Bundle Browser should reinstall their OS?

I thank you for any response you may care to give.

Carlo GrazianiOctober 7, 2013 5:17 PM

Apparently, then, the NSA has been tampering with the computers of thousands (tens of thousands? hundreds of thousands?) of innocent TOR users, in an effort to locate a small number of intelligence targets. If any of those tampered computers belong to US citizens on US soil, I have a pretty good idea about what an attorney would say about the legality of the program. And since there is no way of knowing in advance where a TOR connection is coming from, this has certainly happened.

It would seem that these attacks on the general population of TOR users have very distinct signatures of their own. At a minimum, the initial redirection to FOXACID servers should be detectable by a differential technique, comparing the responses to TOR and non-TOR requests. Corrupted activity should show up as differences in HTTP redirects and in served cookies.

It seems to me that these signatures could serve as the basis for honeypot analyses, with VM-sandboxed TOR processes serving as bait and the sandboxes as jails for recovered malware.

The objectives would be (1) Determine and publish the IP addresses of the FOXACID servers; (2) Study, and publish analyses of, the served malware; (3) Expose the officially-corrupted telcos that participate in these indiscriminate man-in-the-middle privacy-stripping attacks on the TOR-using population.

To say nothing of (4) Develop evidence for a lawsuit against the US government for running what is functionally an indiscriminate botnet-recruitment program against innocent US citizens. That's a legal fund I plan to send money to, if such a lawsuit comes into existence.

Clive RobinsonOctober 7, 2013 6:02 PM

@ jonathan burr ,

    for myself and thousands of others, based on the facts you've presented here, is it your professional opinion that anyone that has used the Tor Bundle Browser should reinstall their OS?

Read my above comment about semi-mutable memory ( https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html#c1844510 ).

Basicaly from a proffesional position modifing the OS is a bad move, it's fairly easy to detect and resolve. Therefor it does not realy qualify as persistant.

Getting at the flash memory that stores the BIOS is also fairly easy to detect although marginaly harder to resolve. Modifing code in the Flash memory on PCI and above I/O cards is only marginaly harder but for most people well neigh impossible to find. Finaly modifing code on hiden CPUs in the main CPU support chips or actually inside the main CPU is not just virtualy impossible to detect, it's also almost impossible to change back.

So re-installing the OS on HD would only cure the lowest of the low malware that is easily detectable and replacable and the sort of thing "chancer" internet fraudsters would do rather than go the extra mile to make less than obvious "mother board infection".

jonathan burrOctober 7, 2013 6:33 PM

@ Clive Robinson

Thanks for the heads up. So in fact an open door left by Intel for the NSA to install their 'tracers'? Sickening. I wonder if AMD are also on the NSA payroll? But I guess if you're not 'with' the NSA (the USA government) you're regarded as a traitor.

I have a 13 year old pc with an Intel MB and P3 cpu. I wonder if it is the safest machine I could use? Or maybe Intel have also left a back door open for the USA government even back then....

The land of the free - so I've read.

MingoVOctober 7, 2013 6:52 PM

There are a lot of comments here about technical aspects of the Tor attacks and how to avoid them. What I'm not reading is outrage. It's bad enough that the NSA illegally spies on almost every resident in the USA. Now it is infecting their computers! The spying and malware infections have nothing to do with terrorism or security; it's all about leverage and control of as many people as possible. The entire staff of the NSA should be imprisoned -- their behavior is worse than that of many convicted felons.

ScottOctober 7, 2013 6:53 PM

@jonathan burr

I would look into virtual machines, as has been mentioned a few times above, with a service like entropybroker, which Mike the goat mentioned. Unfortunately, we don't know anything about the targeted systems, the details of the attack, etc., so we can only speculate. You may be perfectly safe, you may not be. I would run Linux, although we don't know if it was targeted or not; it's less likely to be exploited than Windows, but not at all unlikely. A remote code execution vulnerability in Firefox combined with a privilege escalation vulnerability in Linux can do a lot of damaage.

ScottOctober 7, 2013 7:03 PM

@MingoV

Between the government shutdown, the last several months of leaks revealing the extent of the NSAs effort to undermine our privacy and security (which was much worse than I had previously believed), the 90+% reelection rate for a congress with an 80+% disapproval rating, the 2012 debates with each candidate saying "Yeah, well I love coal infinity times more than you plus 100!", the lack of any real economic plan to fix our underlying problems, the propaganda turning millions of people into corporate slaves that run around screaming "freedom", the rise of the prison industrial complex, and the pure, blind hatred that the people of the US have developed for each other, I don't have much more outrage left to give.

jonathan burrOctober 7, 2013 7:15 PM

@ Scott

The truth of the matter is that I have nothing to fear by my internet activities - it is just the knowledge that my machine has (most probably) been compromised. It is the feeling that a tentacle has been placed in my machine and the only way I can be rid of it is to purchase a new motherboard and cpu. It is the fact that Tor browser users have been red flagged by the USA government, certainly based on the presumption that anyone that would use the Tor browser can only be using it for malicious/illegal purposes.

:sigh: What a world this is morphing into.

Mr. Edward Snowden - so many millions owe you so much gratitude for sacrificing your life.

AlternativesOctober 7, 2013 7:23 PM

"Attacks never get worse; they only get better." This seems to be true for the NSA outside the crypto realm as well. Many of the documents mentioned ongoing projects, multiple approaches and increasing capabilities to attack Tor. Additionally, at least one of the documents found it notable that there are no good alternatives to Tor ready to take its place if it is undermined/taken down.

If I were in that privacy/Tor-user crowd I would be developing some alternatives about now.

Bruce SchneierOctober 7, 2013 8:08 PM

"Does that mean that they redirect every Tor connection that passes through an officially corrupted telco, and attempt to subvert every browser they see on those connections?"

I don't believe so.

I do believe they target all visitors of certain websites. But I do not know for sure.

Bruce SchneierOctober 7, 2013 8:10 PM

"I have used Tor (browser bundle) a number of times in the last few months. Does this now mean my (windows) machine is now infected?"

Doubtful. I think it depends on what websites you're visiting.

Bruce SchneierOctober 7, 2013 8:13 PM

"'...the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

'After identifying an individual Tor user on the Internet, the NSA...'

"what"

Fair enough. That was sloppy.

The NSA can't break the anonymity of Tor. That is, they don't know anything more than the traffic is from some random person using Tor.

Then, after they know that the traffic is from some random person using Tor, they...

Bruce SchneierOctober 7, 2013 8:14 PM

"I looked through the source material for references to DireScallop details but none of the linked materials seem to include them.

"Where are the references for DireScallop?"

Another, unpublished, document.

Bruce SchneierOctober 7, 2013 8:15 PM

"Bruce, for myself and thousands of others, based on the facts you've presented here, is it your professional opinion that anyone that has used the Tor Bundle Browser should reinstall their OS?"

No. I don't think that's necessary.

And I didn't do it.

Bruce SchneierOctober 7, 2013 8:17 PM

"If I were in that privacy/Tor-user crowd I would be developing some alternatives about now."

I think the real story here is that Tor works. The NSA has not defeated Tor. Tor is secure.

Were I in that privacy/Tor-user crowd, I would be building on the success of Tor.

Johannes RexxOctober 7, 2013 8:30 PM

More and more, for both protection from illegal NSA spying as well as general Internet security from the rest of the cyber-criminal community, I am convinced that, at least for surfing the web, we should be using a TOR-based browser inside a virtual machine. Snapshot the VM after you first create it, run it for the day, and revert to the clean snapshot right after breakfast.

ZorkOctober 7, 2013 9:10 PM

Since the Tor system does seem to be secure, would there be any benefits from some kind of a gadget (a small personal router that sits between the laptop and the internet) that connects to the computer through USB (taking a cue from earlier postings here) and provides a live version of e.g. TAILS?

The gadget could provide some other functionality mentioned in other postings here...TBD later...

For those who want to try TAILS, it is described here:
The Amnesic Incognito Live System
http://en.wikipedia.org/wiki/...

SoothsayerOctober 7, 2013 9:12 PM

Rather elaborate but pathetic waste of $$$$$$s...

Does NSA know or plainly ignores VMs?

They literally take about 2-3 minutes to snapshot and destroy -- and recreate.. if you are really after bad guys -- that's the first thing they will do anyways --- hey I do that every few weeks/months -- and I am not even a bad guy (i think).

If NSA is really doing this -- and thinks it's doing something useful -- EVERYONE of these dumbaxxxes should be fired -- actually they should be fired first for still writing perl scripts ..and that's even a bigger crime.

ScottOctober 7, 2013 9:59 PM

@Soothsayer

Not to defend how horribly overreaching the NSA has been, but there are a lot of terrorists out there, and you don't need to catch every single one of them to foil their plots. Not everyone is technically minded, and even those that are get careless. All they need to do is find a handful, and then do more active surveillance from there.

Without inside knowledge, it's impossible to say how effective these programs have been in stopping actual attacks. The question is if they are worth the cost, and my feeling on that is no, they are not.

Jose October 7, 2013 10:07 PM

Please somebody, could stop, those stupids nerds and bastards cyberterrorist of NSA? I want internet back to normal... How much time, we must to support , those stupids entering their fingers on our as**e*s

arkuatOctober 7, 2013 10:17 PM

@Privacy King, on your efforts to secure your system.

Are you packet-sniffing your traffic inside your own network and filtering out anything that's what you'd consider "expected" and saving the rest for later examination? Because given the efforts you've described, that seems like what I'd be doing next if I were already doing what you've described. Writing a good packet filter like that is hard, but what you're already doing sounds hard too.

Storage is cheap these days, which is one of the "intelligence community's" current big wins. We ought to be using lots of cheap storage too.

clueless noobOctober 7, 2013 10:28 PM

Having read through all of the suggestions to use a virtual machine, I'm wondering why those are better than booting from a "linux live CD" or some such?

FigureitoutOctober 8, 2013 12:09 AM

clueless noob
--B/c when someone hacks you conducting false mathematics on your machine and you decide you want a little payback; you may end up attacking a "machine" and not their machine. Now your attack may be stored somewhere for further analysis.

Mike the goatOctober 8, 2013 12:29 AM

Skeptical: I agree. There are numerous strategies that could be used, imho I think staining or tagging attack is the most likely to successfully be implemented. To successfully implement a traffic correlation attack you would need to be able to surveil both the first hop and the exit node, which might be a problem as although vast we don't assume the NSA has entire internet coverage.

Mike the goatOctober 8, 2013 12:33 AM

Skeptical: I haven't looked into it but what would stop, say your ISP transparently rerouting the server(s) contacted at the beginning of your tor setup so you are effectively pushed into an 'owned' tor setup for surveillance? Is there signature checking to ensure that the servers the tor client bootstraps from are legit? I hope so!

WaelOctober 8, 2013 12:38 AM

@ Jose,

NSA? I want internet back to normal... How much time, we must to support , those stupids entering their fingers on our as**e*s

I thought NSA hired the brightest minds, geniuses, psychologists, and aliens from outer space with superior alien technology. Now I learn that proctologists applied to some "NSA Job Opening" positions. Live and learn :)

CVEOctober 8, 2013 2:35 AM

@clueless noob: "Having read through all of the suggestions to use a virtual machine"

Bad suggestion: there is a consequent list of holes exposing the host OS:

http://www.cvedetails.com/vulnerability-list/...
http://www.cvedetails.com/vulnerability-list/...
http://www.cvedetails.com/vulnerability-list/...
http://www.cvedetails.com/vulnerability-list/...

Buing a separate computer with wifi and bluetooth soldered out may be a better solution than the liveCD to use TOR (remember the mainboard can be infected).

Clive RobinsonOctober 8, 2013 2:42 AM

@ Wael,

The NSA's "PR" specialists appear to be falling down on the job re Snowden so yes maybe they did hire Medical PR specialists not those of the media...

Perhaps we should FOI request requisitions of flash lights and black rubber gloves outside of "maintanence".

ForTorUsersOctober 8, 2013 2:46 AM

@Bruce Schneier: "I think the real story here is that Tor works. The NSA has not defeated Tor. Tor is secure."

Would you then consider serving a mirror of your blog on a TOR server named schneier.onion ?

Clive RobinsonOctober 8, 2013 3:19 AM

@ Cluless noob,

    Having read through all of the suggestions to use a virtual machine, I'm wondering why those are better than booting from a "linux live CD" or some such?

Now neither is a good idea as CVE has pointed out.

The problem is the speed of attacks advancing and which adversarries you are dealing with.

Historicaly a PC with good anti-virus was sufficient to keep yourself safe from cyber vandals/criminals because they by and large used simple attacks and worked on the "low hanging fruit" principle.

However when the majority of people had AV pre-installed the criminals had to up their game. So the use of "live-CD's" started as they are fairly painless to use.

But even live-CDs are getting hacked these days almost as soon as they come up on the internet and for various reasons are amongst other things "Man In The Middle" (MITM) susceptable unless you "roll your own". Which is a pain which is why those with the skills to do it opted to do the slightly easier VM approach.

But the TLA / FEDS are not working on the "low hanging fruit" principle of undirected "fire and forget" they are working on the "at any cost" "directed attack" principle.

As I mentioned above any modern PC has semi-mutable memory which if it can be got at can be used to backdoor your machine. In this respect "Plug-n-Play" has been the TLAs best friend due to what has resulted in PCI and later I/O cards and CPU support chips executing what appears as almost hidden code at boot up. Due to reducing "returns" costs the majority of hardware manufactures have moved from PROM and EPROM to EEPROM and Flash ROM to store this "boot code".

Modifying this boot code gives you "the keys to the kingdom" befor the castle foundations are laid let alone the castle built. That is the attack is in place befor the PC tries to run the leaver loader that pulls the OS in from HD/CD/USB and the OS runs the VM host and images.

This makes life somewhat problematical at best as you need to work in "batch" not "interactive" mode on an issolated and never connected to communications networks PC, then transfere the resulting work to a compleatly untrusted connected PC in encrypted form to send on. Whilst this works for "human level" work it does not work very well when it comes to "machine level" work where unencrypted command line access for administration is the norm.

CVEOctober 8, 2013 4:04 AM

@Clive Robinson: "But even live-CDs are getting hacked these days almost as soon as they come up on the internet and for various reasons are amongst other things "Man In The Middle" (MITM) susceptable unless you "roll your own"."

Then the publishers of ready-to-use live-CDs should upload a checksum on a reliable web site (?? as comments of this post) or in newspapers.

Mike the goatOctober 8, 2013 4:32 AM

Clive: I use a FreeBSD box. I installed a self-compiled kernel and everything I use has been compiled from scratch. I don't use any pkgs. Of course this doesn't stop a Thompson style evil compiler attack but I am just playing the odds here. I specifically disable Linux ELF binary compatibility - I do not want Linux binaries to work on my box. As I think I mentioned for truly sensitive things I have an airgapped SPARCStation which I keep my PGP private key on. I have less secured subkeys that I use for day to day usage. I use my BSD box to run a tor client and use pf to ensure all traffic on my second NIC gets torified (or dropped). That way I can connect.a second PC to it and be relatively sure I won't be leaking DNS or worse be decloaked via an exploit. It is not fool proof but every bit helps.

Re microcode: indeed this worries me as the microcode updates are AES encrypted so we have no idea what they are doing once they enter the 'black box'.

Re BIOS: sure BIOS level bootkits have been done before, in particular to make a trojan 'persistent' even after a reinstall. That said you have to target a specific type of BIOS and a specific OS type, e.g. win vista+ on Phoenix. Many BIOSs have a loadable module function that makes adding chunks of arbitrary code easy. I remember using the AMI BIOS editor they distributed to burn in some proprietary etherboot style code as the BIOS's own PXE implementation was a bit broken. These tools (at least used to be) made available to OEMs. We got our kit via Dell corporate.

Re UEFI: hell, this is even worse as the attack surface is magnified.

Excuse me while I go into my room, put on my Faraday suit and enjoy my SPARCStation ... :-)


SignedPkgOctober 8, 2013 4:45 AM

@Mike the goat: "I don't use any pkgs."

What about modifying your FreeBSD kernel so that:
(1) its clock does not advance, except that it advances by 1 milliseconds for each operation closing a file.
(2) its clock is updated if any file with newer date is encountered.

Then the binary .pkg you produce will only depend on the other .pkg present on your system. You may sign its checksum, and distribute this .pkg ;
Others with the same approach will find the same checksum.

Then, another FreeBSD user could use this .pkg because it has been independently compiled identically by two persons he knows.

RobertTOctober 8, 2013 5:13 AM

All this makes me wonder what advice other powerful nations are giving their businessmen and high level gov't officials.

If absolutely nothing is trustworthy except some old 386 machine with self compiled FreeBSD then the commercial world is also completely compromised. If No company can have secrets, logically the end game will be some sort of alliance system akin to the old Soviet era eastern block western block.

I wonder how many companies will choose the US block despite the security problems, just so hat their executives can keep all their shiny new toys (iPhone, Android, Pads.....)

Clive RobinsonOctober 8, 2013 7:19 AM

@ CVE,

Agh the probs with being brief...

What I ment was that people running live-CDs are getting hacked almost within a few seconds of going on-line with the live-CD. Not that the distro it's self was being got at.

The simple fact is nearly all OSs or their additional environments (aka windowing systems) contain zero-days as do many of the apps running on them commercial or otherwise. And when your adversary is level three or above then the chances are they know a lot of vectors that even the best of developers don't...

SignedPkgOctober 8, 2013 2:42 PM

What I described is actually known as "deterministic builds", "reproducible builds", or "idempotent builds".

Gitian is such an implementation, but specific to Ubuntu.

GuardOctober 8, 2013 6:39 PM

Bruce-- thanks for posting. This blog is one of my main sources of news about this topic since I don't read the Guardian.

Mike the goatOctober 8, 2013 7:56 PM

SignedPkg: yes, it is a real problem as one person's build may be from the same source yet have different executables due to differing metadata (timestamps etc) or compiler flags/optimization settings. Definitely something that needs to be looked at, but for the lone wolf compiling from known good source is a sensible (but lengthy) precaution.

WaelOctober 8, 2013 8:41 PM

@ Clive Robinson,

The NSA's "PR" specialists appear to be falling down on the job re Snowden so yes maybe they did hire Medical PR specialists not those of the media...

They failed to catch him, so the new hired PRs will get a piece of Snowden's a$$, so to speak ;)

Dirk PraetOctober 8, 2013 8:49 PM

@ Clive, @ CVE

And when your adversary is level three or above then the chances are they know a lot of vectors that even the best of developers don't...

At this point I also believe that anyone facing the NSA or one of the international spy outfits they are pearing with is pretty much toast, no matter what they are running. Probably the same for the PLA and the FSB. Then again, when you're up against the secret services of Botswana or Tadjikistan, I'd still recommend any privacy/security live CD over the usual COTS OS.

@ RobertT

All this makes me wonder what advice other powerful nations are giving their businessmen and high level gov't officials.

In public, the average US "ally" will kindly go along with the smooth diplomatic assurances over "checks and balances". But it is just a matter of time before those same politicians and their administrations will start sending out internal memo's for new rules regarding security and compliance when it comes to use of US technologies and services in secure environments. In politics, the ancient Roman god Janus rules supreme.

opsecOctober 8, 2013 11:23 PM

tails has a few problems, it's OK but I wouldn't count on it if you really need privacy.

- everybody has the same browser identity, instead of randomizing it. so if you found a debian/tails attack you can easily pick out users running it

- no grsec patch, no RBAC/MAC

- too many 3rd party applications, too much complexity. liberte linux was good because it was a minimalist install, no tons of codecs or DVD software

- they refuse to allow VPN connections for some reason, so you are forced to run it in a VM if you want to hide your originating Tor traffic from your ISP, which is important in countries like China. this might have changed, last time I checked out tails was a few months ago.

- they don't do deterministic builds, so if the NSA infects the toolchain/compiler of the devs in France everybody using Tails is screwed by default install.

- no tor proxy isolation. openbsd allows to run VLANs and virtual routing to isolate/chroot apps with their own pf firewall and can connect between them with a tor isolating proxy. isolation is important in case you get exploited and something tries to phone home to identify your IP. (Freedom Host hack is a good example)

- MAC addresses are not changed. You don't want to your use wifi0 with the original mac and broadcast it to every surrounding AP

- now has an 'unsafe' browser, so you can break out of the firewall. if i'm NSA and writing an exploit, I target that.

Delete the spammers!October 9, 2013 5:10 AM

Tangent, but Bruce, please delete all the stupid spam comments on many of your recent blog entries (lots of them in Russian lately). Maybe put a simple captcha asking some basic crypto question...? :)

Mike the goatOctober 9, 2013 7:38 AM

Delete: If there's one thing better than vanilla spam it's foreign language spam!

MycosOctober 9, 2013 6:44 PM

@Scott. Your comment re: "there are lots of terrorists out there". In 1990-91, shortly after the USSR collapsed and took with it the justification long used by Pentagon bras snd politicians desirous of having a major arms-aerospace contractor set up in their state, the Bush Sr, admin tasked a few of its hawks with developing a whitepaper outlining "a new justification" for the Pentagon to receive the same level of funding it had enjoyed through the Cold War years. That paper (the Wolfowitz Doctrine) was leaked to the NYTimes where its blatantly martial tone caused so mjuch outrage the GOP was obliged to declare it "shelved".
However the 1992 Pentagon DPG sent out to key defense idept heads and arms industry CEOs still contained many of the key elements revealed in the leak. It seems the military-industrial complex had unilaterally decided their own fate in the post-Soviet world. It would embark on a path of justifying its own relevance and need for massive funding despite a complete lack of any threat justifying such,. And adopting Isarel's threats as the US's, even to point of portraying Islamic extremists as existential in nature, became the job of PNAC while GOP was out of office, then swiftly hiring the authors of the Wolfowitz Doctrine, the 92 DPG, placing them in key positions where they would launch the "Bush Doctrine" (aka the Wolfowitz Doctrine 19 years later) just as soon as one of the many Muslim extremists the US had spent a great deal of time and energy provoking actually took the actions they knw were now inevitable (remember, the Bush 2 admin had no way of knowing how catastrophic that one particular attack would be given the surprise of Bin Laden himself)
Anyway... The point is terrorism is a criminal offence deliberately amplified into one capable of sustaining a sector of the US government that took growing talk of a peace dividend and a draw-down of the military as a threat to their own relevance and survival. Put terrorism back into perspective. It simply is nowhere near as threatening to US lives, or as damaging to world affairs as the intel agencies make out. With help from a compliant media, terrorism is being used to justify massive expenditures going to intel agency heads who know many of them would have been retired but for the dog an pony show so many Americans have fallen for.

MycosOctober 9, 2013 8:13 PM

@Privacy King
Btw. To follow up on what I wrote above, Scooter Libby and Dick Cheney were tasked, along with Wolfowitz and Gen. Colin Powell, to first create the white paper leaked to the Times, then to revise it in ways they hoped would be more acceptable to the public once the 92 DPG became public knowledge (as they knew it must after the leak of the Wolfowitz-Cheney paper that brazenly called for creating a US military empire. In this way they hoped to forestall growing calls for a drawdown of US military bases that would to pay for the "peace" ("Arggh!!"screamed Cheney. ;-) dividend many then felt was due to taxpayers for voluntarily underwriting whatever the Pentagon, CIA, NSA had asked them for.

Mike the goatOctober 10, 2013 6:17 AM

Dirk: I guess we all have to just play the numbers. If you want to, say encrypt something using PGP then used an airgapped machine. I'd recommend an 80386 but there is no reason why you can't go even earlier - hell, even an 8086 or a Z80.

Going back to my 80386 example, sure 32 bit Linux or *BSD will run reasonably well on a machine of that vintage (minus X of course) but why not use FreeDOS. The kernel isn't too big and the code is auditable. Of course this doesn't rule out a compiler bug but when the code is this small then there isn't much space to hide anything too elaborate.

If you were playing the odds then an early copy of MS or DR DOS might also be suitable but you don't have the liberty of source review and you just have to trust that in this era nobody was really thinking about dragnet surveillance. Even always on networking was an oddity.

There are implementations of GNUPG that will run on DOS, or you can use an old version of Zimmerman's actual PGP but read up on this as a few versions had bugs that you should know about.
.

GeraldoOctober 10, 2013 10:06 PM

No, I meant the original article by Schneier. Do you really think the NSA secret weapon is perl scripts? The japanese spam was probably the only real sensible stuff here, and now it's gone. Doubtly aleatory.

mcjtomOctober 11, 2013 2:18 AM

If Tor hidden services are used outside of a browser (e.g. TorChat), are there any indications what NSA could do to exploit such communications?

Jerry2KDOctober 11, 2013 12:06 PM

Scott,

I ran into the site you spoke of, and was concerned when it correctly identified my TBB browser every time. However, I eventually realized that it would recognize anyone running an unmodified TBB as me. TBB isn't trying to hide so much as to make it nearly impossible for someone to identify you in the crowd. Which is the reason, incidentally, that they decided to leave js on by default. I hope they will reconsider that decision in the near future.

J2

Mike the goatOctober 12, 2013 7:28 AM

mcjtom » I guess you'd go back to exploits on the application level - buffer overflows in common IRC clients, etc. There may also be a benefit in terms of traffic correlation attacks for clients which maintain a consistent long term connection (like an IRC bot or a user that keeps their connection active 24/7) as the connections around it come and go.

Daira HopwoodOctober 17, 2013 6:18 PM

[MITM or man-on-the-side attacks] are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The diagram shows the NSA attacker logging into a router and changing a static route. Why does that require a privileged network position for the intercepting server? (I can well believe that such a position is useful for some attacks, but that diagram doesn't seem to be a relevant supporting document.)

Stupid GiraffeNovember 11, 2013 6:28 PM

Does anyone know how to verify that your firmware is fine (assuming there is good firmware out there and a hash to check it with?)

That is, BIOS packages, those for wireless access/routers, maybe even CPU (check how an instruction behaves for example?)

Do you think it's possible to get around these man in the middle/side attacks and Fox Acid tags perhaps with a module that intercepts network traffic? Perhaps a network module that checks route information, verifies DNS information by going to root servers first and having them do the rest, stomping on all cookies by wiping packets clean as they go in and out, JS that might have been injected, that sort of thing?

I thought of writing a kernel network extension for Mac OS X for my own use, to intercept traffic and report statistics, but if snoopers can get to the kernel by exploit or they are there first, presumably it would be possible to make the new code compiled in go haywire, overwrite bits with NOP instructions, that sort of thing...

WaelNovember 11, 2013 8:35 PM

@ Stupid Giraffe
Try this for a starter:
https://sites.google.com/site/pinczakko/

Also note that when BIOS code runs, the OS is preempted for example when an SMI handler runs. This means your custom kernel will have to account for that ;)

My computers were stolen, so I am using my cell phone...

JohnNovember 21, 2013 12:27 AM

The NSA definitely has hooks in manufacturers. I personally know about a (less than intelligent) Middle East group who sent an HP printer for factory service, and it was promptly repaired and returned good as new. Of course everything sent through it after that, and presumably networked to it, popped up in MD.

2014 januaryJanuary 29, 2014 9:16 PM

baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html looks like a spam farm domain and url. i wouldn't visit it.
But maybe I'm missing the pont...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..