NSA and GCHQ target Tor network that protects anonymity of web users

Top-secret documents detail repeated efforts to crack Tor
US-funded tool relied upon by dissidents and activists
Core security of network remains intact but NSA has some success attacking users' computers
James Ball, Bruce Schneier and Glenn Greenwald
The Guardian, Friday 4 October 2013 15.50 BST
One technique developed by the agency targeted the Firefox web browser used with
Tor, giving the agency full control over targets' computers. Photograph: Felix
Clay
The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself.

Top-secret NSA documents, disclosed by whistleblower Edward Snowden, reveal that the agency's current successes against Tor rely on identifying users and then attacking vulnerable software on their computers. One technique developed by the agency targeted the Firefox web browser used with Tor, giving the agency full control over targets' computers, including access to files, all keystrokes and all online activity.

But the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled 'Tor Stinks', states: "We will never be able to de-anonymize all Tor users all the time." It continues: "With manual analysis we can de-anonymize a very small fraction of Tor users," and says the agency has had "no success de-anonymizing a user in response" to a specific request.

Another top-secret presentation calls Tor "the king of high-secure, low-latency internet anonymity".

Tor, which stands for The Onion Router, is an open-source public project that bounces its users' internet traffic through several other computers, which it calls "relays" or "nodes", to keep it anonymous and avoid online censorship tools.

It is relied upon by journalists, activists and campaigners in the US and Europe as well as in China, Iran and Syria, to maintain the privacy of their communications and avoid reprisals from government. To this end, it receives around 60% of its funding from the US government, primarily the State Department and the Department of Defense, which houses the NSA.

Despite Tor's importance to dissidents and human rights organizations, however, the NSA and its UK counterpart GCHQ have devoted considerable efforts to attacking the service, which law enforcement agencies say is also used by people engaged in terrorism, the trade of child abuse images, and online drug dealing.

Privacy and human rights groups have been concerned about the security of Tor following revelations in the Guardian, New York Times and ProPublica about widespread NSA efforts to undermine privacy and security software. A report by Brazilian newspaper Globo also contained hints that the agencies had capabilities against the network.

While it seems that the NSA has not compromised the core security of the Tor software or network, the documents detail proof-of-concept attacks, including several relying on the large-scale online surveillance systems maintained by the NSA and GCHQ through internet cable taps.

One such technique is based on trying to spot patterns in the signals entering and leaving the Tor network, to try to de-anonymise its users. The effort was based on a long-discussed theoretical weakness of the network: that if one agency controlled a large number of the "exits" from the Tor network, they could identify a large amount of the traffic passing through it.

The proof-of-concept attack demonstrated in the documents would rely on the NSA's cable-tapping operation, and the agency secretly operating computers, or 'nodes', in the Tor system. However, one presentation stated that the success of this technique was "negligible" because the NSA has "access to very few nodes" and that it is "difficult to combine meaningfully with passive Sigint".

While the documents confirm the NSA does indeed operate and collect traffic from some nodes in the Tor network, they contain no detail as to how many, and there are no indications that the proposed de-anonymization technique was ever implemented.

Other efforts mounted by the agencies include attempting to direct traffic toward NSA-operated servers, or attacking other software used by Tor users. One presentation, titled 'Tor: Overview of Existing Techniques', also refers to making efforts to "shape", or influence, the future development of Tor, in conjunction with GCHQ.

Another effort involves measuring the timings of messages going in and out of the network to try to identify users. A third attempts to degrade or disrupt the Tor service, forcing users to abandon the anonymity protection.

Such efforts to target or undermine Tor are likely to raise legal and policy concerns for the intelligence agencies.

Foremost among those concerns is whether the NSA has acted, deliberately or inadvertently, against internet users in the US when attacking Tor. One of the functions of the anonymity service is to hide the country of all of its users, meaning any attack could be hitting members of Tor's substantial US user base.

Several attacks result in implanting malicious code on the computer of Tor users who visit particular websites. The agencies say they are targeting terrorists or organized criminals visiting particular discussion boards, but these attacks could also hit journalists, researchers, or those who accidentally stumble upon a targeted site.

The efforts could also raise concerns in the State Department and other US government agencies that provide funding to increase Tor's security as part of the Obama administration's internet freedom agenda to help citizens of repressive regimes circumvent online restrictions.

Material published online for a discussion event held by the State Department, for example, described the importance of tools such as Tor.

"[T]he technologies of internet repression, monitoring and control continue to advance and spread as the tools that oppressive governments use to restrict internet access and to track citizen online activities grow more sophisticated. Sophisticated, secure, and scalable technologies are needed to continue to advance internet freedom."

The Broadcasting Board of Governors, a federal agency whose mission is to "inform, engage, and connect people around the world in support of freedom and democracy" through networks such as Voice of America, also supported Tor's development until October 2012 to ensure that people in countries such as Iran and China could access BBG content. Tor continues to receive federal funds through Radio Free Asia, which is funded by a federal grant from BBG.

The governments of both these countries have attempted to curtail Tor's use: China has tried on multiple occasions to block Tor entirely, while one of the motives behind Iranian efforts to create a "national internet" entirely under government control was to prevent circumvention of those controls.

The NSA's own documents acknowledge the service's wide use in countries where the internet is routinely surveilled or censored. One presentation notes that among uses of Tor for "general privacy" and "non-attribution", it can be used for "circumvention of nation state internet policies" and is used by "dissidents" in "Iran, China, etc".

Yet GCHQ documents show a disparaging attitude towards Tor users. One presentation acknowledges Tor was "created by the US government" and is "now maintained by the Electronic Frontier Foundation (EFF)", a US freedom of expression group. In reality, Tor is maintained by an independent foundation, though has in the past received funding from the EFF.

The presentation continues by noting that "EFF will tell you there are many pseudo-legitimate uses for Tor", but says "we're interested as bad people use Tor". Another presentation remarks: "Very naughty people use Tor".

The technique developed by the NSA to attack Tor users through vulnerable software on their computers has the codename EgotisticalGiraffe, the documents show. It involves exploiting the Tor browser bundle, a collection of programs, designed to make it easy for people to install and use the software. Among these is a version of the Firefox web browser.

The trick, detailed in a top-secret presentation titled 'Peeling back the layers of Tor with EgotisticalGiraffe', identified website visitors who were using the protective software and only executed its attack, which took advantage of vulnerabilities in an older version of Firefox, against those people. Under this approach, the NSA does not attack the Tor system directly. Rather, targets are identified as Tor users and then the NSA attacks their browsers.

According to the documents provided by Snowden, the particular vulnerabilities used in this type of attack were inadvertently fixed by Mozilla Corporation in Firefox 17, released in November 2012, a fix the NSA had not circumvented by January 2013 when the documents were written.

The older exploits would, however, still be usable against many Tor users who had not kept their software up to date.

A similar but less complex exploit against the Tor network was revealed by security researchers in July this year. Details of the exploit, including its purpose and which servers it passed on victims' details to, led to speculation it had been built by the FBI or another US agency.

At the time, the FBI refused to comment on whether it was behind the attack, but subsequently admitted in a hearing in an Irish court that it had operated the malware to target an alleged host of images of child abuse, though the attack did also hit numerous unconnected services on the Tor network.

Roger Dingledine, the president of the Tor project, said the NSA's efforts serve as a reminder that using Tor on its own is not sufficient to guarantee anonymity against intelligence agencies, but showed it was also a great aid in combating mass surveillance.

"The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network," Dingledine said. "Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.

"Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on."

But he added: "Just using Tor isn't enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications."

The Guardian asked the NSA how it justified attacking a service funded by the US government, how it ensured that its attacks did not interfere with the secure browsing of law-abiding US users such as activists and journalists, and whether the agency was involved in the decision to fund Tor or efforts to "shape" its development.

The agency did not directly address those questions, instead providing a statement.

It read: "In carrying out its signals intelligence mission, NSA collects only those communications that it is authorized by law to collect for valid foreign intelligence and counter-intelligence purposes, regardless of the technical means used by those targets or the means by which they may attempt to conceal their communications. NSA has unmatched technical capabilities to accomplish its lawful mission.

"As such, it should hardly be surprising that our intelligence agencies seek ways to counteract targets' use of technologies to hide their communications. Throughout history, nations have used various methods to protect their secrets, and today terrorists, cybercriminals, human traffickers and others use technology to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that."

This article was amended on 4 October after the Broadcasting Board of Governors pointed out that its support of Tor ended in October 2012.

Bruce Schneier is an unpaid member of the Electronic Frontier Foundation's board of directors. He has not been involved in any discussions on funding.