Attacking a ToR network
gAtO hAs found that there are a few ways to attack a secure network: some use old-fashioned technology and some are more modern. The FBI, the Secret Service, and other international law enforcement agencies have used these techniques, and they have since been declassified:
UPDATE: 5-21-2012 0900 There are a few more attack vectors that I recently found in the .onion network – let’s just say attacks from within. If you are a legitimate, legal security researcher, please write me. I want to keep those secret for now.
The Cold Boot Attacks
One of the problems with encryption is that, in order for it to work, your computer has to know the private key and any other information needed for decryption. This information is stored in memory, and while memory isn’t a good place to store things long term, it does retain data for somewhere between seconds and minutes after your machine has been turned off. An adversary who knows they are facing a locked-down machine with lots of encryption may perform a cold boot attack. This involves turning off your computer, spraying your memory with liquid nitrogen (or something else to keep it cold), and then recovering your encryption key from memory. Once frozen, data in memory can be retained (and then further reconstructed) for hours. Countermeasures: If you feel this is a risk, you need to implement physical security measures that deal with the threat. This could be as simple as a laser tripwire on a door that triggers a shutdown.
Radio Leakage, TEMPEST, etc.
All electronics create radio interference as a consequence of their operation. While this radio interference is often useless, it can also provide valuable information to your adversary. For instance, the radio interference generated by keyboards can divulge your passwords to an adversary sitting across the street from your house. RF shielding is the only solution to this problem and involves surrounding your machine with some type of metal. This isn’t all though, as the power draw generated when you use the keyboard, etc. can also be monitored through your wall socket. I don’t know of any solutions to this. One idea would be to lock your machine in a box with a UPS to filter the electricity and a security scheme similar to the one used to prevent cold boot attacks, but I’m not sure how effective this would be. Countermeasures: Get some chicken wire and build a Faraday cage for all your secure computing equipment. Whatever music you like, play it loud; I would suggest metal, since it is filled with so many harmonics that it will be very hard to extract the EMF.
An adversary may put a camera, microphone, or some other recording device in the room with your hidden service machine. If they capture your encryption passphrase, your data will be compromised. Recently the FBI and Secret Service used this technique in the bust of the ShadowCrew carding board, and it has been used for a long time by both law enforcement and intelligence. While using a blanket will deter a camera, the audio generated by your keyboard may not be sufficiently muffled to stop a microphone from revealing what’s going on. Countermeasures: Always be careful of anyone coming into the place where your computing equipment or office is. Remember that today’s technology includes WiFi cameras and all kinds of devices. Also check your router for any weird connections to it, and remember the logs: they will show failed attempts to access your network. Another way is to scan for SSIDs with Kismet or NetStumbler; you may be able to find the device that way. And for microphones: whatever music you like, play it loud; I would suggest metal, since it is filled with so many harmonics that it will be very hard to extract the keystrokes from the noise.
If your adversary suspects you run a hidden service, they can watch your internet connection and try to use traffic analysis to determine whether the hidden service is run on your network. If your adversary downloads a few 50 megabyte files from your server and, every time, around 50MB of encrypted traffic goes across your network, that’s pretty good evidence. Combine that with shutting off the power to your machine and watching the hidden service go down, and you’ve got somebody who knows what’s going on. Countermeasures: There are creative ways of dealing with this, such as cover traffic, UPSs, redundant servers, and physical security.
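An added example, not from the original post, that models the volume-correlation check described above and shows why constant-rate cover traffic blunts it. The per-second byte counts, the 10-second fetch duration and the 6 MB/s cover rate are constructed assumptions, not measurements from any real network.

```python
"""Volume-correlation check on a constructed uplink trace (not real captures)."""
import random

FETCH_BYTES = 50 * 1024 * 1024  # the 50 MB file from the text
FETCH_SECS = 10                 # assumed: each fetch takes about 10 s

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / (sxx * syy) ** 0.5

def adversary_fetch_signal(fetch_starts, seconds):
    """1 in every second the adversary is pulling a file, else 0."""
    active = set()
    for s in fetch_starts:
        active.update(range(s, s + FETCH_SECS))
    return [1 if t in active else 0 for t in range(seconds)]

def observed_uplink(fetch_starts, seconds, cover_rate=None, seed=1):
    """Bytes/s an observer sees on the suspect's uplink. cover_rate pads
    every second up to a fixed rate (constant-rate shaping)."""
    rng = random.Random(seed)
    signal = adversary_fetch_signal(fetch_starts, seconds)
    per_sec = FETCH_BYTES // FETCH_SECS
    out = []
    for t in range(seconds):
        bytes_t = rng.randint(0, 200_000)       # unrelated background traffic
        if signal[t]:
            bytes_t += per_sec                  # the hidden service answering
        if cover_rate is not None:
            bytes_t = max(bytes_t, cover_rate)  # dummy data fills idle time
        out.append(bytes_t)
    return out

def correlation_score(fetch_starts, seconds, cover_rate=None):
    """How well the observed volume tracks the adversary's own fetches."""
    return pearson(adversary_fetch_signal(fetch_starts, seconds),
                   observed_uplink(fetch_starts, seconds, cover_rate))

if __name__ == "__main__":
    starts = [20, 80, 140]
    print("no cover   :", round(correlation_score(starts, 200), 3))
    print("with cover :", round(correlation_score(starts, 200, 6_000_000), 3))
```

Cover traffic only hides the bursts when the padded rate is at or above the real peak load; padding idle time to a rate below the burst size leaves the correlation almost untouched.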
A government censor can render it moot by simply blocking the relays.
gAtO hopes that this will help you understand the ToR network a little better, and don’t worry: the Tor Project is working hard on traffic correlation attacks. – gAtO oUt