Friday, February 19, 2016

“Agent Staining is a technique that involves writing a unique marker (or stain) onto a target machine. Each stain is visible in passively collected SIGINT and is stamped into every packet, which enables all the events from that stained machine to be brought back together to recreate a browsing session.”
  
http://cryptome.org/2013/10/gchq-mullenize.pdf
  
http://s3.documentcloud.org/documents/801762/mullenize-28redacted-29.pdf
  
¤ Packet Staining ::
  
http://prezi.com/p5et9yawg2c6/ip-packet-staining/
http://tools.ietf.org/html/draft-macaulay-6man-packet-stain-00
http://tools.ietf.org/html/draft-macaulay-6man-packet-stain-01
http://cryptome.org/2013/10/packet-stain/packet-staining.htm
  
¤ NSA Peeling Back the Layers of Tor ::
  
http://cryptome.org/2013/10/nsa-egotisticalgiraffe.pdf
http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption
  
¤ NSA ; Tor Source Code Vulnerabilities ::
  
“We have seen several targets using Tor. Our goal was to analyze Tor source code and determine any vulnerabilities in the system. We set up an internal Tor network to analyze Tor traffic, in the hopes of discovering ways to passively identify it. We also worked to create a custom Tor client which allows the user finer control.” ... ...
  
“This accomplishes several things. Most basically, the Tor servers, many of which are listed on publicly advertised directory servers, are chosen to act as a series of proxies. This may seem to be excessively complex, as a single proxy server can be used to hide one’s location, but a single-hop proxy is vulnerable in two ways. First, by analyzing the pattern of the traffic going to and from the proxy server, it is possible to deduce which clients are making which requests. Second, if an attacker owns the proxy server, then it certainly knows who is asking for what, and anonymization is ruined. By using multiple hops, Tor is much more resistant to both of these attacks. Traffic analysis becomes extraordinarily difficult, as it must be coordinated across several machines, and an attacker must own all the hops along the circuit in order to trace requests back to the originating client.”
  
... ...
  
“In our time in the lab, we found that running an nmap on a node that is offering a hidden service will turn up the port that the hidden service is using to deal with incoming connections. It can then be directly connected to, outside of Tor.”
  
... ...
  
“We would have to try to connect to each of the ports we see open on a machine to determine if there is a hidden service being run. We would not even know which protocol the hidden service is running. It may be an HTTP server, an FTP server, an SMTP server, etc. The only thing we know is that the protocol must run over TCP. It is not enough to attempt to connect once to each port, using an HTTP GET request. Several protocols must be tried.”
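The two excerpts above describe the operator-side failure that makes a hidden service findable by a plain port scan: the backend behind the onion address also listens on a public interface. The defensive check is to confirm that every backend named by a `HiddenServicePort` line accepts connections only on loopback. The script below is an added example, not code from the leaked paper or from the Tor project; it parses a constructed torrc fragment and a constructed listing in the shape of `ss -Hltn` output (in practice you would feed it the real command output) and reports any hidden-service backend port that is bound off-loopback.

```python
"""Audit which hidden-service backend ports are reachable outside Tor.

A backend behind an onion service should listen on 127.0.0.1 or ::1 only;
a listener on 0.0.0.0, *, or a public address answers to anyone who scans
the host, which is exactly the exposure the excerpt describes.
"""
import ipaddress

# Constructed sample torrc: two onion services. The second target omits
# the address, in which case Tor forwards to 127.0.0.1:VIRTPORT.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/mail/
HiddenServicePort 25 2525
"""

# Constructed sample in the shape of `ss -Hltn` output (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
# The 8080 backend is bound on all interfaces, which is the defect.
SAMPLE_SS = """\
LISTEN 0 128   127.0.0.1:9050   0.0.0.0:*
LISTEN 0 128   0.0.0.0:22       0.0.0.0:*
LISTEN 0 4096  0.0.0.0:8080     0.0.0.0:*
LISTEN 0 4096  [::1]:2525       [::]:*
LISTEN 0 128   127.0.0.1:2525   0.0.0.0:*
"""


def split_addr_port(s):
    """Split 'addr:port', '[v6addr]:port' or '*:port' into (addr, int(port))."""
    addr, _, port = s.rpartition(":")
    return addr.strip("[]"), int(port)


def hidden_service_targets(torrc):
    """Return the (address, port) backends named by HiddenServicePort lines."""
    targets = []
    for line in torrc.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "HiddenServicePort":
            continue
        virtport = int(parts[1])
        if len(parts) == 2:                 # no TARGET: 127.0.0.1:VIRTPORT
            targets.append(("127.0.0.1", virtport))
            continue
        target = parts[2]
        if target.startswith("unix:"):      # unix-socket targets have no TCP listener
            continue
        if ":" in target:
            targets.append(split_addr_port(target))
        else:                               # bare port: 127.0.0.1:port
            targets.append(("127.0.0.1", int(target)))
    return targets


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line of `ss -Hltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        listeners.append(split_addr_port(parts[3]))
    return listeners


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; '*' and 0.0.0.0 are wildcards."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_backends(torrc, ss_output):
    """Hidden-service backend ports that also accept connections off-loopback."""
    target_ports = {port for _, port in hidden_service_targets(torrc)}
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port in target_ports and not is_loopback(addr)
    )


if __name__ == "__main__":
    for addr, port in exposed_backends(SAMPLE_TORRC, SAMPLE_SS):
        print(f"backend port {port} is bound on {addr}: reachable without Tor")
```

On the sample data only port 8080 is flagged; port 2525 is listening on both loopback addresses and passes. The check deliberately ignores listeners that are not hidden-service targets (sshd on port 22 here), since those are a separate exposure question.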
  
... ...
  
“It may also be useful to study Tor directory servers in more detail. Our work focused solely on the client, but many attacks would be much easier with access to more Tor servers. The directory servers ultimately control which Tor servers are used by clients. We have found that a server can put itself on a directory server multiple times; all it takes is the server running several Tor processes, each having a different nickname, open port, fingerprint, and LOG FILE. This only requires different configuration files for the different processes, which are easy to set up. That machine will handle a disproportionate amount of traffic, since it is listed several times. This increases the density of friendly servers in the cloud without increasing the number of servers we have set up. Unfortunately, each listing has the same IP address, which would be very noticeable to anyone who is inspecting the directories.”
  
http://cryptome.org/2013/10/nsa-tor.pdf
http://s3.documentcloud.org/documents/802061/ces-summer-2006-tor-paper-28redacted-29-1.pdf
http://www.washingtonpost.com/world/national-security/secret-nsa-documents-show-campaign-against-tor-encrypted-network/2013/10/04/610f08b6-2d05-11e3-8ade-a1f23cda135e_story.html
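The last excerpt names its own weakness: every duplicate listing carries the same IP address, so the inspection it fears is a simple grouping over the network-status document. Tor's directory authorities now enforce that grouping themselves (the `AuthDirMaxServersPerAddr` option, default 2, caps how many relays an authority will list per address). The script below is an added example, not code from the paper or from Tor; it parses constructed network-status `r` lines (nickname, identity, digest, date, time, IP, ORPort, DirPort), groups relays by address, flags any address listed more often than the cap, and reports the share of listings each address holds, which is the "disproportionate amount of traffic" the excerpt is after.

```python
"""Detect one host listed several times in a Tor network-status document.

Each relay appears on an `r` line:
  r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
Several listings from one IP is the pattern the excerpt describes.
"""
import collections

# Constructed sample: four relay entries, three of them on one address
# (TEST-NET ranges; identities and digests are placeholder base64 strings).
SAMPLE_CONSENSUS = """\
r alpha  AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-02-19 00:00:00 198.51.100.10 9001 9030
r beta   CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-02-19 00:00:00 198.51.100.10 9002 0
r gamma  EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-02-19 00:00:00 198.51.100.10 9003 0
r delta  GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2016-02-19 00:00:00 203.0.113.5 443 80
"""


def parse_router_lines(consensus):
    """Yield (nickname, identity, ip, orport) for each `r` line, skipping the rest."""
    for line in consensus.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] != "r":
            continue
        nickname, identity = parts[1], parts[2]
        ip, orport = parts[6], int(parts[7])
        yield nickname, identity, ip, orport


def relays_by_address(consensus):
    """Map each IP address to the list of (nickname, identity, orport) listed on it."""
    by_ip = collections.defaultdict(list)
    for nickname, identity, ip, orport in parse_router_lines(consensus):
        by_ip[ip].append((nickname, identity, orport))
    return dict(by_ip)


def overloaded_addresses(consensus, max_per_ip=2):
    """Addresses listed more than max_per_ip times, as (ip, count) pairs.

    The default mirrors the authorities' per-address cap of 2 (an assumption
    about what a reviewer would treat as the threshold, not part of the paper).
    """
    return sorted(
        (ip, len(relays))
        for ip, relays in relays_by_address(consensus).items()
        if len(relays) > max_per_ip
    )


def listing_share(consensus):
    """Fraction of all relay listings held by each address (unweighted)."""
    by_ip = relays_by_address(consensus)
    total = sum(len(relays) for relays in by_ip.values())
    return {ip: len(relays) / total for ip, relays in by_ip.items()}


if __name__ == "__main__":
    for ip, count in overloaded_addresses(SAMPLE_CONSENSUS):
        names = ", ".join(n for n, _, _ in relays_by_address(SAMPLE_CONSENSUS)[ip])
        print(f"{ip}: {count} listings ({names}), "
              f"{listing_share(SAMPLE_CONSENSUS)[ip]:.0%} of all entries")
```

The share is by listing count only; a real consensus weights relays by measured bandwidth, so the same host would also need its bandwidth weights summed to judge how much client traffic it actually attracts. The grouping is nonetheless the cheap first pass that makes the duplicated address "very noticeable".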
  
¤ NSA ; Types of IAT ::
  
http://cryptome.org/2013/10/nsa-iat-tor.pdf
  
¤ NSA Link Removed by Guardian ::
  
http://cryptome.org/2013/10/nsa-link-removed.htm
  