1
00:00:00,570 --> 00:00:09,180
This is an article written by Bruce Schneier, published in The Guardian in October 2013, but still very valid
2
00:00:09,240 --> 00:00:11,160
and worth reading.
3
00:00:11,160 --> 00:00:19,860
It provides information on the Quantum system and FoxAcid, the platforms used by the NSA to de-anonymize
4
00:00:19,860 --> 00:00:20,950
Tor users.
5
00:00:21,000 --> 00:00:28,740
Even if you don't consider the NSA or GCHQ, the Five Eyes, your adversary, it is a good read to understand
7
00:00:28,920 --> 00:00:30,940
how Tor is attacked.
8
00:00:31,050 --> 00:00:38,910
It covers all of the methods which we have gone through, and provides some context in relation to an agency.
10
00:00:39,120 --> 00:00:45,540
You can read it yourself now, or you can listen to it now as it is read back on the video. If you want to
11
00:00:45,540 --> 00:00:46,740
read it yourself,
12
00:00:46,740 --> 00:00:50,880
my conclusions are at the end, after about 10 minutes.
13
00:00:50,910 --> 00:00:56,430
The online anonymity network Tor is a high-priority target for the National Security Agency.
14
00:00:56,460 --> 00:00:58,870
The work of attacking Tor is done by the NSA's
15
00:00:58,890 --> 00:01:04,830
application vulnerabilities branch, which is part of the systems intelligence directorate, or SID.
16
00:01:04,980 --> 00:01:10,620
The majority of NSA employees work in SID, which is tasked with collecting data from communications
17
00:01:10,620 --> 00:01:16,680
systems around the world, according to a top-secret NSA presentation provided by the whistleblower Edward
18
00:01:16,680 --> 00:01:17,550
Snowden.
19
00:01:17,550 --> 00:01:23,220
One successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection
20
00:01:23,220 --> 00:01:27,590
of programs designed to make it easier for people to install and use the software.
21
00:01:27,600 --> 00:01:32,460
The trick identifies Tor users on the Internet and then executes an attack against their Firefox web
22
00:01:32,460 --> 00:01:33,300
browser.
23
00:01:33,300 --> 00:01:38,730
The NSA refers to these capabilities as CNE, or computer network exploitation.
24
00:01:38,730 --> 00:01:43,050
The first step of this process is finding Tor users. To accomplish this,
25
00:01:43,050 --> 00:01:47,670
the NSA relies on its vast capability to monitor large parts of the Internet.
26
00:01:47,670 --> 00:01:53,400
This is done via the agency's partnership with U.S. telecoms firms under programs codenamed Stormbrew,
27
00:01:53,580 --> 00:01:55,700
Fairview, Oakstar and Blarney.
28
00:01:55,710 --> 00:02:01,470
The NSA creates fingerprints that detect HTTP requests from the Tor network to particular servers.
30
00:02:01,680 --> 00:02:07,980
These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis
31
00:02:07,980 --> 00:02:13,650
tool which NSA boasts allows its analysts to see almost everything a target does on the Internet, using
32
00:02:13,650 --> 00:02:18,860
powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult.
33
00:02:18,900 --> 00:02:24,210
The NSA automatically sifts through the enormous amount of Internet traffic that it sees, looking for
34
00:02:24,270 --> 00:02:25,410
Tor connections.
35
00:02:25,410 --> 00:02:31,350
Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability
36
00:02:31,350 --> 00:02:34,790
to identify Tor users by monitoring Internet traffic.
37
00:02:34,800 --> 00:02:40,310
The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike
38
00:02:40,320 --> 00:02:44,900
on the Internet, makes it easier to differentiate Tor users from other web users.
39
00:02:44,940 --> 00:02:50,400
On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user
40
00:02:50,400 --> 00:02:53,350
is, or whether or not the user is in the US.
41
00:02:53,370 --> 00:02:59,280
After identifying an individual Tor user on the Internet, the NSA uses its network of secret internet
42
00:02:59,280 --> 00:03:05,010
servers to redirect those users to another set of secret internet servers, with the codename FoxAcid,
43
00:03:05,220 --> 00:03:07,290
to infect the user's computer.
44
00:03:07,290 --> 00:03:13,230
FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed
45
00:03:13,230 --> 00:03:18,990
by the NSA, giving the agency the opportunity to launch prepared attacks against their systems.
46
00:03:18,990 --> 00:03:25,470
Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs
47
00:03:25,470 --> 00:03:31,110
additional attacks on the target computer to ensure that it remains compromised long-term, and continues
48
00:03:31,110 --> 00:03:36,270
to provide eavesdropping information back to the NSA. Exploiting the Tor browser bundle.
49
00:03:36,270 --> 00:03:41,720
Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult.
50
00:03:41,730 --> 00:03:47,520
The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox
51
00:03:47,520 --> 00:03:50,580
browsers, and not the Tor application directly.
52
00:03:50,580 --> 00:03:56,910
This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using
53
00:03:56,910 --> 00:04:00,160
Tor, making it difficult to target those services.
54
00:04:00,180 --> 00:04:06,780
Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.
56
00:04:06,960 --> 00:04:13,050
According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion
57
00:04:13,050 --> 00:04:18,090
vulnerability in E4X, which is an XML extension for JavaScript.
58
00:04:18,090 --> 00:04:26,760
This vulnerability exists in Firefox 11.0 to 16.0.2, as well as Firefox 10.0 ESR,
59
00:04:26,820 --> 00:04:30,600
the Firefox version used until recently in the Tor browser bundle.
60
00:04:30,660 --> 00:04:36,330
According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently
61
00:04:36,330 --> 00:04:42,150
fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox
62
00:04:42,150 --> 00:04:44,090
version into the Tor browser bundle.
63
00:04:44,190 --> 00:04:49,650
But NSA were confident that they would be able to find a replacement Firefox exploit that worked against
64
00:04:49,650 --> 00:04:52,170
version 17.0 ESR.
65
00:04:52,170 --> 00:04:56,510
The Quantum system. To trick targets into visiting a FoxAcid server,
66
00:04:56,580 --> 00:05:02,610
the NSA relies on its secret partnerships with U.S. telecoms companies. As part of the Turmoil system,
67
00:05:02,790 --> 00:05:08,790
the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone.
68
00:05:08,790 --> 00:05:14,380
This placement ensures that they can react faster than other websites can. By exploiting that speed
69
00:05:14,380 --> 00:05:19,840
difference, these servers can impersonate a visited website to the target before the legitimate website
70
00:05:19,870 --> 00:05:26,200
can respond, thereby tricking the target's browser to visit a FoxAcid server. In the academic literature,
72
00:05:26,410 --> 00:05:31,420
these are called man-in-the-middle attacks, and have been known to the commercial and academic security
73
00:05:31,420 --> 00:05:32,500
communities.
74
00:05:32,500 --> 00:05:36,380
More specifically, they are examples of man-on-the-side attacks.
75
00:05:36,430 --> 00:05:42,250
They are hard for any organization other than the NSA to reliably execute, because they require the attacker
76
00:05:42,250 --> 00:05:47,620
to have a privileged position on the Internet backbone, and exploit a race condition between the NSA
77
00:05:47,620 --> 00:05:49,730
server and the legitimate website.
78
00:05:49,750 --> 00:05:56,320
This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this
79
00:05:56,320 --> 00:06:03,340
type of attack. The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously
80
00:06:03,340 --> 00:06:06,030
redirects the target to the FoxAcid server.
81
00:06:06,040 --> 00:06:12,010
An article in the German magazine Spiegel, based on additional top-secret Snowden documents, mentions
82
00:06:12,000 --> 00:06:17,440
an NSA-developed attack technology with the name of QuantumInsert that performs redirection attacks.
84
00:06:17,660 --> 00:06:23,090
Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto
85
00:06:23,090 --> 00:06:28,200
target browsers, and another Quantum program to degrade, deny or disrupt Tor access.
86
00:06:28,240 --> 00:06:33,250
The same technique is used by the Chinese government to block its citizens from reading censored Internet
87
00:06:33,250 --> 00:06:38,020
content, and has been hypothesized as a probable NSA attack technique.
88
00:06:38,020 --> 00:06:43,330
The FoxAcid system. According to various top-secret documents provided by Snowden,
89
00:06:43,330 --> 00:06:49,660
FoxAcid is the NSA codename for what the NSA calls an exploit orchestrator, an Internet-enabled system
90
00:06:49,660 --> 00:06:53,550
capable of attacking target computers in a variety of different ways.
91
00:06:53,560 --> 00:06:59,650
It is a Windows 2003 computer configured with custom software and a series of Perl scripts.
92
00:06:59,650 --> 00:07:04,660
These servers are run by the NSA's tailored access operations, or TAO, group.
93
00:07:04,690 --> 00:07:08,300
TAO is another subgroup of the systems intelligence directorate.
94
00:07:08,320 --> 00:07:10,300
The servers are on the public Internet.
95
00:07:10,330 --> 00:07:15,370
They have normal looking domain names and can be visited by any browser from anywhere.
96
00:07:15,370 --> 00:07:18,930
Ownership of those domains cannot be traced back to the NSA.
97
00:07:19,030 --> 00:07:25,560
However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag,
98
00:07:25,660 --> 00:07:31,120
the server attempts to infect that browser, and then the computer, in an effort to take control of it.
100
00:07:31,330 --> 00:07:37,630
The NSA can trick browsers into using that URL using a variety of methods, including the race condition
101
00:07:37,620 --> 00:07:40,530
attack mentioned above, and frame injection attacks.
102
00:07:40,650 --> 00:07:46,180
FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious.
104
00:07:46,360 --> 00:07:52,630
An example of one such tag (link removed) is given in another top-secret training presentation provided
105
00:07:52,620 --> 00:07:53,620
by Snowden.
106
00:07:53,620 --> 00:07:56,820
There is no currently registered domain name by that name.
107
00:07:56,830 --> 00:08:00,560
It is just an example for internal NSA training purposes.
108
00:08:00,610 --> 00:08:05,740
The training materials state that merely trying to visit the home page of a real FoxAcid server will
109
00:08:05,740 --> 00:08:09,820
not result in any attack, and that a specialized URL is required.
110
00:08:09,820 --> 00:08:15,610
This URL would be created by TAO for a specific NSA operation, and unique to that operation and
111
00:08:15,610 --> 00:08:16,350
target.
112
00:08:16,360 --> 00:08:21,430
This allows the FoxAcid server to know exactly who the target is when his computer contacts it.
114
00:08:21,610 --> 00:08:27,490
According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than
115
00:08:27,490 --> 00:08:29,410
the Tor attacks described here.
116
00:08:29,410 --> 00:08:34,930
It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they
117
00:08:34,930 --> 00:08:39,780
are discovered, and only run certain exploits against certain types of targets.
118
00:08:39,790 --> 00:08:43,590
The most valuable exploits are saved for the most important targets.
119
00:08:43,600 --> 00:08:48,820
Low-value exploits are run against technically sophisticated targets, where the chance of detection is
120
00:08:48,820 --> 00:08:49,380
high.
121
00:08:49,480 --> 00:08:55,810
TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits
122
00:08:55,810 --> 00:09:01,410
are authorized against different targets, depending on the value of the target, the target's technical
123
00:09:01,410 --> 00:09:06,030
sophistication, the value of the exploit, and other considerations.
124
00:09:06,040 --> 00:09:12,100
In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.
125
00:09:12,150 --> 00:09:17,950
According to a top-secret operational management procedures manual provided by Snowden, once the target
126
00:09:17,950 --> 00:09:23,530
is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in
127
00:09:23,530 --> 00:09:28,900
the manual are designed to collect configuration and location information from the target computer,
128
00:09:28,890 --> 00:09:32,530
so an analyst can determine how to further infect the computer.
129
00:09:32,530 --> 00:09:37,920
These decisions are made in part by the technical sophistication of the target and the security software
130
00:09:37,920 --> 00:09:45,120
installed on the target computer, called personal security products, or PSP, in the manual. FoxAcid payloads
131
00:09:45,120 --> 00:09:48,250
are updated regularly by TAO. For example,
132
00:09:48,310 --> 00:09:55,780
the manual refers to version 8.2.1.1 of one of them. FoxAcid servers also have sophisticated capabilities
133
00:09:55,780 --> 00:09:59,900
to avoid detection and to ensure a successful infection of its targets.
134
00:09:59,910 --> 00:10:05,170
The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent
135
00:10:05,160 --> 00:10:10,530
commercial products that prevent malicious software from making changes to a system that survive a reboot
136
00:10:10,540 --> 00:10:11,470
process.
137
00:10:11,470 --> 00:10:17,800
The NSA also uses phishing attacks to induce users to click on FoxAcid tags. TAO additionally uses
138
00:10:17,800 --> 00:10:24,040
FoxAcid to exploit callbacks, which is the general term for a computer infected by some automatic means
139
00:10:24,220 --> 00:10:29,740
calling back to the NSA for more instructions and possibly to upload data from the target computer.
140
00:10:29,740 --> 00:10:35,470
According to a top-secret operational management procedures manual, FoxAcid servers configured to
141
00:10:35,470 --> 00:10:39,500
receive callbacks are codenamed FrugalShot. After a callback,
142
00:10:39,550 --> 00:10:44,860
the FoxAcid server may run more exploits to ensure that the target computer remains compromised long
143
00:10:44,860 --> 00:10:48,270
term, as well as install implants designed to exfiltrate
144
00:10:48,280 --> 00:10:55,080
data. By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special
145
00:10:55,090 --> 00:10:57,120
system to manage it all.
146
00:10:57,130 --> 00:11:03,060
So there you are. Without even having the advantage of this and the information, I would have already
147
00:11:03,070 --> 00:11:09,850
assumed these methods would be used by nation states, especially the United States and the United Kingdom.
149
00:11:09,930 --> 00:11:16,800
These are pretty crafty methods, but nothing anyone who understands security wouldn't have sketched out
150
00:11:16,810 --> 00:11:18,940
after about 10 minutes of thought.
151
00:11:18,930 --> 00:11:25,920
Man-in-the-middle and man-on-the-side attacks, attacking the browser, frame injection attacks, injecting cookies,
152
00:11:26,020 --> 00:11:33,450
degrade, deny, disrupt Tor access, which could be used in timing attacks for de-anonymization.
153
00:11:33,550 --> 00:11:40,740
Pretty standard stuff if you understand security. The security mitigations in the course all address
155
00:11:40,810 --> 00:11:45,140
all these methods, and hopefully future methods too.
156
00:11:45,150 --> 00:11:51,220
The article highlights the need for protection against stored, injected super cookies, which we do through
157
00:11:51,310 --> 00:11:59,950
any number of methods of non-persistence, like live operating systems, and evidence elimination, which we
158
00:11:59,950 --> 00:12:00,640
cover.
159
00:12:00,630 --> 00:12:07,420
It highlights the need to be able to contain a browser exploit or zero-day vulnerability that you cannot
160
00:12:07,410 --> 00:12:10,220
patch, an expected attack vector.
161
00:12:10,240 --> 00:12:16,990
We mitigate this through isolation and compartmentalisation techniques such as sandboxes, VMs, physical
162
00:12:16,990 --> 00:12:25,510
isolation, browser hardening, reducing the attack surface, hiding unique hardware IDs, not using Flash, Java,
163
00:12:25,540 --> 00:12:33,240
JavaScript, active content, using Tor gateways and/or using the Tor browser on its highest security settings,
164
00:12:33,630 --> 00:12:34,650
and so on.
165
00:12:34,680 --> 00:12:42,690
And, as always, through good operational security. Deals with telcos are required as part of these attack
166
00:12:42,700 --> 00:12:52,030
methods to find Tor users, or they need to have access to boxes spread across the Internet, which presumably
167
00:12:52,210 --> 00:12:59,110
they will need to have hacked in order to get access to, which we know the Five Eyes do, and so will most
168
00:12:59,110 --> 00:13:00,760
nation states as well.
169
00:13:00,760 --> 00:13:03,210
So potentially your adversary.
170
00:13:03,220 --> 00:13:11,460
This means that attempting to escape your adversary's sphere of influence is, or could be, a valid mitigation
171
00:13:11,800 --> 00:13:13,540
against this type of attack.
172
00:13:13,600 --> 00:13:21,040
As long as doing that doesn't make you stand out further. Meaning, routing through places dark to your
173
00:13:21,040 --> 00:13:28,120
adversary with, say for example, a nested VPN would mitigate the type of attacks mentioned in this
174
00:13:28,170 --> 00:13:29,160
article.
175
00:13:29,400 --> 00:13:32,920
You have to know what you're doing when you add complexity.
176
00:13:32,950 --> 00:13:36,400
You could increase your risk if you get it wrong.
177
00:13:36,390 --> 00:13:42,840
See the section on nesting anonymizing services. Against a nation state like the NSA,
178
00:13:42,880 --> 00:13:50,410
you have to assume that everywhere you visit is a potential bad actor, and you have to mitigate accordingly.
180
00:13:50,800 --> 00:14:02,470
And that goes the same for any powerful adversary, whether or not of the likes of the NSA.