Microsoft MVP (Enterprise Security) Microsoft Certified Trainer (18 years) Founder: Cybercrime Security Forum! Winner: Microsoft Speaker Idol 2006 Author: The Seventh Day Andy Malone (United Kingdom) Follow me on

What is TOR and how does it keep me anonymous? Who uses TOR & Why? Understand what the Darkweb is & Learn about it’s dangers Learn about Potential Flaws in the Technology Forensics & Law Enforcement TOR Technology & My Business

TOR: A Tale of Two Sides Freedom from Censorship, No Restrictions, Private Communication, Many US UK Agencies use similar private channels The Dark Web: Drugs, Guns, Malicious Software, Pedophiles. Slavery, Black Market

Tails TOR Browser TOR Atlas Stem (Development Environment) Orbot (Android) ARM (Shell) Pluggable Transports TOR Cloud

“There are no conspiracies. We don’t do things we don’t want to. No backdoors ever!” Jacob Appelbaum: TOR (2013) TOR: Key Principle

Home Users can protect themselves when online Activists can anonymously report abuses from danger zones Whistleblowers can use Tor to safely report on corruption Journalists use Tor to protect their research and sources online Military and law enforcement can protect communications, investigations, and intelligence (No IP Trace)

TOR Node Encrypted Alice Bob Jane Unencrypted Each OR maintains a TLS / AES connection to every other OR Users run an onion proxy (OP) to fetch directories, establish circuits across the network Each OR maintains a long & short term onion identity key (10 mins) Used to sign TLS certificates which sign the OR’s router descriptor, summary of keys, address, bandwidth,etc Port 9001 Port 9090 Port 443

TOR Node Encrypted Alice Dave Bob Jane Unencrypted Step 1: Alice’s TOR Client obtains a list of TOR Clients from a directory server Port 9001 Port 9030

TOR Node Encrypted Alice Dave Bob Jane Unencrypted Step 2: Alice’s TOR Client picks a random path to a destination server. Green links are encrypted, red links are in the clear Port 443 Port 80

TOR Node Encrypted Alice Dave Bob Jane Unencrypted Step 3: If at a later time Alice connects to a different resource then a different, random route is selected. Again Green links are encrypted, red links are in the clear Port 80 Port 443

Onion Routing: Peeling back the Layers Alice builds a two-hop circuit and begins fetching a web page.

TOR Node TLS Encrypted Control cells: interpreted by the nodes that receive them Relay cells: which carry end-to-end stream data. Has an additional header on front of the payload containing streamID Integrity checksum Length of payload and relay command. Header circuit identifier or circutID Instruction Payload Command Payload Data Fixed-sized cells 512 bytes with a header and a payload

Onion Routing: Cell Commands

Exploring the TOR Project

A Journey Inside the Darknet

Controlled substance marketplaces Armories selling all kinds of weapons Child pornography Unauthorized leaks of sensitive information Money laundering Copyright infringement Credit Card Fraud

DynamicUnlinkedPrivate Site Contextual Varied access pages with differing ranges of client IP addresses Limited Access Limited technically (e.g. using Robots Exclusions, CAPTCHAs. Or no- cache Pragma HTTP headers, which prohibit browsing & caching Scripted Accessible through links produced by JavaScript Content dynamically downloaded via Flash or Ajax Non HTML/Text

Exploring the Darkweb

Timing Attack Entry Monitoring Intersection Attack Ddos Attack Predecessor Attack (Replay) Exit node Sniffing

TOR Node Encrypted Bob Unencrypted Criminal posts anonymous content out to Compromised Server Compromised Node Police Law Enforcement Monitor suspects client machine (Entry Point)

TOR Node Encrypted Target Unencrypted Criminal posts anonymous content onto Server Compromised Node Infected with malicious code Police Law Enforcement Monitors Target client machine (Exit Point) An exit node has complete access to the content being transmitted from the sender to the recipient If the message is encrypted by SSL, the exit node cannot read the information, just as any encrypted link over the regular internet

TOR Node Encrypted Bob Unencrypted Criminal posts anonymous content out to Compromised Server Compromised Node Police Network Analysis Nodes periodically fail of the network; any chain that remains functioning cannot have been routed through either the nodes that left or the nodes that recently joined the network, increasing the chances of a successful traffic analysis Offline Node

TOR Node Encrypted Unencrypted Security Agencies TOR is a key technology in the fight against organized crime on the internet Illegal Site Agency IP Address Hidden from Site owner

TOR

Looks like regular HTTPS Traffic on port 443…

The Truth is revealed

Obtain list of TOR Servers

Then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list

Add output to IP Address tables * Additional links on slides

Blocking TOR – Application Aware Firewalls

Regular I.E 11 Browser

Privacy IE 11 Browser

Older TOR

Updated TOR

Other Privacy Solutions

Proxy Heaven

Encrypted Unencrypted Eavesdropper: Skype Video Traffic Bob: TOR traffic disguised via OpenWRT compatible modem Alice Bob Alice: TOR traffic disguised via OpenWRT compatible modem

What is TOR and how does it keep me anonymous? Who uses TOR & Why? Understand what the Darkweb is & Learn about it’s dangers Learn about Potential Flaws in the Technology Forensics & Law Enforcement TOR Technology & My Business

The Extras… & Get my OneDrive Link

blogs.technet.com/security trustedcloud