Duo Tech Talks: Encryption Works: A Look at Tor and SecureDrop
At our August Duo Tech Talk, Runa A. Sandvik (@runasand) from the Freedom of the Press Foundation spoke about Tor and a tool called SecureDrop that allows anyone to set up their own whistleblower drop site.
Working with the Tor Project, she spent a lot of time as a security developer and researcher, as well as training journalists. She also did a forensic analysis of the Tor Browser to find out whether your activity was traceable; she found that no browsing activity was recorded, only the fact that you had used Tor.
She recently joined the Freedom of the Press Foundation, which allows donors to crowdfund different organizations that support journalists and the free press.
In case you missed the Duo Tech Talk live at our office or on the livestream, we have a video available below and a description of the talk:
About Duo's Tech Talks
Welcome, engineers and technologists in Ann Arbor and SE Michigan. Whether you are a hands-on software engineer, l33t hax0r, or a person just interested in advanced technologies, Duo Tech Talks is for you!
Hosted monthly at Duo Security's Ann Arbor office, these talks will cover a variety of topics of strong interest to the local technology community. Speakers will be enlisted both from the local community and subject matter experts from across the country. Find out more and join our Duo Tech Talk Meetup group.
If you're not lucky enough to be in Ann Arbor, we're livestreaming our Duo Tech Talks and taking questions for our expert guests in real time, so be sure to join in!
OPSEC & Tor
She is also a contributing author to Forbes, in an effort to set the record straight about the misuse of Tor. In Harvard Student Receives F For Tor Failure While Sending 'Anonymous' Bomb Threat, Runa pointed out that the identification of the student was due to his other sloppy security measures (logging in with his username/password to use Harvard’s wireless network to send the emails). Other publications falsely reported that Tor had been hacked or broken.
The student also didn’t realize that Tor doesn’t hide the fact that you’re using Tor - it only masks online activity. By reading the headers of the emails, school authorities were able to find emails sent using Tor, as well as easily narrow down the number of Tor users at the university.
Similarly, she referenced a talk at DEF CON this year that described how people used Tor to do sketchy things and got caught; the problem was never Tor itself, it was that people screw it up somehow (I think she was referring to Touring the Darkside of the Internet. An Introduction to Tor, Darknets, and Bitcoin given by Metacortex & Grifter in the DEF CON 101 room, a talk I waited in line for but couldn’t get into).
This illustrates the need for good operational security (OPSEC) behavior when using Tor (you shouldn’t use it at work or home, but from a random Wi-Fi source), which Runa said also ties into SecureDrop. Part of the problem may be that sources don’t think of themselves as whistleblowers, therefore they don’t think they’re at risk, and they don’t seek out anonymous means of communication.
In 2009, Tor used to require downloading the Tor software, the Firefox browser and the Torbutton extension, then plugging all three components together to get them to work. Since then, Runa said, the Tor team has made it much simpler to use. Tor has been around for 12 years; it was originally sponsored by the U.S. Naval Research Laboratory, with the U.S. Navy in mind, as a way to protect government communications. By open-sourcing the code, the Tor network has grown to 6,000 relays with over 1 million users worldwide.
How Tor Works
Runa then gave a description of how Tor works from the user side, including the use of three randomly selected servers (relays) to build a circuit, or path (a circuit lasts 10 minutes or one TCP session), through each server to send you to the website you want to visit.
By wrapping your request in three layers of encryption, each server is only allowed to see certain bits of the data content as it is passed along from relay to relay. With this model, there’s no single hop in the chain that is privy to all of your information - including your identity, your location, the software you’re using (Tor) and your desired location.
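As an added illustration of the layering described above (example code written for this post, not Tor's own implementation): the client wraps the request once per relay, and each relay strips exactly one layer, learning only the previous and next hop. The cipher is a toy SHA-256 keystream with an HMAC tag chosen so the example runs offline; real Tor circuits use AES-CTR with keys negotiated per hop, and relay names and keys here are constructed.

```python
import hashlib
import hmac
import json
import os

# Toy keystream cipher with an HMAC tag, used only so the example runs offline (not Tor's cipher).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(circuit, keys, destination, payload):
    """Client side: wrap the payload in one layer per relay, innermost (exit) first.
    Each layer tells only that relay where to forward the remaining opaque blob."""
    hops = circuit + [destination]
    data = payload
    for i in range(len(circuit) - 1, -1, -1):
        envelope = json.dumps({"next": hops[i + 1], "data": data.hex()}).encode()
        data = encrypt(keys[circuit[i]], envelope)
    return data

def peel(key, blob):
    """Relay side: strip exactly one layer and learn only the next hop."""
    inner = json.loads(decrypt(key, blob))
    return inner["next"], bytes.fromhex(inner["data"])

def run_circuit(circuit, keys, destination, payload):
    """Walk the circuit; return (relay, previous hop, next hop) as seen by each relay,
    plus the bytes that finally leave the exit toward the destination."""
    blob = build_onion(circuit, keys, destination, payload)
    observed, prev = [], "client"
    for name in circuit:
        nxt, blob = peel(keys[name], blob)
        observed.append((name, prev, nxt))
        prev = name
    return observed, blob
```

The guard sees the client but not the destination, the exit sees the destination but not the client, and the middle relay sees neither; a relay handed a blob still wrapped in another relay's layer cannot open it.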
When it comes to where these 6,000 relays are located throughout the world, most are in the United States and Germany. Tor prioritizes relays by the amount of bandwidth they offer. According to Runa, Tor is not illegal in any country, although certain encryption tools are supposedly illegal in Iran; she had also not heard of anyone arrested merely for using Tor. Another good point: simply using Tor may be a red flag to a government, as a group of journalists mentioned to Runa during her training in Istanbul.
Attacks on Tor
Someone in the crowd also mentioned that while China may not target individual Tor users, it will shut down relays and bridge nodes when it can. Runa said that China and Iran are effectively attempting to block Tor.
In order to block someone from using Tor, you can block the website (preventing people from getting the software), which Tor has attempted to get around by setting up mirrors and a service that will email the software directly to users.
Or you can block every single relay (the Tor client downloads the list of relay IP addresses, which anyone can access and block). Tor responded with the concept of bridges: first-hop relays whose IP addresses are not publicly listed. China then came up with a signature for the SSL handshake between the Tor client and the first relay, and subsequently blocked that. Tor came up with pluggable transports to work around this, though they do require more effort to use.
She also referenced a talk that was pulled from Black Hat that stated CMU (Carnegie Mellon) researchers found a way to de-anonymize users for $3k. However, CMU advocates talking to vendors before they talk about it publicly - Tor stated that they didn’t receive all of the information before the talk was pulled. She referenced a recent Tor blog that discusses the attacks as well as provides a very detailed technical description - Tor security advisory: "relay early" traffic confirmation attack.
From there, she addressed a number of questions and specific scenarios presented by the audience regarding attacks on relays, the Tor network and the Firefox browser, including how some users were served malware when they visited a certain site. She also gave recommendations on how to leverage OPSEC to protect oneself when using Tor.
According to PressFreedomFoundation.org, SecureDrop is an open-source whistleblower submission system managed by Freedom of the Press Foundation that media organizations use to securely accept documents from anonymous sources.
Visit the Freedom of the Press' SecureDrop site to review a comprehensive FAQ with a detailed diagram of how it works.
September Tech Talk
Our next Duo Tech Talk, Building a Modern Security Engineering Organization, will be led by Zane Lackey, Founder/CSO at Signal Sciences. Join & RSVP!
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering: practical advice for building and scaling modern AppSec and NetSec programs; lessons learned for organizations seeking to launch a bug bounty program; and how to run realistic attack simulations and learn the signals of compromise in your environment.
Join our Duo Tech Talk Meet Up group to stay informed about upcoming tech talks!
About Runa A. Sandvik
Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. She is a Forbes contributor, a technical advisor to the TrueCrypt Audit project, and a member of the review board for Black Hat Europe. Prior to joining the Freedom of the Press Foundation as a full-time technologist in June 2014, she worked with The Tor Project for four years.