TOP SECRET//COMINT//REL TO USA, FVEY

Tracking Targets Through Proxies & Anonymizers
and the air speed velocity of an unladen swallow
Also known as PaAatasvoaus

Classification
Classification of this briefing is TOP SECRET//COMINT//REL TO USA, FVEY

Agenda Items
- The issue at hand: proxies, anonymizers, oh my
- What we do about it and how we approach this issue
- A couple of examples of tracking targets through anonymizers: AnchorFree, Tor
- Closing remarks and questions

Up Front Caveat
Before we begin this briefing I want to set the stage by saying that there is no silver bullet for tracking target communications through anonymizers. Any methodology set forth in this briefing requires both manual analysis and, generally, luck. With that out of the

The issue at hand: anonymizers, Tor, oh my
Targets generally don't like to have their communications tracked by government agencies or filtered by national firewalls. If they are tech savvy enough, they will use anonymizers to try to mask their real location. This generally makes for sad

What we do about the issue at hand
The only way to track communications through anonymizers is if you understand how those anonymizers work. If you don't know what the traffic looks like, how will you recognize it in
Generally our process is as follows:
1. Identify a new proxy/anonymizer
2. Research: use the anonymizer, document what happens, what the traffic looks like, and what client traffic it passes through, if any
3. Create fingerprints in SIGINT to identify such proxy traffic
4. Correlate proxy traffic with known target activity

AnchorFree
- AnchorFree owns a bunch of servers on the Internet.
- Then you have a user that downloads Hotspot Shield to proxy their traffic. We'll pretend they want to go to Yahoo or wherever else.
- When the user starts HSS, their browser sets up a tunnel connection to a randomly picked AnchorFree server. Then they access the webpage from the AnchorFree IP address.
- From testing, the IP address that the user connects to and the IP they show up as are NOT the same. But there is a direct correlation between the two.

So what?
- We can build static mappings between the inside tunnel IP address and the IP they show up as.
- So when we see a target access the account from an AnchorFree IP, we know which IP to go look for tunnel connections to in order to find their real client IP.
- We can also write XKS fingerprints to look for AnchorFree tunnels en masse from interesting locations.

Tor
(Diagram: Tor user -> Tor node -> Tor node -> Tor node -> Facebook.com)
1. The user selects 3 relatively random Tor nodes to use.
2. The user then sets up layers of SSL tunnels through them all to get to Facebook. A layer is stripped off along each hop.
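The two Tor steps on the slide (pick three relays, wrap the request in one layer per hop and let each hop strip one) are easiest to see in a small simulation. The Python below is an added example written for this page; it is not part of the briefing and not Tor's code. It stands in a toy SHA-256 keystream cipher with an HMAC tag for Tor's real per-hop cryptography, uses pre-shared per-relay keys instead of the key each hop negotiates with a real Tor client, and uses constructed relay names and a constructed request; the point it shows is the design property behind the slide's layering: every relay learns only the hop before it and the hop after it, so no single relay links the client to the destination.

```python
import hashlib
import hmac
import json
import os
import random
from base64 import b64decode, b64encode

# Toy layer cipher: SHA-256 keystream XOR plus an HMAC tag. This stands in for
# Tor's real per-hop cryptography purely for illustration (assumption, not Tor's design).
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one onion layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def peel(key: bytes, blob: bytes) -> bytes:
    """Strip one onion layer; refuses a layer whose tag does not verify."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def choose_path(relays, n=3, rng=random):
    """Step 1 on the slide: pick n relays at random (constructed relay names)."""
    return rng.sample(sorted(relays), n)


def build_onion(path, keys, destination, payload):
    """Step 2: wrap the request in one layer per hop, innermost layer for the exit."""
    blob = seal(keys[path[-1]], json.dumps({"next": destination, "payload": payload}).encode())
    for relay, next_hop in reversed(list(zip(path[:-1], path[1:]))):
        layer = json.dumps({"next": next_hop, "payload": b64encode(blob).decode()}).encode()
        blob = seal(keys[relay], layer)
    return blob


def run_circuit(path, keys, destination, payload):
    """Forward the onion hop by hop and record what each relay can observe."""
    blob = build_onion(path, keys, destination, payload)
    observations, previous_hop, delivered = {}, "client", None
    for relay in path:
        layer = json.loads(peel(keys[relay], blob))
        observations[relay] = (previous_hop, layer["next"])  # all this relay learns
        if relay == path[-1]:
            delivered = (layer["next"], layer["payload"])    # exit sends the plaintext request
        else:
            blob = b64decode(layer["payload"])              # still wrapped for later hops
        previous_hop = relay
    return observations, delivered


def no_relay_links_client_to_destination(observations, destination):
    """True when no single relay saw both the client and the final destination."""
    return not any(prev == "client" and nxt == destination for prev, nxt in observations.values())


if __name__ == "__main__":
    # Constructed relay keys; a real Tor client negotiates a fresh key with each hop.
    keys = {name: hashlib.sha256(name.encode()).digest() for name in ["r1", "r2", "r3", "r4", "r5"]}
    path = choose_path(keys, rng=random.Random(7))
    obs, delivered = run_circuit(path, keys, "facebook.com", "GET / HTTP/1.1")
    for relay in path:
        print(f"{relay} sees: from {obs[relay][0]} -> to {obs[relay][1]}")
    print("delivered:", delivered)
    print("no single relay links client to destination:",
          no_relay_links_client_to_destination(obs, "facebook.com"))
```

Each hop's `peel` only ever exposes the next hop's name and another sealed blob, which is the "layer stripped off along each hop" from the slide; the exit is the one relay that sees the plaintext request, but it sees it arriving from the middle relay, not from the client. The HMAC tag is there so a relay that is handed a modified layer rejects it rather than forwarding garbage.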
Interesting tidbits about Tor
- Tor uses SSL tunnels for
- We are able to identify what their SSL certificates look like, which allows us to identify Tor circuits in SIGINT (GOLDENFORTIN dataset) and exit node traffic.

And now for something completely different
A lot of the research we do on anonymizers consists of:
- Open source research: the Interwebz, forums, the 2010 Circumvention Tool Usage Report, etc.
- Trial and error: Wireshark
Basically about how stuff works and translating that to the SIGINT system.

Contact Info

Questions?
NOBODY EXPECTS THE SPANISH