
[SAFETY] INTERNET SECURITY

GoshaG

Internet security and how special services can find you
Imagine a situation: you are a secret service officer, and your task is to find a particularly dangerous blackmailer who appears on the network periodically and only to transmit data. For his criminal activity he set up a separate laptop, from which he "cut out" the microphone, speakers and camera. A reasonable decision, considering that speakers can be used to listen too.
He uses Tails as the operating system, although for maximum anonymity it would be worth using Whonix. One way or another, all traffic goes through Tor; he does not trust VPNs, and he needs Tor to work on the Darknet anyway.
For communication he uses Jabber with PGP encryption. He could have installed Telegram, but he is a representative of the old school of criminals. Even if you have access to the Jabber server, you can only get encrypted data and Tor IP addresses. This is useless information.
The criminal works on the principle that "silence is golden": he won't say too much, and he won't open a link or a file. It is only known that he must be in the same country as you. It would seem that there is no chance of establishing his identity, but this is an illusion. It is possible to establish his identity despite all the measures he takes.
The described case is ideal for using a timing attack on a messenger. The first step is a program that tracks and records every time the user comes online and goes offline. He appears on the network and the system immediately notes the time; he leaves and the system records the time of the exit.
Now you have a log of his activity over several days in your hands, and it is time to use the ORM system (operational search measures). Such systems are at the disposal of the special services of most countries; in Russia it is SORM. You need to find out who in your country connected to the Tor network within +/- 5 minutes of those times.
We know that the target to be deanonymized connected on 04/22/2018 at 11:07 am and disconnected at 12:30 pm. At the same points in time (+/- 5 minutes), 3,000 people in the country connected to the Tor network and disconnected from it. We take these 3,000 and see which of them reconnected at 14:17 and disconnected at 16:54. How many people do you think will remain?
So, step by step, the circle narrows, and in the end you will be able to determine the place from which the criminal accesses the network. The more often he logs into the network and the fewer other users there are at that time, the faster the timing attack will work.
What can interfere with the timing attack.
Constantly changing the point from which one accesses the network makes such an attack pointless. If the target changes these points only periodically, this can make the search more difficult, but it is a case the system allows for in advance and it is not capable of confusing the system.
We hope that our readers are not wanted criminals and do not have to wander from one cafe with public Wi-Fi to another. However, everyone should take advantage of the second tip against timing attacks: disabling the transmission of status information at the level of the messenger, or setting a permanent "offline" status. Most instant messengers provide one of these features.
If your messenger lets you hide information about your status, hide it.
An additional protection against timing attacks is to stop launching the messenger at the same time as connecting to the network. As you can understand from the description of the attack, it compares the times of connecting to and disconnecting from the network with the times of appearing online and going offline in the messenger. An error is allowed, but it should not be very large. If the target of the attack connects to Tor and starts the messenger only an hour later, it will be very difficult to link the network login and the status in the messenger. In addition, timing attacks are completely useless against the anonymous messenger Bitmessage.
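The narrowing described above and the effect of the delayed-start countermeasure, as an added simulation that is not part of the original post. The two sessions and the +/- 5 minute window come from the post; the subscriber records, the 60-minute delay applied at both ends of a session, and all function names are constructed for illustration.

```python
import random

WINDOW = 5  # minutes; the +/- 5 minute tolerance from the post

# Messenger status log from the post, as minutes after midnight:
# online 11:07 -> offline 12:30, then online 14:17 -> offline 16:54.
STATUS_LOG = [(667, 750), (857, 1014)]

def surviving_candidates(status_log, connection_log, window=WINDOW):
    """Keep only subscribers with a network session whose connect and
    disconnect times both fall within `window` of each status session."""
    candidates = set(connection_log)
    history = []  # size of the candidate set after each status session
    for online, offline in status_log:
        candidates = {
            sub for sub in candidates
            if any(abs(c - online) <= window and abs(d - offline) <= window
                   for c, d in connection_log[sub])
        }
        history.append(len(candidates))
    return candidates, history

def build_connection_log(start_delay, population=3000, seed=1):
    """Constructed data: `population` subscribers who all match the first
    window (as in the post), plus one 'target' who starts the messenger
    `start_delay` minutes after connecting and closes it equally early."""
    rng = random.Random(seed)
    log = {}
    for i in range(population):
        first = (667 + rng.randint(-5, 5), 750 + rng.randint(-5, 5))
        begin = rng.randint(600, 1100)
        second = (begin, begin + rng.randint(30, 300))
        log[f"sub{i}"] = [first, second]
    log["target"] = [(on - start_delay, off + start_delay)
                     for on, off in STATUS_LOG]
    return log

def run(start_delay):
    """Run the intersection for a given messenger start delay (minutes)."""
    return surviving_candidates(STATUS_LOG, build_connection_log(start_delay))

if __name__ == "__main__":
    for delay in (0, 60):
        cands, history = run(delay)
        print(f"delay={delay:>2} min  candidates per session={history}  "
              f"target still listed={'target' in cands}")
```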