HomeBlogskillswitch's blog

Adversary Resistant Systems

22 July, 2015 - 11:56 — killswitch

The world has been shaken in 2015. First the Office of Personnel Management lost everything it had on four million Americans with security clearances. Then Italy's Hacking Team lost control of the entire contents of their corporate systems. Then in quick succession NYSE and United Airlines were down, around the same time an outsider managed to send commands to a Turkish Patriot missile battery deployed in the field.

Among the Hacking Team treasures was the source code for Remote Control System, a piece of second string espionageware, not quite as capable as Duqu or Flame, but still quite dangerous in the hands of an entity with good operating discipline. Along with the C&C (command & control) the world also got to see the range of methods used to compromise target systems. Among these was an appliance for man on the side attacks – a Corruptor-Injector Network tool.

We started to understand how dangerous things had truly become thanks to Snowden's leak in 2013. Now with the Hacking Team intrusion we can see the full spectrum of tools and methods employed by a small but skilled surveillance dragnet operator. No amount of legislation or law enforcement is going to fix problems like this unless it also utterly breaks the good stuff the Internet does.

What the world needs are Adversary Resistant Systems, and there are a number of grassroots projects that already provide quite a bit of functionality.

Adversary Resistant Computing:

There are three well known adversary resistant computing platforms which you could download and start using today.

TAILS is short for The Amnesiac Incognito Live System, a live CD/USB system that enforces use of the Tor anonymization network and which, as the name implies, keeps nothing locally between sessions. This distro is about 900 megs and built to run on the smallest Atom based netbooks.

Whonix is another Tor focused system but it is served up as a pair of 1.5 gig virtual machines in OVA format, suitable for import into the free VirtualBox type two hypervisor. The gateway VM provides routing, firewall, and the Tor anonymizing network. The workstation, completely separate from any network duties, can not provide any information about the host OS such as public IP or actual MAC address. This thwarts both geolocation and equipment purchase tracking.

Qubes is a type one hypervisor, a 'bare metal' solution based on Linux + Xen. This system boots to a graphical environment that has no network connection at all, connectivity is provided by a NetVM that accesses hardware, a ProxyVM that implements services such as Tor or a VPN, and workstations. Templates are provided so users can create workstations from a Fedora or Debian install and there is an alpha grade port of the Whonix system which is currently in need of a maintainer.

Adversary Resistant Networking:

There are two well known anonymizing networks supported by both TAILS and Whonix, namely Tor, The Onion Router, and I2P, the Invisible Internet Project. Cryptostorm's Zero Customer Knowledge VPN service is the third worthy contender in this category.

Tor was created at the U.S. Naval Research Laboratory and released to the public in 2004. This system provides a local SOCKS5 proxy that can access the clearnet via about 400 volunteer run Tor exit nodes. There is an internal addressing scheme where site operators can create .onion domains and these sites are used for all sorts of hosting, most notably for the dozen dark net markets that have sprung up in the wake of the takedown of the first two iterations of Silk Road, an online cybercrime/drug/weapons market.

I2P, the Invisible Internet Project, is similar to Tor in some ways, but there is no generalized access to the clearnet, so the primary function is for operators to create eepsites, which are similar to Tor hidden services, but ending with the extension .i2p instead of .onion. This network is a purely grassroots effort so it isn't nearly as large or as fast as Tor, but it has become more hidden site operator friendly with the publication of headless I2P software meant for virtual servers.

Cryptostorm provides a service that is superficially similar to other VPN providers, but there are important differences. These include:

Zero Customer Knowledge – instead of a userid/password subscribers purchase digital tokens, then use the hashed token as their username and no password. Other VPNs vow that they do not log, Cryptostorm simply avoids ever having enough information about its subscribers to do that.

Value added access and filtering – when the webrtc/STUN leak became public in early 2015 Cryptostorm had modifications to block this exposure within thirty six hours. When it became the Certificate Revocation Lists (CRLs) were being used to attack browsers they were immediately 100% filtered across the network. It is a testament to the hazard they CRLs represent that this change went entirely unnoticed by subscribers.

Hidden service in the Tor and I2P networks may be accessed directly via the Cryptostorm network, thanks to built in application proxies that translate requests for subscribers. There is room to debate the value of that versus local installation of Tor and I2P, but the service is present and no other VPN provider can make that claim.

Adversary Resistant Hosting:

Hardening operating systems is offering a tool, network transport for encrypted traffic is providing a service without being aware of the content, but hosting is an entirely different matter. Content may be politically provocative or even outright criminal in some jurisdictions. Servers are in datacenters, subject to law enforcement seizure and continued operation as watering hole attack locations against visitors.

There have long been “bullet proof” hosting companies, located in jurisdictions with permissive laws and little enforcement, promising that operators will never be shut down due to administrative action. Existing at the fringes of polite society, they are as likely to rootkit and rob interesting sites as provide them the promised service level. Tor's ability for hidden services to conceal what a server actually does has cut into the business of such companies, making it possible to host questionable content at major providers like Rackspace, OVH, or Digital Ocean.

The shining example of journalism/whistleblower oriented adversary resistant hosting is Secure Drop, an architecture created by the late Aaron Swartz, who committed suicide after being subject to overzealous prosecution. The system is now maintained by Freedom of the Press Foundation.

Two other notable hosting service developers are Thomas White of CthuluSec and LulzSec veteran Donncha O'Cearbhaill, both of whom do research on hardening hidden services in the Tor network.

Conclusion

The militarization of cyberspace has been creeping up on us for a number of years now. The United States has pursued a failed strategy in the construction of CYBERCOM, attempting to build a deterrent, an analog to the role nuclear weapons played during the Cold War.

The Soviet Union's denied areas of the 1970s, thanks to satellite imagery and social media, are now accessible in a way the CIA could only dream of forty years ago. The shining example is Bellingcat's crowdsourced effort to identify who shot down MH17, and the grubby example is the smash & grab job on Hacking Team, who richly deserved such treatment.

The problems the Internet faces today will not be solved using lessons we learned in the Cold War. The only remedy when facing a network threat is to build a better network to face it.