
Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com) 150

An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with a special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user tried to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.
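The license check the summary describes is driven by DRM objects inside the file's ASF header, so a defender can spot such files before any player opens them. The script below is an added example, not code from the story or from Hacker House: it walks the top-level ASF header objects using the object GUIDs and field layout of the public ASF specification, reports whether a Content Encryption Object (which carries a plain license URL field) or an Extended Content Encryption Object (newer WMDRM data, flagged but not parsed) is present, and builds a constructed sample file so it runs offline.

```python
"""Inspect an ASF (.wmv/.wma/.asf) header for DRM objects before opening it.

Added example, not code from the story or from Hacker House. Object GUIDs and
field layout follow the public ASF specification; the sample file is
constructed here so the script runs offline.
"""
import struct
import sys
import uuid

# GUIDs from the ASF specification; on disk they use Windows mixed-endian order
HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")      # legacy DRM object
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")  # WMDRM object


def _lp_read(buf, pos):
    """Read one DWORD-length-prefixed field; return (bytes, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated length-prefixed field")
    return bytes(buf[pos:pos + n]), pos + n


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_content_encryption(body):
    """Body of a Content Encryption Object (after its 24-byte GUID+size)."""
    pos = 0
    _secret, pos = _lp_read(body, pos)       # opaque secret data, not needed here
    ptype, pos = _lp_read(body, pos)         # protection type, e.g. "DRM"
    key_id, pos = _lp_read(body, pos)
    url, pos = _lp_read(body, pos)           # the URL the player will contact
    return {"protection_type": _cstr(ptype), "key_id": _cstr(key_id),
            "license_url": _cstr(url)}


def inspect_asf(data):
    """Walk the top-level header objects; report DRM presence and license URL."""
    if len(data) < 30 or uuid.UUID(bytes_le=bytes(data[:16])) != HEADER_OBJECT:
        raise ValueError("not an ASF header")
    _header_size, count = struct.unpack_from("<QI", data, 16)
    pos = 30                                  # 16 GUID + 8 size + 4 count + 2 reserved
    report = {"drm": False, "extended_drm": False, "license_url": None}
    for _ in range(count):
        if pos + 24 > len(data):
            break                             # header shorter than it claims
        obj_guid = uuid.UUID(bytes_le=bytes(data[pos:pos + 16]))
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < 24:
            raise ValueError("bad object size")
        body = data[pos + 24:pos + obj_size]
        if obj_guid == CONTENT_ENCRYPTION:
            report["drm"] = True
            report.update(parse_content_encryption(body))
        elif obj_guid == EXT_CONTENT_ENCRYPTION:
            report["drm"] = report["extended_drm"] = True   # XML license data, not parsed here
        pos += obj_size
    return report


# --- constructed sample (not a real file) ------------------------------------
def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def _lp(b):
    return struct.pack("<I", len(b)) + b


def build_sample(license_url=b"http://license.example.invalid/acquire", drm=True):
    """Minimal ASF header with (optionally) a legacy Content Encryption Object."""
    objs = []
    if drm:
        objs.append(_obj(CONTENT_ENCRYPTION, _lp(b"\0" * 4) + _lp(b"DRM\0")
                         + _lp(b"KEY0001\0") + _lp(license_url + b"\0")))
    objs.append(_obj(uuid.UUID(int=1), b"\0" * 8))   # stand-in for any other header object
    inner = b"".join(objs)
    return HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(inner), len(objs), 1, 2) + inner


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read(1 << 20) if len(sys.argv) > 1 else build_sample()
    print(inspect_asf(blob))
```

Run it with a path to a downloaded .wmv to see the report; with no argument it inspects the constructed sample.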
  • Umm... just WMVs? (Score:4, Interesting)

    by speedplane ( 552872 ) on Thursday February 02, 2017 @08:52PM (#53792587) Homepage
    So opening a WMV in Windows Media and phoning home to a server... couldn't the same be done with Adobe Reader and PDFs? Or with countless pieces of software out there?
    • This is why the hapless Windows-using would-be criminal should be using something more idiot-resistant, not Windows and the Tor browser. Like Tails for example. That way the hapless offender's DRM-infested movie files, PDFs etc can be forced to phone-home through the Tor network. If the criminal is too hapless to evade law-enforcement, it's caveat emptor.
      • Re: (Score:3, Informative)

        by Burz ( 138833 )

        Better still is Whonix (VM isolation for both Tor and Torbrowser). TAILS may have a fancy configuration to attempt leak prevention, but privilege escalation attacks are a dime a dozen on Linux.

        • by AmiMoJo ( 196126 )

          Whonix runs in a VM on top of a host OS. VM escape flaws are a thing, and if malicious code gets out of the VM then it's running on your host OS. I guess you could have a dedicated host OS with nothing on it. Anyway, running code in a VM is not without risk.

          Booting Tails directly on the machine has a few advantages. Nothing saved to disk, no evidence you even ran it.

          Neither system is perfect and both have their advantages.

          • Neither system is perfect and both have their advantages.

            and *both* are vastly better than plain Tor on otherwise vanilla Windows host.
            -nB

          • by Burz ( 138833 )

            Running code isolated by a bare-metal VMM like Xen is much better than running it in bare-metal Linux from a security standpoint. Comparing Linux and Xen vulns, there is a stark contrast. And that is even before one subtracts DOS and vulns in superfluous Qemu components.

            So, yes, VM breakout "is a thing", but mainly on hypervisors that were designed to run on top of a complex OS and dedicated foremost to administrative convenience.

            Tails has the drawback that its vulnerable to DMA attacks, i.e. if your NIC or

    • Re:Umm... just WMVs? (Score:5, Informative)

      by Gadget_Guy ( 627405 ) on Thursday February 02, 2017 @10:48PM (#53793037)

      The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

      • And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.
        Maybe an esoteric proxy configuration that only works with a manually configured browser could do?

        But the easiest option is just to ditch windows if you're serious about security. And maybe also modern x86-based CPUs, since they usually contain ring -2 to -5 coprocessors with DMA, network access, and other niceties.
        • Re:Umm... just WMVs? (Score:5, Informative)

          by Gadget_Guy ( 627405 ) on Friday February 03, 2017 @02:49AM (#53793673)

          And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.

          If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's aggressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.

          That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that is just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.

          • I tested it against the telemetry traffic using an external capture, and it was all blocked. The complaint about that setup has always been that MS could tweak it at any time.
          • And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.

            If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's aggressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.

            That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that is just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.

            In Linux it's fairly trivial to set up the firewall to block all egress except via a VPN; you configure it so that only the VPN can egress via the physical network adaptor (e.g. eth0), restricting port and destination IP address. Then allow traffic via the tun device used by OpenVPN. In this way you can't accidentally leak anything outside the VPN.

            How do you do that in Windows? I never saw any ability to do firewalling by network adaptor.

            Thanks

            • How do you do that in Windows? I never saw any ability to do firewalling by network adaptor.

              You can limit any firewall rule to work on one or more interface types on the Advanced tab of the rule's properties. This isn't quite as good as specifying the adaptor if you have really complicated networks, but it does the trick for 99.9% of cases. The three interface types are (as copied from the help file for the firewall):

              Local area network
              The rule applies only to communications sent through wired local area network (LAN) connections that you have configured on the computer.

              Remote access
              The rul

        • Or you could trust your HARDWARE firewall, not the Windows OS firewall, to do that.
          • But how does the hardware firewall block specific applications from accessing the Internet?

            By granting internet access on a per application basis with the software firewall, I don't have to worry about bugs or unintended consequences of some program having network access that I didn't expect. My media player only ever plays files from my computer, so I have never needed to grant it permission to talk to arbitrary servers, so this trick would never have affected me. It's a great way of neutering malware and ba

          • by tepples ( 727027 )

            What pocket-size hardware firewall do you recommend for use with a laptop computer?

            • NextThingCo CHIP would be great for something like that. It's literally pocket sized, has built-in WiFi, and two interfaces at that - so one can connect to the external network, while the other one serves as an API, with the device serving as a bridge/firewall between the two. And it costs $10 (although you need to bring your own battery).

              You'd have to set this all up yourself, though.

      • by sudon't ( 580652 ) on Friday February 03, 2017 @08:15AM (#53794471)

        The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

        And avoid both DRM and Windows like the plague, even if you're not doing something that would get you in trouble with your government.

      • Or use a TOR hardware device to make sure ALL traffic headed out your NIC is anonymized...

      • by chihowa ( 366380 )

        Speaking of firewalls, does anyone know of an application-level egress firewall, like Little Snitch [obdev.at], for Windows or Linux?

    • "Or with countless pieces of software out there?"

      Exactly! That's why one should use a VPN on top of TOR. (or under in this case:-)

      • "Or with countless pieces of software out there?"

        Exactly! That's why one should use a VPN on top of TOR. (or under in this case:-)

        VPN into Tor then VPN through Tor. Then use 7 proxies.

    • The issue here is that the DRM process pings a custom server. Most modern software doesn't randomly let the content creator reach the public internet. E.g. doing this in Acrobat would result in a confirmation being presented to the user that content is about to be retrieved from the internet.

      Most of this software also needs to be installed, whereas Windows just exists on many target devices already.

  • by Crashmarik ( 635988 ) on Thursday February 02, 2017 @08:55PM (#53792595)

    Of course that means the FBI has to be able to host the files on the server, and has to have sufficient control to deliver a uniquely keyed file to the users they wish to target. Sort of implies you have hit a honeypot if they get you with that.

    • Or they can just host the file on the CP server and get a list of people who have downloaded it. That doesn't prove anything but it gives them leads in terms of people they should investigate. If I were a judge, I would consider this probable cause. An AC has pointed out a way that this could be abused by dishonest LE and I don't see a good solution for that, unfortunately. But I struggle with the idea that we object to every tool that law enforcement uses even when done judiciously.
      • I don't know that I am comfortable with that. Should everyone who bought a copy of the Anarchist's cookbook expect a higher level of surveillance ?

        • I don't know that I am comfortable with that. Should everyone who bought a copy of the Anarchist's cookbook expect a higher level of surveillance ?

          I don't think so...
          But if you downloaded it illegally?
          Well, it might be bad policy to short an Anarchist's royalty check...
          Oh, don't mess with the Alchemists either...

        • It seems to be heading that way, the general idea being why would you be downloading it in the first place if not to create explosives. Yes I know, curiosity and all that, besides the fact that there is a lot more to the cookbook than blowing stuff up.
        • Didn't you download that over Tor??
        • No, because buying the Anarchist's Cookbook isn't illegal. Setting up surveillance of people who bought the book is a form of harassment. This is more the equivalent of the police busting an illegal gun dealer and then writing down the license plates of people who show up there over the next few days. It doesn't mean those people are guilty but it does give them leads on who some of the customers might be. And they will investigate whoever shows up to buy an illegal gun.
  • Quick Workaround (Score:5, Interesting)

    by gavron ( 1300111 ) on Thursday February 02, 2017 @08:58PM (#53792601)

    1. Determine which TOR-nodes you're talking to. (Netstat or Ethereal)
    2. Remove default route through your ISPs router
    3. Add specific routes to the /32s the TOR-nodes are on through the ISP router

    Traffic routed through TOR will work fine.
    Traffic going outside of TOR will fail except for the local network (your home or office LAN).

    E
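Step 1 of the workaround above, plus a check that nothing is talking past Tor, can be automated. This is an added example and not the commenter's code: it parses constructed `ss -tn`-style output, classifies each peer as a known Tor relay, loopback, LAN or a leak, and emits the /32 host routes from steps 2 and 3. The relay and peer addresses are constructed RFC 5737 documentation values; on a real machine the relay set comes from the local Tor client and must be refreshed as circuits rotate.

```python
"""Find outbound sockets that bypass Tor, and emit the per-relay host routes.

Added example (not the commenter's code). Relay and peer addresses below are
constructed RFC 5737 documentation values; on a real host the relay set comes
from the Tor client (it changes as circuits rotate) and the socket table from
`ss -tn` or `netstat -tn`.
"""
import ipaddress

# Constructed: relays the local Tor client is currently connected to
TOR_NODES = {"203.0.113.10", "198.51.100.42"}

# Networks allowed to be reached directly (the local LAN)
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]

# Constructed `ss -tn` output: a Tor circuit, two SOCKS hops into the local
# Tor daemon, a LAN file share, and one plaintext HTTP request outside Tor.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.1.20:51234   203.0.113.10:9001
ESTAB  0      0      127.0.0.1:51240      127.0.0.1:9050
ESTAB  0      0      [::1]:51270          [::1]:9050
ESTAB  0      0      192.168.1.20:51250   192.168.1.1:445
ESTAB  0      0      192.168.1.20:51260   198.51.100.77:80
"""


def _split_endpoint(endpoint):
    """'[::1]:9050' -> ('::1', 9050); '1.2.3.4:80' -> ('1.2.3.4', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Yield (local_ip, local_port, peer_ip, peer_port) per socket line."""
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        local_ip, local_port = _split_endpoint(fields[3])
        peer_ip, peer_port = _split_endpoint(fields[4])
        yield local_ip, local_port, peer_ip, peer_port


def classify(peer_ip, tor_nodes=TOR_NODES, lan_nets=LAN_NETS):
    """Anything that is not loopback, a known relay or the LAN is a leak."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.is_loopback:
        return "loopback"
    if peer_ip in tor_nodes:
        return "tor"
    if any(addr in net for net in lan_nets):
        return "lan"
    return "LEAK"


def find_leaks(text, tor_nodes=TOR_NODES, lan_nets=LAN_NETS):
    """Return [(peer_ip, peer_port)] for sockets that did not go through Tor."""
    return [(pip, pport) for _, _, pip, pport in parse_ss(text)
            if classify(pip, tor_nodes, lan_nets) == "LEAK"]


def route_commands(tor_nodes, gateway):
    """Steps 2-3 of the workaround: host routes to each relay, then drop the
    default route (in that order, so live circuits are not cut first)."""
    cmds = [f"ip route add {ip}/32 via {gateway}"
            for ip in sorted(tor_nodes, key=ipaddress.ip_address)]
    cmds.append("ip route del default")
    return cmds


if __name__ == "__main__":
    for peer in find_leaks(SAMPLE_SS):
        print("LEAK outside Tor:", peer)
    print("\n".join(route_commands(TOR_NODES, "192.168.1.1")))
```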

    • install Linux. Heck, in a VM if you're lazy.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        stop using IE (physically break it)
        stop using windows
        stop using .asf .wma .wmv files. seriously these formats should be erased from existence!!!
        deny all media players access to the web. seriously no video or music HAS to have access to the internet unless it has drm shit. and you should NEVER buy drmed music or videos. if you want lyrics, open your browser.

        • by amiga3D ( 567632 )

          If all else fails you could try obeying the law.

          • by cdrudge ( 68377 )

            If all else fails you could try obeying the law.

            From the summary:
            "target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos"

            Last I checked, merely viewing propaganda videos, product demos, or news videos is not illegal. At least not yet.

        • by allo ( 1728082 )

          > stop using IE (physically break it)
          I am not sure you know what physically means.

      • by Burz ( 138833 )

        install Linux. Heck, in a VM if you're lazy.

        In a VM if you're smart.... https://www.qubes-os.org/ [qubes-os.org]

      • It's sufficient to install a tor proxy in a VM and use that as the network VM. No more leaking.
    • Except you probably don't want to do this on the machine you are going to watch Netflix on while waiting for the download to complete.
      • by rtb61 ( 674572 )

        So watch netflix on your Android TV, whilst doing other stuff on your computer. I do this all of the time, well, not netflix, but streamed youtube et al, whilst gaming, shopping etc. and no, I do not want corporations spying on me, I do not want them to install software without my specific permission, nor do I want them to delete content without my permission. You can see it coming, the only copy of a wedding video, fresh from the camera, stored on windows and because ohh ahh copyrighted music for which the

    • by AHuxley ( 892839 )
      Revert back to an OS that will not live preview your files.
      Any file could have a link that gets used on any modern OS trying to help with a search by showing a preview of that file "live" during desktop search results.
    • Or just stop using Windows.

    • by AmiMoJo ( 196126 )

      Problem is Tor likes to switch nodes at least every 15 minutes.

      A better option is to route everything through a router running Tor. Nothing can avoid going through it, no matter how compromised your machine becomes nothing can bypass it to get your real IP address.

      • by pnutjam ( 523990 )
        Bingo, all this stuff should be at the router level. I have a very nice pfsense setup, with one active NIC. Any machine using it as a gateway goes right out the VPN, no other option. Anything pointed at the regular gateway, ignores the VPN and doesn't even know it's there.
    • by allo ( 1728082 )

      useful workaround:

      # the owner match is what iptables provides for per-user rules; --dport needs a protocol
      iptables -A OUTPUT -m owner --uid-owner vpnuser -p tcp -d 127.0.0.1 --dport 9050 -j ACCEPT
      # everything else from that user is refused, so nothing leaks past the Tor SOCKS port
      iptables -A OUTPUT -m owner --uid-owner vpnuser -j REJECT

      and tor running as another user.

      • If you are using firewalld and want a more permanent solution, you can add the following to /etc/firewalld/direct.xml

        <?xml version="1.0" encoding="utf-8"?>
        <direct>
        <chain table="filter" chain="NONET_DENY" ipv="ipv4"/>
        <rule table="filter" chain="NONET_DENY" ipv="ipv4" priority="0">--match owner '!' --gid-owner nonet --jump RETURN</rule>
        <rule table="filter" chain="NONET_DENY" ipv="ipv4" priority="1">--destination 127.0.0.1 --jump RETURN</rule>
        • by allo ( 1728082 )

          For a really sophisticated solution, have a look into "ip rule", the "fwmark" option of iptables and matching cgroups.

          The advantage: What is in a cgroup stays in a cgroup. Even when a program changes user, its process and children are still in the cgroup.
          Of course, whoever is able to control the cgroup(s) can reassign the processes. So you may consider having root put the process in a cgroup, which it cannot escape without root privileges.

  • by Anonymous Coward on Thursday February 02, 2017 @09:24PM (#53792693)

    So tired of these stories making reference to pedos. Sure they exist, but every time the govt is caught spying, the media trots out the pedophiles to justify it. Not everyone who views "questionable" content is a crook. I've read plenty of articles, and watched plenty of videos, on how to make bombs and explosives, yet have never actually made one. Nor do I ever plan to do so. Forbidden knowledge and all that.....

  • by maggotbrain_777 ( 450700 ) on Thursday February 02, 2017 @09:44PM (#53792759) Homepage Journal
    This is kind of no-brainer since it says, right in the Tor Browser FAQ [Section B], not to torrent while using the browser:

    "Don't torrent over Tor
    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else."


    https://www.torproject.org/download/download.html.en#warning [slashdot.org]
    • by wbr1 ( 2538558 )
      Ummm... for this attack it does not matter whether the media file is hosted on a torrent or any other service. It is not the act of downloading it that de-anonymizes, it is opening the file and the player dials home for a DRM check.
  • by Somebody Is Using My ( 985418 ) on Thursday February 02, 2017 @09:45PM (#53792763) Homepage

    The Windows media player - at least through Windows 7 - had an option to "download usage rights automatically when I play or sync a file". I wonder if this "attack" still takes place if this feature is not enabled.

    • Re:WMP Settings (Score:4, Interesting)

      by The-Ixian ( 168184 ) on Friday February 03, 2017 @09:40AM (#53794975)

      I was thinking the same thing. I always uncheck all those boxes when I launch WMP for the first time.

      Though really, I don't think I have launched WMP in years... why bother when you have VLC?

      VLC is associated with all of the media file types that Windows knows about, so is the DRM-laden WMV (or whatever) able to call WMP explicitly when you launch it? I don't think that is how it works. Even if it did, if you have never run WMP before, you will get the first run dialog which has the option you mention plain as day as a checkbox.

      Seems like this tracking mechanism is to catch total morons.

  • by zugmeister ( 1050414 ) on Thursday February 02, 2017 @09:52PM (#53792793)

    For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography.

    Apparently it's no longer even worth noting that representatives of the US government will run a child porn site offering downloads!
    Again.
    Yes, "pretending". So a honeypot without honey. That'll get real far now won't it?

    • by amiga3D ( 567632 )

      They're only skimming the most ignorant off the top of the cesspool.

    • I don't necessary support the practice but it does seem to be SOP that, when the government busts a CP site, they continue to run it for a period of time in hopes of catching the users. The honeypot will likely have honey in some cases. Well at least if one considers CP honey. I consider it poison.
    • by Anonymous Coward

      I'd like to see a slashdot article on honeytraps. No, I'm not an expert at identifying and avoiding them.

  • by AHuxley ( 892839 ) on Thursday February 02, 2017 @10:07PM (#53792857) Journal
    Why not just get a list of all this week's files of interest found on the net. All the files of interest created and shared over a few days.
    Give the checksums to all the big US OS brands to add to their new OS AV efforts.
    Record every IP that responds to a checksum as part of anti virus spread tracking if the user "allowed" such self reporting to the OS.
    Use the advanced and near instant indexing on most modern OS to report the file when it is opened and have the users OS report that file on the OS brand?
    Remove and replace the checksum list for next week so it will not slow any modern computer down.
    Any advanced user could test the file in any way and find no issue.
    A new OS AV update of a few megabytes spread over a few days per week could hold how many new file checksums per week every week?
    The OS would do all the reporting on an average user who trusted the OS brand with AV.
    • by Anonymous Coward on Thursday February 02, 2017 @11:01PM (#53793091)

      Next? There's a high likelihood this is already happening in Windows 10. Every time you open a file, Windows 10 is sending unknown "telemetry" back to the mother ship. Those Windows Defender and Microsoft Security Essentials updates you get every day? They're hash lists. You can bet your ass those lists contain more than just virus signatures, and matches are being recorded somewhere.

  • Opsec (Score:4, Insightful)

    by Orgasmatron ( 8103 ) on Thursday February 02, 2017 @10:58PM (#53793081)

    If you require perfect opsec all the time, you are doomed eventually.

    Also, who the hell does this? The only sane way to use TOR for something dangerous is on a machine that has never and will never be connected to the internet directly or through NAT. And that computer's only network jack should be plugged into a disposable router running a bootable live system that does all-TOR all-day.

    In other words, even if the client computer is trying to turn you in, which it is, it shouldn't know anything other than the reserved/private IP that your router gives it and the IP or onion address your browser is visiting.

  • But if you're doing anything interested on the 'net, you should use a more secure system (I'd recommend not-Windows, but etc.) that would've indicated this attempt so articles like this aren't necessary to protect your browsing history. I've heard so many people outside the computer industry decry our attempts to tell them that the Internet, much like the real world, isn't a nice place. Well, the present is always evolving, so have faith if you will, but this is the current landscape.
  • Law enforcement should be not allowed to host child porn, even if it is trapped. It is clearly entrapment. IMO this is clearly a serious breach of the laws. If the material is illegal, then law enforcement should not be allowed to present it to the public. It presents a danger to the casual web surfer that is artificially implanted. The material is illegal. Period. No honeypots should be allowed.

    • I'm down to entertain the conspiratorial, but I assume that the U.S. federal agencies infiltrated hosts with illegal material and then protected the files in a way as to record hosts that opened the file. I'm not a lawyer, but there's probably an argument to be made dependent on whether someone creates or assumes control of this entrapping honeypot. They probably didn't take out advertising or publish original material.
    • Distributing child porn, when done by the FBI, may be illegal. I don't feel like reading the statute right now, many laws have exceptions for law enforcement in the course of their duties.

      That, however, has nothing whatsoever to do with entrapment. Entrapment is when a person with no intention of committing any crime is induced to do so by the police.

      If a person decides of their own free will to go to a child porn site and start downloading videos called "12 year old fucked.wmv" there is no entrapment. The

    • It's not entrapment, because they're not inducing people to do something they wouldn't already do. Just like if they have a fake prostitute or drug-dealer who is actually a cop. If you walk up and ask for services, you're busted. If they don't approach you and start offering rather enthusiastically, it's not entrapment.

      Now if they start sending people with banner ads "hey come to nasty site X", running sketchy redirects from legit adult sites, etc, then THAT is entrapment. People who went to the site willin

  • I find it funny how all the work arounds listed no one suggested the best work around. Use linux, don't use windows.

    • by AHuxley ( 892839 )
      Depends on a few files can be added in a long list of files in the one gets the past any software outgoing firewall as it looks like its "part" of the OS?
      Download an archive of many, many files. 10 files don't work out of many?
      One phones home on OS X, Windows, Linux when clicked on or opened or searched for and a live preview is created with spotlight?
    • by ruir ( 2709173 )
      Have you ever heard about systemd? Seems an excellent idea...
  • trusting your tor traffic to a closed source OS?

    what could possibly go wrong...

  • This has the usual problem.

    It assumes an IP address can be traced to a particular user and only that user; this is not the case.

    There could be openwireless.org nodes, Tor exit nodes, proxies, malware, badly secured/open access points or god knows what else.

    The idea that an IP address is evidence of identity of the downloader has always been problematic at best.
  • Malware makers have used DRM'd WMVs to launch IE to the exploit page of their choice for more than a decade, maybe two. The only media player I know dumb enough to load it by default is Microsoft's own, if you use VLC or really any other player you're safe.
