Feeds

Tor attack nodes RIPPED MASKS off users for 6 MONTHS

Traffic confirmation attack bared users' privates - but to whom?

Providing a secure and efficient Helpdesk

The Tor Project has warned users about a subtle attack aimed at partially uncloaking their activities on the anonymising network.

The attack, which ran from late January until early July, when it was thwarted, bears hallmarks attributed to a an attack slated for description in a cancelled Black Hat conference presentation.

However, there's been no confirmation of this from the Carnegie-Mellon University team behind the cancelled Black Hat talk, so this crucial point remains unclear.

The university pulled the hotly anticipated talk on the advice of its lawyers and the researchers behind it have been silent ever since.

The Tor Project has removed the attacking relays from its network as well as pushing out software node and client updates to prevent the same type of attack from happening again. A lot of questions remain unanswered for now, but the developers behind the anonymisation network have at least been able to put together a broad overview of what seems to have happened, as explained in an advisory (extract below).

On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up).

The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely.

News about the new attack - which may be related to security research - comes days after the Russian government set a $110,000 bounty for cracking Tor. Anonymous internet usage in Russia is surging and the Russian Interior Ministry is looking for partners skilled enough to decipher information about users on the network. Only those accredited to work on government projects need apply.

Lance Cottrell, founder and chief scientist Anonymizer.com (an “anonymiser” that precedes the Tor project), said the vulnerability at the heart of the attack was typical of its type.

“This is just another vulnerability that allows hostile Tor node operators to compromise user anonymity. It's inevitable given the architecture," Cottrell said. "Tor attempts to improve user privacy by having a large number of volunteers running their servers, and sending traffic through chains of three servers so no one person need be trusted.

“Unfortunately anyone can set up servers, and well funded attackers could set up large numbers of them. Using vulnerabilities in the Tor protocol and modified servers these attackers have and will continue to be able to unmask Tor users and hidden Tor services," he added.

The more servers an attacker owns, the greater the potential for a successful attack, the privacy expert added.

“Tor generally chooses its chains of servers randomly. If an attacker controls a large number of servers, then there is a reasonable chance that they will control both the first and last server in the chain. This allows them to quickly identify traffic flowing through Tor and connect the users with their activity.

“The last Tor node in the chain can see the direct connection to websites. If those connections are insecure or vulnerable, the attacking exit node can modify the content to send malware or trackers to the user," he concluded. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.