Feeds

Tor attack nodes RIPPED MASKS off users for 6 MONTHS

Traffic confirmation attack bared users' privates - but to whom?

Secure remote control for conventional and virtual desktops

The Tor Project has warned users about a subtle attack aimed at partially uncloaking their activities on the anonymising network.

The attack, which ran from late January until early July, when it was thwarted, bears hallmarks attributed to a an attack slated for description in a cancelled Black Hat conference presentation.

However, there's been no confirmation of this from the Carnegie-Mellon University team behind the cancelled Black Hat talk, so this crucial point remains unclear.

The university pulled the hotly anticipated talk on the advice of its lawyers and the researchers behind it have been silent ever since.

The Tor Project has removed the attacking relays from its network as well as pushing out software node and client updates to prevent the same type of attack from happening again. A lot of questions remain unanswered for now, but the developers behind the anonymisation network have at least been able to put together a broad overview of what seems to have happened, as explained in an advisory (extract below).

On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up).

The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely.

News about the new attack - which may be related to security research - comes days after the Russian government set a $110,000 bounty for cracking Tor. Anonymous internet usage in Russia is surging and the Russian Interior Ministry is looking for partners skilled enough to decipher information about users on the network. Only those accredited to work on government projects need apply.

Lance Cottrell, founder and chief scientist Anonymizer.com (an “anonymiser” that precedes the Tor project), said the vulnerability at the heart of the attack was typical of its type.

“This is just another vulnerability that allows hostile Tor node operators to compromise user anonymity. It's inevitable given the architecture," Cottrell said. "Tor attempts to improve user privacy by having a large number of volunteers running their servers, and sending traffic through chains of three servers so no one person need be trusted.

“Unfortunately anyone can set up servers, and well funded attackers could set up large numbers of them. Using vulnerabilities in the Tor protocol and modified servers these attackers have and will continue to be able to unmask Tor users and hidden Tor services," he added.

The more servers an attacker owns, the greater the potential for a successful attack, the privacy expert added.

“Tor generally chooses its chains of servers randomly. If an attacker controls a large number of servers, then there is a reasonable chance that they will control both the first and last server in the chain. This allows them to quickly identify traffic flowing through Tor and connect the users with their activity.

“The last Tor node in the chain can see the direct connection to websites. If those connections are insecure or vulnerable, the attacking exit node can modify the content to send malware or trackers to the user," he concluded. ®

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.