Tor hints at possible U.S. government involvement in recent attack

Anonymity network hacked with sophisticated traffic correlation technique.

Hackers attacked the infrastructure of Tor, the anonymizing service, earlier this month in an incident that may have compromised a number of hidden services, according to an announcement posted today by the Tor Project's director, Roger Dingledine.

Dingledine said that it's possible the attack wasn't carried out with malicious intent, although the effect is harmful in any case, potentially weakening Tor's encryption and making it more vulnerable to a state actor attempting to compromise it.

"If the attack was a research project, it was deployed in an irresponsible way because it puts users at risk indefinitely into the future," he said, suggesting that the researchers behind a recently cancelled talk scheduled for Black Hat 2014 may be behind the attack.

"In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was," Dingledine wrote.

The researchers in question are part of a team at Carnegie Mellon University that "works closely with the Department of Homeland Security," according to a Washington Post report by Andrea Peterson from last week on the cancellation of the Black Hat talk.

Tor operates as a large-scale proxy network, encrypting and routing web communications through a series of randomized hosts around the world to protect the identities of users and obfuscate their activities from surveillance. Tor also provides the option of so-called hidden services, which use servers configured to accept incoming connections only from the Tor network, allowing for secure email and the like.

Tor is reliant on volunteers to host relay nodes, allowing anyone to sign up and turn their computer into a part of the network. The attackers took advantage of this facet of Tor, adding relays running malicious software to the network and specifically targeting hidden services. The malicious relays sent specially encoded extra data in the cell headers, allowing other attacking nodes to identify which users were requesting which hidden service.

It's a type of traffic correlation attack, according to Tor: the principle is to modify the message sent into the system and watch for a message with that modification coming out the other end. It's a bit more sophisticated than previous attempts, however, which targeted application-level payloads rather than headers.

"Those attacks don't work in the other direction (from the exit relay back towards the client), because the payload is still encrypted at the entry guard," Dingledine wrote. "But because this new approach modifies ('tags') the cell headers rather than the payload, every relay in the path can see the tag."

The Tor project has since removed the offending nodes, and pushed a software update that prevents the specific type of attack used from functioning. The principle, however, remains intact, and Dingledine warned that similar techniques are likely viable.
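The following toy model is an added illustration, not Tor's code or wire format, of the point in Dingledine's quote and of the kind of check a software update can add: a change to the payload stays hidden from the guard behind the remaining onion layers, while a mark in the unencrypted cell header is seen by every relay. The hop names, the XOR "onion layer", the `TAGGED` command value and the outbound-only rule are all constructed assumptions.

```python
# Added toy model (not Tor's code or wire format): why a payload change is
# invisible to the guard but a header tag is visible to every relay, plus a
# guard-side rule that drops a circuit carrying an inbound header value that
# the (assumed) protocol never sends in that direction.
import os

HOPS = ["guard", "middle", "exit"]            # client -> guard -> middle -> exit
KEYS = {hop: os.urandom(32) for hop in HOPS}  # constructed per-hop keys
OUTBOUND_ONLY = {"TAGGED"}   # assumed rule: this header value never travels inbound
PLAINTEXT = b"reply from a hidden service"    # constructed sample cell body

def layer(key: bytes, data: bytes) -> bytes:
    """Toy onion layer: XOR with a repeating key. Stand-in for AES-CTR, not secure."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def relay_inbound(cell: dict, hop: str) -> dict:
    """A relay on the return path adds its layer to the payload only; the header
    is in the clear, so whatever the previous hop put there passes through."""
    return {"cmd": cell["cmd"], "payload": layer(KEYS[hop], cell["payload"])}

def client_decrypt(payload: bytes) -> bytes:
    for hop in HOPS:                          # client peels all three layers
        payload = layer(KEYS[hop], payload)
    return payload

def guard_should_drop(cell: dict) -> bool:
    """Guard-side check: tear down the circuit when an inbound cell carries a
    header value that should only ever appear in the outbound direction."""
    return cell["cmd"] in OUTBOUND_ONLY

def run(tag_header: bool, flip_payload: bool) -> dict:
    """The exit sends one cell back toward the client, optionally marking the
    header or the payload; report what the middle, the guard and the client see."""
    body = PLAINTEXT
    if flip_payload:                          # payload-level mark: flip one bit
        body = bytes([body[0] ^ 0x01]) + body[1:]
    cell = {"cmd": "TAGGED" if tag_header else "DATA", "payload": body}
    at_middle = relay_inbound(cell, "exit")   # exit adds its layer, middle receives it
    at_guard = relay_inbound(at_middle, "middle")
    at_client = relay_inbound(at_guard, "guard")
    return {
        "middle_sees_tag": at_middle["cmd"] != "DATA",
        "guard_sees_tag": at_guard["cmd"] != "DATA",
        # the guard holds only its own key, so the payload remains opaque to it
        "guard_reads_payload": layer(KEYS["guard"], at_guard["payload"]) == body,
        "guard_drops": guard_should_drop(at_guard),
        "client_plaintext": client_decrypt(at_client["payload"]),
    }
```

Run `run(False, True)` to see that a bit flipped at the exit reaches the client but gives the guard nothing to correlate on, and `run(True, False)` to see the header mark visible at both relays and caught by the drop rule.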

"So the good news is traffic confirmation attacks aren't new or surprising," he said. "But the bad news is that they still work."

Stories by Jon Gold