Tor points finger at US researchers after possible compromise of service

Was attack connected to cancelled Black Hat presentation?

In a year, Tor has turned from a celebrated global anonymity service into a full-scale privacy battleground, under attack from suspicious Feds and abused by criminals, while last week we learned that even the Russian Government hates it.

The latest sign of trouble, revealed by Tor's overseers in a blog post on Wednesday, is news of a sophisticated and possibly successful attempt to unmask the identity of people using the service, which they have laid at the door of "irresponsible" researchers connected to the US Government.

In a post on the Project's website, Tor's techies attempt an explanation of what they think happened after a clutch of rogue relays - now disconnected - joined the service on 30 January 2014, and who might have been behind it.

Their best guess is that the attackers were somehow connected to a presentation by Alexander Volynkin and Michael McCord, two researchers from Carnegie Mellon's Software Engineering Institute (SEI), that was due to be given at the forthcoming Black Hat security conference but was cancelled without explanation earlier this month.

Why the presentation was nixed is not clear but Black Hat's organisers were reportedly told that it had not been approved by Carnegie Mellon University. At that time, Tor said it was aware of weaknesses exploited during the research.

Tor said it still couldn't be absolutely sure who was behind the attack, so the CMU connection remains a hunch and not a fact, we should make clear.

"We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how 'relay early' cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild," said Tor's organisers in the blog on the topic.

"They haven't answered our emails lately, so we don't know for sure - in fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was."

In other words, the type of compromise being worked on bears some resemblance to that which was detected by Tor. It's far from conclusive.

The bad news is that Tor isn't even sure exactly what might have been compromised by the attack, simply that it happened between 30 January and the moment it was stopped on 4 July, a potential window of several months.

The Project's explanation is fairly technical but involves two types of incursion: a 'traffic confirmation attack' and a 'Sybil' attack.

The "neat" confirmation attack is most simply described as an attempt to add rogue relays to Tor in order to use them to work out which user IP addresses are using the service. According to Tor, this can't be used to detect which sites were visited or the content of those sites. But because the rogues operated for several months, anyone who used Tor during this time could in theory have been unmasked.

The 'Sybil' attack was an attempt to insinuate a block of 115 relays as 'guard' relays as the system rotated them into use. Because this block accounted for around 6.4 percent of Tor's guard capacity, they would have been used by a large number of users over time.

"While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected," Tor's post said. "Unfortunately, it's still unclear what 'affected' includes."

The enemy here is uncertainty. Tor knows it was attacked and roughly how but can't work out what effect this might have had on users. Tor said it would form a group to devote more time to looking for malicious relays as well as issuing a software update for relays themselves to reduce the system's vulnerability.
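The kind of check a relay-watching group would run is easy to sketch. The example below is added for illustration and is not Tor's code or the Project's actual detection tooling; it scans a constructed, consensus-like list of relays (fingerprint, guard flag, bandwidth, first-seen date, all invented) for a cohort that appeared on the same day and computes that cohort's share of total guard bandwidth, the figure the article reports as around 6.4 percent for the 115-relay block. Thresholds and field names are assumptions.

```python
"""Toy scan of a relay list for a Sybil-style block of guards.

Added example, not Tor's code. The records mimic a few fields of a Tor
network-status consensus; every value below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: a long-running baseline population plus a block of
# relays that all appeared on the same day with near-identical bandwidth,
# the signature the article describes for the 30 January 2014 block.
BASELINE = [
    {"fp": f"OLD{i:04d}", "guard": True, "bw": 5000, "first_seen": date(2013, 3, 1)}
    for i in range(40)
]
SUSPECT_BLOCK = [
    {"fp": f"NEW{i:04d}", "guard": True, "bw": 1200, "first_seen": date(2014, 1, 30)}
    for i in range(12)
]
RELAYS = BASELINE + SUSPECT_BLOCK


def guard_share(relays, members):
    """Fraction of total guard bandwidth contributed by the relays in `members`.

    Guard selection is bandwidth-weighted, so this fraction approximates how
    often a client would pick one of these relays as its entry guard.
    """
    total = sum(r["bw"] for r in relays if r["guard"])
    part = sum(r["bw"] for r in relays if r["guard"] and r["fp"] in members)
    return part / total if total else 0.0


def same_day_cohorts(relays, since, min_size):
    """Group relays first seen on or after `since` (ISO date) by their first-seen day.

    Returns only cohorts of at least `min_size` relays; a large group of guards
    appearing on one day is the cheap, high-signal heuristic worth a human look.
    """
    cutoff = date.fromisoformat(since)
    by_day = defaultdict(list)
    for r in relays:
        if r["first_seen"] >= cutoff:
            by_day[r["first_seen"]].append(r)
    return {d: rs for d, rs in by_day.items() if len(rs) >= min_size}


def flag_sybil_cohorts(relays, since, min_size=10, share_threshold=0.05):
    """Return (first_seen_iso, relay_count, guard_share) for suspicious cohorts.

    A cohort is flagged when it is large and holds at least `share_threshold`
    of guard bandwidth; the threshold is an assumed value, not a Tor setting.
    """
    findings = []
    for day, cohort in sorted(same_day_cohorts(relays, since, min_size).items()):
        members = {r["fp"] for r in cohort}
        share = guard_share(relays, members)
        if share >= share_threshold:
            findings.append((day.isoformat(), len(cohort), round(share, 4)))
    return findings


if __name__ == "__main__":
    for day, count, share in flag_sybil_cohorts(RELAYS, since="2014-01-01"):
        print(f"{count} guards first seen {day} hold {share:.1%} of guard bandwidth")
```

On the constructed data the 12-relay block holds about 6.7 percent of guard bandwidth, in the same range as the real block's 6.4 percent; the point of the exercise is that the share, not the raw relay count, is what determines how many users would route through the block over time.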

Last week the Russian Interior Ministry announced a £111,000 bounty for anyone who can come up with a compromise method to use against Tor. This was interpreted as a hopeful punt: a compromise as fundamental as the one the Russians would like to find looks highly unlikely and would be incredibly hard for even well-resourced organisations to discover.

The NSA and FBI would also reportedly like to find a way in even though, ironically, the service is indirectly funded by US Government agencies.

"If this was in fact the work of CMU researchers, I would hope that in the future they choose to contribute to security knowledge without jeopardizing public safety," commented Tripwire security researcher Craig Young.
