Tor Project on the hunt for how cops can ‘decloak’ dark net

The Tor Project hopes to discover exactly how law enforcement uncovered ‘dark net’ sites like Silk Road 2.0 that should have remained cloaked by The Onion Router (Tor) network.

After last week’s seizure of Silk Road 2.0 and dozens of other ‘hidden services’, the Tor Project — which maintains the software behind the Tor network — wants to know exactly how law enforcement were able to identify and locate web servers that should not have been visible.

The ‘dark web’ is made up of websites that rely on Tor and have a URL that ends in .onion, known as hidden services. While Tor helps users maintain their anonymity when navigating the internet by bouncing their IP address around a relay of servers, it affords operators of web servers the same protection, negotiating encrypted ‘meeting points’ between the site and end-user. Facebook recently launched its own onion address to support users that access the social network through Tor from nations ruled by oppressive governments.

The Tor Project on Sunday said it has no idea how law enforcement were able to identify the servers that were taken down last week as part of the European-US operation "Onymous". A spokesperson for the project "Phobos" said it was "not contacted directly or indirectly by Europol nor any other agency involved."

The update from the Tor Project follows two reports that emerged over the weekend from relay operators whose servers happened to be taken down at the same time as last week's dark net seizures. One of the reports comes from the operator of one of the 27 seized hidden services, who was not arrested and who said that law enforcement may have used a distributed denial of service (DDoS) attack to reveal the server’s true IP address.

The Tor Project wants to find out how the seized hidden services were located and whether law enforcement exploited a weakness which could be used by criminals or governments.

While the project does not know how law enforcement identified the servers concerned, it offers several explanations as to how the feat may have been pulled off.

The first is that the Tor network itself was attacked. Assuming that Tor relays were seized as part of operation Onymous, it could mean law enforcement exploited unknown weaknesses in the network. The project points to one previous attack on Tor itself, thought to be carried out by US CERT (the Software Engineering Institute at Carnegie Mellon University), that may have managed to uncloak some hidden services.

Another is an attack on the “guard node” of a hidden service, which could reveal a hidden service’s real IP address.

“The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service,” the Tor Project explained.

The DDoS attack, however, appears to be the most plausible explanation, since there are several documented techniques that can be used to de-anonymise a hidden service.

“If your hidden service lacks sufficient processor, memory, or network resources the DoS based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client,” the project warned.

A less likely possibility is that law enforcement remotely exploited a bug in the Tor software itself.

Other possibilities include that an operator of a hidden service introduced their own vulnerabilities through operational security blunders — such as the ones that allegedly led to the downfall of Silk Road 2.0, whose operator Blake Benthall used real-name email addresses to manage the site’s hidden services.

Another is Bitcoin uncloaking. “Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks,” the project speculated.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Liam Tung