STE WILLIAMS

Using blade systems to cut costs and sharpen efficiencies

The Tor Project has warned users about a subtle attack aimed at partially uncloaking their activities on the anonymising network.

The attack, which ran from late January until early July, when it was thwarted, bears hallmarks attributed to a an attack slated for description in a cancelled Black Hat conference presentation.

However, there’s been no confirmation of this from the Carnegie-Mellon University team behind the cancelled Black Hat talk, so this crucial point remains unclear.

The university pulled the hotly anticipated talk on the advice of its lawyers and the researchers behind it have been silent ever since.

The Tor Project has removed the attacking relays from its network as well as pushing out software node and client updates to prevent the same type of attack from happening again. A lot of questions remain unanswered for now, but the developers behind the anonymisation network have at least been able to put together a broad overview of what seems to have happened, as explained in an advisory (extract below).

On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

Unfortunately, it’s still unclear what “affected” includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up).

The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely.

News about the new attack – which may be related to security research – comes days after the Russian government set a $110,000 bounty for cracking Tor. Anonymous internet usage in Russia is surging and the Russian Interior Ministry is looking for partners skilled enough to decipher information about users on the network. Only those accredited to work on government projects need apply. ®

Boost IT visibility and business value

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/07/30/tor_decloaking_attack/