Slashdot Mirror

← Back to Stories (view on slashdot.org)

Black Hat Researchers Actively Trying To Deanonymize Tor Users

Posted by Soulskill on from the good-research-vs-bad-research dept.

An anonymous reader writes: Last week, we discussed news that a presentation had been canceled for the upcoming Black Hat security conference that involved the Tor Project. The researchers involved hadn't made much of an effort to disclose the vulnerability, and the Tor Project was scrambling to implement a fix. Now, the project says it's likely these researchers were actively attacking Tor users and trying to deanonymize them. "On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. ...We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service." They also provide a technical description of the attack, and the steps they're taking to block such attacks in the future.

13 of 82 comments (clear)

  1. I'd like to believe weakness are temporary... by i+kan+reed · · Score: 4, Insightful

    But I have my doubts about about technological fixes to the jackboot/battering-ram/nightstick vulnerability.

    1. Re:I'd like to believe weakness are temporary... by Anonymous Coward · · Score: 2, Interesting

      The foundation of the internet is computers asking adjacent (as for as the network is concerned) computers to relay something to somewhere else. TOR is a well constructed obfuscation layer on top of that, but the low-level standards are very traceable. Without even going into TOR vulnerabilities or PEBCAK errors, a sufficiently determined opponent will be able to beat any obfuscation of intent by extensive analysis of addressing and timing of the encrypted packets.

  2. Black Hats shoot themselves in the foot. by jellomizer · · Score: 4, Interesting

    I find it kinda funny that TOR is used by many Black Hats is being hacked by Them. TO expose who they are...

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Black Hats shoot themselves in the foot. by i+kan+reed · · Score: 2

      Tragedy of the commons. If you're the person who broke Tor, you're(temporarily) the king of blackhats. Who cares that it screws over all the other blackhats. They'd screw you over just as fast.

    2. Re:Black Hats shoot themselves in the foot. by ron_ivi · · Score: 4, Insightful
      Hard to tell who "them" is.

      It's being used by, and trying to be hacked by, many groups.

      University researchers, governments, MPAA/RIAA, computer security companies, etc.

      Seems the project should encourage as many people as possible attempting to hack it -- because that increases the odds that when people finds a hack, at least some of them will report the weakness back to the project.

      On the other hand, if the project discourages hacking attempts, only malicious groups will find the hacks.

    3. Re:Black Hats shoot themselves in the foot. by Opportunist · · Score: 2

      Yeah: "Prison statistics: 4 out of 5 people like gang rape"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Black Hats shoot themselves in the foot. by wile_e_wonka · · Score: 4, Insightful

      If Black Hats don't hack it then the NSA will. But the NSA will quietly keep the vulnerability(ies) to themselves and use them to collect data. Whereas a Black Hat looking to rely on TOR will be best off figuring out its weaknesses in order to make it more effective.

      In other words, people who rely on TOR would be completely stupid to not try to hack it to determine its vulnerabilities. The only odd thing about this isn't really odd at all when you think about these hackers are--they're exposing vulnerabilities in a particularly spectacular fashion.

  3. Re:Changes to the protocol? by ArcadeMan · · Score: 3, Funny

    If we're talking about onion layers, please call it "Ogre" instead of "Tor 2".

    --
    Get free satoshi (Bitcoin) and Dogecoins
  4. Yeah, Roo-see-uh by Impy+the+Impiuos+Imp · · Score: 2

    Fascinating. If they can detect suspicious fraud nodes, TOR could build into their project a blacklist support that they publish and honor in their code. Then it becomes a whack-a-mole issue, which is better han the current situation.

    Ummm...what with Russia trying to de-anonymize TOR and all. Bad Rooskies.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Yeah, Roo-see-uh by Anonymous Coward · · Score: 2, Informative

      Tor *does* have blacklist support: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays

  5. Can we get a hyphen? by damn_registrars · · Score: 5, Funny
    The first time I saw the headline I thought it said

    Black Hat Researchers Actively Trying to Demonize Tor Users

    Then I thought it was perhaps

    Black Hat Researchers Actively Trying to Deamonize Tor Users

    Before I figured out they meant

    De-anonymize

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  6. Re:Oh really ? by Qzukk · · Score: 3, Insightful

    And sure as hell it is impossible to develop a mixnet that will generate Camouflage traffic

    It would have to generate traffic in equal amounts for every flow, which would halve network speed to give an attacker a 50/50 chance of guessing the correct flow. Those fake flows would also have to be carried to something that looks like a reasonable endpoint as well.

    PRISM-level metadata collection makes it trivial to see which computer sent the original 682-byte request (recurse as necessary until the 800 byte request starts at the "sender") as well as which computer the multi-megabyte response was sent to (recurse as necessary until the multi megabyte response returns to the requesting computer). Camouflage traffic can't fix this on its own, it's easy to exclude the data that wasn't requested from the analysis.

    I think that Tor's best bet while maintaining performance at this point would be to round all packets up to the nearest MTU (lets say 1400 to account for PPPoE, VPNs, and other layers on ethernet), so every request and response becomes a multiple of 1400 bytes, would make most tracking rely on packet timing. The next step would be to introduce packet delays at each hop, but that will slow the already slow network down.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. Re:Oh really ? by Qzukk · · Score: 2

    Since you're not sharing, I'm guessing you're imagining some sort of multiplexing scheme where the node would take say 100 bytes from 14 different sources and combine them into one packet and send that. It's an intriguing idea that would slow down metadata analysis but it would have a lot of overhead to keep track of, but that "keeping track of" becomes an attack vector again especially with subverted nodes, since node B will need to know that the next 8 packets from node A will have 100 bytes of data that need to be kept together and sent on to node C.

    If the network is busy it should actually not be bad for interactive small-packet connections. If the network is idle there could be a timer before the node fills unfilled slots with random data and sends it.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.