Lizard Squad Targets Tor

mrspoonsi tips news that Lizard Squad, the hacker group who knocked Xbox Live and the PlayStation Network offline on Christmas morning, has now turned its attention to Tor. After tweeting that they were targeting a Tor-related zero-day flaw, the group is now in control of 3,000 exit nodes — almost half of them. "If one group is controlling the majority of the nodes, it could be able to eavesdrop on a substantial number of vulnerable users. Which means Lizard Squad could gain the power to track Tor users if it infiltrates enough of the network."

Zero-Day Flaw?

They set up their botnet as tor nodes. How exactly is that a zero-day flaw?

Re:Zero-Day Flaw?

I don't understand the target, I used to use TOR for torrents, mostly just to anonymize my traffic for my ISP (I know, I'm a dick). Most exit nodes were European, so the NSA was already archiving everything I was doing anyway.
Are these guys gathering information for the government now or something?

Re:Zero-Day Flaw?

[Zanadou]

(I know, I'm a dick).

Yes, yes you are.

This is why we can't have nice things.

Re:Zero-Day Flaw?

[Kythe]

They want attention. That's it.

Re:Zero-Day Flaw?

[MrL0G1C]

NSA is pissed because their tor nodes only make up half of the remaining nodes and this makes it difficult for them to eaves drop. ;-)

Re:Zero-Day Flaw?

[sudon't]

They're not gathering information. Perhaps the targets will make more sense once you understand that the perpetrators are tweeny- and teeny-boppers. Squeakers, and griefers, desperate for attention and approval from their peers. Their message is: "See what we can do? LOL! Please think we are cool."

As for you, please get a VPN.

Re:Zero-Day Flaw?

short of folks using Tor for personalized information, which even without the hack is a big no-no, controlling an exit node allows somebody to see what's being passed through it, but not necessarily it's origin because Tor bounces traffic around its network. Theoretically it's possible to introduce mal-ware & viruses by controlling an exit node to the original user, but that's where AV & anti-spyware / malware tools kick in, another must for using Tor to begin with.

So it's zero day because they were able to add themselves to the network too easily, but as far as it's impact goes... most folks don't understand the dos & don'ts of Tor, so ya some personal information is going to get intercepted.

Re:Zero-Day Flaw?

[ultranova]

This is why we can't have nice things.

Of course we can. Reality - including human nature - simply sets the design parameters for those nice things. For example, would it be possible to fit major torrent clients with built-in (non-exit) Tor nodes? That way, torrent traffick would not swamp exit nodes and would actually help hide the kind of traffick Tor was originally designed for.

Re:Zero-Day Flaw?

I believe they are likely referring to the point that, if you control enough of the nodes, you can statistically analyse the traffic in order to match the entry traffic with the exit and thus unveil the user.

The TOR Project was well aware of this a while ago

[muphin]

As reported by /. http://tech.slashdot.org/story...
so i believe they are working on a fix.

Oops

They have just kicked the hornets nest..... people who have the ability to track them down and take their revenge

Re:Oops

[JohnVanVliet]

no kidding
there ARE groups you just DO NOT PISS OFF

the non govt. professionals like the ones behind offensive security and like
are not to be messed with lightly

Re:Oops

[Earthquake+Retrofit]

no kidding there ARE groups you just DO NOT PISS OFF

the non govt. professionals like the ones behind offensive security and like are not to be messed with lightly

I'm more concerned about dissidents in dangerous places and the reporters who cover such places. They deserve to have secure channels. I hope the community can come up with something.

Re:The TOR Project was well aware of this a while

[fustakrakich]

It must have been happening already for that 'prediction' to be so accurate.

Sybil attack?

[jhantin]

I haven't seen any explanation of how this is a zero-day exactly; so far, this looks more like a Sybil attack.

Re:Sybil attack?

It's probably a similar combo of the flaw+sybil attack less then a year ago. Which then they only needed to stand up 115 (6% of the total) relays.
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

Not really an 0day exploit

[El_Muerte_TDS]

Either way, @LizardMafia's Tor relay attack isn't new. There's a paper on how Tor loses anonymity if over 50% of relays are compromised.

https://twitter.com/kaepora/st...

I was going to go with botnet, but many LizardNSA relay IPs appear to route back to Google Cloud. Thousands of tiny VMs at low bandwidth?

https://twitter.com/kaepora/st...

You can see this whole list of tor nodes here: https://torstatus.blutmagie.de...
All Lizard nodes resolve to *.bc.googleusercontent.com

Re:Not really an 0day exploit

Interesting, filter by LizardNSA.* and you get 3346 nodes, that's 32.58% of the network.

Re:Not really an 0day exploit

[Iamthecheese]

They'll never get over 50%: more than half are NSA nodes.

Re:Not really an 0day exploit

Parent AC here, forgot to filter by Exit node status; 1167 exit nodes currently. Wont take them long to top that number.

Re:Not really an 0day exploit

[cbiltcliffe]

You can see this whole list of tor nodes here: https://torstatus.blutmagie.de...
All Lizard nodes resolve to *.bc.googleusercontent.com

That's not the whole list. I've been running a node for years, and it's not listed on that page.

Re:Not really an 0day exploit

only the second part is true

Re:The TOR Project was well aware of this a while

[Frosty+Piss]

Almost certainly the US Three Letter Agencies as well as foreign intel have known about this flaw - and how to leverage it - for a long time. Clearly, tor is not secure and hasn't been for awhile.

Wonder what 0 days are in use...

If someone is able to kick down half the TOR nodes out there, it must be a 0-day, or a combination of 0-days in use. It would be interesting to find out what OS has the bug, and preferably where it lies, so it can be addressed. If it is an issue with the TOR software, that is a completely different bag of worms, and it might be that the source code might need an audit similar to TrueCrypt's to find potential security holes.

Re:Wonder what 0 days are in use...

[carlhaagen]

They haven't been kicked down. LQ set up 3000 new rogue nodes.

Eavesdropping...

[Savage-Rabbit]

If one group is controlling the majority of the nodes, it could be able to eavesdrop on a substantial number of vulnerable users.

I'm willing to bet the NSA has prior art on this.

Re:Eavesdropping...

[bill_mcgonigle]

I'm willing to bet the NSA has prior art on this.

You think the Lizard Squad is teenagers? The conspiracy theorists have been warning us that the NSA is run by the NWO and Lizard People for decades.

Re:Eavesdropping...

I'm willing to bet the NSA has prior art on this.

You think the Lizard Squad is teenagers? The conspiracy theorists have been warning us that the NSA is run by the NWO and Lizard People for decades.

OMG! I Knew Hulk Hogan was in on this.. Been Saying it for Years!!

Re:The TOR Project was well aware of this a while

[OverlordQ]

Not the same issue at all. All this is is IdiotSquad starting up a bunch of Google Compute VMs as tor exit nodes.

Headline is wrong and sensationalistic

[carlhaagen]

They haven't taken over 3000 Tor relays - they have set up 3000 new relays of their own, thus having control of over 50% of the available relays.

Re:Headline is wrong and sensationalistic

You do realize what site you're on right? I'm pretty sure the only reason the logo bore the "news for nerds slogan" was that "wrong and sensationalistic" would be too honest and too hard for the editors to spell properly.

Re:Headline is wrong and sensationalistic

You're correct, they seem to be bringing up new tor nodes in an attempt to intercept traffic, but they are hardly routing anything at all.

Re:The TOR Project was well aware of this a while

> Clearly, tor is not secure and hasn't been for awhile.

If by "clearly" you mean "innuendo, rumors, and undocumented third-party hearsay" you would be correct.

Re:The TOR Project was well aware of this a while

Not the same issue at all. All this is is IdiotSquad starting up a bunch of Google Compute VMs as tor exit nodes.

True, but if they are able to compromise TOR anonymity it still is an issue.

pfff

Making DDoS attacks and deploying relay nodes for Tor. Huh how superchaker they are. Only 3000 bots? The gotta be real losers.

time to drop TOR, eh? and switch

to what ?

Oh, that's right; there's nothing left to switch to, IS THERE?

Re: time to drop TOR, eh? and switch

There are quite a few alternatives. Use that Gogol thing to find them.

On an unrelated note

What the hell is up with slashdot when running through nodes based in France? Combined with the lack of 'new circuit' function it's really goddam annoying.

Re: On an unrelated note

Some French communists cookie law.

Re:The TOR Project was well aware of this a while

This is a standard Sybil attack.

Anyone in network security who looked at Tor would immediately have come up with it. Distributed system? Check. Exit nodes chosen essentially randomly? Check. Well duh, introduce n malicious exit nodes such that the probability of a malicious one being selected increases beyond some threshold.

This is seriously one of the first things anyone in security would have thought up. This is the kind of question you'd get on the first page of an exam in network security.

Re:The TOR Project was well aware of this a while

Keep believing your US Government honeypot is "secure". The rest of us will be laughing when you get arrested for browsing your pedo sites.

It's more and more becoming clear

that the "Lizard Squad" is just the U.S. gov cyber squad. I think they - the U.S. - were responsible for hacking Sony, and conveniently blamed it on North Korea.

Re:It's more and more becoming clear

that the "Lizard Squad" is just the U.S. gov cyber squad. I think they - the U.S. - were responsible for hacking Sony, and conveniently blamed it on North Korea.

I agree 100% they have to find a way to blame all this on Obama!

Flag them all as bad

... and be done with it. Isn't this what the BadExit flag is for?

Re:Flag them all as bad

How do we know which nodes they are?

Prove it.

[buckfeta2014]

I'm tired of hearing about these "anonymous" "hacking" "groups" and their supposed "achievements". I don't care if you get arrested. Prove to me that you're legit.

Re:Prove it.

They already proved it. Take a glance on this list. The "LizardNSA" nodes are theirs.

What is bullshit is calling this a Tor 0day. From what I read on the subject, which, admittedly, isn't much, they don't seem to have found an unknown flaw on Tor and are just throwing a bunch of relays at it - which was a "flaw" known since day 1.

Re:Prove it.

And an easily counteracted flaw at that - most of their nodes had been blacklisted before the Directory Authorities even knew about them, so weren't (and won't) carry any traffic.

Having realised they're a bunch of teenagers without a clue, they've instead decided to DDoS toproject.org

Re:Prove it.

They already proved it.

No, they did not prove they are legit. Launching a DDOS and then changing pace and deploying a bunch of fake Tor nodes doesn't make you legit. It's a gradeschool level action that can be done by anybody with enough bitcoin to rent a botnet for a few days.

It's like shitposting all over the comments section of some forum and then acting like it's some kind of achievement.

Re:The TOR Project was well aware of this a while

[Frosty+Piss]

Keep believing your US Government honeypot is "secure". The rest of us will be laughing when you get arrested for browsing your pedo sites.

Considering the type of attack in question, tor can be anyone's honeypot.

That it is "sold" as something like a "darknet" is shameful.

Re:The TOR Project was well aware of this a while

[lgw]

This is seriously one of the first things anyone in security would have thought up

Ah, the /. 30-second expert. Indeed, the TOR guys did think of that too.

Malicious exit nodes do not per se compromise TOR, though they are in a position to take advantage of some potential exploits (also, exit nodes are irrelevant to .onion servers) It's been known since the start that if an attacker both controlled the exit node and could directly tap your line, there'd be and endless stream of exploits possible - and IIRC the NSA had just such attacks in its arsenal. But that doesn't scale - you have to be actively monitoring a specific target to de-anonimize them, you can't do it to everyone. If the NSA actually got warrants when they did that to Americans [pause for laughter] I think it's a fine system.

TFA seems to be about taking over more than half of all TOR nodes, which can hardly be done in secret, and really makes 0-days in the TOR bundle visible.

Far more worrying, especially for the conspiracy theorist, is the never-ending stream of vulnerabilities in .onion servers allowing the operators to be de-anonymized. It's hard to believe TOR wasn't designed that way. TOR seemed designed from the start as a system to let Chinese dissidents use American servers safely, but not allow Silk Road-style sites (servers illegal in the US) to stay up. That IMO would be pretty cool if the US itself weren't growing ever more repressive.

Re:The TOR Project was well aware of this a while

[Frosty+Piss]

Malicious exit nodes do not per se compromise TOR...

What other obvious use would there be?

I need a car analogy, damn it...

Re:The TOR Project was well aware of this a while

[aliquis]

It was made for them.
Also they found out who was running that drug store.

Re:The TOR Project was well aware of this a while

[I'm+New+Around+Here]

Malicious exit nodes do not per se compromise TOR...

What other obvious use would there be?

I need a car analogy, damn it...

Ok, Ok, how's this?

What if you were driving down the road, and lost control of your car, and plowed into an onion patch?

How may onions have to be run over for the field to considered compromised?

Clip art squad

[greg1104]

Each time this group makes the news, the sales of lizard stock art skyrockets. I'm starting to think the whole thing is a PR stunt funded by Getty Images.

Re:The TOR Project was well aware of this a while

[Frosty+Piss]

Ok, Ok, how's this?

What if you were driving down the road, and lost control of your car, and plowed into an onion patch?

How may onions have to be run over for the field to considered compromised?

Depends on the number of onion plants. If it's around 6000 onion plants, maybe around 3000 or so?

And you better be driving a big 'ol redneck Haus pickup truck with a cow catcher on the bumper.

Why are the Loser Squad still walking free?

"Lizard Squad" has been DOS'ing game servers, twitch.tv, and more for months. Surely the NSA has tracked these idiots down, and the FBI has had more than enough time to parallel construct a plausible investigation that didn't involve getting tipped off by NSA. Right? So why are these morons still sitting around in their parents' houses interfering with millions of regular people who are just trying to play games or browse the web? Big companies are being targeted, lots of money is being lost through the game server outages, why haven't these morons been put under the jail by now? They threw the entire weight of the federal government at Aaron Swartz for downloading a bunch of PDF files and yet the Loser Squad has been DOS'ing many companies for months with impunity? Makes me wonder if NSA et. al. aren't the ones behind the attacks.

Re:Why are the Loser Squad still walking free?

False Flag territory. Deny access to entertainment services for a little while, public up in arms, governments get to implement more snooping. They've used terrorism, children, and now they're scraping the barrel to hook in the remaining tech savvy people.

Re:Why are the Loser Squad still walking free?

[marcello_dl]

They should not bother being behind the attacks. They can just wait a lil longer until auntie and nephew both agree when a politician comes up on TV shouting: Damn hackers! we need internet regulation!

The (cyber) antagonists, are likely useful idiots when two things occur:
1- their target is made of mostly normal people, and does not involve structural damage or structural revolution of the status quo.
2- their act gets lots of attention in the media.

One would be really antagonist if you made useful FOSS, new ways of generating energy, 3d printing breakthroughs, direct democracy schemes.

Re:Why are the Loser Squad still walking free?

Maybe, just maybe, the "Lizard Squad" are actually US government employees.

Think about it for a minute. The Sony hack. Tons of corporate information all thrown out there for everyone to see and within a day or two, Obama is talking about pushing "CISPA-style laws" to fight the new "threat" they've just created. Sony wins too of course, look at their box office figures -- a shitty comedy by shitty comedians, that otherwise would have bombed like a burning Spitfire, yet it makes $1 million on a day when most people are usually staying at home. Sony couldn't buy that kind of publicity and it makes them look like the victim while they're raking in the cash.

They saw the uprising against CISPA and SOPA that was even supported by major US tech companies and decided the best way to deal with it would be to attack the public...take away their entertainment and shiny toys by DDoSing the hell out of game servers for months. They bring attention to the "issue" that they've created, then offer a revised version of CISPA as a "remedy" for that issue. If you're willing to believe that North Korea has state-sponsored hackers capable of infiltrating the US, what's so farfetched about state-sponsored US hackers doing the same thing? Hell, they even have the home advantage, they have the NSA on their payroll...and the entire Internet at their fingertips.

Open your eyes, people.

Re:Why are the Loser Squad still walking free?

It was my understanding that xmas day was one of the biggest days of the year for theaters. So even if most people you know stay home on that day - there are a crap ton of movie goers.

All suspect nodes must be blacklisted

[Karmashock]

You have to be able to control which exit nodes you use.

Re:The TOR Project was well aware of this a while

No, you missed the analogy. You lost control of your car. The drive by wire accelerator, brake, steering and handbrake don't work.

Just consider yourself lucky you didn't "accidentally" drive into a pole.

There is something to be said for E2E encryption

[ihtoit]

the outward node has a public key, the receiving node has the private key, nothing in between gets anything useful.

I mean, why overcomplicate shit?

Hell, for that matter - airgap it.

Re:The TOR Project was well aware of this a while

[ihtoit]

that depends, how much tyre rubber needs to be deposited before you can't taste onion anymore?

fruit loops

[sgt+scrub]

Are they the lizardsquad or the lowest hanging fruit squad? If they had skills they'd do something that isn't totally gay.

Re:fruit loops

You're looking at this all wrong. It's a simple purchase of virtual servers to run as exit nodes by a benevolent joker. To force the next evolution of designed-as-secure mesh communications software, you have to soundly discredit the fake imposer in the room. TOR's a great theory, but imperfect. It feels evil on the receiving end, but it really IS for our own good. Thank you, Lizard Overlord. And no, it's not a broken window fallacy. It's whistle-blowing. TOR is broken. Make a better TOR and it CAN'T happen again.

Re:The TOR Project was well aware of this a while

Actually the parent appears to be correct- they aren't actually taking over relays. There's a 5 hour old tweet on the torproject's twitter with the following statement:

"This looks like a regular attempt at a Sybil attack: the attackers have signed up
many new relays in hopes of becoming a large fraction of the network.
But even though they are running thousands of new relays, their relays
currently make up less than 1% of the Tor network by capacity. We are
working now to remove these relays from the network before they become
a threat, and we don't expect any anonymity or performance effects based
on what we've seen so far."

Re:There is something to be said for E2E encryptio

[Dwedit]

You know the senders and receivers. That's what Tor tries to stop.

Re:The TOR Project was well aware of this a while

[ToasterMonkey]

you have to be actively monitoring a specific target to de-anonimize them, you can't do it to everyone. If the NSA actually got warrants when they did that to Americans [pause for laughter] I think it's a fine system.

You laugh, but at what point in an investigation would you be aware of the target's nationality?
Do you know the nationalities of the Lizard Squad members, for example? When would you, before or after this process?
Am I an American citizen? I can't get a driver's license without something like three forms of proof I live here, so tell me how does this work on the Internet?

Warrants for de-anonimizing Americans on the Internet... explain that paradox.
IP addresses are not people, the Internet has no borders, information wants to be free, etc.

IMO, there are no rights on the Internet UNTIL it has borders.

Re:The TOR Project was well aware of this a while

Tor-users have nothing to fear. Incompetent and/or lazy Tor .onion operators should be worried. Right now there is no idiot-proof solution to easy and secure deployment of Tor .onion servers. There is for end-users. It's called Tails (at least for those fairly competent and reasonably tech savvy).

Close enough to the truth as makes no difference.

[westlake]

They haven't taken over 3000 Tor relays - they have set up 3000 new relays of their own, thus having control of over 50% of the available relays.

If you capture over half of the traffic that moves over Tor haven't you for all practical purposes taken control of the network?

dem haxxorz

dey be haxxin'.

Stupid and sad ...

[janoc]

Bunch of bored kids over Christmas break that got fed up with CounterStrike and Call of Duty, so they are wreaking havoc for fun and getting way too much news time for it. I have almost gagged when I have seen a reporter saying on TV with a straight face that "it is not confirmed whether the attackers are linked to North Korea" and that "The attack is not thought to be a terrorist attack". *double facepalm*

I am not sure what is more sad, whether these jerks getting off on griefing others or the mom of one kid who couldn't play XBox over Christmas because of the DDOS and she lamented on camera - "What is he going to do now? He has nothing else to do!" I don't know - like going outside for a while?

Our society is really going downhill :(

Re: Stupid and sad ...

Given the cute reaction of mainstream media, this looks like the work of American arms industry, actually.

Re: Stupid and sad ...

Don't be silly.

Re:Close enough to the truth as makes no differenc

[Rakhar]

They have half of the nodes, but 1-2% of the traffic. They set up a bunch of new nodes, not took over existing nodes. As a result, they have a bunch of nodes that not many people are using. As the issue gets more attention, more of their new nodes are cut out of the loop.

Re:The TOR Project was well aware of this a while

You didn't READ TFA. Typical for a low-ID user I suppose, your brain has rotted away from trying to parse so many fake-article-ads that you discuss an article without even knowing what it contains. They aren't "taking over" anything, they set up 3000 NEW nodes in an attempt to funnel traffic through some of their own exits.

That's not to say that TOR can't be exploited in some way, just about every piece of software more than a few thousand lines long has some sort of security problem in it. Do yourself a favour and actually read some of the articles before you comment on them though, makes you look like less of a fucktard. Well, less of a fucktard than usual, but that's about the best a long time, low ID loser can hope for.

Re:There is something to be said for E2E encryptio

[ihtoit]

I don't get it. I mean, what would be the point of an anonymous broadcaster if you don't know where to go to authenticate the information? Yes, that'd be a valid use-case IMO, but it falls on its arse when it comes to actually validating stuff.

I have information that *needs* to be out there, but I'm not going to broadcast it and not stand by it, that nullifies its value completely. I will stand by what I say, I will claim right when I piss people off because I will offer what they will not: evidence.

When I'm transmitting information that isn't for general consumption*, I will airgap it and/or I will encrypt it. I won't broadcast it over a fucking anonymiser.

*for measurement of "general consumption" read: stuff the Ears already have I don't particularly care if they know I've got it, they already know I'll fucking use it.

Re:The TOR Project was well aware of this a while

[rthille]

"low-ID"? WTF are you talking about?

Re:The TOR Project was well aware of this a while

They were the the ones that broke Enigma after all...

(Seriously, over 30 minutes timeout event for a crappy one-liner?)