Forgot your password?
typodupeerror
Communications Encryption Privacy Security The Internet

Black Hat Researchers Actively Trying To Deanonymize Tor Users 82

Posted by Soulskill
from the good-research-vs-bad-research dept.
An anonymous reader writes: Last week, we discussed news that a presentation had been canceled for the upcoming Black Hat security conference that involved the Tor Project. The researchers involved hadn't made much of an effort to disclose the vulnerability, and the Tor Project was scrambling to implement a fix. Now, the project says it's likely these researchers were actively attacking Tor users and trying to deanonymize them. "On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. ...We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service." They also provide a technical description of the attack, and the steps they're taking to block such attacks in the future.
This discussion has been archived. No new comments can be posted.

Black Hat Researchers Actively Trying To Deanonymize Tor Users

Comments Filter:
  • by i kan reed (749298) on Wednesday July 30, 2014 @10:51AM (#47566647) Homepage Journal

    But I have my doubts about about technological fixes to the jackboot/battering-ram/nightstick vulnerability.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The foundation of the internet is computers asking adjacent (as for as the network is concerned) computers to relay something to somewhere else. TOR is a well constructed obfuscation layer on top of that, but the low-level standards are very traceable. Without even going into TOR vulnerabilities or PEBCAK errors, a sufficiently determined opponent will be able to beat any obfuscation of intent by extensive analysis of addressing and timing of the encrypted packets.

      • There is nothing in a packet's headers that will indicate what route it took to get somewhere, no matter what sort of analysis you apply to it. The only 3 clues you have are the TTL, the source MAC address, and the source IP address.

        • And the thing is, when you're the government of a country, you can bust down every door, pull the mac address, look at the routing table, and head to the next door to bust down. It goes even faster when every ISP is freely complicit(they are in the US, China, Russia, and anywhere else notably stompy).

    • Didn't Russia just announce a bounty for anyone who could help them identify weaknesses and track TOR users? Maybe the presentation at the Black Hat conference was cancelled because the Russians pay more?

  • by jellomizer (103300) on Wednesday July 30, 2014 @10:57AM (#47566751)

    I find it kinda funny that TOR is used by many Black Hats is being hacked by Them. TO expose who they are...

    • Tragedy of the commons. If you're the person who broke Tor, you're(temporarily) the king of blackhats. Who cares that it screws over all the other blackhats. They'd screw you over just as fast.

      • by Ambvai (1106941)

        It's a bit like the endgame for the game Uplink-- if you go blackhat, you end up in a race to destroy the internet. If you succeed, the only thing that happens is that you get a 'connection terminated' notice.

    • Hard to tell who "them" is.

      It's being used by, and trying to be hacked by, many groups.

      University researchers, governments, MPAA/RIAA, computer security companies, etc.

      Seems the project should encourage as many people as possible attempting to hack it -- because that increases the odds that when people finds a hack, at least some of them will report the weakness back to the project.

      On the other hand, if the project discourages hacking attempts, only malicious groups will find the hacks.

    • Re: (Score:2, Interesting)

      by ganjadude (952775)
      *black hat* in this case simply means the NSA
      • Evidence?

        • by ganjadude (952775)
          if i had evidence i wouldnt be posting that comment from my work computer in the USA, but with everything going on with them do you doubt it?
          • Yes. I doubt everything that I don't have evidence of.

          • So your rationale for accusing the NSA of something is "They do other bad stuff, clearly they do this as well?"

    • What's interesting about this post being modded interesting is the number of people who apparently read it and thought "yep, nothing wrong with that logic". Or have never thought seriously, and apparently have no idea, what "black hat" hacker means.

    • by Anonymous Coward

      I think you're conflating terms here. Yes, a black hat hacker is someone who generally breaks into systems and otherwise acts outside of the scope of legality. However, Black Hat is a security conference held in Las Vegas on an annual basis, and while the atmosphere can be slightly different than DEFCON, it's...generally a similar convention. Black Hat Researchers referenced here, therefore, likely fall under that official umbrella, and thus likely would NOT necessarily fall under the general black hat

    • by medv4380 (1604309)
      There is no honor among thieves.
    • by wile_e_wonka (934864) on Wednesday July 30, 2014 @12:21PM (#47567675)

      If Black Hats don't hack it then the NSA will. But the NSA will quietly keep the vulnerability(ies) to themselves and use them to collect data. Whereas a Black Hat looking to rely on TOR will be best off figuring out its weaknesses in order to make it more effective.

      In other words, people who rely on TOR would be completely stupid to not try to hack it to determine its vulnerabilities. The only odd thing about this isn't really odd at all when you think about these hackers are--they're exposing vulnerabilities in a particularly spectacular fashion.

      • by oursland (1898514)
        The NSA isn't the only boogieman here, so don't call only them out. There's a lot of value to cracking Tor open, and it would be wise to quickly identify and resolve the weaknesses.
  • I wonder how feasible it would be to modify tor, or maybe make a tor version 2 protocol so that the onion layers are determined packet by packet, instead of by the stream.

    I'm not all that knowledgeable when it comes to the tor protocol, but it sounds like each stream is bounced off a series of relays.. If you could change that to each packet, or split the stream into a few other streams that took different routes (and let the stream get reassembled from packets from multiple streams at the destination), the

    • by ArcadeMan (2766669) on Wednesday July 30, 2014 @11:10AM (#47566913)

      If we're talking about onion layers, please call it "Ogre" instead of "Tor 2".

    • I wonder how feasible it would be to modify tor, or maybe make a tor version 2 protocol so that the onion layers are determined packet by packet, instead of by the stream.

      I think that might fall apart at the exit node, since expecting the server to receive response packets from 2 different IPs isn't TCP/IP compliant. You could certainly build sites that work with that expectation, but it would essentially require all layers to be designed to support TOR.

    • Tor is designed to be low-latency. Such complicated routing would definitely make a large latency tradeoff, since you'd have several routes, all of different latencies, which would mean the packets would arrive out of order and you'd need to delay to determine if you'd actually received a complete set before reconstructing an in-order stream to the final destination.

    • The packets would still have to use the same exit node, since the final hop to the destination has to use the original TCP (one source, one destination) so it likely wouldn't add too much. The packets are already encrypted, so the intermediate nodes can't see what you're doing in any case, so I don't think there's an added benefit to doing that. Might just slow things down since the packets have to be assembled at the end anyway. Of course Tor hidden services don't take that last unencrypted hop, but it
  • Fascinating. If they can detect suspicious fraud nodes, TOR could build into their project a blacklist support that they publish and honor in their code. Then it becomes a whack-a-mole issue, which is better han the current situation.

    Ummm...what with Russia trying to de-anonymize TOR and all. Bad Rooskies.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Tor *does* have blacklist support: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays

  • by damn_registrars (1103043) <damn.registrars@gmail.com> on Wednesday July 30, 2014 @11:27AM (#47567101) Homepage Journal
    The first time I saw the headline I thought it said

    Black Hat Researchers Actively Trying to Demonize Tor Users

    Then I thought it was perhaps

    Black Hat Researchers Actively Trying to Deamonize Tor Users

    Before I figured out they meant

    De-anonymize

    • by Anonymous Coward

      I think they meant Dean-omize. Turn Tor users into Deans of well respected Universities/Colleges, probably to help increase the adoptomization and respectomization of Tor.

      • I think they meant Dean-omize. Turn Tor users into Deans of well respected Universities/Colleges, probably to help increase the adoptomization and respectomization of Tor.

        If instead you meant Dean-omize as in "turn them into Howard Dean", then in this crowd that would have the exact same effect as demonization.

        • by idontgno (624372)

          I was actually hoping that we'd be turned into Dean Martin. Even if he's long dead, he's cooler than the entire TOR user community and node operator community combined.

  • apparently 3 proxies aren't enough, should rather be 7 :-)

  • It's because Russia's offering $$$ for a TOR hack...
    http://www.themoscowtimes.com/... [themoscowtimes.com]

    on the bright side, TOR will be better in the end because of it.

  • I see many naysayers & detractors here querying why black-hats would want to break the very services they rely on, but surely that's exactly what they should be doing?

    If you want to rely on a service for your own security, it's in your best interests to find all the weaknesses - especially with open source projects, which rely on the community to find & fix faults.

  • "We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to Q1 is "yes"."

    Fucking slashdot, can't even be bothered to RTFA to check the headline. It's only suspe

  • I think the answer lies in figuring out how to increase throughput on bitmessage networks.

The greatest productive force is human selfishness. -- Robert Heinlein

Working...