Tor attack tries to decloak anonymous users (Wired UK)


Tor, The onion router network for all your anonymous net needs

Shutterstock


Ars TechnicaOfficials with the Tor privacy service
have uncovered an attack that may have revealed identifying
information or other clues of people operating or accessing
anonymous websites and other services over a five-month span
beginning in February.

The campaign exploited a previously unknown vulnerability in the
Tor protocol to carry out two classes of attack that together may
have been enough to uncloak people using Tor Hidden Services, an advisory published Wednesday warned. Tor officials said the
characteristics of the attack resembled those discussed by a team
of Carnegie Mellon University researchers who recently canceled a presentation at next week’s Black Hat security
conference
on a low-cost way to deanonymize Tor users. But the
officials also speculated that an intelligence agency from a global
adversary might have been able to capitalize on the exploit.

Either way, users who operated or accessed hidden services from
early February through July 4 should assume they are affected. Tor
hidden services are popular among political dissidents who want to
host websites or other online services anonymously so their real IP
address can’t be discovered by repressive governments. Hidden
services are also favored by many illegal services, including the
Silk Road online drug emporium that was shut down earlier this
year
. Tor officials have released a software update designed to prevent the technique from working
in the future. Hidden service operators should also consider
changing the location of their services. Tor officials went on to
say:

“Unfortunately, it’s still unclear what “affected” includes. We
know the attack looked for users who fetched hidden service
descriptors, but the attackers likely were not able to see any
application-level traffic (e.g. what pages were loaded or even
whether users visited the hidden service they looked up). The
attack probably also tried to learn who published hidden service
descriptors, which would allow the attackers to learn the location
of that hidden service. In theory the attack could also be used to
link users to their destinations on normal Tor circuits too, but we
found no evidence that the attackers operated any exit relays,
making this attack less likely. And finally, we don’t know how much
data the attackers kept, and due to the way the attack was deployed
(more details below), their protocol header modifications might
have aided other attackers in deanonymizing users too.”

The first attack, known as a traffic
confirmation attack
, works when the adversary controls or
observes relays on both ends of a Tor circuit and compares traffic
timing, volume, or other characteristics to discover pairs of
relays on the same circuit. When the first relay in a circuit knows
the IP address of the user and the last relay knows the destination
of the Tor hidden service, the attacker can deanonymize the
user.

Worries about a “large intelligence
agency”


The attackers injected a signal into Tor protocol headers that
could be read by relays on the other end of a circuit. When Tor
users connected to an attacker-controlled hidden service relay, the
relay sent the hidden service name in an encoded format through the
circuit. When other attacking relays were randomly chosen as the
first hop of a circuit, they would learn which clients requested
information about a hidden service. The injection leaked
potentially privacy-breaking information that could be detected not
only by the attackers but also by anyone else who may have been
running a relay and looking for the encoded traffic. The advisory
stated:

“And we might also worry about a global adversary (e.g. a large
intelligence agency) that records Internet traffic at the entry
guards and then tries to break Tor’s link encryption. The way this
attack was performed weakens Tor’s anonymity against these other
potential attackers too — either while it was happening or after
the fact if they have traffic logs. So if the attack was a research
project (i.e. not intentionally malicious), it was deployed in an
irresponsible way because it puts users at risk indefinitely into
the future.”

The traffic confirmation attack was combined with a Sybil attack,
in which adversaries create large numbers of pseudonymous
identities on a targeted network to gain a disproportionately large
influence. The attack observed earlier this year wielded about 115
fast non-exit relays (all running on the IP blocks 50.7.0.0/16 or
204.45.0.0/16). Collectively, they acted as “entry guards” for a
“significant chunk of users over their five months of operation,”
the advisory explained.

One of the questions that remains unanswered, according to
Wednesday’s advisory, is “Was this the Black Hat 2014 talk that got
canceled recently?” The advisory went on to say: “We spent several
months trying to extract information from the researchers who were
going to give the Black Hat talk, and eventually we did get some
hints from them about how ‘relay early’ cells could be used for
traffic confirmation attacks, which is how we started looking for
the attacks in the wild. They haven’t answered our e-mails lately,
so we don’t know for sure, but it seems like that answer … is
‘yes.’ In fact, we hope theywerethe ones doing the attacks, since
otherwise it means somebody else was.”

Tor officials said they still don’t know if they have uncovered
all the malicious relays, if the malicious relays targeted points
outside of the Tor hidden services, and if the data collected has
been destroyed.

This article originally appeared on Ars Technica

If the article suppose to have a video or a photo gallery and it does not appear on your screen, please Click Here

31 July 2014 | 12:11 pm – Source: wired.co.uk

Leave a Reply

Your email address will not be published.