[liberationtech] BBC: Tor users may have been unmasked going back 5 months

frank at journalistsecurity.net
Wed Jul 30 13:28:35 PDT 2014


http://www.bbc.com/news/technology-28573625?ocid=socialflow_twitter
30 July 2014 Last updated at 16:16 ET

Tor attack may have unmasked dark net users
By Leo Kelion
Technology desk editor
[Image (eye data graphic): The ability to unmask Tor's users would undermine the reason people use the service]

Developers of software used to access Tor - an otherwise hard-to-reach
part of the internet - have disclosed that an attack on the network may
have unmasked users for five months.

The Tor Project said that it believed the assault was designed to
de-anonymise the net addresses of people operating or visiting hidden
sites.

However, it said it was not sure exactly how users had been "affected".

The project added that it believed it had halted the attack on 4 July.

Tor allows people to visit webpages without being tracked and to publish
sites whose contents would not show up in search engines.

The Tor Project said it believed that the infiltration had been carried
out by two university researchers, who claimed at the start of July to
have exploited "fundamental flaws" in Tor's design that allowed them to
unmask the so-called dark net's users.

The two security experts, Alexander Volynkin and Michael McCord, had
been due to give a talk at the Black Hat conference in Las Vegas next
week. However, the presentation was cancelled at the insistence of
lawyers working for their employer, Carnegie Mellon University.

[Image (Tor web page): The Tor Project offers web browser software that can access the hidden sites on the Tor network]
"We spent several months trying to extract information from the
researchers who were going to give the Black Hat talk, and eventually we
did get some hints from them... which is how we started looking for the
attacks in the wild," wrote Roger Dingledine, one of the network's
co-creators, on the Tor Project's blog.

"They haven't answered our emails lately, so we don't know for sure, but
it seems likely that the answer to [whether they were responsible] is
yes.

"In fact, we hope they were the ones doing the attacks, since otherwise
it means somebody else was."

A spokesman from Carnegie Mellon University declined to comment.

Illegal activity
Tor attempts to hide a person's location and identity by sending data
across the internet via a very circuitous route involving several
"nodes" - which, in this context, means using volunteers' PCs and
computer servers as connection points.

Encryption applied at each hop along this route makes it very hard to
connect a person to any particular activity.

To the website that ultimately receives the request it appears as if the
data traffic comes from the last computer in the chain - known as an
"exit relay" - rather than the person responsible.

[Image (Tor graphic): Tor hides a user's identity by routing their traffic through a series of other computers]
Tor's users include the military, law enforcement officers and
journalists - who use it as a way of communicating with whistle-blowers
- as well as members of the public who wish to keep their browser
activity secret.

But it has also been associated with illegal activity, allowing people
to visit sites offering illegal drugs for sale and access to child abuse
images, which do not show up in normal search engine results and would
not be available to those who did not know where to look.

Two-pronged attack
The Tor Project suggests the perpetrator compromised the network via a
"traffic confirmation attack".

This involves the attacker controlling both the first part of the
circuit of nodes involved - known as the "entry relay" - as well as the
exit relay.

By matching the volumes and timings of the data sent at one end of the
circuit to those received at the other end, it becomes possible to
reveal the Tor user's identity because the computer used as an entry
relay will have logged their internet protocol (IP) address.

The project believes the attacker used this to reveal hidden-site
visitors by adding a signal to the data sent back from such sites that
included the name of the hidden service.

Because the sequence of nodes in a Tor network is random, the
infiltrator would not be able to track every visit to a dark net site.

[Image (onion): Tor can be likened to an onion because of the many layers through which it sends data]
Tor also has a way of protecting itself against such a danger: rather
than use a single entry relay, the software uses a few relays chosen at
random - what are known as "entry guards".

So, even if someone has control of a single entry and exit relay, they
should only see a fraction of the user's traffic, making it hard to
identify them.

However, the Tor Project believes the perpetrator countered this
safeguard by using a second technique known as a "Sybil attack".

This involved adding about 115 subverted computer servers to Tor and
ensuring they became used as entry guards. As a result, the servers
accounted for more than 6% of the network's guard capacity.

[Image (Black Hat): Two researchers had planned to reveal a way to unmask Tor users at the Black Hat conference]
This was still not enough to monitor every communication, but was
potentially enough to link some users to specific hidden sites.
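The interplay of entry guards and the Sybil attack described in the last few paragraphs, as an added illustration that is not code from the BBC article or from the Tor Project: a small model of clients building circuits when a hostile operator holds a share of guard capacity. It takes the article's "more than 6%" figure as the hostile share, assumes three guards per client (an assumption, not a number from the article), and approximates guard selection as independent capacity-weighted draws. The point it makes is the one the article gestures at: guards do not reduce the share of circuits the attacker sees, but they limit how many distinct users are ever exposed.

```python
"""Model of how entry guards limit exposure when an attacker controls a share
of guard capacity. Added illustration; parameters below are assumptions."""
import random

# Assumed inputs: the article reports hostile relays at "more than 6%" of
# guard capacity; three guards per client is an assumption of this model.
MALICIOUS_GUARD_FRACTION = 0.06
GUARDS_PER_CLIENT = 3


def p_client_has_malicious_guard(fraction, guards_per_client):
    """Closed form: probability that at least one of a client's guards is hostile."""
    return 1.0 - (1.0 - fraction) ** guards_per_client


def simulate(fraction, guards_per_client, clients, circuits_per_client,
             use_guards, seed=1):
    """Monte Carlo over clients building circuits.

    A circuit counts as 'confirmed' when its entry relay is hostile. The
    article's attack also needed the hostile side to see the far end of the
    circuit (the signal was injected on the hidden-service side); that is
    assumed to always hold here. Returns a pair:
    (share of clients with at least one confirmed circuit,
     share of all circuits confirmed).
    """
    rng = random.Random(seed)
    exposed_clients = 0
    exposed_circuits = 0
    for _ in range(clients):
        if use_guards:
            # Each client fixes a small guard set once and reuses it.
            guards = [rng.random() < fraction for _ in range(guards_per_client)]
            hits = sum(rng.choice(guards) for _ in range(circuits_per_client))
        else:
            # Without guards every circuit picks a fresh random entry relay.
            hits = sum(rng.random() < fraction for _ in range(circuits_per_client))
        exposed_circuits += hits
        exposed_clients += 1 if hits else 0
    total = clients * circuits_per_client
    return exposed_clients / clients, exposed_circuits / total


def main():
    for use_guards in (False, True):
        users, circuits = simulate(MALICIOUS_GUARD_FRACTION, GUARDS_PER_CLIENT,
                                   clients=10000, circuits_per_client=50,
                                   use_guards=use_guards)
        label = "with guards" if use_guards else "no guards"
        print(f"{label:12s} users exposed: {users:.3f}  circuits seen: {circuits:.3f}")
    print("closed form, with guards:",
          round(p_client_has_malicious_guard(MALICIOUS_GUARD_FRACTION,
                                             GUARDS_PER_CLIENT), 3))


if __name__ == "__main__":
    main()
```

Run as written it shows roughly 6% of circuits observed in both settings, but the share of users touched at least once over 50 circuits drops from about 95% (fresh random entry every time) to about 17% (fixed guard set), which is why raising the hostile guard share with extra relays was the step that made the attack worthwhile.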

"We don't know how much data the attackers kept, and due to the way the
attack was deployed, their... modifications might have aided other
attackers in de-anonymising users too," warned Mr Dingledine.

Several government agencies are interested in having a way to unmask
Tor's users.

Russia's interior ministry is currently offering a 3.9m roubles
($110,000; £65,000) prize to anyone who cracks such identities. It says
it wants to protect the country's "defence and security".

A report by the German broadcaster ARD suggests US cyberspies working
for the NSA have also made efforts to overcome Tor's system, despite the
fact the Tor Project is partly funded by other US government
departments.

And leaked documents released by whistleblower Edward Snowden also
indicate the UK's GCHQ has attempted to track Tor users.
