The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | Tor

Play

Rotten onion

Right after the Lizard Squad finished with a DDOS attack on the PSN and XBOX networks, they launched an attack against the Tor anonymity system. The attack was simple, set up enough Tor relays to be able to identify a significant fraction of Tor users and connect them with their activity. They got caught because they were bozos (perhaps intentionally). They did the attack hard and fast, which made it easy to identify the rogue relays, and they bragged about it (which told people to look for the attack). (more…)

· · · · · ·

Play

Tor webpage

Two new attacks on Tor were recently announced.

The first involves using an exit node to automatically modify software patches to include malware. This one is being seen in the wild already. (more…)

· · · · ·

TorAppLogo

Tor just announced that they have detected and blocked an attack that may have allowed hidden services and possibly users to be de-anonymized.

It looks like this may be connected to the recently canceled BlackHat talk on Tor vulnerabilities. One hopes so, otherwise the attack may have been more hostile than simple research.

Tor is releasing updated server and client code to patch the vulnerability used in this attack. This shows once again one of the key architectural weaknesses in Tor, the distributed volunteer infrastructure. On the one hand, it means that you are not putting all of your trust in one entity. On the other hand, you really don’t know who you are trusting, and anyone could be running the nodes you are using. Many groups hostile to your interests would have good reason to run Tor nodes and to try to break your anonymity.

The announcement from Tor is linked below.

Tor security advisory: “relay early” traffic confirmation attack | The Tor Blog

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

Jul/14

29

Russia puts a bounty on Tor's head

TorAppLogo

The Russian Ministry of Internal Affairs recently announced a contest to create a method to identify Tor users, with a prize of about $114,000.

Clearly the government is worried about the ability of Tor to allow people to bypass the increasingly draconian Internet laws that have been put in place. This puts a big target on Tor, but people have been working on breaking Tor for years. This year a talk at Black Hat on cracking Tor anonymity was pulled without explanation after it was announced and scheduled.

Being free and well established, Tor has the largest user base of any privacy service, so it is the obvious first target. Its distributed design also introduces paths for attack not available in other designs like Anonymizer Universal.

It will be interesting to see if this move drives Tor users to other services, and whether that in turn leads to expanded efforts to crack those tools.

Fancy $110,000? Easy! Just be Russian and find a way of cracking Tor | HOTforSecurity

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

Mar/14

19

Check your phone for evil Tor app

TorAppLogo

Fake Tor browser for iOS laced with adware, spyware, members warn | Ars Technica

There are a number of different Tor anonymity service apps in the Apple iOS app store. According to several people at Tor, one of them is unofficial and loaded with adware and spyware.

The bad one is “Tor Browser”. If you have it, you should un-install it immediately.

Apple has been requested to remove the app from the store, but no action has been taken so far.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

· · · ·