
Hackers to take down Tor on 3 Grand Budget

  • 06-07-2014 1:40pm
    #1
    Closed Accounts Posts: 1,260 ✭✭✭


    http://www.dailydot.com/business/tor-hackers-break/
    Is Tor, one of the most popular and powerful anonymity tools on the Internet, broken?
    Two hackers are promising to show how they’re able to deanonymize Tor users with a measly $3,000 budget at Black Hat 2014, a major hacking conference in Las Vegas next month.



    “In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity,” the presenters, Alexander Volynkin and Michael McCord, explain.


    The briefing is titled, “You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget.”
    With “a handful of powerful servers and a couple gigabit links”—easily within the resources of the world’s major intelligence agencies, criminal collectives, hacktivist groups, private companies, and more—thousands of Tor clients and hidden services can be revealed “within a couple of months,” the pair says.


    Volynkin, a research scientist, and McCord, a software vulnerability analyst, haven’t revealed many specifics to the public yet, but many Tor community members are hoping that they’ve followed responsible disclosure practices and have notified Tor’s developers of any potential exploits that can put the anonymity of millions of users at risk.
    No one has yet seen or reviewed the talk, so it’s impossible to verify the presenters’ claims. Even though the Tor community has been talking at length about the $3,000 demonstration, no official Tor developer has given comment.


    The demonstration will cover “the nature, feasibility, and limitations of possible attacks, and then dive into dozens of successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places,” the presenters say.


    Black Hat USA 2014 takes place Aug. 2-7 in Las Vegas.


Comments

  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    If they want to succeed where the NSA failed good luck to them! :)


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    If they want to succeed where the NSA failed good luck to them! :)
    Talk on cracking Internet anonymity service Tor withdrawn from conference
    A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.
    A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    Thanks RF,

    Must confess I was skeptical. After all the resources the Chinese government threw into surveillance, the most they could do was block attempts to connect over tor, and even this isn't totally effective.

    Of course there are vulnerabilities from monitoring the end points, browser fingerprinting and so on so there's no harm in being vigilant.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Thanks RF,

    Must confess I was skeptical. After all the resources the Chinese government threw into surveillance, the most they could do was block attempts to connect over tor, and even this isn't totally effective.

    Of course there are vulnerabilities from monitoring the end points, browser fingerprinting and so on so there's no harm in being vigilant.
    Seems they had a "nice" bug after all.

    They were afraid of getting sued for violating people's privacy.

    http://www.bbc.co.uk/news/technology-28447023

    The co-creator of a system designed to make internet users unidentifiable says he is tackling a "bug" that threatened to undermine the facility.
    The Tor (the onion router) network was built to allow people to visit webpages without being tracked and to publish sites whose contents would not show up in search engines.


    Earlier this month two researchers announced plans to reveal a way to de-anonymise users of this "dark web".
    They were later prevented from talking.
    Alexander Volynkin and Michael McCord - two security experts from Carnegie Mellon University's computer emergency response team (Cert) - had been scheduled to reveal their findings at the Black Hat conference in Las Vegas in August.


    However, a notice published on the event's website now states that the organisers had been contacted by the university's lawyers to say the talk had been called off.


    "Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release," the message said.


    Roger Dingledine, one of Tor's creators, subsequently posted a message to a mailing list confirming that he and his colleagues had "no idea the talk would be pulled".
    But he added that the Tor Project - the organisation that provides free software to make use of Tor - had been "informally" shown some of the materials that would have been presented.
    "I think I have a handle on what they did, and how to fix it," he added in a follow-up post.

    "We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything.
    "Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world."

    Tor was originally developed by the US Naval Research Laboratory and was later funded by the Electronic Frontier Foundation digital rights group, Google and the US National Science Foundation, among others. It attempts to hide a person's location and identity by sending data across the internet via a very circuitous route. Encryption applied at each hop along this route makes it very hard to connect a person to any particular activity.
    Its users include the military, law enforcement officers and journalists - who use it as a way of communicating with whistle-blowers - as well as members of the public who wish to keep their browser activity secret.
    But it has also been associated with illegal activity.


    The description given for the pulled talk itself noted that Tor "has also been used for the distribution of child pornography, illegal drugs, and malware".


    The researchers had promised to reveal how a piece of kit worth $3,000 (£1,760) could be used to "exploit fundamental flaws in Tor design and implementation" to reveal the internet address of its users and the computer servers used to host their hidden services.
    "We know because we tested it in the wild," they added.
    Christopher Soghoian, a tech expert at the American Civil Liberties Union, has speculated that the university might have feared the risk of a criminal prosecution or being sued by Tor users who felt their privacy had been violated.


    "Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes," he tweeted.
    However, a spokeswoman for the university told the BBC: "We don't have anything further to add to the statement that was already released by the Black Hat conference."

    While the details of the alleged flaw have yet to be disclosed, there have been several reports of other efforts by authorities to overcome its protections.

    German broadcaster ARD reported earlier this month that cyberspies at the US National Security Agency (NSA) were actively monitoring two Tor directory servers in Germany to scoop up the net addresses of people using them.


    An alleged leaked list of GCHQ's hacking tools indicated that the agency had developed its own Tor browser.


    And in 2013, the FBI acknowledged making use of a flaw in the Firefox browser to help it identify Tor users as part of an effort to tackle child abuse images posted to hidden sites. That exploit has since been fixed.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    .
    Your fave, Tails, has a hole now too.

    The Tails operating system is one of the most trusted platforms in cryptography, favored by Edward Snowden and booted up more than 11,000 times per day in May. But according to the security firm Exodus Intelligence, the program may not be as secure as many thought. The company says they've discovered an undisclosed vulnerability that will let attackers deanonymize Tails computers and even execute code remotely, potentially exposing users to malware attacks. Exodus is currently working with Tails to patch the bug, and expects to hand over a full report on the exploit next week.
    "You can't trust any of these systems 100 percent."
    "We're hesitant to release any technical details because we don't want anyone to be able to reproduce [the exploit]," Exodus co-founder Aaron Portnoy told The Verge. After announcing the discovery in a tweet yesterday,

    http://www.theverge.com/2014/7/22/5927917/the-worlds-most-secure-os-may-have-a-serious-problem


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    bedlam wrote: »
    i2p has a bug in it, i2p is included in Tails but off by default. It also requires js to be enabled (on by default though) so quite a small scope.

    How do you know this? Is this the bug from article above?


  • Posts: 0 [Deleted User]



    zzz on i2p
    Reported vuln. is JS+XSS. Noscript or disabling JS should prevent. Continuing investigation.
    7/24/14, 3:29 AM
    https://twitter.com/i2p/status/492134415934697473


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    03.30 today.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    Thanks RF, but given the alternatives I'll take my chances pending an update! :)

    Edit: All joking aside, there is much to recommend TAILS over the regular Tor browser inasmuch as your entire connection is Torified and also as a "live" system traces of your browsing activity will disappear minutes from the time you shut down the machine, unless of course you choose to save files elsewhere, e.g. onto an encrypted USB stick.

    Perhaps a discussion for another thread but as I'm sure you all know it's helpful to take a layered approach to your security.

    I have a dedicated smartphone with a pay as you go SIM chip inside it, which I use to connect to Tor. I buy a new SIM chip every month and load it up with cash. This is by no means a perfect system as many stores have security cameras and also I have to buy new SIM chips in bulk from eBay which is potentially traceable but compared to using public WiFi (ugh!) or my home connection, it's much more preferable.

    I've said it before in the PRISM thread that the fact that exploits and vulnerabilities are found in privacy tools isn't a reason to burst into tears over our morning porridge and go live in a cave somewhere - 100% security isn't realistic but then neither is 100% surveillance of everyone at all times.

    As such, your theoretically insecure methods for staying anonymous can be perfect in practice.

    All the same I think it's about time TAILS was updated! :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    bedlam wrote: »
    portal > tails/liberte > tbb > browser

    Tails still has the possibility of leaking data as we've seen. With an appliance doing the Tor in front of your computer it is much harder to leak your whereabouts.



    What is the point in this? By the sounds of it you are still the same phone with all these SIMs so you've now got one IMEI associated with a constant changing list of SIMs. Burner phone + SIM or don't bother.

    Hi bedlam,

    I'd rather not go into too many details but suffice it to say the IMEI isn't a problem! If you want more details, feel free to send me a private message, I'd be happy to tell you more.

    When you say an 'appliance doing the tor in front of your computer', how do you mean? You mean a separate device like an Android tablet or similar? It's certainly worth considering, although I like the idea of no data persistence.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    bedlam wrote: »
    Why not here, PM or here, none of it's exactly private?



    I mean a portable Tor router: you connect the appliance to the network, which is set up to Torify all traffic. The appliance is used as your device(s) gateway and as a result all traffic is routed over Tor.

    Portal
    PortalofPi
    PortalofRasbian
    Video explanation




    There's nothing to stop you using a bootable OS to connect through portal

    Hi bedlam,

    I'm afraid this is something I can't discuss on here as changing your IMEI is technically illegal. As a moderator, I'm sure you understand. :)

    I think the idea of a Tor router is an excellent one - I saw the article a few months back about a Raspberry Pi router but sadly haven't the time, would be a very fun project though.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    bedlam wrote: »

    Why not here, PM or here, none of it's exactly private?
    Edit: scratch that, don't want to be encouraging the posting of changes to a phone that may be a grey area legally.

    Good man. :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    bedlam wrote: »
    Thanks, but it was not as a result of your comment, it was a ninja edit <30 seconds after posting.

    In any case it's unnecessary to do it if you have your own Tor router! :)


  • Registered Users Posts: 203 ✭✭industrialhorse


    http://news.sky.com/story/1307456/russia-offers-reward-to-anyone-who-cracks-tor

    This may be proof that all is not so well between the Russian authorities and Edward Snowden, as he is an outspoken champion of the technology.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    http://news.sky.com/story/1307456/russia-offers-reward-to-anyone-who-cracks-tor

    This may be proof that all is not so well between the Russian authorities and Edward Snowden, as he is an outspoken champion of the technology.

    Perhaps if they have a reward program for finding bugs it will prove an incentive for people to keep Tor safer?

    As mentioned above it seems the NSA had no joy with decrypting Tor, it would also seem that GCHQ in the UK have developed a bespoke version of it so I'm optimistic the Russians won't succeed any time soon. Still, constant vigilance and all that! :-)


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard



