Pierluigi Paganini July 26, 2014

The co-creator of the Tor network confirmed that the Tor Project team is working to identify and fix the bug announced by researchers at Carnegie Mellon.

Tor network is a system designed to anonymize user’s experience on the web, allowing the publishing of content in the part of web non indexed by search engines, dubbed DeepWeb.

A few weeks ago, researchers  from Carnegie Mellon University’s computer emergency response team (Cert), Alexander Volynkin and Michael McCord, announced that they are able to de-anonymise users Tor users and planned to reveal their discovery during the next Black Hat Conference in August.

We were all waiting for the presentation when the organization of the BlackHat had been contacted by the university’s lawyers which informed it that the researchers will not participate in the event.

“Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release,” states the message posted on the official website of the event.

“In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the BlackHat Webpage.”

“I think I have a handle on what they did, and how to fix it. We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything. The main reason for trying to be delicate is that I don’t want to discourage future researchers from telling us about neat things that they find. I’m currently waiting for them to answer their mail so I can proceed.” “Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world.” he added.

Christopher Soghoian, principal technologist with the American Civil Liberties Union, has speculated that the researchers might have feared to be sued by criminal prosecution for illegal monitoring of Tor exit traffic.

“Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes,” he added.

The reality is that law enforcement agencies and intelligence all over the world are trying to develop capabilities to track users in the deepweb, and in particular on Tor networks. Hacking Tor is a goal for many Intelligence agencies as demonstrated also by the collection of documents leaked by Edward Snowden, that explicitly refers to a project named ‘Tor Stinks’ which has the scope to track Tor users.

Last year the FBI exploited a zero-day flaw in the Firefox browser to identify Tor users for its investigation on child-pornography. The exploit was based on a Javascript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server exposing the victims’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network.

The security expert and exploit developer Vlad Tsyrklevich analyzed the JavaScript code’s payload noting that it connects to a server to send back the user’s data.

“Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash.“

The code is considered the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” aka CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Recently German broadcaster ARD reported that NSA experts were monitoring two Tor directory servers in Germany to de-anonymize IP addressed of Tor users using them.

What’s about Russians?

Russia’s Interior Ministry has posted a tender to recruit companies and organization which are interested to “study the possibility of obtaining technical information about users (user equipment) TOR anonymous network”.

We will never know why these researchers have cancelled their participation to the BlackHat, but the unique certainty is that government are spending a huge effort to track users on anonymizing network and probably they have exploited and are exploiting zero-day flaws in these systems.

Pierluigi Paganini

Security Affairs –  (Tor, hacking)