Privacy: Tor Network Breached
From the Wall St. Journal:
Tor, a service used to cloak the identity of Internet users, says outsiders breached its network and tried to learn the identities of some users earlier this year.
The service says the attack was likely the work of researchers at Carnegie-Mellon University, who had planned to demonstrate a Tor hack at a conference next week. The talk was cancelled last week.
A Carnegie-Mellon spokesman said, “We don’t have anything to add.” The researchers couldn’t be reached for comment. Carnegie-Mellon lawyers previously said the research project wasn’t yet cleared for public release.
From the Tor Blog:
Unfortunately, it’s still unclear what “affected” includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.
Read the Complete Blog Post
About Gary Price
Gary Price (firstname.lastname@example.org) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com. Gary is also the co-founder of infoDJ an innovation research consultancy supporting corporate product and business model teams with just-in-time fact and insight finding.