On Wednesday, Tor Project announced that they had discovered an attack earlier this month which may have been used to identify anonymous users.
Despite the extensive security measures put in place to safeguard the anonymity of Tor users, the “early relay” attacks may have compromised the identities of some users.
The attackers had allegedly joined the Tor network in January and were consequently removed following the discovery of the attack on 4 July, 2014. Tor notes that anyone using the network throughout this time may have been affected.
“Unfortunately, it’s still unclear what ‘affected’ includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application traffic (e.g. what pages were loaded or even whether users visited the hidden services they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” the Tor Project stated on their blog.
The attack comes in the wake of a cancelled Black Hat conference in conjunction with researchers from CERT division of the Software Engineer Institute (SEI) at Carnegie Mellon University, who were to give a talk exposing ways to deanonymize Tor users.
The CERT division of the SEI at Carnegie Mellon University “works closely with the [US] Department of Homeland Security,” as noted on their website.
“We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how “relay early” cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven’t answered our emails lately, so we don’t know for sure, but it seems likely that the answer to Q1 is ‘yes’. In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was,” the Tor Project reported.
Meanwhile, in a bid to find a way to reveal the identities of anonymous web surfers using the Tor Browser, Russia has launched a competition for cyber security researchers with a cash prize of 3.9 million roubles ($110,000 USD).