No stranger to scrutiny, the Tor network was dealt another set of blows this week when not only were two new proof-of-concept...
vulnerabilities disclosed, but also an alternative onion router network made the news.
Tor has received a bad rap lately; the anonymity network is often associated with illegal and illicit dealings alongside its legitimate ability to protect journalists, activists and oppressed users, as well as other privacy-seeking folks.
But it's not just a select group of Tor's estimated 2.5 million daily users causing the problem. Tor anonymity is now being called out by a group of researchers who claim they can -- with 88% accuracy -- determine the Tor services and websites a user accesses … all without breaking Tor's strong encryption.
In a proof-of-concept attack published this week, researchers from MIT and the Qatar Computing Research Institute claimed through traffic fingerprinting they were able to infer a hidden server's location and the source of information being accessed by Tor users -- all by analyzing the traffic patterns of encrypted data passing over the all-volunteer Tor network.
The attack only works, however, if an adversary's computer serves as the "guard" computer in a Tor circuit.
"For a while, we've been aware that circuit fingerprinting is a big issue for hidden services," said David Goulet, project developer at The Tor Project Inc. "This paper showed that it's possible to do it passively, but it still requires an attacker to have a foot in the network and to gather data for a certain period of time."
Researchers also found through traffic analysis that machine learning algorithms could with 99% accuracy determine whether the circuit was an ordinary Web-browser circuit, introduction-point circuit or rendezvous-point circuit.
The group also offered defense tactics. "We recommend that they mask the sequences so that all the sequences look the same," Mashael AlSabah, researcher at Qatar Computing Research Institute, said. "You send dummy packets to make all five types of circuits look similar."
According to the MIT News article, the fix was suggested to Tor project representatives, who may add it to a future version of Tor.
"We are considering their countermeasures as a potential improvement to the hidden service," Goulet said. "But I think we need more concrete proof that it definitely fixes the issue."
The research will be presented at the USENIX Security Symposium in August.
Tor anonymity erased with behavior profiling
Security researchers Per Thorsheim and Paul Moore separately published details about how behavior biometrics can threaten user privacy, throwing the promise of Tor anonymity out the window.
The pair developed Keyboard Privacy, a Google Chrome extension that "interferes with the periodicity of everything you enter into a website" to prevent behavioral profiling and help maintain privacy.
In his post, Moore described using the extension to protect an online banking profile created over Tor using the extension.
HORNET -- a Tor alternative?
In other Tor news, researchers from the Swiss Federal Institute of Technology and University College London introduced an alternative onion network dubbed HORNET. Short for high-speed onion routing at the network layer, it offers the same promise of anonymous browsing, but with better scaling, stronger privacy and higher speed -- researchers claimed it can process anonymous traffic at over 93 Gbps. Researchers also said each HORNET node can process anonymous traffic for "a practically unlimited number of sources."
Like Tor, HORNET uses a group of relay nodes to mix and encrypt traffic -- and hide users' locations and IP addresses -- in layers to ensure anonymity. However, researchers say it is not plagued with the decreased speed that Tor and other anonymity networks regularly experience.
The low-latency onion routing system "uses only symmetric cryptography for data forwarding, yet requires no per-flow state on intermediate nodes," researchers wrote.
"Unlike other onion routing implementations, HORNET routers do not keep overflow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added.
"It is designed to be highly efficient; instead of keeping state at each relay, connection state -- such as onion layer decryption keys -- is carried within packet headers, allowing intermediate nodes to quickly forward traffic for large numbers of clients."
Because the system does not store per-session states, it also provides "stronger security guarantees" than other onion network options.
The researchers also claimed it is less vulnerable to identity-revealing attacks, such as session linkage and packet correlation. However, it is not completely immune to attack; confirmation attacks leveraging flow analysis, timing analysis and packet tagging can potentially be successfully executed to determine identity. "However," researchers wrote, "HORNET raises the bar of deploying such attacks for secretive mass surveillance: the adversary must be capable of controlling a significant percentage of ISPs often residing in multiple geopolitical boundaries, not to mention keeping such massive activity confidential."
Users should not jump on the bandwagon yet, however; HORNET has not yet been peer-reviewed.
In other news
- The state of Android security took multiple hits this week, but a new report found the issue may not be as bad as some make it out to be. In a blog post published Monday, seven flaws collectively known as the Google Stagefright Media Playback Engine Multiple Remote Code Execution vulnerabilities were described, all of which affect an Android device's media playback component called Stagefright. Exploitation of any of the seven flaws involves an adversary sending specially crafted media files via MMS to targets. If successful, the attack could result in remote code execution. The scary part of the flaw, said Joshua Drake, researcher at Zimperium zLabs, is that only a telephone number is needed to complete the attack -- victims don't need to take any action. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited," Drake wrote. "Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual -- with a trojaned phone." Drake notified Google of the flaws in April and May; Google subsequently released a patch on May 8. However, devices are still at risk until carriers and manufacturers roll out the patch. Users are urged to disable automatic retrieval of multimedia messages, exercise caution when opening multimedia messages and apply patches as soon as they are received. Approximately 95% of Android devices -- or 950 million -- are reportedly exposed to the flaw. Drake's research will be presented at Black Hat on August 5 and at DEF CON on August 7.
- Similar to the Stagefright vulnerabilities, Trend Micro Inc. researchers separately published a blog post this week describing a new Android vulnerability that renders a device "apparently dead -- silent, unable to make calls, with a lifeless screen." The vulnerability lies in the mediaserver service Android uses to index media files. If mediaserver attempts to process a Matroska file, the device could potentially crash. Devices can be infected by downloading a malicious app or through a specially crafted website. The flaw, caused by an integer overflow, leaves victim devices "totally silent and non-responsive" -- no ring tone, text tone or notification sounds, a low or non-responsive user interface, and -- if the phone is locked -- it won't unlock. The flaw affects Android 4.3 through 5.1.1, which account for approximately half of all Android devices in use today. Trend Micro researchers reported the issue to Google in May. While the company acknowledged the flaw as a low-vulnerability risk, it has not yet released a patch. Users are urged to boot devices in safe mode and use on-device security technology to prevent the threat until a patch is released.
- Not all on the Android horizon is grim, at least not when backed with research from the Q2 2015 Malware and Vulnerability Report released by 360 Mobile Security Limited this week. In analysis of more than 200 million Android devices, researchers found only one out of every 100 devices -- or 1.4% -- across the globe was affected by malware. This finding is consistent with Google's research in the Android Security Report released in April. The 360 Mobile researchers also concluded that only .2% of devices in the U.S. were infected by malware in Q2 2015. However, of the .2% of devices infected, 62% contained privacy-stealing malware. The report also highlighted the importance of upgrading to recent versions of the Android OS; despite low malware infections, researchers found Android devices are subject to other vulnerabilities if not kept up to date. For example, 81.2% of all Android devices version 4.4 and earlier are exposed to the TowelRoot Linux bug, while 38.1% of all Android devices version 4.3 and earlier are exposed to the AOSP Browser vulnerability, and 38.1% exposed to Masterkey vulnerability.
- The Xen Project released an update to fix a host escape flaw in Xen hypervisor. If exploited, the flaw dubbed CVE-2015-5154 could potentially allow a privileged guest to bypass security controls, as well as infiltrate and execute code on the host operating system. The flaw involves the CD-ROM drive emulation feature of QEMU, an open source emulator used by Xen, KVM and other virtualization platforms. While not as serious as the similar VENOM vulnerability disclosed and patched in May, Xen Project researchers recommend updating the issue as soon as possible. All systems running x86 HVM guests without stubdomains are vulnerable; systems not configured to emulate a CD-ROM drive inside the OS are not affected. Xen Project researchers suggest avoiding the use of emulated CD-ROM devices altogether, or enabling stubdomains.
- The U.S. government's proposed amendments to the Wassenaar Arrangement are being sent back to the drawing board after a meeting with industry stakeholders Wednesday. A U.S. Department of Commerce spokesman told Reuters that "a second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn." The changes -- which aimed to limit the export of technologies related to intrusion and traffic inspection -- were met with much criticism by the security community after a 60-day comment period was announced in May. The Commerce Department spokesman, who declined to give his name, told Reuters the comments received will be "carefully reviewed and distilled" in a process that will likely "take months."
Does Tor use pose an enterprise risk? Find out here