

Researchers uncover malicious probing of Tor hidden services

Researchers discovered attempts to snoop on dark web servers through malicious modifications to Tor hidden service directories (HSDirs), the relays that act as gateways to hidden services.

Researchers discovered that as many as 3% of Tor hidden service directories, the relays clients use as gateways to reach hidden servers on the dark web, have been modified in an attempt to discover the hidden services they host.

The researchers -- Amirali Sanatinia, Ph.D. student, and Guevara Noubir, professor at Northeastern University in Boston -- created what they call honey onions, or honions, "to expose when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts." The honions are hidden services whose addresses the researchers publish nowhere, so any connection attempt to one can only have come from a party that learned the address while acting as its HSDir. During the 72 days the honions were deployed, the researchers detected and identified at least 110 snooping relays.

"Tor's security and anonymity is based on the assumption that the large majority of the relays are honest and do not misbehave," the researchers wrote. "Particularly, the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs)."

Although the Tor Project has its own system for detecting bad relays -- relays that either don't work properly or tamper with connections -- Tor Project co-founder Roger Dingledine praised Sanatinia and Noubir's work. "It's especially great to have this other research group working on this topic, since their technique for detecting bad relays is different from our technique, and that means better coverage," Dingledine wrote on the Tor blog.

"As far as we can tell, the misbehaving relays' goal in this case is just to discover onion addresses that they wouldn't be able to learn other ways -- they aren't able to identify the IP addresses of hosts or visitors to Tor hidden services," Dingledine wrote. "The authors here are not trying to discover new onion addresses. They are trying to detect other people who are learning about onion addresses by running bad HSDirs/relays."

Dingledine stressed the new research focuses on detecting activity by attackers that would permit the attackers to discover new onion addresses, and that activity "does not impact the anonymity of hidden services or hidden service clients."

Other Tor troubles

Meanwhile, Tor Project Executive Director Shari Steele reported the results of its investigation into allegations of inappropriate behavior by its former developer and privacy activist, Jacob Appelbaum.

Steele, in a blog post, wrote: "Many people inside and outside the Tor Project have reported incidents of being humiliated, intimidated, bullied and frightened by Jacob, and several experienced unwanted, sexually aggressive behavior from him."

As a result of the investigation, Steele said, two other people were identified "as having engaged in inappropriate conduct, and they are no longer involved with the Tor Project."

In the wake of the investigation, Steele stated, "The Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints and an internal complaint review process."

Steele added: "I also want to note that the Tor Project board just elected a slate of new board members, with significant governance and executive leadership experience. This was a bold and selfless decision by the outgoing board, to whom I am grateful. I am confident the new board will be a key source of support for the Tor Project going forward."

In other news:

  • Two security researchers reported a new way to bypass Windows User Account Control (UAC) that allows attackers to run malicious dynamic link libraries at high integrity on Windows 10. UAC is the Windows mechanism that prompts before a process is granted an elevated (high-integrity) token: administrators confirm the elevation, and standard users must supply an administrator's credentials. Matt Nelson and Matthew Graeber, researchers employed by Veris Group LLC, a cybersecurity consultancy based in Vienna, Va., reported that they discovered a scheduled task, named SilentCleanup, which was configured by default on Windows 10 "to be launchable by unprivileged users, but to run with elevated [or] high-integrity privileges." Nelson and Graeber said Microsoft did not consider the method a vulnerability because "UAC isn't a security boundary, so this doesn't classify as a security vulnerability." They noted their bypass "does allow an attacker an alternate method to move to high integrity that differs from previous bypasses and introduces one more location or chokepoint that must be monitored to observe attacker behavior."
  • SentinelOne, a cybersecurity startup based in Palo Alto, Calif., plans to roll out a cyber threat protection guarantee program, offering its customers "financial support of $1,000 per endpoint, or up to $1 million per company, securing them against the financial implications of a ransomware attack, if the company indeed suffers an attack and SentinelOne is unable to block or remediate the effects," the company stated. The terms and conditions of the guarantee specify that customers hit by ransomware can recover only the actual cost of the ransom, and only if the ransom payment leads to successful recovery of data; business disruption or other "soft costs" are excluded, and only Windows-based endpoints or servers on which the SentinelOne Endpoint Protection Platform product is deployed will be covered.
  • New research points to an even gloomier outlook for cloud app compliance with the recently approved General Data Protection Regulation (GDPR) in the European Union. According to Blue Coat Systems' Elastica Cloud Threat Labs' 1H 2016 Shadow Data Report, which analyzed more than 15,000 cloud apps and 108 million documents, 99% of cloud apps are not GDPR-ready because they fail to provide enough security, compliance controls or features to protect enterprise cloud data. "The vast majority of business cloud apps we analyzed do not meet enterprise standards for security and can put companies at risk for compromise, even though virtually every enterprise uses them," said Aditya Sood, director of security and Elastica Cloud Threat Labs at Blue Coat, based in Sunnyvale, Calif. "This is troubling when you think about the financial risks faced by enterprises due to insecure or noncompliant apps. Understanding which cloud applications your employees are adopting and using is an important step to identifying which apps are business-ready and which apps need to be replaced with more secure alternatives." With the GDPR set to take effect in May 2018, companies that do business in the EU, or process personal data related to any person residing in the EU, must comply with the GDPR or face financial penalties as high as 20 million euros (approximately $22 million) or 4% of the enterprise's annual global turnover, whichever is higher.
  • The European Data Protection Supervisor, an independent European Union supervisory authority whose objective is ensuring EU institutions and bodies respect privacy rights, released an opinion about the ePrivacy Directive that condemned encryption backdoors. "The EDPS recommends that the new provisions for ePrivacy clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications. The EDPS further recommends, as also suggested by the [Article 29 Working Party], that decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited," the agency wrote. Furthermore, the EDPS recommended the use of end-to-end encryption should be encouraged, "and when necessary, mandated, in accordance with the principle of data protection by design."
  • In a text dump on Pastebin, the Petya ransomware gang has apparently released 3,500 keys to unlock files encrypted by the Chimera ransomware project. The dump included a message, which stated, "We now release about 3,500 decryption keys from Chimera," along with a link to another file-sharing website, where the keys were posted in a zip file. The message continued: "It should not be difficult for antivirus companies to build a decrypter with this informations [sic]." In a blog post about the dump, Malwarebytes Labs wrote: "Checking if the keys are authentic and writing a decryptor will take some time -- but if you are a victim of Chimera, please don't delete your encrypted files, because there is hope that soon you can get your data back."
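The SilentCleanup item above describes a pattern rather than a one-off: a scheduled task that runs at the highest run level but can be started by a standard user. The PowerShell audit below is an added example, not code from the article or from Nelson and Graeber, and it does not perform the bypass; it lists tasks on the local machine that match that pattern so they can be reviewed and monitored. It assumes (the article does not say this) that Task Scheduler stores each task's security descriptor as SDDL exposed through Get-ScheduledTask, that the descriptor uses file-style access rights in which FILE_EXECUTE (0x20), GENERIC_EXECUTE (0x20000000) or GENERIC_ALL (0x10000000) is enough to start the task, and that the set of low-privilege SIDs listed is the one worth flagging. The function names are the author's own choice.

```powershell
# Added example (not from the article or the researchers it quotes).
# Lists scheduled tasks that combine an auto-elevated run level ("Highest")
# with a DACL or group principal that lets low-privilege users start them.
# Run from an elevated PowerShell so every task's descriptor is readable.
# Assumption: task SDDL uses file-style rights; any of these bits lets a
# principal start the task.
$StartMask = 0x20 -bor 0x20000000 -bor 0x10000000   # FILE_EXECUTE | GX | GA

# Assumption: these well-known SIDs are the low-privilege principals to flag.
$LowPrivilegeSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-LowPrivilegeStarters {
    param([string]$Sddl)
    # Returns the names of low-privilege principals granted a start-capable
    # right by an access-allowed ACE in the task's DACL.
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $hits = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($LowPrivilegeSids.ContainsKey($sid) -and (($ace.AccessMask -band $StartMask) -ne 0)) {
            $hits += $LowPrivilegeSids[$sid]
        }
    }
    return $hits
}

function Find-AutoElevatingTasks {
    # One object per task that runs at highest run level and is startable by a
    # low-privilege principal, either through its DACL or because the task's
    # principal is a group such as Users (the SilentCleanup pattern).
    foreach ($task in Get-ScheduledTask) {
        if ("$($task.Principal.RunLevel)" -ne 'Highest') { continue }
        $starters       = @(Get-LowPrivilegeStarters -Sddl $task.SecurityDescriptor)
        $groupPrincipal = $task.Principal.GroupId
        if ($starters.Count -eq 0 -and [string]::IsNullOrEmpty($groupPrincipal)) { continue }
        $runsAs  = if ($groupPrincipal) { $groupPrincipal } else { $task.Principal.UserId }
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            RunsAs      = $runsAs
            StartableBy = ($starters -join ', ')
            Actions     = $actions
        }
    }
}

Find-AutoElevatingTasks | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

On a default Windows 10 build the output should include \Microsoft\Windows\DiskCleanup\SilentCleanup; any other entry is a candidate for the same kind of abuse and deserves the same scrutiny. The Actions column is the useful part for detection: it shows the executable and arguments the task runs elevated, so process-creation telemetry can be filtered for that image launching with a high-integrity token outside normal maintenance windows, which is the extra chokepoint the researchers describe.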
