Our valued sponsor

Timing analyses by Law enforcement agencies undermine Tor anonymisation

gh0p

Network Samurai
Mentor Group Gold
Feb 13, 2024
67
151
18
Net
Register now
You must login or register to view hidden content on this page.
I didn't see anyone post or discuss the news about Tor here it is. Quoting ease of read and future preservation.

https://blog.torproject.org/tor-is-still-safe/
We are writing this blog post in response to an investigative news story looking into the de-anonymization of an Onion Service used by a Tor user using an old version of the long-retired application Ricochet by way of a targeted law-enforcement attack. Like many of you, we are still left with more questions than answers--but one thing is clear: Tor users can continue to use Tor Browser to access the web securely and anonymously. And the Tor Network is healthy.


Please note, that for the great majority of users worldwide that need to protect their privacy while browsing the Internet, Tor is still the best solution for them. We encourage all Tor users and relay operators to always keep software versions up to date.


From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack. This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the vanguards addon, which were introduced to protect users from this type of attack. This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022.


Vanguards-lite, released in Tor 0.4.7, protects against the possibility of combining an adversary-induced circuit creation with circuit-based covert channel to obtain a malicious middle relay confirmed to be next to the user's Guard. Once the Guard is obtained, netflow connection times can be used to find the user of interest. In this case, the netflow attack could proceed quickly, because the attacker was able to determine when the user was online and offline due to their Onion Service descriptor being available, combined with the low number of users on the discovered Guard.


Responsible Disclosure​


In contrast to the CCC, Chaos Computer Club, who was provided access to the documents related to the case and was able to analyze and validate the reporter's assumptions, we were only provided a vague outline and asked broad clarifying questions that left us with uncertainty of the facts, and questions of our own. While we appreciate the journalist contacting us, this same access was not given to the Tor Project.


Given the potential risk to our users, we decided to go public. We requested that anyone with additional information about the case share it with us. This would allow us to conduct our own analysis and determine the best course of action to protect our users.


To be clear, The Tor Project did not intend to ask for the sources of the story, but sought to understand what evidence existed for a de-anonymization attack to accurately respond to the investigating reporter's questions and assess our disclosure responsibilities. And we continue to have an interest in obtaining more information about how Onion Services users were de-anonymized. If we had access to the same documents as CCC, it would be possible to produce a report with more clarity regarding the actual state of the Tor network and how it affects the great majority of its users.


We need more details about this case. In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users.


We are calling for more information from you.​


If you have any information that can help us learn more about this alleged attack, please email [email protected].


If you want to encrypt your mail, you can get the OpenPGP public key for this address from keys.openpgp.org. Fingerprint: 835B 4E04 F6F7 4211 04C4 751A 3EF9 EF99 6604 DE41


Your assistance will help all of us take the necessary steps and precautions to keep Onion Services safe for the millions of users that rely on the protections Tor provides.


A healthy network​


It is important to note that Onion Services are only accessible from within the Tor network, which is why the discussion of exit nodes is irrelevant in this case. But we would like to share that the number of exit nodes has significantly increased over the past two years, with over 2,000 now available. To the best of our knowledge, the attacks happened between 2019-2021.


While it is fair to question the concentration of these nodes in certain countries or operations, this has very little to do with the described attack from what we learned in the articles published so far. The attacks occurred on an old version of the long-retired application Ricochet that lacked new features The Tor Project has released since to mitigate against the kind of 'timing' analysis described in the articles. The most current versions of Ricochet-Refresh have such protections in place.


Another important thing to mention is the longevity of the user connection for such 'timing' analysis to be successful. A Tor Browser user that does not maintain its connection for a long time, is less vulnerable to such analyses.


After the period of the attacks described to us, 2019-2021, our Network Health team has flagged thousands of bad relays which the Directory Authorities then voted to remove. Those included many that would come from a single operator or tried to enter the network in large scales. The Network Health team has implemented processes to identify possible large groups of relays that are suspected to be managed by single operators and bad actors and not allow them to join the network.


The Tor Project knows that diversity of relays is a pressing issue for the Tor community and we are having many conversations with our community and relay operators about this subject to understand how we can address common pain points together.


Over the last year alone, we've launched a number of new initiatives such as the EFF's Tor University Challenge and the introduction of the Tor's network health API at DEF CON 32 earlier this year. Tor's bandwidth has actually increased substantially in recent years, as shown in this link: Traffic – Tor Metrics. This means the Tor network is faster than it has ever been. And we continue to conduct outreach campaigns and efforts to grow the network.


You can help​


We encourage those who can to volunteer and contribute bandwidth and relays to grow and diversify the Tor network. By ensuring hardware, software, and geographic diversity of the Tor network, we can continue to significantly minimize the potential for abuse and surveillance on the Tor network--and make guard attacks even harder to execute. As far as the Tor community is concerned, the best way to ensure network health, protect users and relay operators is keeping Tor software up to date and following the guidance that we publish on the Tor Project's official channels.


It is important to remember that Tor is one of the few alternatives that provide a vision and actionable model for a decentralized Internet that make this sort of attack impractical for those who seek to surveil a large portion of internet users. Yet, as of today, Tor is still bound by the limitations of an internet ecosystem that is predominantly owned and governed by only a handful of large corporations.
The reports mentioned are these two links

Investigations in the so-called darknet: Law enforcement agencies undermine Tor anonymisation


Stand: 18.09.2024 11:25 Uhr

The Tor network is considered the most important tool for surfing the internet anonymously. Law enforcement agencies have apparently begun to infiltrate it in order to expose criminals. They have been successful in at least one case.


von Robert Bongen and Daniel Moßbrucker


The journalists Daniel Moßbrucker and Robert Bongen. © Screenshot
Panorama reporter Daniel Moßbrucker and Robert Bongen.
Law enforcement agencies in Germany sometimes have servers in the Tor network surveilled for months in order to deanonymise Tor users. Sites on the so-called darknet are particularly affected. This is revealed by research conducted by the ARD political magazine Panorama and STRG_F (funk/NDR). According to the research, the data obtained during surveillance is processed in statistical procedures in such a way that Tor anonymity is completely cancelled out. Reporters from Panorama and STRG_F were able to view documents that show four successful measures in just one investigation. These are the first documented cases of these so-called ‘timing analyses’ in the Tor network worldwide. Until now, this was considered practically impossible.


Largest anonymisation network in the world


Tor is the world's largest network for anonymous internet browsing. Tor users route their connection via servers, known as Tor nodes, to disguise what they are doing: Using the Tor browser, they can navigate websites on the internet anonymously or access pages on the so-called darknet. There are currently almost 8,000 Tor nodes in operation in around 50 countries. Around two million people use it every day.


It is popular among journalists and human rights activists, especially in countries where the internet is censored. In Germany too, media organisations, including NDR, operate anonymous ‘mailboxes’ on the Tor network so that whistleblowers can transmit data securely. Deutsche Welle, for example, has made its website accessible on the darknet in order to escape censorship in some countries.


Infiltration of the Tor network


However, anonymity also attracts criminals who use Tor to carry out cyber attacks or operate illegal marketplaces on the darknet, for example. For years, Tor has been a technically almost insurmountable hurdle for investigative authorities. Research by Panorama and STRG_F has now revealed that they have apparently recently expanded their strategy to overcome Tor. This requires surveilling individual Tor nodes, sometimes for years.


The logic behind the measure, which experts call ‘timing analysis’: The more nodes in the Tor network are surveilled by the authorities, the more likely it is that a user will attempt to disguise their connection via one of the monitored nodes. By timing individual data packets, anonymised connections can be traced back to the Tor user, even though data connections in the Tor network are encrypted multiple times.


‘Ricochet’ chat service as a trap


According to research by Panorama and STRG_F, the German Federal Criminal Police Office (BKA) and the Public Prosecutor General's Office in Frankfurt am Main were successful with this method: in the investigation against the paedocriminal darknet platform ‘Boystown’, they succeeded several times in identifying Tor nodes that were used by one of the people behind the operation to anonymise themselves.


The website Boys Town. © Screenshot
In the investigation against the pedo-criminal darknet platform "Boystown" the German Federal Criminal Police Office (BKA) managed to identify Tor nodes that helped one of the people behind it to anonymize themselves.
For example, the BKA twice investigated Tor nodes used by platforms operated by the then ‘Boystown’ administrator Andreas G. to connect to the Tor network. This involved, for example, a chat in which leading members of various paedocriminal forums exchanged information. On two occasions, it was also possible to identify so-called ‘entry servers’ from the chat service ‘Ricochet’, which G. used - it was a breakthrough for the BKA. For the final identification, the district court (Amtsgericht) of Frankfurt am Main finally obliged the provider Telefónica to find out from all o2 customers which of them connected to one of the identified Tor nodes. The investigation led to the arrest of Andreas G. in North Rhine-Westphalia. In December 2022, he was sentenced to many years in prison. The judgement is not yet final.


Increasing international cooperation


The BKA received crucial information in the ‘Boystown’ case from the Netherlands. Apparently no coincidence: In Germany, the Netherlands and the USA the most Tor nodes are operated. The responsible public prosecutor's office in Frankfurt am Main said on enquiry that it would neither confirm nor deny a ‘timing analysis’ in the ‘Boystown’ case. The Federal Criminal Police Office (BKA) also declined to comment.


However, reporters from Panorama and STRG_F were able to speak to people who have independent knowledge of the widespread monitoring of such Tor servers. The number of surveilled Tor nodes in Germany is said to have risen sharply in recent years. The recorded data also suggests that these are likely to be used for ‘timing analyses’. Experts who were able to view research documents from Panorama and STRG_F independently confirmed the research results. Matthias Marx, one of the spokespersons for the Chaos Computer Club (CCC), explains: ‘The documents in conjunction with the information described strongly suggest that law enforcement authorities have repeatedly and successfully carried out timing analysis attacks against selected Tor users for several years in order to deanonymise them.’


A major blow for the Tor Project


The revelations are a major blow for the Tor Project. The non-profit organisation based in the USA, which aims to ensure the maintenance of the anonymisation network, stated on request that it was not aware of any documented cases of ‘timing analysis’. So far, however, there was nothing to suggest that the Tor browser had been attacked, a spokesperson of the organization said: ‘Tor users can continue to use Tor Browser to access the web securely and anonymously.’ A representative of ‘Ricochet’, which is now called ‘Ricochet Refresh’, said that she was not aware of any other cases of deanonymized users. The software has been improved in recent years and is one of the safest ways to communicate online, she said.


Matthias Marx from the CCC warns of the consequences of the measure: ‘This technical possibility exists not only for German law enforcement authorities to prosecute serious criminal offences, but also for unjust regimes to persecute opposition members and whistleblowers. The Tor project is therefore now under pressure to improve anonymity protection.’

Tor lists [tor-relays] [Important] Update on an upcoming German broadcasting story about Tor/Onion Services


A lot of instances where Tor and Tor onion services have been located are unexplained from high profile cases to less known ones. If we combine some of the attacks on Monero too (This is how Monero transactions are traced) suddenly a Tor+Monero solution doesn't cut it for anyone but the completely regular Tor user. High and higher value targets who expect scrutiny from the upper echelons of law enforcement or corporate surveillance teams with deep pockets, shouldn't be surprised when each individually or both together are put under intense breaking efforts.

Back when I launched GH0P Security & Business I provided a sample text which encompasses very well the current situation and is absolutely true then and is now.

Tor is not as secure as you might think. Enabling VPNs or proxies doesn't solve the problem. XMR (Monero) is not as secure as you might think if you are a big target. Reference: Breaking Monero series.

No technology gives bulletproof or fool-proof security. Understanding that is critical in my opinion as it can give you a way to create stronger security by for example one of the core principles I teach which is layering. Security layering for a user or business can't only give multiple fail-safes but hedge risk on multi-dimensional field, create a stacking security advantage in any domain including forensics and last but not least utilize the limits of known technology which ultimately results in peace of mind. An example there are things one can do to protect against a combined Tor+Monero attack be it through timing analysis or global eye netflow. Every layer is important and in the instance one, two or three extra protection points would make a huge difference in traceability aspect.

I recommend everyone support with what they can Tor, Monero and other security/anti-surveillance projects. The world is moving fast and safety is becoming a bigger building block than ever to any business or personal desire for true privacy.
 
Last edited:
computer science is a very complex topic, which is divided in two basic areas:
- software
- hardware

working in security means that you have to cover everything.
covering everything, no matter how bad it sounds, is not possible for one person, no matter someone tells you.
the best minds works at universities (with some exceptions), universities are controlled by forces that have unlimited resources. if someone tells you that they, due to their talent, can just overpass all that...you can nearly be sure it is "snake oil".

same goes for medical science.

@0xDEADBEEF, @wellington, @mraleph shared quite interesting information over the last 6 months(you can check it your self, if you search old posts).
i would love to hear somethings from you too, if you are willing to share.

if we had to pick something that is our actual guard for privacy (even though it is a mix of factors), that's cryptography (math). after all, you shared your public key in one of your messages.

i am not good at this, for sure, but what I did is I did my best to inform my self as much as I could without actual scientific knowledge. no reason to question if you guys are better or not, since you are.
instead of watching movies, i like to read about this.
correct what ever I said wrong (any where regarding cybersec, computer science).
 
TOR is multi-hop overlay network.

Like single-hop networks, neither TOR protects traffic at entry and exit - that's design and not a flaw. So, a traffic analysis can be performed with plethora of methods.

This is not a novel matter and was a known known in the industry and not only from

https://css.csail.mit.edu/6.858/2023/readings/tor-traffic-analysis.pdf
It's in public focus because investigative journalists reported it

https://www.ndr.de/fernsehen/sendun...es-undermine-Tor-anonymisation,toreng100.html
To claim that TOR is not usable - no. Not secure and compromised - no. But, users should be advised of its design limitations and act accordingly - and balance between safety and comfort.
 
Last edited:
I didn't see anyone post or discuss the news about Tor here it is. Quoting ease of read and future preservation.

https://blog.torproject.org/tor-is-still-safe/
The reports mentioned are these two links


Tor lists [tor-relays] [Important] Update on an upcoming German broadcasting story about Tor/Onion Services


A lot of instances where Tor and Tor onion services have been located are unexplained from high profile cases to less known ones. If we combine some of the attacks on Monero too (This is how Monero transactions are traced) suddenly a Tor+Monero solution doesn't cut it for anyone but the completely regular Tor user. High and higher value targets who expect scrutiny from the upper echelons of law enforcement or corporate surveillance teams with deep pockets, shouldn't be surprised when each individually or both together are put under intense breaking efforts.

Back when I launched GH0P Security & Business I provided a sample text which encompasses very well the current situation and is absolutely true then and is now.



No technology gives bulletproof or fool-proof security. Understanding that is critical in my opinion as it can give you a way to create stronger security by for example one of the core principles I teach which is layering. Security layering for a user or business can't only give multiple fail-safes but hedge risk on multi-dimensional field, create a stacking security advantage in any domain including forensics and last but not least utilize the limits of known technology which ultimately results in peace of mind. An example there are things one can do to protect against a combined Tor+Monero attack be it through timing analysis or global eye netflow. Every layer is important and in the instance one, two or three extra protection points would make a huge difference in traceability aspect.

I recommend everyone support with what they can Tor, Monero and other security/anti-surveillance projects. The world is moving fast and safety is becoming a bigger building block than ever to any business or personal desire for true privacy.
Have send a few DM's to you without any response ?