Monday 17 November 2014

Tor users' anonymity at risk from network analysis attacks

Fresh concerns erupt about Tor privacy
The Tor Project has moved to counter fresh research suggesting that hackers and law enforcement could identify over 80 percent of Tor users by mounting network analysis attacks.
Professor Sambuddho Chakravarty, from the Indraprastha Institute of Information Technology in Delhi, reported the finding in a research paper entitled "On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records".
"A powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections," read the paper.
The specific network analysis technique used in the research reportedly works by "identifying pattern similarities in the traffic flows entering and leaving the Tor network using statistical correlation".
Chakravarty's research team reported that tests on a public Tor relay showed the technique could identify most users.
"Our method revealed the actual sources of anonymous traffic with 100 percent accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4 percent for the real-world experiments, with an average false positive rate of 6.4 percent," read the paper.
The research caused concerns in the Tor community and led project member 'Arma' to publish a blog post allaying their fears.
The post pointed out that the Tor Project has been aware of the threat posed by network analysis attacks and has already implemented adequate safety measures.
"People are starting to ask us about a recent tech report from Sambuddho's group about how an attacker with access to many routers around the internet could gather the netflow logs from these routers and match up Tor flows," read the post.
"It's great to see more research on traffic correlation attacks, especially on attacks that don't need to see the whole flow on each side. But it's also important to realise that traffic correlation attacks are not a new area."
The research follows wider concerns about possible security holes in the Tor network after law enforcement agencies successfully tracked and shut down several dark web services earlier in November.
The method used by law enforcement to track the services remains unknown, although Arma said it is unlikely that the agencies used traffic analysis attacks.
"We don't have any reason to think that this attack, or one like it, is related to the recent arrests of a few dozen people around the world," read the post.

Hacker Hammond's laptop protected by pet password

Former LulzSec member Jeremy Hammond - once the FBI's most wanted and charged with hacking security firm Stratfor - seems to have failed to prevent police from accessing his laptop because of a poor password.
During a police raid in March 2012 he raced through a friend's Chicago home to shut and lock his laptop.
But the effort appears to have been in vain, Hammond, 29, told the Associated Press, as his password was both short and predictable: 'Chewy123', taken from the name of his cat.
"My password was really weak," Hammond said from Manchester Federal Prison.
According to one password strength tool, that password had 25.6 bits of entropy and was graded very weak. In practice it was weaker still, since a password built from personal details is easier to guess.
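To show why a charset-size estimate overstates a password like this one, here is an added example (not from the article or from the strength tool it cites) that scores 'Chewy123' under a naive charset model and under a constructed pattern model that recognises a dictionary word followed by a digit run. The mini-dictionary, its ranks and the cost rules are assumptions, so the figures will not match the tool's 25.6 bits, but the gap between the two models is the point.

```python
import math
import re

# Constructed mini-dictionary (word -> frequency rank); a real checker such as
# zxcvbn ranks tens of thousands of words, names and keyboard patterns.
DICTIONARY = {"password": 1, "welcome": 12, "monkey": 30, "chewy": 1200}


def naive_bits(pw: str) -> float:
    """Charset model: log2(alphabet_size ** length), treating every character as random."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def digit_run_bits(digits: str) -> float:
    """A consecutive run such as 123 or 987 costs only a start digit and a direction
    (20 guesses); any other digit string costs 10 ** length guesses."""
    steps = {ord(b) - ord(a) for a, b in zip(digits, digits[1:])}
    if len(digits) >= 3 and steps in ({1}, {-1}):
        return math.log2(20)
    return len(digits) * math.log2(10)


def pattern_bits(pw: str) -> float:
    """Pattern model: a dictionary word (plus a casing cost) followed by digits.
    Falls back to the charset model when the password does not fit the pattern."""
    m = re.fullmatch(r"([A-Za-z]+)([0-9]*)", pw)
    if not m or m.group(1).lower() not in DICTIONARY:
        return naive_bits(pw)
    word, digits = m.groups()
    bits = math.log2(DICTIONARY[word.lower()])  # guesses needed to reach the word
    if word != word.lower():
        # Capitalising only the first letter doubles the guesses (1 bit); arbitrary
        # casing is charged one bit per letter.
        bits += 1.0 if word[1:].islower() else float(len(word))
    if digits:
        bits += digit_run_bits(digits)
    return bits


if __name__ == "__main__":
    for pw in ("Chewy123", "Chewy472", "xq7Rv2Lp"):
        print(f"{pw}: charset {naive_bits(pw):.1f} bits, pattern {pattern_bits(pw):.1f} bits")
```

Under the charset model 'Chewy123' looks like a respectable 47.6-bit password; once the cat's name and the 123 run are priced as a dictionary word plus a sequence, the same string drops to about 15.5 bits.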
Hammond, who was undone by fellow LulzSec hacker turned FBI informant Hector Xavier Monsegur, was sentenced to the maximum of 10 years in prison under his guilty plea deal.
Hammond says the Stratfor hack involved a dozen people, including the still-unnamed instigator. A cache of 5.2 million emails and account data on 860,000 people, along with 60,000 credit cards, leaked to the web.
It revealed alleged surveillance by the intelligence contractor on Occupy Wall Street protesters, explosive diplomatic and military allegations including that Israel and Russia exchanged drone and missile codes sold to Georgia and Iran, and corporate spying on activists.
Hammond recapped the motivations behind his activism and his later hacking of corporate and government infrastructure, and, given the damage done by the small but talented LulzSec outfit, pondered the harm that trained state-sponsored hackers could cause.
"If I was capable of doing these things on my own or with my team, what about a well-financed team that trained for years?"

State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED

The State Department has suspended its unclassified email system in response to a suspected hacking attack.
The unprecedented shutdown on Friday was reportedly applied to give technicians an opportunity to repair possible damage, as well as to apply security improvements. A senior department official said possible problems were detected at around the same time as a previously reported attack on the White House computer network in late October.
Classified systems were NOT affected, according to the unnamed official, who was not authorised to speak and requested anonymity.
However, access to public websites from the State Department's main unclassified system has been affected. The official US State Department website is up and running.
The extent of the possible breach, much less who might be behind it, remains unclear from early reports (CNN and the NY Times, following up on an initial report by AP). The State Department reportedly expects to have the system back up and running by either Monday or Tuesday.
In the two weeks or so since the White House attack became public other US government agencies, including the US Postal Service and the National Weather Service, have reported attacks.
Russian hackers are the main suspects in the White House breach while the breaches at NOAA and the Postal Service are thought by some to be the work of Chinese hackers. Security watchers suspect the hidden hand of nation states is behind the run of attacks on US government systems.
"To me this looks like hacking groups - either independent or state sponsored - in reconnaissance phase, probing government agency networks to identify vulnerabilities and what data they can access," Ken Westin, a security researcher at security tools firm Tripwire writes. "Although no damage has been inflicted on these systems, the outages do have an impact and could be a precursor to a more organised attack."

Fasthosts outage blamed on DDoS hack attack AND Windows 2003 vuln

Fasthosts' five-hour collapse today has been blamed on a Distributed Denial of Service attack and a security flaw spotted on its Windows 2003 shared web server kit.
The company explained the torrid morning it had suffered in an emailed statement to The Register.
Earlier today, after we reported that Fasthosts had gone titsup, Reg reader x2uk suggested that the firm had been targeted by hackers.
"Some of our customers' domains seem to have been shifted onto their DNS overnight which may mean something nefarious is afoot," he told us.
Fasthosts finally responded to our questions just as it was telling its biz customers on Twitter that the service was coming back to life.
It said:
As a result of a denial-of-service attack, Fasthosts shared hosting customers experienced a loss of DNS performance, and as a result, periods of website downtime.
In accordance with its procedures, Fasthosts acted swiftly to resolve the root cause, and has now implemented measures to return the majority of its hosting customers back to full performance.
We apologise for any disruption incurred by our customers this morning as a result of this issue. If any customer has outstanding issues, we ask that they contact our technical support team who will assist them.
Incredibly, the company's strife didn't end there: it has also been battling a serious security hole in its Microsoft servers. Fasthosts said:
As a result of our routine and extensive security monitoring, Fasthosts today identified a vulnerability specific to part of its Windows 2003 shared web server platform.
The small affected proportion of our large hosting platform was immediately isolated, and work is being undertaken to investigate and fix the issue as swiftly as possible.
As a precautionary measure, some shared hosting servers on this specific platform have been taken offline, resulting in a small proportion of our hosting customers experiencing downtime. All efforts are being focused on returning this platform to service.
Fasthosts added that "the security of our customer data remains of paramount importance to us." It claimed to have "excellent levels of security monitoring, systems and resources to keep our customers’ data safe from threats."
However, the company made no mention of compensation for businesses affected by Monday morning's outage.
"We apologise unreservedly for the inconvenience caused to those customers affected today, and we remain committed to providing the highest possible standards of service," Fasthosts said.

Three WireLurker suspects arrested in China – reports

Three people suspected of involvement in the WireLurker malware campaign have been arrested in China, according to reports.
The suspects – whom the Beijing Public Security "internet" unit named only as Chen, Lee and Wang – were apparently arrested in the Beijing area following an investigation assisted by local security firm Qihoo 360.
The Beijing Municipal Public Security Bureau has published a brief statement on the arrests (in Mandarin).
WireLurker is a hybrid malware strain that targets either Mac OS X or Windows users with a malicious binary that poses as an app. It then hops from an infected host onto an iOS device over a USB connection.
It is able to propagate to the iOS device (even if it is not jailbroken) by leveraging enterprise provisioning profiles to bypass other iOS security checks. It can also infect jailbroken iThings.
The malware, first discovered by security researchers at Palo Alto Networks, harvests data from infected iPads or iPhones before uploading it to a command & control server on the Maiyadi iOS app store. Data snaffled included phone book addresses, numbers, Apple IDs, UDIDs and data from the device storage.
The command node was quickly pulled. Although Trojanised apps that spread WireLurker were downloaded hundreds of thousands of times, the actual number of infections recorded by security firms such as Kaspersky Lab were relatively few.
WireLurker shattered the conventional wisdom that non-jailbroken iThings are incapable of being infected by malware.