However, the Tor network as a whole cannot be deemed safe, any more than the internet in general can.
Snooping on Tor nodes is not a surprising occurrence: bad exit nodes are discovered now and then, as regular updates from security researchers show.
Last year, an experiment by the researcher Chloe revealed that bad actors were trying to take advantage of Tor users by sniffing traffic passing through exit nodes.
In early 2014, Karlstad University researchers Stefan Lindskog and Philipp Winter revealed the results of a 4-month study they had conducted.
25 Tor nodes were identified and found to have been tampering with web traffic and decrypting it.
They traced the sneaky behavior to an unspecified Russian entity eavesdropping on nodes in the Tor network.
The latest update concerns relays of the Tor network, the network that allows people to visit dark web sites anonymously.
These were not exit nodes but ordinary nodes that sort through the traffic passing through them.
To reach the dark web site they intend to visit, a Tor user typically contacts HSDirs (hidden service directories), whose function is to store the descriptors for the various hidden services.
There are more than 3,1000 nodes bearing the HSDir flag, according to figures given by the non-profit Tor Project, which maintains the Tor software.
If properly configured, these directories do not record or log the addresses of the services themselves, which allows Tor hidden sites to remain undiscovered.
That, however, is only a hope, because an operator can intentionally modify their HSDir to log every dark web site it sees.
Snoop Tor HSDir Nodes Spotted
Guevara Noubir, a professor at the College of Computer and Information Science, and Ph.D. candidate Amirali Sanatinia, both from Northeastern University, discovered a fleet of Tor hidden service directories spying on dark web sites.
The two security experts conducted a study in which they set up honeypots in the Tor network.
They created what they called “honey onions” or “honions”: hidden services whose addresses were not known to anyone, so that a visit to such a site was a good indication that its address had been picked up by a malicious node.
These modified nodes allowed the people running them to find the addresses of websites that are supposed to be hidden.
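The honion method described above, and the HSDir descriptor storage it relies on, can be sketched in code. The following is an added example written for this page; it is not the Northeastern team's or the Tor Project's code. Because the page does not describe the placement mechanism, the example assumes that descriptors sit on a hash ring of HSDir fingerprints, with two replicas each stored by the three HSDirs following the descriptor id (the layout of version 2 onion services); the relay names, the honion names and the single snooping relay (`relay17`) are constructed for the simulation. A modified HSDir logs every address it stores and later visits it, and the attribution step works backwards from the visited honions to the relays that were responsible for storing them.

```python
"""Honey-onion (honion) attribution, a constructed illustration (not the
Northeastern team's code). Assumptions not stated on the page: descriptors
are placed on a hash ring of HSDir fingerprints, each of 2 replicas landing
on the 3 HSDirs that follow the descriptor id (v2 onion service layout);
relay names and the snooping relay are invented for the simulation."""
import bisect
import hashlib

REPLICAS = 2   # assumption: two descriptor replicas per service
SPREAD = 3     # assumption: each replica is stored by 3 consecutive HSDirs


def ring_position(data: str) -> int:
    # SHA-1 places relays and descriptor ids on the same ring (assumption)
    return int(hashlib.sha1(data.encode()).hexdigest(), 16)


class HSDirRing:
    """Which HSDirs learn a given onion address when its descriptor is published."""

    def __init__(self, fingerprints):
        self.ring = sorted((ring_position(fp), fp) for fp in fingerprints)
        self.keys = [pos for pos, _ in self.ring]

    def responsible(self, onion: str) -> frozenset:
        dirs = set()
        for replica in range(REPLICAS):
            # each replica has its own descriptor id, so the replicas land far apart
            start = bisect.bisect_right(self.keys, ring_position(f"{onion}|{replica}"))
            for i in range(SPREAD):
                dirs.add(self.ring[(start + i) % len(self.ring)][1])
        return frozenset(dirs)


def deploy_honions(ring: HSDirRing, n: int) -> dict:
    """Publish n constructed, never-advertised onion names; record who stored each."""
    names = [f"honion{i:04d}.onion" for i in range(n)]
    return {name: ring.responsible(name) for name in names}


def simulate_visits(placements: dict, snoopers: set) -> set:
    """A modified HSDir logs every address it stores and later visits it;
    honest HSDirs never generate a visit. Returns the honions that were hit."""
    return {onion for onion, dirs in placements.items() if dirs & snoopers}


def attribute(placements: dict, visited: set):
    """Return (cover, ratios). cover: greedy minimal set of HSDirs that explains
    every visit (each visited honion was stored by at least one of them).
    ratios: per HSDir, the share of the honions it stored that were visited; a
    relay that probes everything it sees approaches 1.0, an honest one stays low."""
    stored = {}
    for onion, dirs in placements.items():
        for d in dirs:
            stored.setdefault(d, set()).add(onion)
    ratios = {d: len(onions & visited) / len(onions) for d, onions in stored.items()}

    uncovered = set(visited)
    cover = []
    while uncovered:
        # pick the relay that explains the most still-unexplained visits
        best = max(stored, key=lambda d: (len(stored[d] & uncovered), d))
        if not stored[best] & uncovered:
            break  # a visit no responsible relay could explain (should not happen)
        cover.append(best)
        uncovered -= stored[best]
    return cover, ratios


def run_demo(n_relays=60, n_honions=300, snooper="relay17"):
    """Constructed network: 60 HSDirs, 300 honions, one hypothetical snooper."""
    relays = [f"relay{i:02d}" for i in range(n_relays)]
    ring = HSDirRing(relays)
    placements = deploy_honions(ring, n_honions)
    visited = simulate_visits(placements, {snooper})
    cover, ratios = attribute(placements, visited)
    return cover, ratios, len(visited)


if __name__ == "__main__":
    cover, ratios, hits = run_demo()
    print(f"{hits} honions visited; suspected snoopers: {cover}")
    for d in cover:
        print(f"  {d}: {ratios[d]:.2f} of its stored honions were visited")
```

Because every honion is stored by six HSDirs, a single visit only narrows the culprit to six candidates; the greedy cover is what turns many visits into a short list, and the per-relay ratio separates a relay that probes everything it sees from an honest neighbour on the ring that merely shares part of its storage.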
Noubir stated that those who want to hunt dark web sites would basically go through the code and make the modifications needed to log the .onions before visiting them in the Tor browser.
Sanatinia said that the hunters look for web server vulnerabilities such as cross-site scripting, SQL injection opportunities, or the server’s status page, which may contain interesting, potentially identifying site information.
Over a period of 72 days, the pair ran 4,500 honions. Not only did they uncover 110 nosy nodes spying on dark web sites, they also found that some actors were not merely sniffing traffic as passive observers but came back to aggressively probe the Tor hidden services.
They tried common exploits and sought to compromise the server software in order to eventually take it over.
The research that ultimately led them to spot this armada of more than a hundred malicious HSDirs will be presented at the Def Con hacking conference in August.
Who’s Playing Spy?
No one can tell exactly who is running the spy nodes. They could be run by criminals or hackers who have just acquired an exceptional tool for hunting new targets.
They would then attack and penetrate the servers once they are discovered.
Perhaps it is the authorities and law enforcement officials, or the private suppliers of governments’ “infowar” weapons. Police could use such nodes to track down new child exploitation sites.
It could even be other independent researchers, or people doing scholarly research, which doesn’t normally include hacking attempts on servers.
A majority of the dodgy HSDirs were hosted in the US, Germany, France, and other European countries.
But of course this doesn’t necessarily mean the operators are based in the same countries, since anyone can spin up a remote server from almost anywhere in the world.
Moreover, over half of the 110 malicious nodes were hosted in the cloud, which makes it even more challenging to pin down whose prying eyes are behind them.
The people behind the modified HSDirs are a theoretical problem for the Tor project.
The non-profit’s co-founder Roger Dingledine said that the key thing to understand is that the relays were in fact not all in the Tor network at the same time.
Few or none at all may have existed at the moment he spoke.
He further added that the Tor Project had likewise recently uncovered malicious nodes.
It successfully kicked the modified HSDirs out of the Tor network, and the recent research mirrored some of the work the project had already been doing internally.
The team had also just undertaken a rearchitecting of its hidden service system to prevent such attacks from taking place.
For now, Tor is still the best option in terms of privacy and anonymity, as Dingledine argued when he defended the network in 2015, while also acknowledging that there’s always room for improvement.
The ultimate fix? The plan is to redo onion services, something Tor users have yet to see and experience.