SecurityFocus, 2007-03-08
The Torment project, which Moore first unveiled at a meeting of the Austin Hacker's Association in August, consists of modified client code, a domain name service (DNS) server, and SQL schema. The current version of the code is based on an outdated version of Tor, he said. A ZDNet blog first reported on the project on Wednesday.
In an e-mail to SecurityFocus, Moore explained how his system, basically a form of Web bug, works.
The modified server software uses scripts to process data before sending it back to the targeted Tor user. The patched software, dubbed Torment, uses the Ruby scripting language to match certain parameters and then allows, modifies or drops the packet.
When specific keywords are detected, the Torment software will inject some HTML into the Web request, causing the browser to load an applet on the targeted user's computer to help identify that user. The code includes a unique identifier to track the users. The code requests that the victim's browser resolve a unique host name containing the identifier, a request that will end up being sent to the DNS server run by the attacker, and in so doing, disclose the victim's Internet service provider.
"The only difference between this and a standard IMG (image) tag is the multiple correlation points that it uses to identify users," Moore told SecurityFocus. "By combining standard HTTP requests with a custom DNS server, a Java applet, and a database, it can abuse client-side information leaks to pinpoint a user's real IP address."
The attack also relies on the attacker's ability to get a server under their control selected as an exit node for the Tor network. Exit nodes are key servers that act as the drop point for encrypted data cells from the Tor network, which are translated into unencrypted network packets and sent out to the Internet. Responses are processed by the same server, translated back into data cells, and sent through the Tor network back to the user.
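The injection and DNS beacon described above suggest a simple integrity check from the defender's side: fetch the same page over a trusted path and through an exit node, then diff the remote hosts the browser would be made to resolve. The following Python script is an added example, not code from the article or from Torment; the sample HTML, host names and identifier are constructed, and the idea that a beacon hostname carries a long hex or base32 leftmost label is an assumption used as a heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value makes the browser fetch (and so DNS-resolve) a remote host.
FETCH_ATTRS = {"src", "href", "code", "codebase", "archive", "data", "action"}

class RemoteRefs(HTMLParser):
    """Collect (tag, attribute, host) for every absolute remote reference in a document."""
    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            if value.startswith("//"):
                value = "http:" + value
            if "://" not in value:
                continue  # relative reference: resolves no new hostname
            host = urlparse(value).hostname
            if host:
                self.refs.add((tag, name, host.lower()))

def remote_refs(html):
    parser = RemoteRefs()
    parser.feed(html)
    return parser.refs

def looks_like_tracking_label(host):
    """Heuristic (assumption): a leftmost label of 16+ hex or base32 chars is a per-client identifier."""
    return re.fullmatch(r"[0-9a-f]{16,}|[a-z2-7]{16,}", host.split(".")[0]) is not None

def injected_refs(baseline_html, exit_html):
    """References present only in the exit-node copy, each flagged if its host carries an identifier."""
    extra = remote_refs(exit_html) - remote_refs(baseline_html)
    return sorted((tag, attr, host, looks_like_tracking_label(host)) for tag, attr, host in extra)

# Constructed sample: the page over a trusted path, and the same page as returned by a hostile exit node.
BASELINE = ('<html><body><h1>Forum</h1><img src="http://static.example.org/logo.png">'
            '<script src="http://static.example.org/app.js"></script></body></html>')
VIA_EXIT = BASELINE.replace("</body>",
    '<applet code="Probe.class" codebase="http://3f9c2b7e1d0a4c6b.tracker.example.net/"></applet>'
    '<img src="http://3f9c2b7e1d0a4c6b.tracker.example.net/i.gif"></body>')

if __name__ == "__main__":
    for tag, attr, host, flagged in injected_refs(BASELINE, VIA_EXIT):
        print(f"injected <{tag} {attr}> -> {host}" + ("  [unique identifier in hostname]" if flagged else ""))
```

The comparison only catches changes to markup the baseline fetch also saw, so pages that legitimately vary per request need the dynamic parts masked before diffing.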
In a paper released in February, computer scientists from the University of Colorado at Boulder outlined a method to dramatically increase the chance of a malicious server being selected as an exit node by the Tor network's algorithms. However, the technique would leave recognizable fingerprints that the Tor service could identify, the Tor group stated in a blog post at the time.
And that's not the only hurdle that Moore's attack would have to leap.
Tor servers meet the definition of an Internet service provider, which means that operators are not required to know what data passed through the server, said Kevin Bankston, staff attorney with the Electronic Frontier Foundation (EFF), which hosts the Tor Project's site. While it is possible for the operator of an exit node to see the data, it would likely increase their liability, because if the operator became aware of illegal activity, they would have to report it, he said.
"In the ordinary course of operation of a Tor node, there is no reason for someone to become aware of what content is traversing that node," Bankston said. "If you do become aware of specific child pornography images transiting your network, you do face a legal obligation to inform the authorities, but that does not translate to some over-duty to monitor your customers' communications."
Moreover, anyone who implements Moore's tools could be violating federal wiretap laws, Bankston said.
For his part, Moore intends to turn the tools over to law enforcement for their own use, he said.
"I agree that evidence collected in this fashion may not be admissible in court, but my end goal is to provide a software package to law enforcement, not stream evidence directly to the agencies," the researcher said in an e-mail to SecurityFocus.
The Tor Project has already taken steps to inform its users. On Thursday, the project added a warning to its documentation and further outlined what users need to do to protect their anonymity online.
"Tor by itself is NOT all you need to maintain your anonymity," the site read. "There are several major pitfalls to watch out for."
The list of threats is not small: misconfigured applications, using any of a number of browser plugins, visiting sites that have set cookies, and a lack of encryption from the Tor network to the destination server.
If nothing else, the list underscores that, in the digital world, anonymity is not easy.