Attacks Prompt Update for 'Tor' Anonymity Network

One of the best-known free services for helping Internet users maintain their anonymity online -- a network known simply as "Tor" -- suffered an attack this past week that may have exposed the identities of thousands of users. The good news, however, is that the vulnerability in Tor that permitted the attack is now plugged with a software patch.

Tor president and co-founder Roger Dingledine received word of the attack as he was delivering a talk at the Black Hat security conference in Las Vegas this past week regarding security and privacy built into the Tor network.

Originally funded and developed by the U.S. Naval Research Laboratory, Tor has been touted as a key method for bypassing China's Great Firewall, a state-sponsored censorship project designed to block Chinese citizens from visiting unapproved Web sites and forums. The Tor site is currently being hosted by the Electronic Frontier Foundation.

Dingledine said that for several hours leading up to his speech, someone was testing out an exploit that caused obvious Web browsing problems for at least several hundred people surfing the Internet with Tor.

Thanks to a researcher I was introduced to who had special knowledge of the attack but asked to remain anonymous, Dingledine and Tor developers were able to quickly cobble together a patch that plugged the security hole. This specific vulnerability allowed a remote attacker on the network to overwrite any Tor user's configuration file. With that level of access, the attacker could easily force a Tor user's computer to identify its true numeric Internet address, the very information Tor is meant to protect.

Tor is designed to run on most operating systems, including Linux, Mac OS X, and Windows. If you have a version of Tor installed on any of these systems and plan to continue using it, you'd be well-advised to update to the latest iteration, as this attack is now probably well-understood by a number of folks who may not have the network's best interests at heart. The latest version is available from this link here.

By Brian Krebs  |  August 8, 2007; 2:00 PM ET
Categories: From the Bunker, Latest Warnings, New Patches, Safety Tips, U.S. Government


hehe, what 3-letter agency does that "researcher" work for or is that more secret than Valerie Plame's real job?

Posted by: Winston | August 20, 2007 8:45 AM


© 2010 The Washington Post Company