Tor exit nodes face unusual activity, is Tor being raided or under hack attack?

Popular Tor exit nodes look to be raided or hacked

Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control of them following what he called “unusual activity.” In a post on the Tor mailing list Thomas said, “I have now lost control of all servers under the ISP and my account has been suspended.” The entire signed message is given below:

Dear all,

Many of you by now are probably aware that I run a large exit node cluster for the Tor network and run a collection of mirrors (also ones available over hidden services).

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances. If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile.

The mirrors in concern are:

https://globe.thecthulhu
https://atlas.thecthulhu
https://compass.thecthulhu
https://onionoo.thecthulhu
globe223ezvh6bps.onion
atlas777hhh7mcs7.onion
compass6vpxj32p3.onion

77.95.229.11
77.95.229.12
77.95.229.14
77.95.229.16
77.95.229.17
77.95.229.18
77.95.229.19
77.95.229.20
77.95.229.21
77.95.229.22
77.95.229.23
77.95.224.187
89.207.128.241
5.104.224.15
128.204.207.215

I will do my best to keep this list updated on the situation as it develops.

If any of the mirrors or IPs do come back online, I would welcome anyone who is capable of doing so checking for any malicious code to ensure they are not used to deploy any kind of state malware/attacks against users should my theory prove to be the case.

At this moment in time I am under no gagging orders or influence from external parties/agencies. If no update is provided within 48 hours you may draw your own conclusions.

Regards,
T

Soon after Thomas posted the message, tech and underground forums were agog with rumours of raids by authorities. Tor has been in the news for some time since the revelation that the FBI had exposed Tor users’ IP addresses to catch a criminal. However, at 23:54:32 UTC, Thomas posted another message to assuage the fears of Tor users about a possible raid by authorities and to stop the rumour mongering going on in the forums and chats. The second message is given below:

Ok now the dust has settled a little, a few updates on the situation:

1. The likelihood of this being the work of law enforcement seems to be lower than originally anticipated. This is good in many ways but asks more questions than it solves right now. I am not going to completely exclude the possibility of law enforcement involvement though as there simply isn’t enough information.

2. A large portion of our logs seem to be non-existent right now, I am not sure how or why they have been cleared as this has not happened before. When a bit of time has passed and I can be sure of no imminent raid on my property I will look into the logs in more detail and share them with people more qualified than myself to judge on the matter. If appropriate we will then also look to make them public assuming there are no consequences for doing so. Furthermore as the time & date of some of the servers seem to have been skewed, what remaining info there is may be unreliable.

3. The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened.

4. Support staff at the ISP have not yet commented on whether a warrant has been executed for the servers. At this stage it isn’t possible to distinguish whether the person I talked to genuinely doesn’t know or they are being told to refrain from commenting at this moment in time. Therefore I won’t be drawing conclusions from that.

5. Support staff at the ISP have confirmed to me there has been unauthorised access to my account. This could be down to the fact I access the control panel often via Tor (yes, using TLS before anybody asks), however it does raise the prospect of a non-LE person(s) being behind this but does not explain why a chassis intrusion was detected for example or anything else to do with on-board sensors.

6. No information was kept on the server in relation to users. We follow the best practice guidelines on running a Tor server to reduce any information stored on our hardware about the users of Tor. These events in no way put users at risk who may have used our nodes in the past or at the time the servers went offline.

7. Again, at this moment in time I am under no gagging orders or unreasonably withholding information under orders.

8. Tor isn’t broken. Stop panicking. The strength of Tor is that no single party has the power to critically damage the network or to put users at risk. If I believe I come across any such vulnerability, this will be forwarded to the core developers immediately and patched.

9. One or two media groups/reps have contacted me. I appreciate your interest in Tor and these recent events but I am not a representative of Tor and I don’t want to draw a conclusion right now as it would be no more than mere speculation really. If anything significant develops I am sure Tor Project will release the information in due course.

Regards,
T

From these two messages, one thing is clear: Thomas’s servers were under the control of a third party for a brief period. That third party deleted the logs which would have given Thomas clues as to who controlled the servers during this period. Thomas also says he is not sure whether this was a raid by the authorities; he has not excluded the idea of a large-scale raid by the FBI on Tor exit nodes. The servers listed in the first message have been blacklisted by Thomas and will be put back up only after proper vetting. He is in contact with the ISP to find out the exact reasons behind this ‘unusual activity’. In the meantime Thomas has asked all Tor users to be patient and reiterated that Tor is too strong to be broken by an outage of a few exit nodes.

Sources: 1. Gmane 2. Tor Project. bit.ly/1t0txLO - #TechnoTwittsdotcom - #Swapnil
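Thomas’s third point, that the servers “have been blacklisted and pose no danger to the Tor network”, is something a relay operator or cautious user can verify rather than take on trust: the directory authorities publish a network-status consensus, and a relay they have excluded from exit selection carries the BadExit flag in its `s` line. The script below is an added example written for this article, not code from the article or from Thomas White’s posts. It parses the `r` and `s` lines of a consensus document (the format defined in Tor’s dir-spec) and reports, for a watchlist of addresses, whether a relay is absent, flagged BadExit, still selectable as an exit, or present as a non-exit relay. The consensus text is constructed for the demonstration (nicknames, identity fields and digests are made up); the watchlist uses a few of the 77.95.229.x addresses from Thomas’s first message.

```python
"""Check a Tor network-status consensus for relays on a watchlist.

Added example, not from the original article. Parses the `r` / `s` lines
of a Tor consensus (dir-spec format) and classifies each watched address:
  absent   - no relay at that address is in the consensus
  badexit  - a relay is present and carries the BadExit flag, i.e. the
             directory authorities no longer select it for exit traffic
  exit     - present with the Exit flag and NOT BadExit (still in use)
  relay    - present but not an exit
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample consensus. Identity/digest columns are fake base64 and
# nicknames are invented; the first two addresses come from the article.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
r samplerelay1 AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2014-12-21 20:11:05 77.95.229.11 9001 9030
s BadExit Exit Fast Running Stable Valid
w Bandwidth=12000
r samplerelay2 BBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-12-21 18:02:41 77.95.229.12 443 80
s Exit Fast Guard Running Stable Valid
w Bandwidth=8000
r unrelatedrelay CCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2014-12-21 19:45:00 198.51.100.7 9001 0
s Fast Running Valid
w Bandwidth=300
"""

# Watchlist: a subset of the addresses Thomas published. 77.95.229.14 is
# deliberately missing from the constructed consensus above.
WATCHLIST = ["77.95.229.11", "77.95.229.12", "77.95.229.14"]


@dataclass
class Relay:
    nickname: str
    identity: str
    address: str
    or_port: int
    flags: List[str] = field(default_factory=list)


def parse_consensus(text: str) -> List[Relay]:
    """Extract relays from `r` lines and attach the flags of the following `s` line.

    An `r` line is: r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>.
    """
    relays: List[Relay] = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = Relay(nickname=parts[1], identity=parts[2],
                            address=parts[6], or_port=int(parts[7]))
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current.flags = parts[1:]
    return relays


def check_watchlist(relays: List[Relay], watched: List[str]) -> Dict[str, str]:
    """Classify each watched address; several relays may share one IP."""
    by_addr: Dict[str, List[Relay]] = {}
    for relay in relays:
        by_addr.setdefault(relay.address, []).append(relay)
    report: Dict[str, str] = {}
    for ip in watched:
        matches = by_addr.get(ip, [])
        if not matches:
            report[ip] = "absent"
        elif any("BadExit" in r.flags for r in matches):
            report[ip] = "badexit"
        elif any("Exit" in r.flags for r in matches):
            report[ip] = "exit"
        else:
            report[ip] = "relay"
    return report


if __name__ == "__main__":
    for ip, status in check_watchlist(parse_consensus(SAMPLE_CONSENSUS), WATCHLIST).items():
        note = " <- still selectable for exit traffic" if status == "exit" else ""
        print(f"{ip:16} {status}{note}")
```

Against a real consensus (fetched from a directory authority or a cached copy in a Tor client’s data directory) the interesting result is “exit”: a watched relay that is back in the consensus without the BadExit flag is still being chosen by clients, which is exactly the state Thomas was warning about until the servers had been vetted.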
Posted on: Mon, 22 Dec 2014 11:35:57 +0000
