Tor, the network used specifically for privacy and anonymity, just warned users of an attack meant to deanonymise people on the service. Anyone who used Tor from February 2014 through this July 4 can assume they were impacted.
This is very bad news for Tor, which is heralded for its ability to conceal users from surveillance.
Tor believes this attack came from researchers at Carnegie Mellon’s Computer Emergency Response Team, not an identity thief (or, uh, the government). CERT researchers abruptly canceled a highly anticipated talk they were going to give about the possibility of deanonymising Tor at the Black Hat conference this year, kicking off speculation that they’d successfully pulled it off. Now it looks like they did. (We’ve contacted CERT for confirmation and will update if they fess up.)
It’s not clear how much data the attacks received and stored, but it’s scary stuff. Tor can’t say for sure exactly what the attackers unearthed, but it’s not looking good. “If this attack was in fact related to the research done by CERT/CMU for Black Hat, then – judging by the abstract the researchers wrote for their presentation – the attack did successfully deanonymise users and hidden services,” advocate for the Tor Project Runa Sandvik told me.
If this is the handiwork of CERT, it’s about as good as a successful attack is going to get, because the researchers aren’t using it to dox Tor users. But the fact that this went down means a malicious agent could’ve gone to town on Tor… and maybe they already have. Ideally, this issue will help Tor shore up its security to prevent that from happening; Russia is already trying to deanonymise the network.
If you use Tor, this is reason to be very concerned. You should make sure you’re using a version that’s no longer vulnerable. There are recommended upgrades available that will close the security loophole.