Tor users are being urged to upgrade after two of the seven directory authority severs were compromised. In addition to the moria1 and gabelmoo servers falling victim to the breach, a third server, used for metrics data and graphs, was hit as well.
Tor users told to update after security incident. (IMG: Tor Project)
Roger Dingledine, who leads the Tor project and serves as the current director, said in a email posting that the compromise was discovered earlier this month, and that in response new identity keys were created for moria1 and gabelmoo, prompting the need for users to update.
“Moria also hosted our [Git] repository and [SVN] repository. We took the services offline as soon as we learned of the breach. It appears the attackers didn't realize what they broke into - just that they had found some servers with lots of bandwidth…We've done some preliminary comparisons, and it looks like [Git] and [SVN] were not touched in any way,” Dingledine said in his post.
“To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the [CPU] capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.”
The investigation shows that no source code was altered, and Dingledine noted that the breach could not be used to mach users to destinations. This, Dingledine explained, is because the authority servers do not know enough to “match a user and traffic or destination.”
“The attacker(s) were sloppy, so we know some things like the name of the local-to-root exploit they used (which by its name works on a surprisingly wide spread of kernel versions...). I still don't know how they got in to moria originally, though. Too much was going on that machine,” Dingledine said, while answering list questions about the nature of the attack.
The mailing list discussion is here. Users can download the updated versions of Tor here.
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Advertising
Comment on this Story