Tor Security Talk Cancelled at Black Hat Conference

A presentation on cracking the anonymity of the Tor network, scheduled for the upcoming Black Hat USA conference in Las Vegas, has been cancelled.

The presentation, titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’, has been pulled from the schedule – a relatively rare but not unheard of occurrence at the security conference. The research was performed by CERT/Carnegie Mellon researchers Alexander Volynkin and Michael McCord.

According to a posting on the Black Hat Website, the conference organizers were informed late last week by the legal counsel of the Software Engineering Institute (SEI) and Carnegie Mellon University (CMU) that Volynkin would not be able to speak at the conference because the content of the talk had not yet been approved by CMU or SEI for public release.

Short for ‘The Onion Router’, Tor conceals a user’s location and activity by routing Internet traffic through a circuit of relays drawn from a network of thousands, each of which strips one layer of encryption and learns only the previous and next hop. Though it was originally sponsored by the U.S. Naval Research Laboratory, it is now maintained by the Tor Project.
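The layered encryption behind that description, as an added toy example (not code from the article, and not the Tor Project’s protocol or cipher suite): a client wraps a message in one layer per relay, innermost first, so that each relay can peel exactly one layer and see only the next hop. The per-hop cipher here is an HMAC-SHA256 keystream chosen for a self-contained demo; the relay names, destination string and random session keys are constructed inputs standing in for what Tor’s circuit handshake would negotiate.

```python
"""Toy onion routing, added to illustrate the layered encryption described above.
Each relay peels one layer and learns only its predecessor and its successor;
only the exit sees the destination and only the guard sees the client.
The per-hop cipher (HMAC-SHA256 keystream) is a stand-in for demonstration and
is NOT Tor's real protocol or cipher suite."""
import hashlib
import hmac
import os

SEP = b"\x00"  # separates the next-hop label from the inner blob; labels must not contain NUL


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a toy stream cipher (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer: fresh nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    """Strip one encryption layer."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_onion(circuit, destination: bytes, payload: bytes) -> bytes:
    """circuit: list of (relay_name, session_key) ordered guard -> middle -> exit.
    Layers are applied innermost (exit) first, so relay i's layer wraps the label
    naming relay i+1 followed by the blob meant for relay i+1."""
    plain = destination + SEP + payload           # what the exit sees after decrypting
    cell = b""
    for name, key in reversed(circuit):
        cell = layer_encrypt(key, plain)
        plain = name + SEP + cell                 # plaintext for the previous hop, if any
    return cell


def relay_process(key: bytes, cell: bytes):
    """What a single relay does: peel its layer, read where to forward, pass the rest on."""
    next_hop, inner = layer_decrypt(key, cell).split(SEP, 1)
    return next_hop, inner


def run_circuit(client: bytes, circuit, destination: bytes, payload: bytes):
    """Deliver one cell through the circuit. Returns the payload the destination
    receives and, per relay, the only two identities that relay could observe."""
    cell = build_onion(circuit, destination, payload)
    prev, views = client, []
    for name, key in circuit:
        next_hop, cell = relay_process(key, cell)
        views.append({"relay": name, "prev": prev, "next": next_hop})
        prev = name
    return cell, views


def demo():
    """Constructed three-hop circuit with random session keys (in Tor these come from the circuit handshake)."""
    circuit = [(b"guard", os.urandom(32)), (b"middle", os.urandom(32)), (b"exit", os.urandom(32))]
    return run_circuit(b"client", circuit, b"example.org:80", b"GET / HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    delivered, views = demo()
    for v in views:
        print(f"{v['relay'].decode():6} sees prev={v['prev'].decode():8} next={v['next'].decode()}")
    print("destination received:", delivered)
```

Running `demo()` shows the guard seeing `client -> middle`, the middle relay seeing `guard -> exit`, and the exit seeing `middle -> example.org:80`; no single relay sees both the client and the destination. That is the whole guarantee: it holds only while no one party observes both ends of a circuit, which is why Tor’s own design has never claimed protection against an adversary who can watch or control both the entry and the exit.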

In the now-deleted description of the talk, Volynkin and McCord wrote that a persistent adversary with a handful of powerful servers and a few gigabit links can deanonymize hundreds of thousands of Tor clients and thousands of hidden services in a couple of months, all on a budget of just $3,000.

In a post on the ‘Tor-Talk’ mailing list, Tor Project Leader Roger Dingledine stated that the Tor Project did not ask Black Hat or CERT (Computer Emergency Response Team) to cancel the talk, though the project did have questions for the presenter about aspects of the research. The Tor Project had been informally shown some materials in response to its questions, he added, but never received slides or any description of what would be in the talk itself beyond what was available on the Black Hat webpage.

“We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks,” he wrote Monday. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.”

He also added that the organization was working with CERT to do a coordinated disclosure of the details of the talk. In another posting to the list, he explained that he believes he has a “handle” on what the researchers did and how to fix it, but feels it would have been smoother if they had opted to tell the project everything.

“The main reason for trying to be delicate is that I don’t want to discourage future researchers from telling us about neat things that they find,” he wrote. “I’m currently waiting for them to answer their mail so I can proceed.”

“Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found,” he wrote. “The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as ‘close that one bug and you’re 100% safe’.”

The Black Hat conference will run from Aug. 2 to Aug. 7 at Mandalay Bay Hotel and Casino, with the briefings occurring on the 6th and 7th.

*This story was updated with additional commentary and information.
