This is node joke. Tor battles to fend off swarm of Bitcoin-stealing evil exit relays making up about 25% of outgoing capacity at its height

Cash-strapped privacy devs face determined miscreants who keep coming back for more

The Tor Project has confirmed someone, or some group, is in control of a large number of Bitcoin-snaffling exit nodes in its anonymizing network, and it's battling to boot them off.

One observer reckons more than 23 per cent of the entire Tor network’s exit capacity was under the command of one miscreant, or one group of miscreants, at one point in May, with the end goal being the theft of people's cryptocurrency.

Tor works by randomly routing your connections through a network of nodes spread across the world. When you use the open-source Tor software to connect to a public website, the connection is relayed between a few nodes and out to the site via one of many exit nodes. All the site sees is a connection from that particular exit node, and can't trace you back to the IP address you used to enter the Tor network, and thus you're kept anonymous. The network is maintained in an ad-hoc manner, with nodes joining and leaving.

Crucially, whoever is running an exit node can access the traffic flowing through it. Thus it is wise to ensure your connections to websites and other services are wrapped in additional encryption, such as HTTPS or SSH, so that exit node operators cannot snoop on you and alter any information you send over the internet. (Connections are encapsulated in layers of encryption as they are routed through the Tor network.)

It's one thing to be mindful of a rogue exit node operator eavesdropping on you, it's another thing when someone successfully adds a large number of exit nodes to Tor, all under their control, because it means some kind of elaborate campaign is underway to undermine Tor's security.

In this case, it appears someone or some group is adding malicious exit nodes that perform a form of SSL stripping to eavesdrop on visitors to cryptocurrency websites – specifically, Bitcoin mixer services. If any Bitcoin wallet addresses are spotted in the passing unprotected traffic, the addresses are rewritten on the fly so as to funnel transactions into the miscreants' coffers, thus stealing victims' digital money.

The exit nodes take advantage of the fact that when you type in a URL like in your browser, it typically tries to connect first to the dotcom using non-encrypted HTTP, only to be redirected by the website's server on port 80 to the safer and encrypted HTTPS service on port 443. The malicious exit nodes intercept some of these insecure HTTP requests to prevent them being upgraded to HTTPS-encrypted connections, and tamper with the unprotected data in transit, namely any Bitcoin wallet addresses.

Yes, there are plugins like HTTPS Everywhere that force browsers to use encryption, but not everyone uses them, or they disable them after a while because the extensions complain too much when they can't establish a connection to non-HTTPS pages. And there are things like HSTS Preloading that can thwart this kind of attack, but not every website owner uses it. Thus, some folks using Tor may end up running unencrypted traffic through one of these bad nodes to a crypto-dosh mixer, and have their Bitcoins swiped.
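The two defences named above can be checked from the server side. The following Python is an added example, not code from the article or from the Tor Project: given a site's response to a plain-HTTP request and its response over HTTPS, it reports whether the HTTP entry point redirects to HTTPS on the same host and whether the HTTPS response carries a Strict-Transport-Security header that meets the HSTS preload list's published minimums (max-age of at least one year, includeSubDomains, preload). The host name and the HTTP responses are constructed for the demonstration.

```python
"""Assess a site's exposure to the HTTP-to-HTTPS stripping described above.

Added example, not from the article. A site passes when (1) its plain-HTTP
response is a redirect to https:// on the same host and (2) its HTTPS
response carries a preload-eligible HSTS header, so browsers that already
know the site never issue the strippable HTTP request at all.
"""
from __future__ import annotations

from urllib.parse import urlparse

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=...; includeSubDomains; preload' into a directive dict."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def hsts_preload_eligible(headers: dict[str, str]) -> bool:
    """True if the HSTS header meets the preload list's minimum requirements."""
    d = parse_hsts(headers.get("strict-transport-security", ""))
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= PRELOAD_MIN_MAX_AGE and "includesubdomains" in d and "preload" in d


def upgrades_to_https(host: str, status: int, headers: dict[str, str]) -> bool:
    """True if the plain-HTTP response redirects to https:// on the same host."""
    if status not in (301, 302, 303, 307, 308):
        return False
    target = urlparse(headers.get("location", ""))
    return target.scheme == "https" and target.hostname == host


def assess(host: str, http_raw: bytes, https_raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means both defences are in place."""
    findings: list[str] = []
    status, headers = parse_response(http_raw)
    if not upgrades_to_https(host, status, headers):
        findings.append("plain-HTTP entry point does not redirect to HTTPS on the same host")
    _, https_headers = parse_response(https_raw)
    if "strict-transport-security" not in https_headers:
        findings.append("no HSTS header: a first visit can be held at plain HTTP")
    elif not hsts_preload_eligible(https_headers):
        findings.append("HSTS present but not preload-eligible (max-age, includeSubDomains, preload)")
    return findings


# Constructed sample responses for a hypothetical host "mixer.example".
GOOD_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://mixer.example/\r\nContent-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
              b"Content-Type: text/html\r\n\r\n<html>deposit form</html>")
WEAK_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>deposit form</html>"
WEAK_HTTPS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>deposit form</html>"

if __name__ == "__main__":
    for label, http_raw, https_raw in (("hardened", GOOD_HTTP, GOOD_HTTPS),
                                       ("weak", WEAK_HTTP, WEAK_HTTPS)):
        print(label, assess("mixer.example", http_raw, https_raw) or ["ok"])
```

The weak sample serves the deposit page directly over HTTP and never sends HSTS, which is exactly the configuration the rogue exits prey on; the hardened sample is what HTTPS Everywhere or a preloaded HSTS entry assumes the site already does.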

This is all according to Nusenu, a developer who has been monitoring the Tor network's health for years. They revealed this month that, earlier in 2020, "roughly about one out of four connections leaving the Tor network were going through exit relays controlled by a single attacker."

Whoever is behind the spy nodes is determined and persistent, we're told. Even though the malicious group was detected at the end of May with more than 23 per cent of the network's exit capacity, and removed from the Tor network's directories, they returned in June with about 22 per cent, were discovered and banned again, only to return a few days later with about 20 per cent. Nusenu noted:

This also shows us how fast the malicious entity recovered from a single removal event and that we didn’t detect all of them at the same time. It took them less than 30 days to recover after a removal and reach 22 per cent exit probability again (starting at 4 per cent). It also gives us an idea that they apparently will not back off after getting discovered once. In fact they appear to plan ahead for detection and removal and set up new relays preemptively to avoid a complete halt of their operations.

"So far 2020 is probably the worst year in terms of malicious Tor exit relay activity since I started monitoring it about five years ago," Nusenu added. "As far as I know this is the first time we uncovered a malicious actor running more than 23 per cent of the entire Tor network’s exit capacity. Since Tor clients usually use many Tor exit relays over time the chance to use a malicious exit relay increases over time."
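To put Nusenu's last remark in numbers, here is an added worked calculation that is not from the article or from Nusenu. It assumes each new Tor circuit picks its exit independently with the attacker's stated exit probability p, a simplification of Tor's bandwidth-weighted exit selection:

```latex
P(\text{at least one malicious exit in } n \text{ circuits}) = 1 - (1 - p)^n
```

With p = 0.23, the peak figure quoted above, that gives about 0.73 after 5 circuits, 0.93 after 10 and 0.99 after 20. Even at the 4 per cent the group restarted from after a removal, ten circuits already carry roughly a one-in-three chance of having used one of their exits, which is why a single clean session says little about a user's exposure over time.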

Ongoing war

The Tor Project confirmed to us it has been trying for months to get the bad actor off its network, including banning the malicious nodes in May and June only to see the surveillance menace return. We're told the Tor team is hampered right now due to being short-staffed. Back in April, the project had to drop 13 people, about a third of its staff, due to funding shortfalls amid the coronavirus pandemic and economic downturn. That means there aren't enough people monitoring the anonymizing mesh for wrongdoers.

"We still have contributors watching the network and reporting malicious relays to be rejected by our directory authorities, but they cannot do this full time," a Tor Project spokesperson told The Register. "Our goal is to recover our funds to be able to get that Network Health team back in shape."

While the Tor Project said it is trying to mitigate the malicious operation, including considering disabling HTTP connections, it also has a more permanent solution in the works: a defense mechanism, which its thinly stretched staff still has to finalize, that seeks to minimize the use of exit nodes that aren't trusted. That should, it is hoped, take care of exit relays that appear out of nowhere and later turn out to be malicious.

"We also have a design proposal for how to improve the situation in a more fundamental way, by limiting the total influence from relays we don't 'know' to some fraction of the network," the spokesperson said. "Then we would be able to say that by definition we trust at least 50 per cent (or 75 per cent, or whatever threshold we pick) of the network."

In the meantime, use HTTPS Everywhere, be mindful of HTTPS downgrade attacks, and keep your internet traffic encrypted as it exits the Tor network. ®
