Microsoft expert: Tor security compromised by NSA

News by Steve Gold

Andy Malone, head of Microsoft's Enterprise Security, claims that the TOR (The Onion Router) network does not provide the anonymity that its many users think it does.

Speaking at Microsoft's TechEd North America event earlier this week, the founder of the Cyber Crime Security Forum said that hackers and government agencies can now compromise the security of the TOR network.   

First set up in September 2002, TOR was originally conceived as a means for Internet users in countries with oppressive regimes to sidestep any state monitoring and similar controls on the web.

The software-enabled service, which relies on benevolent providers of Internet switching around the world, ostensibly provides high degrees of anonymity by re-routing IP streams and stripping other identifiers from the TCP/IP data transmissions. 

Russia Today quotes Malone as saying that TOR leaks do occur through third-party apps and add-ons, like Flash. 

Bob Tarzey, an analyst and director with the Quocirca research house, said that, as the IT industry has seen with OpenSSL, the term 'free' can mean that rigorous testing is not the same as you would expect with commercial software.

"That could include NSA backdoors being overlooked. That said, if a commercial provider bows to the demands of security services, then it makes little difference, except that with a commercial provider you have someone to push back on - that includes commercial distributions of open source - which you do not get with free open source," he explained. 

Peter Wood, CEO of pen-testing specialist First Base Technologies, said intercepting a VPN transmission - using a man-in-the-middle attack - can assist in cracking a VPN data stream, as it gives the interceptor access to the digital keys. 

"You could then automate the decryption process, but only if you have the keys," he told 

The security of the TOR network, he went on to say, can be compromised in a number of ways, including monitoring two of the server streams. At this point, he says, it becomes possible to deduce the origin points - and other information - of the data stream.

This technique was documented in 2012 by a team of researchers from the University of California, who named their approach LASTor, and explained that the compromise - though complex - was entirely achievable. 

Wood, meanwhile, said that man-in-the-middle attacks can be spotted by users when they realise the certificate for the session is not valid.

"The problem here is that users on a smartphone or mobile device might not see the certificate owing to the limited real estate on the screen of these devices," he said. 

James Lyne, the EMEA director of the SANS Institute, said that there have been a series of challenges with the security of TOR, but - frankly - more broadly crypto underpinning trust and Internet privacy plus security have been through something of a rough patch lately. 

"Most recently the Heartbleed OpenSSL issue and the revelations of more advanced government schemes to compromise these mechanisms. These impact consumers, but have been shown in corporate security deployments too," he explained. 

Lyne said it would be easy to throw your hands in the air and give up on the notion of privacy and encrypting your information, but that would have unpleasant side effects. 

"Undoubtedly there will be further issues with such solutions, but for the average user this doesn't invalidate such security controls. It is one thing to be concerned about nation states spying on your traffic and another to prevent an attacker - even an amateur - slurping up your data casually as you browse the Web at your local coffee shop," he said. 

"Of course such tunnels should be resistant to all monitoring, but when things go wrong that doesn't mean users should give up and post their usernames plus passwords on public Web sites with a tone of 'I have nothing to hide'," he added.
