Tor Project suffers hack attack

Tor Project suffers hack attack

Summary: Hackers broke into two of Tor Project servers and used the CPU and bandwidth to launch additional attacks.

SHARE:
45

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.

Dingledine writes:

We took the services offline as soon as we learned of the breach. It appears the attackers didn't realize what they broke into -- just that they had found some servers with lots of bandwidth. The attackers set up some ssh keys and proceeded to use the three servers for launching other attacks. We've done some preliminary comparisons, and it looks like git and svn were not touched in any way.

We've been very lucky the past few years regarding security. It still seems this breach is unrelated to Tor itself. To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the CPU capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.

The attackers did not meddle with the Tor source code, he said.  "We made fresh identity keys for the two directory authorities, which is why you need to upgrade," Dingledine added.

Users are strongly encouraged to upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha.

ALSO SEE:

    Topics: Security, Hardware, Servers

    Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

    Talkback

    45 comments
    Log in or register to join the discussion
    • Why is Tor Project running on Windows?

      We all know that only Windows can be hacked so if
      Tor was hacked, it must be running on Windows.
      Please Tor Project, immediately host your services
      on Linux machines. Thanks.
      NonZealot
      • good point

        the got what they deserved
        Linux Geek
        • Well, LG

          it looks like they [i]are[/i] running in on Linux.

          So did they still get what they deserved?
          John Zern
          • Well, Johnny ...

            ... are you <em>still</em> surprise a Linux shop uses IE 6?


            ^o^
            <br>
            n0neXn0ne
            • Huh? Since when does IE6 run on Linux?

              Or am I missing something?
              de-void-21165590650301806002836337787023
            • Since IEs4Linux?

              [b] [/b]
              AzuMao
            • More Excuses? Well, what can we expect from you

              Nothing but excuses for Linux.

              Again.

              v0v
              John Zern
          • You know LG is an undercover MS shill, don't you?

            [b] [/b]
            AzuMao
            • I doubt even MS

              would pay Linux Geek for his posts. :)
              John Zern
      • Nice straw man as usual.

        Nobody ever said using a Linux based OS automatically prevents you from ever doing anything to get your computer compromised.

        Heck, the article doesn't even say how it happened. For all anyone knows it was some vulnerability in a script for their website.



        Also, isn't it nice how they fixed this right away instead of waiting 7 months, as opposed to a certain company you love?
        AzuMao
        • Linux 'fixes' have a history of breaking programs

          So what is your point? I would rather have the 7-month thing where it has been COMPLETELY TESTED to make sure that it won't interfere with most programs, rather than a 'quick and dirty' fix that breaks a lot of stuff, as is the history with Linux.
          Lerianis10
          • Completely tested..

            ..you mean like Vista? That didn't break anything at all, right? Because they spent so many years testing it before releasing it, it didn't interfere with your programs?

            And again, nowhere in the article does it say anything about a vulnerability in Linux. Stop assuming things randomly
            AzuMao
          • It's Windows "fixes" that break things for users

            @Lerianis10
            You have that backwards when you say that Linux "fixes break a lot of stuff". You meant Windows. For instance, I learned this week that certain webcams are having problems with Windows 7 now, after a recent update. It's not a surprise to me. I have come to expect nothing from the folks at Redmond.
            MS patches break things due to the fact that some updates require reboot, which opens up the system to the possibility of being rooted. Linux updates come much more frequently, not waiting months or weeks as was typical in the past, and usually do not require reboot unless it's a kernel update, and even then, reboot is not required. While it's true that Linux has vulns, as all systems do, as a developer, I have experienced nasty viruses being shipped by the good folks at Redmond through their Developer Network media. The truth is that while the folks at MS do test, they don't test nearly as well as they should, and when they do find something, often they wait for it to be discovered before announcing that they are working on a fix. MS also has a history of blaming the user, which I find deplorable. The default settings for Windows are *not* secure, and I won't use it for that reason. I have not had an intrusion or data lost since switching to Redhat/Fedora Linux in 1999, and I don't intend to. Windows users should demand better testing, more prompt updates that don't break stability, and a more secure system by default. For the record, I support the Tor Project for porting their code to the Windows platform and I wish them success. Maybe they became complacent what with Tor's abilities.
            Renifer
          • That's the same thing that can happen with windows, too.

            Windows' malaise is called "DLL Hell". Linux has its own comparable problems.

            Linux is open source and anybody can stick their hands into the process.

            What's microsoft's excuse for their sloppiness?
            HypnoToad72
      • Windows is always insecure

        Hence the name 'Windows' get it glass...

        :)
        no_barry_2012
        • Wrong, Windows is no more secure or insecure than OSX or Linux

          PWN2OWN.... need I keep on saying it before you idiots get the message?
          Lerianis10
          • Keep spinning that, maybe someday someone will believe you

            OSs are not all born equal.
            The Mentalist
            • I agree

              Now, you keep with that spin machine of yours, and maybe [i]somebody[/i] will believe that the Tor Project's Linux box really wasn't hacked.
              John Zern
            • Your remark was completely non sequitur..

              ..unless you're saying that there are two mutually exclusive and collectively exhaustive polar opposites (as insecure as Windows, and 100% perfectly secure in every way even
              against user error), in which case you simply have no grasp on reality.
              AzuMao
          • Windows default setting are the least secure of any OS

            @Lerianis10,
            Come on now. Repeating something doesn't make it true.
            Windows OS is not secure by default. That's no secret.
            Even Linux has to be hardened somewhat to withstand a production web server environment.
            Windows is the least secure OS, by default, that I have worked with.
            Renifer