August - Sept 2007
Dan Egerstad, the Swedish computer security researcher, obtained log-in and password information for 1,000 e-mail accounts belonging to foreign embassies, corporations and human rights organizations, including one corporation that does more than $10bn in annual revenue.
He drew attention when he posted on his web site the log-in information and passwords for 100 of those 1,000 accounts. (His site is no longer online; it was taken offline at the request of American law enforcement agencies.) He posted the information, he said, because he felt it would be the most effective way to make the account owners aware that their communication had been compromised.
Initially, Egerstad refused to disclose how he obtained the log-ins and passwords. But then in September he revealed that he'd intercepted the information through five exit nodes that he'd set up on the Tor network in Asia, the US and Europe.
Tor is used by people who want to maintain privacy and don't want anyone to know where they go on the web or with whom they communicate. Tor traffic is encrypted while it's en route, but is decrypted as it leaves the exit node and goes to its final destination. Egerstad simply sniffed the plaintext traffic that passed through his five exit nodes to obtain the user names and passwords of e-mail accounts.
Egerstad's own description of the setup (#1): "Five Tor exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic, using a keyword filter looking for words like 'gov, government, embassy, military, war, terrorism, passport, visa' as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download, together with all other traffic such as web and instant messaging."
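The collection technique described above, as an added example and not Egerstad's sniffer: a parser that walks the client side of a reassembled POP3 or IMAP stream, pulls out any log-in sent in the clear, stops at STLS/STARTTLS (after which a passive observer at the exit sees only TLS record bytes), and applies a keyword watchlist of the kind he describes. The sample streams, the keyword list and the `.gov` domain rule are constructed for this example; the page does not give his actual domain list.

```python
import re
from dataclasses import dataclass

# Constructed keyword list, modelled on the words quoted in the write-up above.
# It is a coarse substring filter: "war" also matches "edward@...", which is the
# kind of false positive such a filter produces.
KEYWORDS = ("gov", "government", "embassy", "military", "war",
            "terrorism", "passport", "visa")


@dataclass(frozen=True)
class Credential:
    protocol: str
    user: str
    password: str


# POP3 sends USER then PASS as two commands; IMAP sends one tagged LOGIN command
# whose arguments may be quoted strings. STLS (POP3) / STARTTLS (IMAP) upgrade
# the connection to TLS, after which the bytes on the wire are TLS records.
POP3_USER = re.compile(r"^USER\s+(\S+)\s*$", re.I)
POP3_PASS = re.compile(r"^PASS\s+(\S+)\s*$", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.I)
TLS_UPGRADE = re.compile(r"^(STLS|\S+\s+STARTTLS)\s*$", re.I)


def extract_credentials(client_to_server: str) -> list[Credential]:
    """Return every log-in visible in the clear in one client->server stream.

    Parsing stops at the first STLS/STARTTLS: whatever follows is ciphertext
    to a passive observer, so a client that upgrades before LOGIN leaks nothing.
    """
    found: list[Credential] = []
    pending_user = None
    for raw in client_to_server.splitlines():
        line = raw.rstrip("\r")
        if TLS_UPGRADE.match(line):
            break
        m = POP3_USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = POP3_PASS.match(line)
        if m and pending_user is not None:
            found.append(Credential("POP3", pending_user, m.group(1)))
            pending_user = None
            continue
        m = IMAP_LOGIN.match(line)
        if m:
            found.append(Credential("IMAP", m.group(1).strip('"'), m.group(2).strip('"')))
    return found


def on_watchlist(cred: Credential) -> bool:
    """Keyword filter: any listed word in the user name, or a government domain
    (approximated here as a .gov domain, an assumption of this example)."""
    user = cred.user.lower()
    domain = user.rsplit("@", 1)[-1]
    return any(k in user for k in KEYWORDS) or domain == "gov" or domain.endswith(".gov")


# Constructed sample streams (not real captures).
POP3_CLEAR = "USER consul@embassy.example.gov\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"
IMAP_CLEAR = 'a001 LOGIN "visaoffice@example.org" "s3cret"\r\na002 SELECT INBOX\r\n'
# After STARTTLS the client sends a TLS ClientHello; the sniffer sees only record bytes.
IMAP_TLS = "a001 STARTTLS\r\n\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\r\n"


def sniff(streams: dict[str, str]) -> dict[str, list[Credential]]:
    """Run the filter over several reassembled streams; keep only watchlist hits."""
    return {name: [c for c in extract_credentials(s) if on_watchlist(c)]
            for name, s in streams.items()}


if __name__ == "__main__":
    hits = sniff({"pop3": POP3_CLEAR, "imap": IMAP_CLEAR, "imap-tls": IMAP_TLS})
    for name, creds in hits.items():
        print(name, creds)
```

The STARTTLS stream is the practitioner's check: the same parser that harvests the two cleartext log-ins returns nothing for a client that upgraded to TLS before authenticating, which is the whole of the defence the Tor project's warning asks for.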
Egerstad didn't hack any systems to obtain the data and therefore says he didn't break any laws, but once he posted the log-in details for the accounts online he provided others with all the information they needed to breach the accounts and read sensitive correspondence stored in them.
What he could read: Victims of Egerstad's research project included embassies belonging to Australia, Japan, Iran, India and Russia. Egerstad also found accounts belonging to the foreign ministry of Iran, the United Kingdom's visa office in Nepal and the Defence Research and Development Organization in India's Ministry of Defence. In addition, Egerstad was able to read correspondence belonging to the Indian ambassador to China, various politicians in Hong Kong, workers in the Dalai Lama's liaison office and several human-rights groups in Hong Kong.
But Egerstad remains convinced he did the right thing, saying it was the only way to call attention to a problem that Tor officials had already warned about.
He withheld details on how he came into possession of the passwords, instead writing that "there is no exploit to publish, no vendor to contact".
But Egerstad says that many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren't taking the precautions they need to take to protect their web activity.
"I am absolutely positive that I am not the only one to figure this out," Egerstad says. "I'm pretty sure there are governments doing the exact same thing. There's probably a reason why people are volunteering to set up a node."
For example, several Tor nodes in the Washington, D.C., area can handle up to 10 TB of data a month, a flow of data that would cost at least US$5,000 a month to run and is likely well out of the range of volunteers who run a node with their own money, Egerstad said. "Who would pay for that?" Egerstad said.
To his surprise, he found that more than 99 percent of the traffic -- including requests for web sites, instant messaging traffic and e-mails -- was transmitted unencrypted.
(but it can't be encrypted, unless you have some UDP SSL thing)
Egerstad said the process of snooping on the traffic is trivial. The problem is not with Tor, which still works as intended, but with users' expectations: the Tor system is designed to merely anonymize Internet traffic and does not perform end-to-end encryption.
Know where to sniff: "Yes of course end-to-end encryption would have fixed this, but without it onion routing actually exacerbates the risk of packet sniffing. The fact that onion routing was used is the only way this 'researcher' (that leaves a bad taste) could get access to those packets in the first place -- with regular routing he'd need to have access to the embassy's ISP's network, or their upstream networks, to sniff those packets."
His house was raided on Monday by Swedish officials, who took him in for questioning.
While three of them took him to the local police headquarters for questioning, the other two agents ransacked his house and hauled away three computers, external hard drives, CDs, notebooks and various papers.
Egerstad hasn't been charged with anything but is under suspicion for breaking into computers, which he says he never did. Egerstad said the agents told him they were investigating him because he had "pissed off some foreign countries."
The posting of 100 official embassy passwords has made Egerstad a pariah in many circles. Publishing information that allows any old criminal to infiltrate sensitive government networks is a touchy thing, and many, including several Reg readers, have denounced it.
As Egerstad and I discussed the problem in August, we both came to the conclusion that the embassy employees were likely not using Tor nor even knew what Tor was. Instead, we suspected that the traffic he sniffed belonged to someone who had hacked the accounts and was eavesdropping on them via the Tor network. As the hacked data passed through Egerstad's Tor exit nodes, he was able to read it as well.
"It's NOT a problem within Tor. Tor is meant for privacy, not confidentiality! I'm a bit amazed governments and companies are using this as a security measure."
"It's not a written law but it is a guideline in having a responsible disclosure. I think he did a responsible disclosure. Was it legal? He did intercept traffic that was not destined for him. So probably 'no', depending on Swedish law. Is our society a safer place after the disclosure? Yes, I think it is. Instead of arresting him, the government should have offered him a job."
"And what did we learn today? Don't report a security hole, sell it to Russia. Just kidding, but do check legal counsel before doing a disclosure."
Wired article, again
Security For all blog, again
Shava Nerad, Development Director, The Tor Project: "A connection through Tor can be encrypted end-to-end -- but only if one is communicating with a secure protocol -- https: or encrypted chat both would be examples of this."
More sensible comments: be sensible, use encryption.
From the Tor site itself:
Under Tor's architecture, administrators at the entry point can identify the user's IP address, but can't read the content of the user's correspondence or know its final destination. Each node in the network thereafter only knows the node from which it received the traffic, and it peels off a layer of encryption to reveal the next node to which it must forward the connection. (Tor stands for "The Onion Router.")
Tor works by using servers donated by volunteers around the world to bounce traffic around en route to its destination. Traffic is encrypted through most of that route, and routed over a random path each time a person uses it.
Egerstad used software downloaded from the Tor website to configure several servers designed to bounce sensitive traffic around the internet before it ultimately is routed to its destination. The Tor servers try to make it harder to trace the originator of traffic in much the same way an agent under surveillance might quickly drive in and out of a parking garage to throw off pursuers.
Tor has taken pains to warn its users that people running so-called exit nodes - which are the last Tor servers to touch a packet before sending it on its way - "can read the bytes that come in and out there." They go on to say: "This is why you should always use end-to-end encryption such as SSL for sensitive Internet connections."
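The layered routing described in the last few paragraphs, as an added toy model (this is not Tor's code or its real cell format, and the XOR stream cipher is a constructed stand-in with no authentication, not a usable cipher): the client wraps a payload in one layer per relay, each relay peels its own layer and learns only the next hop, and the exit relay is left holding exactly what the client sent to the destination. Run with a cleartext POP3 log-in, the exit sees the password; wrapped first under a key shared only with the destination (standing in for TLS/https), the exit sees ciphertext. Relay names, keys and the sample log-in are constructed.

```python
import hashlib


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: XOR with SHA-256(key || block counter).
    Symmetric (encrypt == decrypt), unauthenticated, for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], stream))
    return bytes(out)


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: [len][next hop name][inner cell], encrypted to this relay."""
    hop = next_hop.encode()
    return toy_xor(key, bytes([len(hop)]) + hop + inner)


def peel_layer(key: bytes, cell: bytes) -> tuple[str, bytes]:
    """Relay strips its layer and learns only where to forward the rest."""
    plain = toy_xor(key, cell)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def build_onion(path, keys, destination, payload):
    """Client side: wrap the innermost (exit) layer first so the entry layer
    ends up outermost. Each layer names the hop after the relay that opens it."""
    hops = list(path) + [destination]
    cell = payload
    for i in range(len(path) - 1, -1, -1):
        cell = wrap_layer(keys[path[i]], hops[i + 1], cell)
    return cell


def route(cell, path, keys):
    """Relay side: each relay peels one layer and records what it could see."""
    seen = {}
    for relay in path:
        next_hop, cell = peel_layer(keys[relay], cell)
        seen[relay] = {"next_hop": next_hop, "bytes": cell}
    return seen


# Constructed circuit, keys and payload (assumptions of this example).
PATH = ["entry", "middle", "exit"]
KEYS = {r: hashlib.sha256(b"constructed-relay-key-" + r.encode()).digest() for r in PATH}
DESTINATION = "pop.mfa.example"
POP3_LOGIN = b"USER consul@embassy.example.gov\r\nPASS hunter2\r\n"
# Key known only to the client and the destination: stands in for TLS/https.
SESSION_KEY = hashlib.sha256(b"constructed-key-shared-with-destination").digest()


def exit_view(payload: bytes) -> bytes:
    """What the exit relay holds after peeling its layer: the payload as sent."""
    return route(build_onion(PATH, KEYS, DESTINATION, payload), PATH, KEYS)["exit"]["bytes"]


def demo():
    """Same circuit twice: cleartext log-in, then log-in encrypted end-to-end."""
    clear = route(build_onion(PATH, KEYS, DESTINATION, POP3_LOGIN), PATH, KEYS)
    e2e = route(build_onion(PATH, KEYS, DESTINATION, toy_xor(SESSION_KEY, POP3_LOGIN)), PATH, KEYS)
    return clear, e2e


if __name__ == "__main__":
    clear, e2e = demo()
    for relay in PATH:
        print(relay, "->", clear[relay]["next_hop"], clear[relay]["bytes"][:24])
    print("exit, end-to-end encrypted:", e2e["exit"]["bytes"][:24])
```

The entry relay learns the client and "middle", the middle relay learns only "entry" and "exit", and the exit learns the destination plus whatever the application protocol put on the wire. Nothing in the routing protects that last hop; only the payload's own encryption does.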
Unless they're surfing to a website protected with SSL encryption, or use encryption software like PGP, all of their e-mail content, instant messages, surfing and other web activity is potentially exposed to any eavesdropper who owns a Tor server. This amounts to a lot of eavesdroppers -- the software currently lists about 1,600 nodes in the Tor network.
(but then not anonymous!)
Tor has a slew of beneficial uses: human-rights workers, the military and journalists all use the system. However, the anonymity of Tor has also attracted seedier elements: digital pirates, online criminals and, quite possibly, child pornographers.
TOR (The Onion Router) is a network of proxy nodes set up to provide some privacy and anonymity to its users. Originally backed by the US Naval Research Laboratory, TOR became an Electronic Frontier Foundation (EFF) project three years ago. The system provides a way for whistleblowers and human rights workers to exchange information with journalists, among other things. The system also provides plenty of scope for mischief.
Tor has hundreds of thousands of users around the world, according to its developers. The largest numbers of users are in the United States, the European Union and China.
The first is the use by embassies of the Tor product to obfuscate their communications. This is a reasonable response to the assumed traffic monitoring by the host country.
data from exit node eavesdropping
exit node man-in-the-middle attacks, response
SPAM impersonation of Tor by Storm