A Swedish security researcher who publicly posted 100 embassy, government and Fortune 500 e-mail passwords in late August has revealed that he used The Onion Router, or ToR, exit nodes outfitted with a packet sniffer to catch the unencrypted e-mail messages and passwords.
Ironically enough, ToR is a free tool distributed by the Electronic Frontier Foundation that's supposed to allow users to communicate anonymously. According to the researcher, Dan Egerstad, the governments whose e-mail and passwords he intercepted have instructed personnel to use ToR, "a software that sends all your traffic through not one but three other servers that you know absolutely nothing about," he said in a blog post.
While two of the servers used by ToR encrypt traffic, the last exit node does not, Egerstad said—meaning that there are "hundreds of thousands" of ToR users whose e-mail passwords can easily be cherry-picked.
It has long been known that ToR is vulnerable to what are known as correlation attacks, carried out by attackers watching both ends of a user's connection. Researchers Steven J. Murdoch and George Danezis from the University of Cambridge in a 2005 paper presented traffic-analysis techniques that show how unrelated traffic streams could be linked to one sender and how, even if the attacker only has a partial view of the network, he or she can infer the nodes being used to relay anonymous streams, thus greatly reducing ToR's anonymity.
Egerstad says he used five ToR exit nodes spread throughout the world to snag his targets. His firm, DEranged Security, equipped the nodes with a packet sniffer focused exclusively on POP3 and IMAP traffic. The sniffer employed a keyword filter that looked for words such as "gov, government, embassy, military, war, terrorism, passport and visa" as well as domains belonging to governments.
Egerstad said this large-scale test was done after an e-mail caught his eye while he was running a "small experiment" to see how many users encrypt e-mail. The small experiment revealed that users are not only giving away passwords but every e-mail they read or download, along with other traffic such as Web and instant messaging.
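An added example, not code from the article or from Egerstad: a Python audit that a mail administrator can run over reassembled POP3/IMAP client command streams from their own network to find clients that still send credentials in cleartext, and that would therefore be readable at any untrusted hop such as a ToR exit node. The session identifiers, host names and credentials in the sample are constructed; passwords are matched but never stored.

```python
import base64
import re

# Constructed sample of reassembled client-to-server command lines, one list
# per session, as an egress sensor might hand them to this audit (not real captures).
SAMPLE_SESSIONS = {
    "10.0.0.5:54321->mail.example.test:110": ["USER alice@example.test", "PASS hunter2", "STAT"],
    "10.0.0.7:40000->imap.example.test:143": ['a1 LOGIN bob@example.test "s3cret"', "a2 SELECT INBOX"],
    "10.0.0.8:40001->imap.example.test:143": ["a1 STARTTLS", "<encrypted>"],  # safe: login is inside TLS
    "10.0.0.9:40002->imap.example.test:143": ["a1 AUTHENTICATE PLAIN",
                                              base64.b64encode(b"\0carol\0pw").decode()],
}

POP3_USER = re.compile(r"^USER\s+(\S+)$", re.I)
POP3_PASS = re.compile(r"^PASS\s+\S", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+\S', re.I)
IMAP_AUTH_PLAIN = re.compile(r"^\S+\s+AUTHENTICATE\s+PLAIN\s*(\S*)$", re.I)
STARTTLS = re.compile(r"^(\S+\s+)?(STARTTLS|STLS)$", re.I)


def sasl_plain_user(blob):
    """SASL PLAIN is base64(authzid NUL authcid NUL password); return only the authcid."""
    try:
        return base64.b64decode(blob).split(b"\0")[1].decode(errors="replace")
    except (ValueError, IndexError):
        return "<unparsable>"


def audit_session(lines):
    """Return (username, mechanism) for each credential the client sent in cleartext."""
    findings, pending_user, want_sasl = [], None, False
    for line in lines:
        if want_sasl:  # the line after AUTHENTICATE PLAIN carries the SASL blob
            findings.append((sasl_plain_user(line), "IMAP AUTHENTICATE PLAIN"))
            want_sasl = False
        elif STARTTLS.match(line):
            break  # everything after the TLS upgrade is opaque to a sniffer
        elif m := POP3_USER.match(line):
            pending_user = m.group(1)
        elif POP3_PASS.match(line) and pending_user:
            findings.append((pending_user, "POP3 USER/PASS"))
            pending_user = None
        elif m := IMAP_LOGIN.match(line):
            findings.append((m.group(1), "IMAP LOGIN"))
        elif m := IMAP_AUTH_PLAIN.match(line):
            if m.group(1):  # SASL-IR: initial response sent on the same line
                findings.append((sasl_plain_user(m.group(1)), "IMAP AUTHENTICATE PLAIN"))
            else:
                want_sasl = True
    return findings


def audit_all(sessions):
    """Map session id to findings, keeping only the sessions that leaked a credential."""
    return {sid: f for sid, lines in sessions.items() if (f := audit_session(lines))}
```

Each reported session identifies a client that needs SSL/TLS (IMAPS, POP3S or STARTTLS) enabled before it is safe on any path the organization does not control.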
His experience of being ignored, he said, is what made raising awareness the aim of posting the e-mail passwords. "Experience tells me that even if I would contact everyone on this list, most are not going to listen or perhaps just blame me for being an evil hacker and that no one else would ever find this out. WTF does it take for people to learn!?" he said. "We [chose] to publish 100 sensitive accounts for governments in full disclosure to get heads turned. Remember that it still was thought of as a hoax from both users and admins everywhere until a crazy journalist in India started publishing stuff from some accounts. Posting parts of passwords and we would still be having denials and no actions today."
He posted the information on Aug. 30. By Sept. 6, the U.S. government had shut him down, Egerstad said, requesting that his site be taken offline.
In fact, there was no "hacking" involved to prosecute, Egerstad maintains.
"No accounts have been hacked, you have been actively exposing them yourself not only to us but to about 1,000 others all over the world, every day. This has been told about many times before, which you choose to ignore," he said.
Not that this is the ToR team's fault, he noted—this is purely a case of improper use of the technology without the end-to-end encryption it needs. "The team behind the product is completely open with this security threat, but they probably should have made a bigger warning text I guess," he said.
At this point, Egerstad said, governments, embassies and Fortune 500 companies have finally started to respond to his warnings and to secure the traffic they send through ToR nodes. But to underscore how dangerous sending unencrypted traffic through these nodes can be, Egerstad listed some server names. Even without knowing the intentions of whoever maintains them, the names alone of some of the exit nodes that can read traffic should give pause: for example, "devilhacker" and "hackershaven."
In addition, Egerstad points to one node hosted by the Space Research Institute/Cosmonauts Training Center, controlled by the Russian government; nodes hosted on several government-controlled academies in the United States, Russia and Asia; and nodes hosted by known identity thieves.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.