Amazing discoveries in plain-text Tor exit traffic.
December 4, 2007 6:04 PM
This is an ironic tale of the consequences of inept application of cryptographic tools. Or is it? Dan Egerstad, a Swedish hacker, gained access to hundreds of computer network accounts around the world, belonging to various embassies, corporations and other organizations. How did he do it? Very easily: by sniffing exit traffic on his Tor nodes.
Egerstad ran exit nodes on the Tor anonymity network, used as links from the network to the rest of the world. He looked at the traffic going through his nodes and found that many users were logging in to sensitive accounts without using end-to-end encryption.
From the Sydney Morning Herald article:
> After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails.
> If he turned his findings over to the Swedish authorities, his experiment might be used by his country's intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking.
> So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. "They wanted to know everything I knew," he says. "That's the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority."
> Frustrated by the lack of a response, Egerstad's next step caused high anxiety for government staffers - and perhaps intelligence services - across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to put it online and see what happens'."
He later removed the information from his blog, says the hard drives are "long gone"; also, there don't appear to be any public mirrors of the data. Nonetheless, the incident got him arrested and his hardware confiscated.
One curious angle in this story is the question of which of the plain-text logins sniffed by Egerstad were made by unauthorized third-party attackers instead of unwitting legitimate users.
> However, Egerstad now believes the victims of his experiment may not have been using Tor. It's quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown.
> "The whole point of the story that has been forgotten, and I haven't said much about it, (is that) many of these accounts had been compromised," he says. "The logins I caught were not legit users but actual hackers who'd been reading these accounts."
Here's Bruce Schneier's commentary on the case.
Here's the Tor FAQ, which tells you what it's good for and how to use it properly.
And even for those servers that do support their content in https, there's nothing saying that the web pages they serve won't contain links (or even automatically loaded stuff like images) to other servers (or even themselves) in http.
posted by Flunkie at 6:23 PM on December 4, 2007
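Flunkie's point above is easy to check mechanically: an https page can still reference http resources, and a browser fetches images, scripts, stylesheets and form targets without asking. The following is an added example, not code from the thread or from any browser or Tor project; it scans a constructed HTML page (the hostnames are placeholders) and reports every reference that would go out in cleartext, separating resources the browser loads on its own from links the user would have to click. A form posting to an http URL is the case that matters most here, since that is exactly how a login ends up in plain text on an exit node.

```python
"""Mixed-content check: find http:// references on an https:// page.

Added example, not code from the original thread. Hostnames and the page
are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute pairs that make the browser fetch something automatically.
AUTO_LOAD = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "form": "action", "embed": "src", "object": "data",
}
# References the user has to follow deliberately.
LINK_ONLY = {"a": "href"}


class RefCollector(HTMLParser):
    """Collect (tag, raw reference) pairs for the tags we care about."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag) or LINK_ONLY.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def find_mixed_content(page_url, html):
    """Return (kind, tag, absolute_url) for every cleartext reference.

    kind is "load" for resources fetched automatically and "link" for
    navigation the user would have to click. Relative and scheme-relative
    references are resolved against page_url, so "/x.png" and "//h/x.png"
    on an https page are correctly treated as https.
    """
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, value in parser.refs:
        absolute = urljoin(page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "load" if tag in AUTO_LOAD else "link"
            findings.append((kind, tag, absolute))
    return findings


# Constructed sample: a webmail page served over https.
SAMPLE_URL = "https://webmail.example/inbox"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/style.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="https://webmail.example/logo.png">
<img src="http://webmail.example/tracker.gif">
<form action="http://webmail.example/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="//docs.example/help">Help</a>
<a href="http://docs.example/faq">FAQ</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:4} <{tag}> {url}")
```

On the sample page the stylesheet, the https logo and the scheme-relative help link are fine; the analytics script, the tracking image, the login form and the FAQ link are reported. The same scan applied to a page you are about to log in to tells you, before you type anything, whether the credentials would leave the encrypted channel.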
> ...the only one to respond was Iran.
Surely this will launch World War III.
posted by DU at 6:27 PM on December 4, 2007
Good question. You can't generally do end-to-end encryption; the host has to support it.
posted by Anything at 6:29 PM on December 4, 2007
Well for email you can encrypt it on your machine and send it, and the person who gets it decrypts it on their machine.
And yeah, this sounds like people misunderstood what tor was all about.
posted by chunking express at 6:32 PM on December 4, 2007
This is a great story and a great post.
posted by Samuel Farrow at 6:33 PM on December 4, 2007
Flunkie:
I'm not completely certain (and if I'm wrong I hope someone more knowledgeable will correct me), but I think what they mean is that if you're sending personally identifiable information over TOR, it's not protected from snooping unless you're sending it over an encrypted connection. So you should be able to use TOR to anonymously visit websites that don't support encryption, as long as you don't, say, give them your email address.
The problem with the embassies in the article seems to be that they were sending their personally identifiable information - logins, passwords, documents - without encryption. If they had just been visiting porn websites, all you'd be able to tell from the traffic at the end node was that they were visiting porn websites, not who was visiting the website, nor where that person was located.
-nzero
posted by nzero at 6:44 PM on December 4, 2007
That tor network is so slow I can't imagine someone using it without explicitly wanting to be anonymous. It seems like it would be ridiculous for someone to use it for anything else and especially for logging into a sensitive account of any kind. Of course, there are those that don't know what the hell they're doing. Still seems far-fetched to me though.
posted by puke & cry at 6:50 PM on December 4, 2007
Flunkie: And even for those servers that do support their content in https, there's nothing saying that the web pages they serve won't contain links (or even automatically loaded stuff like images) to other servers (or even themselves) in http.
In Firefox, you can turn on warnings for when you're leaving to an unencrypted page, or when an otherwise encrypted page uses some unencrypted information.
posted by Anything at 6:50 PM on December 4, 2007
chunking express: Well for email you can encrypt it on your machine and send it, and the person who gets it decrypts it on their machine.
Just remember that encrypting messages is one thing, and encrypting the login is another. This is often only a concern when receiving mail though, since many systems don't require you to log in when sending mail. Any reasonable mail client can be configured to require an encrypted login.
posted by Anything at 7:01 PM on December 4, 2007
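The distinction Anything draws above (an encrypted message body is not an encrypted login) is one a mail client can enforce by itself: before sending a username and password it looks at what the server advertises and refuses to proceed unless the session is already under TLS or can be upgraded first. The following is an added example, not code from the thread or from any mail client; it parses constructed IMAP CAPABILITY and POP3 CAPA responses and applies that "encrypted login only" policy. The capability names (STARTTLS, STLS, LOGINDISABLED) are the real ones from the IMAP and POP3 specifications; the server responses themselves are made up for the demonstration.

```python
"""Refuse to send mail credentials over a cleartext session.

Added example, not from the original thread or from any mail client.
The server responses below are constructed; on a live connection the same
decision is made after IMAP CAPABILITY or POP3 CAPA, and again after
STARTTLS/STLS completes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool        # may the client send the credentials now?
    upgrade_first: bool  # must it negotiate TLS before logging in?
    reason: str


def parse_imap_capability(line):
    """'* CAPABILITY IMAP4rev1 STARTTLS ...' -> set of upper-case tokens."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def parse_pop3_capa(text):
    """Multi-line '+OK ... <caps> .' CAPA response -> set of upper-case tokens."""
    caps = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("+OK"):
            continue
        if line == ".":
            break
        caps.add(line.split()[0].upper())
    return caps


def decide_login(capabilities, tls_active, implicit_tls_port=False):
    """Apply the policy: credentials only ever travel inside TLS.

    tls_active        -- True once STARTTLS/STLS has completed
    implicit_tls_port -- True when connected to an IMAPS/POP3S port, where
                         the whole session is TLS from the first byte
    """
    if tls_active or implicit_tls_port:
        return LoginDecision(True, False, "session is encrypted")
    if "STARTTLS" in capabilities or "STLS" in capabilities:
        return LoginDecision(False, True, "negotiate TLS first, then log in")
    if "LOGINDISABLED" in capabilities:
        return LoginDecision(False, False,
                             "server refuses plaintext login and offers no TLS upgrade")
    return LoginDecision(False, False,
                         "server offers no encryption; credentials must not be sent")


if __name__ == "__main__":
    # Constructed sample responses.
    imap_ok = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"
    imap_bad = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
    pop_ok = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n"
    for label, caps in [("imap, tls offered", parse_imap_capability(imap_ok)),
                        ("imap, no tls", parse_imap_capability(imap_bad)),
                        ("pop3, stls offered", parse_pop3_capa(pop_ok))]:
        d = decide_login(caps, tls_active=False)
        print(f"{label:20} allowed={d.allowed} upgrade_first={d.upgrade_first}: {d.reason}")
```

The third branch matters for the host-side failure discussed later in the thread: a server that advertises LOGINDISABLED without STARTTLS has correctly refused plaintext logins but left its users no way in, while a server that advertises neither is the one that lets a plaintext login through an exit node. Either way the client's answer is the same: no credentials until the session is encrypted.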
TOR is an IP address anonymizer, not an encrypter. That's ALL it is.
The way it works is this: you connect to a TOR node, and then route your net traffic over TOR. The traffic is encrypted and anonymized. It travels over the TOR network and then emerges at some random point, at which point it's in 'cleartext' again, and goes to your final destination.
All this does is hide where you are. That's ALL. If your traffic isn't encrypted, it's quite easy to sniff and extract data from, as this particular hacker demonstrated. He can't tell what IP address it originally came from, any more than a government agency can, but if you're sending a web form that has your name and address, that won't matter very much.
So, when would you use TOR? When you're not transmitting data that is, itself, traceable to you, but which you don't want associated with the IP address you use. With normal traffic, even encrypted, it's obvious that your IP address is sending a lot of data to other IP addresses. Even if snoopers can't tell what the data actually is, the fact that you 'had a conversation' at all can be of interest to certain entities. (like, say, the Chinese government, or perhaps the American government these days.) TOR lets you break the direct link between the two sides of a conversation.
What's really interesting about this story isn't "oh gee, the government agencies were stupid to use TOR". It looks like they weren't. Rather, it looks like these accounts were already compromised, and it was HACKERS using the TOR network.... the logins weren't traceable to them, so they were using the TOR network as it's designed -- as an anonymizer. There's no way the governments involved can track the username/password usage to any particular entity, which is why they were using TOR.
This guy basically did these agencies a favor; they just didn't know it. They're shooting the messenger.
posted by Malor at 7:07 PM on December 4, 2007 [5 favorites]
> It wasn't clear to me then, and it's not clear to me now: how do I generally do end-to-end encryption?
You can't do single-ended end-to-end encryption. Got to have some cooperation on the other end.
posted by jfuller at 7:10 PM on December 4, 2007
There's one issue I think I should also have pointed out, which also isn't very clear from the articles: this is not just a failure on part of the users, but also on part of the hosts that allow plain-text logins in the first place!
Admins, get your asses to the 21st century!
posted by Anything at 7:10 PM on December 4, 2007 [2 favorites]
... but what makes this an interesting failure on part of the users is that they seem to be knowledgeable enough to use Tor, but also ignorant enough to use plaintext logins. And note: this goes for any third-party attackers as well (assuming that the host supports encryption at least as an option. If that's not the case, this is a massive failure on the host side.)
posted by Anything at 7:20 PM on December 4, 2007
> You can't do single-ended end-to-end encryption. Got to have some cooperation on the other end.
Yes, I understand that. In fact, my confusion came from the fact that I understood that.
The warnings were all written as if there were some easy way to just "do" encryption, as if all webservers accepted https or some equivalent that I didn't know about.
posted by Flunkie at 8:06 PM on December 4, 2007
Yeah, I think one of the articles stated that the Tor people intend to clarify their documentation as a consequence of the affair.
posted by Anything at 8:12 PM on December 4, 2007
... although in one sense you can have encrypted communications with any host you log in to: ask the admins to enable encryption, or you won't log in.
posted by Anything at 8:26 PM on December 4, 2007
And I think one of the points in the story is that sending plain-text passwords through Tor is in a certain sense even worse than sending them as regular internet traffic: in the latter case the attacker would have to either infiltrate an ISP between you and the host or tap the line somewhere. The Tor case doesn't involve any such detectable mischief.
posted by Anything at 8:39 PM on December 4, 2007
That's not the only scenario. Depending on what you normally communicate through unprotected channels, your IP address may be linked to your person without your ISP ever ratting you out. If you then want to communicate with some host without that host finding out who you are, Tor might give you adequate protection.
posted by Anything at 12:01 AM on December 5, 2007
Malor writes "This guy basically did these agencies a favor; they just didn't know it. They're shooting the messenger."
And why? Well, one reason: covering up incompetency, keeping claws firmly on the funds given to do their "homerland securitaeh" kind of work. Security theatre, that is, but the hax0r did the cardinal sin of not shutting the fuck up and exposing them as useless idiots, the worst kind of idiots; while simultaneously pissing off those who saw an opportunity in sniffing TOR.
Similarly in private companies, the introduction of MP3 was dreaded but inevitable. The problem was keeping the lid on it as much as possible, preventing it from becoming widespread, as it would have by its very existence suggested that copying can be extremely inexpensive and it is quite difficult to justify even a mere $10 charge for shuffling a dozen track-songs (a bunch of bytes) from one point of the net to your mp3 usb player. It also suggests that archiving thousands of songs can be inexpensive and so on.
What if, for instance, it was exposed that much of our fears are baseless and much of the inefficiency out there isn't casual, but is _caused_ for the benefit of a few?
posted by elpapacito at 2:43 AM on December 5, 2007
> Swedish hacker Dan Egerstad had infiltrated a global communications network carrying the often-sensitive emails of scores of embassies scattered throughout the world.
I'm guessing this means the UN's inter-embassy network & not the US State Dept's NIPRNet. Either way, funny. Brings me back to reading through the database for the Internet's first anonymizing service, the anon.penet.fi remailer. Quite a few .gov, .mil & even a couple .int addresses were users of that one. Little's changed since then, eh?
posted by scalefree at 4:51 AM on December 5, 2007
> these accounts were already compromised, and it was HACKERS using the TOR network
...which makes me wonder why it isn't standard for login pages to display a "your last login was on" timestamp, so as to make it easier for the user to tell if their account's being used.
posted by niloticus at 12:20 PM on December 5, 2007
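The "your last login was on" banner niloticus asks for is cheap to provide and is what lets a user notice a quietly hijacked account, which is the scenario Malor describes above. The following is an added example, not code from the thread or from any particular service; it keeps a per-account record of the last successful login and the number of failures since (the way Unix login has long done with lastlog), and at each login returns the banner to show the user, with a note when the previous login came from a different network. The accounts, addresses and times are constructed, and the in-memory ledger stands in for a database table.

```python
"""Last-login record and banner, so account hijacking becomes visible.

Added example, not from the original thread. Sample logins are constructed;
the in-memory ledger would be a database table in a real service.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import ipaddress


@dataclass
class LoginRecord:
    when: datetime
    source: object  # ipaddress.IPv4Address or IPv6Address


@dataclass
class AccountState:
    last_success: Optional[LoginRecord] = None
    failed_since_success: int = 0


def same_network(a, b, v4_prefix=24, v6_prefix=64):
    """True when both addresses fall in the same /24 (IPv4) or /64 (IPv6)."""
    if a.version != b.version:
        return False
    prefix = v4_prefix if a.version == 4 else v6_prefix
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def login_banner(previous, current_source, failures):
    """Build the text shown to the user right after a successful login."""
    if previous is None:
        lines = ["First recorded login for this account."]
    else:
        stamp = previous.when.strftime("%Y-%m-%d %H:%M UTC")
        lines = [f"Last login: {stamp} from {previous.source}"]
        if not same_network(previous.source, current_source):
            lines.append("Note: that login came from a different network than this one.")
    if failures:
        lines.append(f"{failures} failed login attempt(s) since your last successful login.")
    return "\n".join(lines)


class LoginLedger:
    """Per-account last-login bookkeeping."""

    def __init__(self):
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def record_failure(self, user):
        self._state(user).failed_since_success += 1

    def record_success(self, user, source_ip, when):
        """Store the new login and return the banner describing the previous one."""
        state = self._state(user)
        source = ipaddress.ip_address(source_ip)
        previous, failures = state.last_success, state.failed_since_success
        state.last_success = LoginRecord(when, source)
        state.failed_since_success = 0
        return login_banner(previous, source, failures)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate login, two failures, then a
    # login from elsewhere (which might be the user travelling, or not).
    ledger = LoginLedger()
    print(ledger.record_success("embassy-user", "203.0.113.7",
                                datetime(2007, 12, 3, 14, 2, tzinfo=timezone.utc)))
    ledger.record_failure("embassy-user")
    ledger.record_failure("embassy-user")
    print(ledger.record_success("embassy-user", "198.51.100.20",
                                datetime(2007, 12, 4, 9, 30, tzinfo=timezone.utc)))
```

The banner only helps if the user reads it, but it is one of the few signals that reaches the legitimate owner rather than the administrator, and in the Tor case it would have shown logins the owner never made.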
odinsdream: Seems like the most interesting aspect of this story is the possibility that this was an intelligence-gathering operation rather than just accidental.
To me, the most interesting aspect (and this is another thing I should've highlighted in the post; I've got to learn to be more patient in constructing FPPs, so they come up intelligible) is that these passwords and emails and other data were intercepted in a way such that anyone with internet access could do the same without getting caught!
posted by Anything at 1:55 PM on December 5, 2007
On the other hand, running a Tor exit node will bring other kinds of trouble, if users do abusive things via your node.
posted by Anything at 2:01 PM on December 5, 2007
> To me, the most interesting aspect (and this is another thing I should've highlighted in the post; I've got to learn to be more patient in constructing FPPs, so they come up intelligible) is that these passwords and emails and other data were intercepted in a way such that anyone with internet access could do the same without getting caught!
Everything old is new again.
posted by scalefree at 3:27 PM on December 5, 2007
It wasn't clear to me then, and it's not clear to me now: how do I generally do end-to-end encryption?
It's not as simple as just typing "https" instead of "http". Many web servers don't support their content in https.
Are they just saying "only use TOR to go to websites that support https" (and such)? Or is there some "encrypt my traffic" tool that webservers in general recognize and support?
posted by Flunkie at 6:18 PM on December 4, 2007