Tor Used To Collect Embassy Email Passwords

Posted by kdawson on Tue Sep 11, 2007 12:57 PM
from the getting-their-attention dept.
Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.

Related Stories

Swede Hacks Embassy Account Information From Around the World (92 comments)
paulraps writes "A Swedish IT consultant has caused a stir in diplomatic circles after publishing a list of secret log-in details belonging to 100 embassies, public authorities and political parties around the world. Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles. Instead he claimed that publishing the list was easier than contacting the organizations individually — and that if he had handed it to the Swedish authorities then that would have been spying."
  • Raising the question... (Score:3, Interesting)

    by InvisblePinkUnicorn (1126837) on Tuesday September 11, @01:01PM (#20557915)
    (http://filer.case.edu/~bct4)
    Why are embassy officials using Tor? Trying to hide something?
  • This reminds me... (Score:5, Interesting)

    by betterunixthanunix (980855) on Tuesday September 11, @01:01PM (#20557923)
    ...of a guy in a class I took who had packet sniffed our network, then reported my university e-mail password to me. Why? Because the university refused to enable SSL-secured POP3. A quick email reveals that, in fact, they were never planning to, and that I am just SOL.
  • Heh (Score:3, Funny)

    Of course something originally designed by the US Naval Research Laboratory and then spun off to an "independent pro-privacy group" such as the EFF would have loopholes, insecurities, and unwieldy aspects of it.

    One thing that doesn't make sense to me: why does Tor operate MOSTLY over primary networks with non-tor functions? Doesn't it make sense that people who rely on Tor-offered anonymity would only operate the network bound to a specific NIC, a specific router and a specific network connection, separate from their main non-anonymous one? If anonymity is that important, why even bother trying to maintain an anonymous network connection concurrent with your non-anonymous one, with both utilizing the same single-point of exit/entry?

    Doesn't make sense.
    • Re:Heh by charlesnw (Score:3) Tuesday September 11, @01:20PM
      • Re:Heh (Score:5, Informative)

        by kebes (861706) on Tuesday September 11, @01:59PM (#20559257)
        (Last Journal: Monday January 08 2007, @02:45PM)
        Indeed. This isn't a problem with TOR per se. If I'm reading the blog post correctly, the security issue he is really identifying is: "don't mix an anonymizer with identifiable actions."

        Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you are surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.

        However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.

        Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyways? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.

        The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories:
        1. When browsing in a non-identifiable way, use TOR if you want anonymity.
        2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.)
        3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).

        This is, at least, my understanding. Corrections and clarifications are welcome.
        • Re:Heh (Score:5, Informative)

          by HTH NE1 (675604) on Tuesday September 11, @02:33PM (#20559929)
          You can use it in a personally identifying way if what you want to conceal is not your identity but rather your location, or you have a need to communicate securely at your local end so that others at your end won't know where you're going.

          There's a balance to be struck with anonymity and security and where you strike it depends on what aspects need to be anonymous and what other aspects need to be secure.
        • Re:I'd find it easier to take seriously ... by QuickFox (Score:2) Wednesday September 12, @01:04AM
    • Re:Heh by Veinor (Score:1) Tuesday September 11, @02:09PM
    • Re:Heh by discord5 (Score:2) Tuesday September 11, @03:39PM
  • by eknagy (1056622) on Tuesday September 11, @01:04PM (#20557981)
    Well, the embassies should have used this new technology called "encryption". I heard that in the future, even browsers will support it...

    eknagy
  • by Enlarged to Show Tex (911413) on Tuesday September 11, @01:04PM (#20557991)
    Oh, wait. This is how the feds set up their kiddy porn honeypots...
  • Tor uses the concept of 'onion routing' to obscure the source and destination of content passed through it. What this means is that, like an onion, content is wrapped in multiple layers of destinations and buried in the ground (or routed) until, after a delay, shoots come up (the headers are interpreted and the onion is passed to another destination) and ultimately the onion is ready to be dug out of the ground (the content reaches its destination).

    Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security. That's a whole nother layer of complication, however.
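The layering described in the onion analogy above, and kebes's point that the exit node reads whatever the client did not encrypt end-to-end, as an added example that is not part of the original thread. The three-hop circuit, the per-hop keystream cipher (HMAC-SHA256 in counter mode, a stand-in for Tor's real AES-CTR layers, not a secure cipher), the relay names and the POP3 login bytes are all constructed for the illustration:

```python
import hashlib
import hmac
import os

# Toy per-hop cipher: HMAC-SHA256 in counter mode, XORed as a keystream. It stands in
# for Tor's real AES-CTR layers purely to show the layering; it is not a secure cipher.
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: fresh nonce, then plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    """Peel one layer (the XOR is symmetric)."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


RELAYS = ("guard", "middle", "exit")  # hypothetical three-hop circuit

# Constructed sample of a plaintext POP3 login; not a real account or password.
POP3_LOGIN = b"USER ambassador\r\nPASS not-a-real-password\r\n"


def build_onion(hop_keys: list, payload: bytes) -> bytes:
    """Wrap the payload once per hop; the exit's layer goes on first, the guard's last."""
    cell = payload
    for key in reversed(hop_keys):
        cell = layer_encrypt(key, cell)
    return cell


def route(hop_keys: list, cell: bytes) -> list:
    """Simulate the circuit: each relay peels its own layer. Returns what each relay
    sees after peeling; the last entry is what leaves the exit toward the destination."""
    seen = []
    for key in hop_keys:
        cell = layer_decrypt(key, cell)
        seen.append(cell)
    return seen


def who_sees_password(end_to_end: bool) -> dict:
    """Report which parties can read the PASS line, with or without an extra
    end-to-end layer (a stand-in for TLS negotiated with the mail server itself)."""
    hop_keys = [os.urandom(32) for _ in RELAYS]
    app_data = POP3_LOGIN
    session_key = os.urandom(32)  # known only to the client and the destination
    if end_to_end:
        app_data = layer_encrypt(session_key, app_data)
    seen = route(hop_keys, build_onion(hop_keys, app_data))
    report = {name: b"PASS " in data for name, data in zip(RELAYS, seen)}
    leaving_exit = seen[-1]
    at_destination = layer_decrypt(session_key, leaving_exit) if end_to_end else leaving_exit
    report["destination"] = b"PASS " in at_destination
    return report


if __name__ == "__main__":
    print("plain POP3 over Tor:      ", who_sees_password(end_to_end=False))
    print("POP3 inside TLS over Tor: ", who_sees_password(end_to_end=True))
```

Run stand-alone, the first line reports that only the exit relay and the destination can read the PASS line, and the second that with the extra end-to-end layer only the destination can. The guard and middle relays never see it in either case, which is the property Tor actually promises; what the thread is about is the gap between the exit and the destination, which only the client's own encryption closes.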

  • by joeflies (529536) on Tuesday September 11, @01:07PM (#20558075)
    if you voluntarily place the said man in the middle?
  • Lo dudo (Score:5, Insightful)

    by Anonymous Coward on Tuesday September 11, @01:11PM (#20558173)
    I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.

    -AC
    • Re:Lo dudo by fastest fascist (Score:2) Tuesday September 11, @02:08PM
  • by MikeRT (947531) on Tuesday September 11, @01:13PM (#20558227)
    (http://www.codemonkeyramblings.com/)
    I would be surprised to find that this is an acceptable policy in most governments. The US government, for example, is pretty restrictive with its systems, and Tor would not be tolerated if you got caught. Sounds to me like the biggest move that needs to be made is reprimanding or firing employees, not policy.
  • Unencrypted POP3 logins? Sheesh, even my Grandma uses SSL to check her mail.
  • This proves security. (Score:2, Insightful)

    by rubypossum (693765) on Tuesday September 11, @01:23PM (#20558471)
    If governments and embassies are using it then it's likely the system is relatively secure. What's likely to have happened is the Tor code was audited by said government(s) and found to be legit. Then the clueless diplomats were told "Hey, we've set up an anonymous browsing system for you. Browse away." Then the said diplomats go out and start browsing, thinking they're completely secure (i.e. don't need encryption, it's anonymous right?) The rest is history.

    I wonder about the intelligence of sniffing Tor exit ports, then mentioning you've found some (unnamed) diplomats browsing with it. I mean, you may feel like James Bond but getting loaded into the back of a van in the middle of the night isn't any fun. Neither is having the skin peeled off your fingers one at a time.

    Just saying.
  • and? (Score:3, Informative)

    by tomstdenis (446163) <tomstdenisNO@SPAMgmail.com> on Tuesday September 11, @01:44PM (#20558933)
    (http://libtom.org/)
    I thought it was common knowledge that most exit routes were owned by the very people that people think they need to keep secrets from.

    Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts ... but then again I grew up in Canada, not Bosnia or whatever :-)
  • by Trillan (597339) on Tuesday September 11, @01:55PM (#20559189)
    (http://pyile.com/ | Last Journal: Tuesday December 19 2006, @01:33PM)
    The summaries don't add much? Really? How about an explanation of what Tor actually is? Ars explains, Egerstad doesn't.
  • What? No! Can't be! Impossible! (Score:5, Insightful)

    by Opportunist (166417) on Tuesday September 11, @01:59PM (#20559255)
    Someone who sits between sender and recipient who exchange unencrypted data can sniff it? Impossible! Stunning news!

    Which reminds me, /. should implement irony tags.

    Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.

    I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!

    Sometimes I really wonder...
  • don't blame Tor (Score:2)

    by m2943 (1140797) on Tuesday September 11, @02:56PM (#20560347)
    The problem here is not that people are using Tor, the problem is that many services use unencrypted connections and unencrypted passwords. Tor is merely a convenient way of exposing this, but the problem would exist even without Tor.

    So, don't blame Tor, blame service providers that use unencrypted authentication, and blame people using these kinds of services.
  • by droopycom (470921) on Tuesday September 11, @07:12PM (#20564263)
    ... editing Wikipedia entries ;)

  • That's exactly what he did. (Score:5, Insightful)

    by Valdrax (32670) on Tuesday September 11, @01:50PM (#20559077)
    Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case it's STILL not particularly insightful, cool, or 31337.

    That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.
  • Re:Please explain (Score:2)

    by HTH NE1 (675604) on Tuesday September 11, @03:04PM (#20560477)
    Or where Megabyte lived [geocities.com].