[Infowarrior] - Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

[Richard Forno]

http://www.wired.com/politics/security/news/2007/09/embassy_hacks


Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise
By Kim Zetter Email 09.10.07 | 2:00 AM

A security researcher intercepted thousands of private e-mail messages sent
by foreign embassies and human rights groups around the world by turning
portions of the Tor internet anonymity service into his own private
listening post.

A little over a week ago, Swedish computer security consultant Dan Egerstad
posted the user names and passwords for 100 e-mail accounts used by the
victims, but didn't say how he obtained them. He revealed Friday that he
intercepted the information by hosting five Tor exit nodes placed in
different locations on the internet as a research project.

Tor is a sophisticated privacy tool designed to prevent tracking of where a
web user surfs on the internet and with whom a user communicates. It's
endorsed by the Electronic Frontier Foundation and other civil liberties
groups as a method for whistleblowers and human-rights workers to
communicate with journalists, among other uses.

It's also used by law enforcement and other government agencies to visit
websites anonymously to read content and gather intelligence without
exposing their identity to a website owner.

But Egerstad says that many who use Tor mistakenly believe it is an
end-to-end encryption tool. As a result, they aren't taking the precautions
they need to take to protect their web activity.

He believes others are likely exploiting this oversight as well.

"I am absolutely positive that I am not the only one to figure this out,"
Egerstad says. "I'm pretty sure there are governments doing the exact same
thing. There's probably a reason why people are volunteering to set up a
node."

Victims of Egerstad's research project included embassies belonging to
Australia, Japan, Iran, India and Russia. Egerstad also found accounts
belonging to the foreign ministry of Iran, the United Kingdom's visa office
in Nepal and the Defence Research and Development Organization in India's
Ministry of Defence.

In addition, Egerstad was able to read correspondence belonging to the
Indian ambassador to China, various politicians in Hong Kong, workers in the
Dalai Lama's liaison office and several human-rights groups in Hong Kong.

Egerstad says it wasn't just e-mail that was exposed but instant messages
passed internally between workers and any other web traffic that crossed the
network. Among the data he initially collected was e-mail from an Australian
embassy worker with the subject line referring to an "Australian military
plan."

"It kind of shocked me," he says.

Tor has hundreds of thousands of users around the world, according to its
developers. The largest numbers of users are in the United States, the
European Union and China.

Tor works by using servers donated by volunteers around the world to bounce
traffic around en route to its destination. Traffic is encrypted through
most of that route, and routed over a random path each time a person uses
it.

Under Tor's architecture, administrators at the entry point can identify the
user's IP address, but can't read the content of the user's correspondence
or know its final destination. Each node in the network thereafter only
knows the node from which it received the traffic, and it peels off a layer
of encryption to reveal the next node to which it must forward the
connection. (Tor stands for "The Onion Router.")

But Tor has a known weakness: The last node through which traffic passes in
the network has to decrypt the communication before delivering it to its
final destination. Someone operating that node can see the communication
passing through this server.

The Tor website includes a diagram showing that the last leg of traffic is
not encrypted, and also warns users that "the guy running the exit node can
read the bytes that come in and out of there." But Egerstad says that most
users appear to have missed or ignored this information.

Unless they're surfing to a website protected with SSL encryption, or use
encryption software like PGP, all of their e-mail content, instant messages,
surfing and other web activity is potentially exposed to any eavesdropper
who owns a Tor server. This amounts to a lot of eavesdroppers -- the
software currently lists about 1,600 nodes in the Tor network.

Egerstad discovered the problem about two months ago when he signed up five
servers he owns in Sweden, the United States and Asia to be Tor nodes, and
started peeking at the traffic. He was surprised to discover that 95 percent
of the traffic that passed through his Tor nodes was not encrypted.

Even more surprising was the number of embassies and other government
agencies that were using Tor, and using it incorrectly.

That prompted Egerstad to narrow his search to e-mail correspondence with a
focus on government agencies. He wrote a script to search for .gov domains
and keywords such as "embassy," "war" and "military," and focused on
sniffing port-25 traffic, the port through which e-mail passes.

He collected between 200 and 250 accounts belonging to embassies and
government agencies that were sending passwords and the content of
correspondence in the clear. None of them belonged to U.S. embassies or
government agencies.

Among the data he found in the correspondence was a spreadsheet listing
passport numbers and personal information about the passport holders, as
well as sensitive details about meetings and activities among government
officials.

Egerstad contacted one account holder about his vulnerability but was
ignored, he says. So on Aug. 30 he posted 100 of the accounts and passwords
online to get the word out, but kept largely mum about how he'd obtained the
information.

Since posting the data, he says only one victim has contacted him to find
out what they were doing wrong and learn how to fix it: Iran. In addition to
Iran's Ministry of Foreign Affairs, the country's embassies in Ghana, Kenya,
Oman and Tunisia were swept up by Egerstad's experimental surveillance.

Shava Nerad, the development director for the nonprofit group that supports
Tor, admits the group needs to produce better documentation for users to
make the risks of the system clearer. But she adds that people in high-risk
environments, such as embassies, should understand those risks already and
should be encrypting their communication on their own.

"If you're in a position like that handling sensitive data and you're
working for the government," she says, "it is irresponsible to send that
data unencrypted. They should institute practices that educate their users
and ensure the privacy of the data by going through encrypted VPNs."

Egerstad says he has shut down his Tor nodes.