Sensitive government e-mails leak through Tor exit nodes

Summary: The hacker behind the recent public disclosure of 100 sensitive government/embassy e-mail accounts says he aimed packet sniffers at five Tor exit nodes to capture the confidential information.

The hacker behind the recent public disclosure (Techmeme, Wired, SecurityFocus) of 100 sensitive government/embassy e-mail accounts says he aimed packet sniffers at Tor exit nodes to capture the confidential information.

Dan Egerstad, a computer consultant based in Sweden, said his packet sniffer focused entirely on POP3 and IMAP traffic coming through the Tor (The Onion Router) exit nodes.

Five Tor exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic using a keyword-filter looking for words like "gov, government, embassy, military, war, terrorism, passport, visa" as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me started thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download, together with all other traffic such as web and instant messaging.

During the course of the experiment, Egerstad said he read about 1,000 e-mails belonging to international governments, including sensitive information like visa and passport information requests, a database of confidential user information on passport holders and details on government meetings.


"These governments told their users to use Tor, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not," Egerstad said. He also published a list of Tor exit nodes that can be used to sniff traffic. The Tor exit node weakness is well known and documented on the anonymity tool's Frequently Asked Questions (FAQ) page, which states:

Yes, the guy running the exit node can read the bytes that come in and out there. Tor anonymizes the origin of your traffic, and it makes sure to encrypt everything inside the Tor network, but it does not magically encrypt all traffic throughout the Internet.

This is why you should always use end-to-end encryption such as SSL for sensitive Internet connections.
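The practical consequence of the FAQ's point is that a mail client which logs in over plain POP3 (port 110) or IMAP (port 143) without first upgrading to TLS hands its password and every message to whoever operates the last hop. The following audit check, an added example rather than code from the article or from the Tor project, walks a constructed capture of client commands in observed order and flags sessions that authenticated before issuing STLS or STARTTLS; the addresses, ports and lines are all constructed.

```python
"""Audit check: flag POP3/IMAP sessions that authenticate before the
connection is upgraded to TLS (added example; capture format is constructed)."""

# Constructed records in observed order: (client IP, server port, client line).
# Lines after a successful STLS/STARTTLS would be unreadable in a real capture;
# they appear here only to show the ordering logic.
SAMPLE_RECORDS = [
    ("10.1.1.5", 110, "USER alice@example.gov"),
    ("10.1.1.5", 110, "PASS example-password"),
    ("10.1.1.5", 110, "STAT"),
    ("10.1.1.6", 143, "a1 STARTTLS"),
    ("10.1.1.6", 143, "a2 LOGIN bob example-password"),
    ("10.1.1.7", 143, "x1 AUTHENTICATE PLAIN"),
    ("10.1.1.8", 995, "USER dave"),      # implicit-TLS port: never readable
    ("10.1.1.9", 110, "STLS"),
    ("10.1.1.9", 110, "USER carol"),
]

PROTO = {110: "POP3", 143: "IMAP"}
# Any authentication verb counts, not only cleartext-password ones: even a
# challenge-response mechanism leaves the mailbox contents readable to
# whoever sits between client and server (an exit node, for instance).
AUTH_VERBS = {110: {"USER", "PASS", "AUTH"}, 143: {"LOGIN", "AUTHENTICATE"}}
UPGRADE_VERBS = {"STLS", "STARTTLS"}


def cleartext_auth_sessions(records):
    """Return {(client, port): reason} for sessions that authenticated
    without first issuing STLS (POP3) or STARTTLS (IMAP)."""
    upgraded = set()
    flagged = {}
    for client, port, line in records:
        if port not in PROTO:            # 993/995 are TLS from the first byte
            continue
        words = line.split()
        if port == 143 and len(words) > 1:
            words = words[1:]            # drop the IMAP command tag
        if not words:
            continue
        verb = words[0].upper()
        key = (client, port)
        if verb in UPGRADE_VERBS:
            upgraded.add(key)
        elif verb in AUTH_VERBS[port] and key not in upgraded and key not in flagged:
            flagged[key] = f"{PROTO[port]} {verb} before TLS"
    return flagged

if __name__ == "__main__":
    for (client, port), reason in cleartext_auth_sessions(SAMPLE_RECORDS).items():
        print(f"{client}:{port}  {reason}")
```

The check only inspects command verbs and never records credential values, so it can run against your own organisation's mail traffic to find clients that need their TLS settings fixed.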

As Egerstad explains, Tor is not the problem. The people who should be blamed for this exposure of sensitive data are the government network administrators who wrote the security policy for Tor usage. "These administrators are responsible for giving away their own countries' secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!" he added.



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
