Sensitive government e-mails leak through Tor exit nodes

Summary: The hacker behind the recent public disclosure of 100 sensitive government/embassy e-mail accounts says he aimed packet sniffers at five Tor exit nodes to capture the confidential information.

The hacker behind the recent public disclosure (Techmeme, Wired, SecurityFocus) of 100 sensitive government/embassy e-mail accounts says he aimed packet sniffers at Tor exit nodes to capture the confidential information.

Dan Egerstad, a computer consultant based in Sweden, said his packet sniffer focused entirely on POP3 and IMAP traffic coming through the Tor (The Onion Router) exit nodes.

Five Tor exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic using a keyword-filter looking for words like "gov, government, embassy, military, war, terrorism, passport, visa" as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me started thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download, together with all other traffic such as web and instant messaging.

During the course of the experiment, Egerstad said he read about 1,000 e-mails belonging to international governments, including sensitive information like visa and passport information requests, a database of confidential user information on passport holders and details on government meetings.

"These governments told their users to use Tor, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not," Egerstad said. Egerstad published a list of Tor exit nodes that can be used to sniff traffic. The Tor exit node weakness is well known and documented on the anonymity tool's Frequently Asked Questions (FAQ) page, which says:

Yes, the guy running the exit node can read the bytes that come in and out there. Tor anonymizes the origin of your traffic, and it makes sure to encrypt everything inside the Tor network, but it does not magically encrypt all traffic throughout the Internet.

This is why you should always use end-to-end encryption such as SSL for sensitive Internet connections.
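The sniffer Egerstad describes above, and the FAQ's point that only the hops inside the Tor network are encrypted, come down to what cleartext POP3 and IMAP put on the wire at the exit. The following is an added example written for this page, not code from the article, from Egerstad or from the Tor Project. It parses three constructed sample sessions (hypothetical hosts, account names and passwords) the way a passive observer at an exit node would: it pulls out USER/PASS, LOGIN and SASL PLAIN credentials, applies the keyword filter quoted above, and shows that once the client upgrades with STLS before logging in, the same observer gets nothing beyond the server greeting.

```python
"""Added example (not code from the article, Egerstad or the Tor Project): what a
passive observer at a Tor exit node reads from a POP3/IMAP session that stays in
cleartext versus one that switches to TLS with STLS/STARTTLS. The sessions are
constructed sample traffic with made-up hosts, names and passwords, written as
(direction, payload) pairs: "C" is client-to-server, "S" server-to-client."""
import base64
import binascii
import re

# Egerstad's keyword list as quoted in the article. Whole-word, case-insensitive
# matching so that "war" does not fire on "Warsaw" or "warning".
KEYWORDS = ("gov", "government", "embassy", "military", "war",
            "terrorism", "passport", "visa")
_KW_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)

POP3_PLAIN = [  # cleartext POP3 login followed by a message fetch
    ("S", b"+OK mail.embassy.example.test POP3 ready\r\n"),
    ("C", b"USER attache@embassy.example.test\r\n"),
    ("S", b"+OK\r\n"),
    ("C", b"PASS Passport-2007\r\n"),
    ("S", b"+OK Logged in.\r\n"),
    ("C", b"RETR 1\r\n"),
    ("S", b"+OK 120 octets\r\nSubject: visa request for the minister\r\n\r\n...\r\n.\r\n"),
]
IMAP_PLAIN = [  # cleartext IMAP using SASL PLAIN (base64 is encoding, not encryption)
    ("S", b"* OK IMAP4rev1 ready\r\n"),
    ("C", b"a001 AUTHENTICATE PLAIN\r\n"),
    ("S", b"+ \r\n"),
    ("C", base64.b64encode(b"\0consul\0Warsaw!1") + b"\r\n"),
    ("S", b"a001 OK authenticated\r\n"),
]
POP3_STLS = [  # same server, but the client upgrades to TLS before logging in
    ("S", b"+OK mail.embassy.example.test POP3 ready\r\n"),
    ("C", b"STLS\r\n"),
    ("S", b"+OK Begin TLS negotiation\r\n"),
    # From here the wire carries TLS records; USER/PASS travel inside them.
    ("C", b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32))),
    ("S", b"\x17\x03\x03\x00\x30" + bytes(48)),
]


def decode_sasl_plain(b64):
    """SASL PLAIN (RFC 4616) is base64 of: authzid NUL authcid NUL password."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except (binascii.Error, ValueError):
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def _server_ok(protocol, line):
    tokens = line.split()
    if protocol == "pop3":
        return tokens[:1] == ["+OK"]
    return len(tokens) > 1 and tokens[1].upper() == "OK"  # IMAP: "<tag> OK ..."


def analyze(session):
    """Return what is readable on the wire from one session, up to the point TLS starts."""
    seen = {"protocol": None, "user": None, "password": None, "tls": False, "keywords": set()}
    expect_plain = False  # next client line is a SASL PLAIN response
    tls_pending = False   # client sent STLS/STARTTLS and awaits the server's OK
    for direction, payload in session:
        for line in payload.decode("latin-1").splitlines():
            seen["keywords"].update(m.lower() for m in _KW_RE.findall(line))
            if direction == "S":
                if seen["protocol"] is None:
                    seen["protocol"] = "imap" if line.startswith("* ") else "pop3"
                if tls_pending and _server_ok(seen["protocol"], line):
                    seen["tls"] = True  # handshake follows; nothing after this is readable
                    return seen
                continue
            cmd = line.split()
            if seen["protocol"] == "imap" and cmd:
                cmd = cmd[1:]  # drop the IMAP tag
            if expect_plain:
                expect_plain = False
                creds = decode_sasl_plain(line.strip().encode("latin-1"))
                if creds:
                    seen["user"], seen["password"] = creds
                continue
            verb = cmd[0].upper() if cmd else ""
            if verb == "USER" and len(cmd) > 1:
                seen["user"] = cmd[1]
            elif verb == "PASS" and len(cmd) > 1:
                seen["password"] = " ".join(cmd[1:])
            elif verb == "LOGIN" and len(cmd) > 2:
                seen["user"], seen["password"] = cmd[1].strip('"'), cmd[2].strip('"')
            elif verb in ("AUTH", "AUTHENTICATE") and len(cmd) > 1 and cmd[1].upper() == "PLAIN":
                if len(cmd) > 2:  # initial response sent inline (SASL-IR)
                    creds = decode_sasl_plain(cmd[2].encode("latin-1"))
                    if creds:
                        seen["user"], seen["password"] = creds
                else:
                    expect_plain = True
            elif verb in ("STLS", "STARTTLS"):
                tls_pending = True
    return seen
```

Two caveats worth taking from running it. SASL PLAIN is base64, not encryption, so it falls out of the capture as easily as USER/PASS does. And STLS/STARTTLS only helps when the client refuses to log in without it: the server greeting (and with it the embassy's hostname) is still sent in the clear, and an exit node that rewrites server responses rather than just reading them can make the STLS capability disappear, so an opportunistic client falls back to cleartext. Forcing TLS in the mail client, or using the dedicated POP3S/IMAPS ports, is what the FAQ's advice translates to in practice.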

As Egerstad explains, Tor is not the problem. The people who should be blamed for this exposure of sensitive data are the government network administrators that wrote the security policy for Tor usage. "These administrators are responsible for giving away their own countries' secrets to foreigners. I can't call it a mistake, this is pure stupidity and not forgivable!" he added.

Talkback

12 comments
  • And that is why you never send unencrypted emails....

    I don't get it, the government security folks apparently do not train their users on the weaknesses of sending unencrypted emails.
    mrlinux
  • I don't know what TOR is, but ...

    I don't know what TOR is, but it sounds like knowledgeable admins
    do and should not be using it for sensitive information.

    This is akin to leaving cash deposits in a cardboard box outside
    a bank's front door at night.
    kd5auq
  • RE: Sensitive government e-mails leak through Tor exit nodes

    Tor is a way of doing something analogous to blocking caller ID on the Internet. Every communication you pass through the net identifies your geographic origin through your IP address, similar to a phone number.

    Tor obfuscates that, and because we do encrypt the first three hops, some people assume we provide end-to-end encryption, even though our web page, wiki, FAQ and documentation explain that we do not.

    If you wanted to come read this article via end-to-end encryption, you couldn't, because https://blogs.zdnet.com (note, https not http) will time out because this web site is not configured to deliver pages over encrypted connections.

    The sad thing is that most webmail isn't either. Most news sites aren't. In fact, most casual surfing on the net goes through http without an encrypted https alternative.

    When you pop a credit card on the page, you might look for https or a lock icon on your browser to know that your financial transaction is secure. But when you log into wired.com or theregister.co.uk, as examples, do you look to see if it's https? It's not. Do you use the same password for anything else sensitive? Your email? Your bank?

    Because if you ever log in to a site with http: pages for the username/password over an open, unencrypted wireless at a cafe -- you are just as exposed as these embassy folks. Anyone could sniff that off the wireless, and start trying it on amazon or other sites.

    It's not that using Tor is insecure. Tor is quite good at doing that "caller ID blocking" thing, what researchers call online anonymity.

    But it's as though someone were using a security suite that included backup but they never used it, because for some reason they thought virus protection was enough.

    Tor is only part of a security-conscious strategy that must include end-to-end encryption. And that's not just for embassy staff, that's for anyone whose priorities tip the scales at preserving the privacy of their data.

    Shava Nerad
    Development Director
    The Tor Project
    shava@...
  • btw, zdnet's login page is http, not https

    As a result, a person using Tor would have to reveal a username/password pair to comment on this story, because the web site admins don't allow a secure connection.

    yrs,
    Shava
    shava@...
    • Mickey Mouse.

      ZDNet is a Mickey Mouse operation. They don't care about security, only useless blogs. They used to have great news coverage but that too has gone to the way of blogs.
      bjbrock
  • RE: Sensitive government e-mails leak through Tor exit nodes

    I am so confused. So the computer geeks at our embassy used TOR? Why didn't they just stay within the government's own systems?

    This is over my head but what it tells me is this, when the government speaks of having a secure line, they don't really have a secure line.

    Are our spies incompetent?
    Sickthing
    • I think the guy using TOR...

      ...is trying to circumvent his own system monitoring. Like traffic analysis at the firewall. I read a story on ZDNet about a professor using TOR to download music. The school prohibited that so he went through TOR/Vidalia to anonymize his activity. He was forced to stop doing that.
      wmlundine
  • don't you need physical network access?

    Hopefully, not anyone can just put a sniffer on the same local network as a TOR server. But it does point out that these emails are plain text. So someone that does have physical access to another network backbone or ISP's network where one of these emails travels could intercept it.
    dletcher@...
  • Deja vu

    How many times are incidents such as this going to occur? Sometimes I feel like I'm reading the same story over again - just different names/dates.

    http://news.com.com/5208-1029_3-0.html?forumID=1&threadID=23814&messageID=222188&start=0
    ashleyw
  • Great tool for spammers

    A good tool for spammers too, they can also use a modified TOR to collect all the email addresses that pass through it.
    kyawam
  • RE: Sensitive government e-mails leak through Tor exit nodes

    9/11 and after 6 years the government still doesn't have their shit together. Typical
    chrisleisure@...
  • Call for security checks on network administrators

    "The people who should be blamed for this exposure of sensitive data are the government network administrators that wrote the security policy for Tor usage."

    So correct. In my own struggles with this, I find it all too common for the government network administrators to be non-citizens. These individuals often have worked for decades at the government agencies and started work when security checks may not have been required. If you are going to work in IT at a government agency you had better start working on citizenship. On its face the foreign IT network administrator is a security risk. Why is it so hard for management to recognize this?
    mighetto