While browsing interesting stories on Slashdot.org I found reference to an astonishing blog entry over at derangedsecurity.com; in this blog, the author gives out a list of 100 government e-mail accounts and their passwords. Mainly belonging to Asian and Eastern European embassies, the account details were captured by simply sniffing unencrypted network traffic. Following the story further, the Web site hosting the blog was taken offline at the request of U.S. law enforcement officials! Interesting, seeing as no details of U.S. accounts were divulged! Later on, the author explained how he had collected the information without any hacking, cracking, or decryption. The data had exited the anonymous routed network known as Tor in plain text!

What is Tor? Tor is a free software application that uses an onion-routing system, enabling users to communicate anonymously on the Internet. Users run a Tor proxy on their machine; this creates an encrypted connection to the Tor server where the connection passes from router to router and finally out to the Internet via an exit node. As the exit node does not know who owns the outgoing connection, the user is able to anonymously access Internet services. The server hosting Internet services or anyone in between the two will only see the connection coming from a Tor exit node, not the end user who will remain hidden.

Tor has a few vulnerabilities that may enable the identity of a user to be traced. If traffic is being watched on both sides of the connection, then statistical analysis could be used to verify the identity a match. It is usually only governments and ISP’s who would have this power. If the users’ client is poorly configured, then DNS queries may be sent out directly rather than proxied via Tor; this could easily undermine any anonymity the network has provided.

What interested me about this particular breach was that it underlines people’s misapprehension of ‘anonymous‘ and ‘secure‘. As the blog at derangedsecurity points out, methods used to collect the information in question did not involve any hacking, cracking, or decryption. Tor exit nodes can be hosted by anyone and the owner of an exit node can easily analyse the traffic that passes through. Simple tools like tcpdump, driftnet, and dsniff are more than adequate for the purpose, and I would be very surprised if the majority of exit node owners were not keeping an eye on what their server is being used for. This is all very well and, in itself, does not breach the anonymity of the Tor network-while it may mean that somebody knows what is being accessed, they cannot work out who is accessing it.

The real issue highlighted by derangedsecurity’s blog is the assumption that ‘anonymity means secure‘; as we can see, it very obviously does not! If the users accessing these e-mail accounts had been using a secure protocol like POP3S, IMAPS, or HTTPS then their login information and accompanying data would have been protected as the exit nodes would be handling encrypted data-streams rather than login details being transported as plain text!

There doesn’t seem to be any doubt that both government agencies and criminals are both using the Tor network: exit nodes are known to be hosted by:

  • An ‘anonymous’ organisation in Washington DC handling well in excess of 10TB data per month.
  • A space research institute controlled by the Russian Government.
  • Various underground hacking groups and identity thieves.
  • The Chinese government.
  • Taiwanese Ministry of Education.

I wonder whether the people accessing these accounts at the times their credentials were captured were the official users or some other people who should not have been accessing them at all? The Tor network would certainly be a good way of hiding their identity should one of the institutions discover the unauthorised access. I’ll be keeping a lookout for any official statements made by the institutions involved; if you come across any then please leave a comment and let me know.