Information Security News: The hack of the year

[InfoSec News <alerts () infosecnews org>]

http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html

November 13, 2007
Next

A Swedish hacker tells how he infiltrated a global communications 
network used by scores of embassies over the world, using tools freely 
available on the internet.

In August, Swedish hacker Dan Egerstad gained access to sensitive 
embassy, NGO and corporate email accounts. Were they captured from the 
clutches of hackers? Or were they being used by spies? Patrick Gray 
investigates the most sensational hack of 2007.

IT WASN'T supposed to be this easy. Swedish hacker Dan Egerstad had 
infiltrated a global communications network carrying the often-sensitive 
emails of scores of embassies scattered throughout the world. It had 
taken him just minutes, using tools freely available for download on the 
internet.

He says he broke no laws.

In time, Egerstad gained access to 1000 high-value email accounts. He 
would later post 100 sets of sensitive email logins and passwords on the 
internet for criminals, spies or just curious teenagers to use to snoop 
on inter-governmental, NGO and high-value corporate email.

The question on everybody's lips was: how did he do it? The answer came 
more than a week later and was somewhat anti-climactic. The 22-year-old 
Swedish security consultant had merely installed free, open-source 
software - called Tor - on five computers in data centres around the 
globe and monitored it. Ironically, Tor is designed to prevent 
intelligence agencies, corporations and computer hackers from 
determining the virtual - and physical - location of the people who use 
it.

"Tor is like having caller ID blocking for your internet address," says 
Shava Nerad, development director with the Tor Project. "All it does is 
hide where you're communicating from."

Tor was developed by the US Navy to allow personnel to conceal their 
locations from websites and online services they would access while 
overseas. By downloading the simple software, personnel could hide the 
internet protocol address of their computers - the tell-tale number that 
allows website operators or intelligence services to determine a user's 
location.

Eventually the navy realised it must take Tor beyond the armed forces. 
"The problem is, if you make Tor a tool that's only used by the military
. . . by using Tor you're advertising that you're military," Nerad says.

So Tor was cast into the public domain. It is now maintained and 
distributed by a registered charity as an open-source tool that anyone 
can freely download and install. Hundreds of thousands of internet users 
have installed Tor, according to the project's website.

Mostly it is workers who want to browse pornographic websites 
anonymously. "If you analyse the traffic, it's just porn," Egerstad told 
Next by phone from Sweden. "It's kind of sad."

However, Dmitri Vitaliev, a Russian-born, Australian-educated computer 
security professional who lives in Canada, says Tor is a vital tool in 
the fight for democracy. Vitaliev trains human-rights campaigners on how 
to stay safe when online in oppressive regimes. "It's incredibly 
important," he said in a Skype chat from the unrecognised state of 
Transnistria, a breakaway region in Moldova where he's assisting a local 
group working to stop the trafficking of women. "Anonymity is a high 
advantage in countries that perform targeted surveillance on activists."

It's also used to bypass website censorship in more than 20 countries 
that censor political and human rights sites, he says.

Tor works by connecting its users' internet requests, randomly, to 
volunteer-run Tor network nodes. Anyone can run a Tor node, which relays 
the user's traffic through other nodes as encrypted data that can't be 
intercepted.

When the user's data reaches the edge of the Tor network, after bouncing 
through several nodes, it pops out the other side as unencrypted, 
readable data. Egerstad was able to get his mitts on sensitive 
information by running an exit node and monitoring the traffic that 
passed through it.

The problem, says Vitaliev, is some Tor users assume their data is 
protected from end to end. "As in pretty much any other internet 
technology, its vulnerabilities are not well understood by those who use 
it (and) need it most," he says.

The discovery that sensitive, government emails were passing through Tor 
exit nodes as unencrypted, readable data was only mildly surprising to 
Egerstad. It made sense - because Tor documentation mentions 
"encryption", many users assume they're safe from all snooping, he says.

"People think they're protected just because they use Tor. Not only do 
they think it's encrypted, but they also think 'no one can find me'," 
Egerstad says. "But if you've configured your computer wrong, which 
probably more than 50 per cent of the people using Tor have, you can 
still find the person (on) the other side."

Initially it seemed that government, embassy, NGO and corporate staffers 
were using Tor but had misconfigured their systems, allowing Egerstad to 
sniff sensitive information off the wire. After Egerstad posted the 
passwords, blame for the embarrassing breach was initially placed on the 
owners of the passwords he had intercepted.

However, Egerstad now believes the victims of his experiment may not 
have been using Tor. It's quite possible he stumbled on an underground 
intelligence gathering exercise, carried out by parties unknown.

"The whole point of the story that has been forgotten, and I haven't 
said much about it, (is that) many of these accounts had been 
compromised," he says. "The logins I caught were not legit users but 
actual hackers who'd been reading these accounts."

In other words, the people using Tor to access embassy email accounts 
may not have been embassy staff at all. Egerstad says they were computer 
hackers using Tor to hide their origins from their victims.

The cloaking nature of Tor is appealing in the extreme to computer 
hackers of all persuasions - criminal, recreational and government 
sponsored.

If it weren't for the "last-hop" exit node issue Egerstad exposed in 
such a spectacular way, parties unknown would still be rifling the 
inboxes of embassies belonging to dozens of countries. Diplomatic memos, 
sensitive emails and the itineraries of government staffers were all up 
for grabs.

After a couple of months sniffing and capturing information, Egerstad 
was faced with a moral dilemma: what to do with all the intercepted 
passwords and emails.

If he turned his findings over to the Swedish authorities, his 
experiment might be used by his country's intelligence services to 
continue monitoring the compromised accounts. That was a little too 
close to espionage for his liking.

So Egerstad set about notifying the affected governments. He approached 
a few, but the only one to respond was Iran. "They wanted to know 
everything I knew," he says. "That's the only response I got, except a 
couple of calls from the Swedish security police, but that was pretty 
much all the response I got from any authority."

Frustrated by the lack of a response, Egerstad's next step caused high 
anxiety for government staffers - and perhaps intelligence services - 
across the globe. He posted 100 email log-ins and passwords on his blog, 
DEranged Security. "I just ended up (saying) 'Screw it, I'm just going 
to put it online and see what happens'."

The news hit the internet like a tonne of bricks, despite some initial 
scepticism. The email logins were quickly and officially acknowledged by 
some countries as genuine, while others were independently verified.

US-based security consultant - and Tor user - Sam Stover says he has 
mixed feelings about Egerstad's actions. "People all of a sudden (said) 
'maybe Tor isn't the silver bullet that we thought it was'," Stover 
says. "However, I'm not sure I condone the mechanism by which that sort 
of information had to be exposed in order to do that."

Stover admits that he, too, once set up a Tor exit node. "It's pretty 
easy . . . I set it up once real quick just to make sure that I could 
see other people's traffic and, sure enough, you can," he says. "(But) 
I'm not interested in that sort of intelligence gathering."

While there's no direct evidence, it's possible Egerstad's actions shut 
down an active intelligence-gathering exercise. Wired.com journalist Kim 
Zetter blogged the claims of an Indian Express reporter that he was able 
to access the email account for the Indian ambassador in China and 
download a transcript of a meeting between the Chinese foreign minister 
and an Indian official. In addition to hackers using Tor to hide their 
origins, it's plausible that intelligence services had set up rogue exit 
nodes to sniff data from the Tor network.

"Domestic, or international . . . if you want to do intelligence 
gathering, there's definitely data to be had there," says Stover. "(When 
using Tor) you have no idea if some guy in China is watching all your 
traffic, or some guy in Germany, or a guy in Illinois. You don't know."

Egerstad is circumspect about the possible subversion of Tor by 
intelligence agencies. "If you actually look in to where these Tor nodes 
are hosted and how big they are, some of these nodes cost thousands of 
dollars each month just to host because they're using lots of bandwidth, 
they're heavy-duty servers and so on," Egerstad says. "Who would pay for 
this and be anonymous?"

While Stover regards Tor as a useful tool, he says its value is greatly 
overestimated by those who promote and use it. "I would not use or 
recommend the tool to hide from people between you and your endpoint. 
It's really purely a tool to hide from the endpoint," he says.

As a trained security professional, Stover has the nous to understand 
its limitations, he says. Most people don't.

The lesson remains but the data Egerstad captured is gone, the Swedish 
hacker insists. He's now focusing on his career as a freelance security 
consultant. "I deleted everything I had because the information I had 
was belonging to so many countries that no single person should have 
this information so I actually deleted it and the hard drives are long 
gone," he says.

Patrick Gray's interviews with Dan Egerstad and Sam Stover can be heard 
in his podcast from http://ITRadio.com.au/security.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/