#8, 09-11-2007, 11:27 AM
Strateg0s
Senior Member
 
Join Date: Aug 2006
Posts: 179
I just noticed this article also:
A security expert who exposed the passwords and login information for a number of embassies and foreign government organizations revealed today that the information was acquired by operating a Tor node.

Quote:
Last month, Swedish security specialist Dan Egerstad exposed the passwords and login information for 100 e-mail accounts on embassy and government servers. In a blog entry today, Egerstad disclosed his methodology. He collected the information by running a specialized packet sniffer on five Tor exit nodes operated by his organization, Deranged Security.

Tor is an onion routing service that facilitates anonymous Internet communication. Originally developed by the US Naval Research Laboratory and currently funded by the Electronic Frontier Foundation, Tor is designed to protect users from traffic analysis and other kinds of network surveillance. It works by relaying connections through a series of distributed network servers. When a Tor user visits a web site, the IP address detected and logged by that site will be the IP address of one of the Tor nodes rather than the actual user. This makes it possible for users to obscure their identity under certain circumstances.

Unfortunately, many Tor users do not realize that all of their network traffic is being exposed to Tor nodes. Tor users who do not use encryption are broadly exposing themselves to identity theft. Egerstad was originally doing a study on e-mail encryption, but during the course of the research project, he decided to create the packet sniffer and expose sensitive e-mail login data in order to increase awareness of the fact that Tor exposes sensitive information when not used with encryption.

Egerstad believed that privately disclosing his findings to the organizations whose passwords he obtained would not convince them to change their practices. He also knew that it was only a matter of time before others with malicious intent would perform the same kind of experiment, so he felt that broad public disclosure was the only way he could generate enough attention to force people to think about the problem.

"Experience tells me that even if I would contact everyone on this list most are not going to listen," Egerstad wrote when he released the login information last month. "So f*** it! Here is everything you need to read classified email and f*** up some serious International business. Hopefully this will put light on the security problems that are never talked about and get at least this fixed with a speed that you've never seen your government work before. As a Swedish citizen I can't give this information to anyone without getting into trouble, so instead I'm giving it to everyone."

After publicly releasing the information, Egerstad's site was taken down at the request of US law enforcement officials. After it was brought back earlier this week, Egerstad expressed frustration and pointed out that the information was already spreading across the Internet. Taking down Egerstad's site only served to silence his message about security and did not prevent dissemination of the sensitive data. "I've seen people saying that the US would be angry now that we forced foreign countries to tighten their security so NSA or whatever can't read their secrets any longer. To me it sounds like bulls*** taken out of a bad book but after this silly little stunt I'm reconsidering. Is there any reason you DO NOT want people to secure their systems?" asked Egerstad.

According to Egerstad, the information disclosed is only a fraction of what he collected. He continues to argue that the responsibility for exposing the login information rests on the organizations that failed to use encryption and that he simply drew attention to information that was essentially already public. "ToR isn't the problem, just use it for what it's made for," Egerstad notes. "[The system administrators for the organizations whose passwords were exposed] are responsible for giving away their own countries' secrets to foreigners. I can't call it a mistake, this is pure stupidity and not forgivable!"

Egerstad also points out that very little is known about the intentions and activity of other Tor exit node operators, some of whom are already known to be associated with malicious hacker groups and foreign governments.
Quote:
this is how we did it:

#1 Five ToR exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic using a keyword-filter looking for words like “gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me started thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download together with all other traffic such as web and instant messaging.

Did you get it? These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not. There are hundreds of thousands of ToR users but finding these kinds of accounts was… hmm… shocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries’ secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!

ToR isn’t the problem, just use it for what it’s made for.

#2. I’ll have a lot of people to thank for helping me here, you all know who you are, white-hats and friends out there. ToR has about 1000 nodes set up to handle exit-traffic (unencrypted). These are the servers all your traffic is going to be sent through. Of course you know everything about them, right? I had five running during this test that no one knew about, who owns the others?

Just to give you something to think about we did look into a few servers out of 1000 we thought looked interesting. We aren’t trying to tell you what to think, you will have to do that yourself.

Example of Exit-nodes that can read your traffic:

• Nodes named devilhacker, hackershaven…
• Node hosted by an illegal hacker-group
• Major nodes hosted anonymously dedicated to ToR by the same person/organization in Washington DC. Each handling 5-10TB data every month.
• Node hosted by Space Research Institute/Cosmonauts Training Center controlled by Russian Government
• Nodes hosted on several Government controlled academies in the US, Russia and around Asia.
• Nodes hosted by criminal identity stealers
• Node hosted by Ministry of Education Taiwan (China)
• Node hosted by major stock exchange company and Fortune 500 financial company
• Nodes hosted anonymously on dedicated servers for ToR costing the owner US$100-500 every month
• Node hosted by China Government official
• Nodes in over 50 countries with unknown owners
• Nodes handling over 10TB data every month

We can prove all this but not the intentions of each server. They might be very nice people spending a lot of money doing you a favor but it could just as well be something else. We don’t however think it’s weird that Universities are hosting nodes, just that you need to be aware of it. Criminals, hackers and Governments are running nodes, why?
Take-home messages:
If you care about your security, do not use Tor unencrypted, and take extra steps to send mail if you want it to be secure instead of "secure".
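A small model of the three-hop layering the article and Egerstad's post describe, added here as an illustration and not code from either source: a toy HMAC-based stream cipher stands in for Tor's per-hop encryption, the hop keys and the POP3 login are constructed, and the "end-to-end key" stands in for TLS between the mail client and the mail server.

```python
import hashlib
import hmac

HOPS = ["guard", "middle", "exit"]  # Tor's three relays, client side first


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream in counter mode).
    Stands in for the per-hop AES layer Tor uses; not real Tor crypto."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def circuit_keys() -> dict:
    # Constructed per-hop keys; a real circuit negotiates these in its handshake
    return {hop: hashlib.sha256(f"hop-key-{hop}".encode()).digest() for hop in HOPS}


def onion_wrap(keys: dict, payload: bytes) -> bytes:
    # Client adds the exit layer first, then middle, then guard (outermost)
    cell = payload
    for hop in reversed(HOPS):
        cell = keystream_xor(keys[hop], cell)
    return cell


def relay_views(keys: dict, cell: bytes) -> dict:
    # Each relay peels its own layer and forwards; record what each can read
    views = {}
    for hop in HOPS:
        cell = keystream_xor(keys[hop], cell)
        views[hop] = cell
    return views


def view_at_exit(payload: bytes, end_to_end_key=None) -> bytes:
    """What the exit relay sees. If the client also encrypted the session
    to the mail server (TLS stand-in), the exit gets only that ciphertext."""
    if end_to_end_key is not None:
        payload = keystream_xor(end_to_end_key, payload)
    return relay_views(circuit_keys(), onion_wrap(circuit_keys(), payload))["exit"]


# Constructed POP3 login: the kind of traffic the article's sniffer matched on
LOGIN = b"USER attache@embassy.example\r\nPASS correct-horse\r\n"
TLS_KEY = hashlib.sha256(b"constructed mail-server session key").digest()

if __name__ == "__main__":
    print("exit view, plain POP3:", view_at_exit(LOGIN))
    print("exit view, POP3 in TLS:", view_at_exit(LOGIN, TLS_KEY)[:16].hex(), "...")
```

The guard and middle relays only ever see ciphertext, while the exit recovers the login verbatim unless the mail session itself was encrypted before entering the circuit.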