Hushmail Security Flaw - take note

[Strateg0s]

You might not know this about Hushmail, but I'm supposing that you might want to:

Message headers are NOT encrypted on their servers.

What are message headers? Nothing important: Sender, Receiver, Subject line, Date, ...

The right message headers --> justification for "further activity" by LE.

Check for yourself
"Message headers in storage on web server: Not encrypted"

-

Encrypted mails might have the body text of your messages encrypted and offshore, unable to be pulled up on demand, BUT quite a lot can be found out without seeing the body text of all of your messages.

Take care.

[Growinboy]

Good info- how many times have you sent out an email with "order" or "price list" in the subject line?

[H Bomb]

so is this just for the subject line or in the body of the email too??

thanks for the info

[Strateg0s]

Just the subject line, who it is from and going to, plus the date - not the text... but still, if a source's Inbox is viewable without much difficulty, that in and of itself could be probable cause for warrants, or other bad mojo.

I was putting this out there primarily for the benefit of sources. As to whether it could make or break them, if their Inbox is basically viewable on demand, then this could be used as grounds for warrants or looking into other inboxes, laying down webs of connections, who seems to order how many times from who, who does anyone talk to... it wouldn't take long to lay down the whole map. That could make or break a lot of people.

Now whether they are doing this, or how much of a legal barrier needs to be overcome at each remove from the original subject of investigation, that's a matter of speculation.

But it seems obvious that if they put in an order with Source@hushmail.com and that order gets filled, then they can have a warrant to look at that guy's InBox in about 10 minutes. (Which is to say that it is basically viewable on demand for sources who are not private). Then they can also probably get IP addresses of where the account was accessed from, and start going from there. Oh, Source'sBiggestCustomer@hushmail.com has 150 emails in Source@hushmail.com's InBox... that's grounds to look at his InBox, IP's, and payment/registration info if the account is Advanced.

Or Source'sPowderConnection@hushmail.com,
or Source'sRemailer#1@hushmail.com, #2, #3...

So yeah, I think it is pretty serious.

[H Bomb]

yeah that is serious. hope you don't mind me asking so many questions i just want to get it straight

so for instance if you wrote order or list in the subject they could see that but not the actual email??

[Strateg0s]

Yeah, that's right.
From: H Bomb
To: Source
Subject: Where's my 10k drol tabs you promised??
pofubvxl;icjp04unpvo9stjn;jdgj;os94utc;sosh ;dufishg48t;g;khfdkgh cs8y45wy3t;

You don't want anything like that showing up on anyone's monitor. Check my last post, and you'll see how easy it would be for them legally to go from inbox to inbox, collecting a whole shitload of info, just because people are careless.

Now if people aren't careless, they can still collect info, just not as easy. It's the low hanging fruit that are going to get picked.

I really think sources should establish different and temporary emails for dealing with repeat customers. "Hit me up at 20394609@hushmail.com from 340968540@hushmail.com and we'll talk about this transaction" -- that kind of thing. More work? Yeah. Safer? I'd say.

=======

Now I don't know all of this with absolute certainty, but Hushmail has it sitting there right on their own web page, a disclaimer of what is private and what isn't, saying that the headers ARE NOT encrypted and just sit on their server. So from there, just add successful steroid purchase + warrant for the records on the account = InBox access, IP records, registration info + whatever they can make of the contents of the InBox: subjects, to, from, dates... (and *probably* the deleted ones -- HOPEFULLY NOT -- so if a source has been using Source@hushmail.com for 5 years, that'd be a lotta info)

[H Bomb]

yeah damn that is crazy, i never really put anything crazy in a subject header but damn i will be saying hi mom from now on lol

thank you

[Strateg0s]

I just noticed this article also:
A security expert who exposed the passwords and login information for a number of embassies and foreign government organizations revealed today that the information was acquired by operating a Tor node.

Quote:

Last month, Swedish security specialist Dan Egerstad exposed the passwords and login information for 100 e-mail accounts on embassy and government servers. In a blog entry today, Egerstad disclosed his methodology. He collected the information by running a specialized packet sniffer on five Tor exit nodes operated by his organization, Deranged Security.

Tor is an onion routing service that facilitates anonymous Internet communication. Originally developed by the US Naval Research Laboratory and currently funded by the Electronic Frontier Foundation, Tor is designed to protect users from traffic analysis and other kinds of network surveillance. It works by relaying connections through a series of distributed network servers. When a Tor user visits a web site, the IP address detected and logged by that site will be the IP address of one of the Tor nodes rather than the actual user. This makes it possible for users to obscure their identity under certain circumstances.

Unfortunately, many Tor users do not realize that all of their network traffic is being exposed to Tor nodes. Tor users who do not use encryption are broadly exposing themselves to identity theft. Egerstad was originally doing a study on e-mail encryption, but during the course of the research project, he decided to create the packet sniffer and expose sensitive e-mail login data in order to increase awareness of the fact that Tor exposes sensitive information when not used with encryption.

Egerstad believed that privately disclosing his findings to the organizations whose passwords he obtained would not convince them to change their practices. He also knew that it was only a matter of time before others with malicious intent would perform the same kind of experiment, so he felt that broad public disclosure was the only way he could generate enough attention to force people to think about the problem.

"Experience tells me that even if I would contact everyone on this list most are not going to listen," Egerstad wrote when he released the login information last month. "So f*** it! Here is everything you need to read classified email and f*** up some serious International business. Hopefully this will put light on the security problems that are never talked about and get at least this fixed with a speed that you never seen your government work before. As a Swedish citizen I can't give this information to anyone without getting into trouble, so instead I'm giving it to everyone."

After publicly releasing the information, Egerstad's site was taken down at the request of US law enforcement officials. After it was brought back earlier this week, Egerstad expressed frustration and pointed out that the information was already spreading across the Internet. Taking down Egerstad's site only served to silence his message about security and did not prevent dissemination of the sensitive data. "I've seen people saying that the US would be angry now that we forced foreign countries to tighten their security so NSA or whatever can't read their secrets any longer. To me it sounds like bulls*** taken out of a bad book but after this silly little stunt I'm reconsidering. Is there any reason you DO NOT want people to secure their systems?" asked Egerstad.

According to Egerstad, the information disclosed is only a fraction of what he collected. He continues to argue that the responsibility for exposing the login information rests on the organizations that failed to use encryption and that he simply drew attention to information that was essentially already public. "ToR isn't the problem, just use it for what it's made for," Egerstad notes. "[The system administrators for the organizations whose passwords were exposed] are responsible for giving away their own countries secrets to foreigners. I can't call it a mistake, this is pure stupidity and not forgivable!"

Egerstad also points out that very little is known about the intentions and activity of other Tor exit node operators, some of whom are already known to be associated with malicious hacker groups and foreign governments.

Quote:

this is how we did it:

#1 Five ToR exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic using a keyword-filter looking for words like “gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail where one mail caught my eye and got me started thinking doing a large scale test. Each user is not only giving away his/her passwords but also every mail they read or download together with all other traffic such as web and instant messaging.

Did you get it? These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not. There are hundreds of thousands ToR-users but finding these kinds of accounts was… hmm… chocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!

ToR isn’t the problem, just use it for what it’s made for.

#2. I’ll have a lot of people to thank for helping me here, you all know who you are white-hats and friends out there. ToR has about 1000 nodes set up to handle exit-traffic (unencrypted). These are the servers all you traffic is going to be sent through. Of course you know everything about them, right? I had five running during this test that no one knew about, who owns the others?

Just to give you something to think about we did look into a few servers out of 1000 we thought looked interesting. We aren’t trying to tell you what to think, you will have to do that yourself.

Example of Exit-nodes that can read your traffic:

• Nodes named devilhacker, hackershaven…
• Node hosted by an illegal hacker-group
• Major nodes hosted anonymously dedicated to ToR by the same person/organization in Washington DC. Each handling 5-10TB data every month.
• Node hosted by Space Research Institute/Cosmonauts Training Center controlled by Russian Government
• Nodes hosted on several Government controlled academies in the US, Russia and around Asia.
• Nodes hosted by criminal identity stealers
• Node hosted by Ministry of Education Taiwan (China)
• Node hosted by major stock exchange company and Fortune 500 financial company
• Nodes hosted anonymously on dedicated servers for ToR costing the owner US$100-500 every month
• Node hosted by China Government official
• Nodes in over 50 countries with unknown owners
• Nodes handling over 10TB data every month

We can prove all this but not the intentions of each server. They might be very nice people spending a lot of money doing you a favor but it could just as well be something else. We don’t however think it’s weird that Universities are hosting nodes, just that you need to be aware of it. Criminals, hackers and Governments are running nodes, why?

Take home messages:
If you care about your security, do not use Tor unencrypted, and take extra steps to send mail if you want it to be secure instead of "secure".