SecurityFocus, 2007-09-10
A Swedish security professional who posted the usernames and passwords for 100 e-mail accounts belonging to various nations' embassies and political parties revealed on Monday that he had exploited improper use of the Tor network -- a distributed system of computers that anonymizes the source of network traffic -- to collect the information.
By volunteering his own servers to route traffic for the Tor Project, Dan Egerstad -- a Web developer and security professional based in Malmo, Sweden -- was able to read any data that left the network through his servers without encryption of its own. The e-mail messages seen by Egerstad included discussions of military and national-security issues between embassies and sensitive corporate e-mail messages, he said.
"I found big companies -- Fortune 500 companies -- I mean really big companies doing this," Egerstad said. "Only a couple of users were using (Tor), but that is enough to compromise communications."
In total, Egerstad collected the e-mail credentials of more than 1,500 government workers, corporate employees and private individuals using the Tor network, he said. Because the technique is already known, Egerstad decided that fully disclosing the list of e-mail accounts and passwords for 100 of the government accounts was the best way to bring more attention to the issue.
"This is not a problem with Tor," Egerstad said. "This problem is that people who use Tor are using it incorrectly."
The Tor Project's software routes data through a distributed network of volunteer relays, where each relay knows only the hop it received data from and the hop it must forward it to, never the whole path. Such a system, commonly called onion routing, hides the data's source when the traffic crosses a circuit of at least three independent relays: the client wraps each message in one layer of encryption per relay, and each relay strips exactly one layer. The final server, known as the exit node, removes the last Tor layer and sends the data to its destination on the Internet in whatever form the application produced it. If the application did not encrypt the data itself, for example a password sent to a plain http page or to a mail server without SSL/TLS, the exit node sees it in the clear.
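To make the point concrete, the following is an added simulation of a three-hop onion circuit; it is not Tor's own code and does not reproduce Tor's wire format (Tor uses TLS links between relays, per-hop AES-CTR keys negotiated by a handshake, and fixed-size cells). The relay names, the SHA-256-derived toy keystream cipher, the sample POP3 login and the "tls-session-key" stand-in for end-to-end encryption are all constructed for the example. It shows that the guard learns the client's address but nothing about the content, that the exit learns the content but not the client, and that the exit reads the password verbatim only when the application itself sends it unencrypted.

```python
# Added illustration (not Tor's code): a three-hop onion circuit over a toy
# keystream cipher, recording what each relay can read.  Relay names, keys
# and the sample POP3 login are constructed for the example.
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream: one call both adds and strips a layer.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def relay_key(name: str) -> bytes:
    # Constructed per-relay key; in Tor the client negotiates one per hop.
    return hashlib.sha256(b"circuit-key:" + name.encode()).digest()


# Circuit: client -> guard -> middle -> exit -> destination.
PATH = ["guard", "middle", "exit"]


def build_onion(path, payload: bytes) -> bytes:
    """Client side: wrap the payload for the exit first and the guard last.
    Each layer is 'next-hop|inner' under that relay's key, so a relay peels
    one layer and learns only where to forward the remainder."""
    onion = payload
    next_hop = "DEST"
    for name in reversed(path):
        onion = xor_layer(relay_key(name), next_hop.encode() + b"|" + onion)
        next_hop = name
    return onion


def peel(name: str, cell: bytes):
    """Relay side: strip this hop's layer, read the next hop, keep the rest."""
    plain = xor_layer(relay_key(name), cell)
    next_hop, _, inner = plain.partition(b"|")
    return next_hop.decode(), inner


def run_circuit(payload: bytes, end_to_end_key=None) -> dict:
    """Forward one cell through the circuit and record, per relay, the
    previous hop, the next hop and the bytes it forwards on.  end_to_end_key
    models SSL/TLS between client and destination, a layer no relay holds."""
    if end_to_end_key is not None:
        payload = xor_layer(end_to_end_key, payload)
    cell = build_onion(PATH, payload)
    seen = {}
    prev_hop = "client"
    for name in PATH:
        next_hop, cell = peel(name, cell)
        seen[name] = {"prev_hop": prev_hop, "next_hop": next_hop, "forwards": cell}
        prev_hop = name
    return seen


def relays_that_read(secret: bytes, seen: dict) -> list:
    """Names of relays that can see `secret` verbatim in what they forward."""
    return [name for name in PATH if secret in seen[name]["forwards"]]


# Constructed sample: a POP3 login as the mail client would send it in clear.
POP3_LOGIN = b"USER ambassador@example.org\r\nPASS hunter2\r\n"

if __name__ == "__main__":
    plain = run_circuit(POP3_LOGIN)
    print("plaintext POP3, password readable at:",
          relays_that_read(b"PASS hunter2", plain))
    print("guard's previous hop:", plain["guard"]["prev_hop"],
          "/ exit's previous hop:", plain["exit"]["prev_hop"])
    wrapped = run_circuit(POP3_LOGIN, end_to_end_key=b"tls-session-key")
    print("TLS-wrapped POP3, password readable at:",
          relays_that_read(b"PASS hunter2", wrapped))
```

Running it shows the password readable only at `exit` for the plain login and at no relay once the payload carries its own end-to-end layer, which is the difference between a mail client configured for POP3/IMAP over SSL/TLS and one that is not. A single operator with a handful of exit relays therefore needs no weakness in Tor to harvest such credentials, only users whose applications send them unencrypted.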
It is those exit nodes that allowed Egerstad to eavesdrop on some of the traffic that traversed the Tor network. The security professional loaded the Tor software onto three servers in Sweden, one in the U.S. and one in Asia, and volunteered the systems as exit nodes.
"You download the software from the Web site, and you put in your settings," he said.
While he controlled only five servers out of an estimated 1,000 exit nodes, he still collected a great deal of information, he added.
"If the last hop were not in the clear, there would be no way for the web server to understand the encrypted data," Shava Nerad, director of development for The Tor Project, said in a statement issued over the weekend. "We warn about this on our web pages, but in the case of people with truly sensitive data, such as embassy staff, someone should be educating these folks as to basics of never giving a password to an http (unencrypted Web) page."
This is not the first security problem pointed out in connection with the Tor network. Earlier this year, a security researcher proposed a way to track people who download or exchange child pornography using Tor.