SecurityFocus 2007-09-10
The eavesdropping experiment started as a smaller project designed to find out whether Tor users were encrypting their messages and Web traffic.
While encrypting communications is a necessary step on the network to ensure security, most users -- more than 90 percent, Egerstad estimates -- were browsing the Web and downloading e-mail through the network without any sort of encryption to hide their information from prying eyes.
Three months ago, with the statistic he wanted, Egerstad prepared to shut down his experiment. Then, a subject line on one of the e-mail messages caught his eye.
"Right before I was about to shut it down, by accident, I saw an e-mail about the Australian military -- sent between two embassies," Egerstad told SecurityFocus. "I only saw the subject line, but it raised questions."
The knowledge that governments, political groups and corporations were passing sensitive data over the Tor network with no encryption convinced Egerstad that he needed to broaden the experiment, he said. With his five exit servers in place, he filtered out everything but e-mail traffic and searched for messages containing keywords, such as "military," and coming from certain domains, he said. He then proceeded to collect data for more than two months.
In August, Egerstad attempted to contact some of the governments and corporations whose e-mail credentials he had sniffed, but he got back few responses, he said.
Following the posting of the information to his Web site, a few countries did respond. India, Iran and Uzbekistan were friendly and supported the manner in which he disclosed the issue, he said. China filed a criminal complaint over the posting, while U.S. authorities complained to his Texas Web provider and had his original Web site taken down, Egerstad said.
The Federal Bureau of Investigation could not immediately comment on the allegations.
Egerstad argued that, while his revelations may be embarrassing, other groups with less benevolent motives are also likely eavesdropping on the network. He pointed to exit nodes run by hacking groups as potential ways of getting information for identity fraud, while massive nodes located in Washington D.C. and at the Space Research Institute in Russia are possible intelligence gathering tools for the U.S. and Russian governments, respectively.
Egerstad stressed that it's impossible to prove intentions, but that users should assume the worst.
"We found this kind of information on thousands of users, some of them being Fortune 500 companies and Nasdaq and New York-noted companies," he said on his Web site. "The information we gathered is not worth millions -- it's worth billions in the right hands."