[e-privacy] TOR anonymisation network phished, part 2

Andrea Glorioso andrea at digitalpolicy.it
Thu Nov 22 11:58:02 CET 2007


http://www.heise-security.co.uk/news/99333

TOR anonymisation network phished, part 2

By publishing his TOR hack, Swedish researcher Dan Egerstad recently
provided users with a timely reminder that The Onion Router (TOR)
anonymisation network should be enjoyed with caution. By setting up
five exit-nodes, Egerstad sniffed out large amounts of e-mail access
data from embassies and government agencies and published some of this
data on the internet. Since a user cannot know who operates the
individual exit-node through which his traffic passes, TOR users are
advised to always make use of additional encryption.

Members of the Teamfurry community got curious and took a look at the
advertised configurations of a few randomly selected TOR
exit-nodes. They stumbled on some extremely interesting results. There
are, for example, exit-nodes which only forward unencrypted versions
of certain protocols. One such node only accepts unencrypted IMAP and
POP connections (TCP ports 143 and 110) and only forwards messenger
connections from AIM, Yahoo IM and MSN Messenger if they are received
on ports on which traffic is handled as plain text. The same procedure
is applied to Telnet and VNC connections, used for remote access to
systems. Further, there are systems which are only interested in
specific destinations and, for example, exclusively forward HTTP
packets bound for MySpace and Google. HTTPS traffic to these
destinations is, however, blocked.

These peculiar configurations invite speculation as to why they are
set up in this way. The Teamfurry blog declines to go so far as to
impute nefarious motives to these nodes. Nevertheless, the report does
raise the question of whether users should route personal data via
such nodes. It is widely believed that Chinese, Russian
and American government agencies operate TOR exit-nodes. Large
companies and illegal hacker groups are also thought to operate
exit-nodes. Looking through the list of TOR exit-nodes, it is striking
that the number of exit-nodes in China and the US has increased
disproportionately over the last year.

Employing channel encryption may also be of little help. The Teamfurry
blog reports the existence of an exit-node in Germany which apparently
attempts to hitch itself into an SSL connection using a
man-in-the-middle attack. A certificate forwarded via an SSL
connection running through this node is returned as a fake,
self-signed certificate. This generally produces an error message, but
users will often ignore this. This 'phishing node' has since
disappeared from the network.

Into exactly whose hands any stolen data has fallen is not
known. However, Dan Egerstad last week found out what happens if you
publish such data on the internet, when he received a visit from
Swedish law enforcement agencies. Following a complaint, they turned
his apartment upside down and interrogated him for several hours. The
source of the complaint is not known, but it is thought it may have
come from a foreign government agency whose e-mail details had been
published by Egerstad.

+++

Ciao,

--
      Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/
          M: +32-488-409-055         F: +39-051-930-31-133
  "Italy is a nation of octogenarian lawmakers elected by 70-year-old 
     pensioners. Everyone else is unconsequential" (Bernhard Warner)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.winstonsmith.org/pipermail/e-privacy/attachments/20071122/fb468a01/attachment.pgp>
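The exit-policy patterns the forwarded article describes (exits that take only the plaintext port of a protocol while rejecting its TLS counterpart, and exits that relay only to a couple of destinations with HTTPS blocked) can be screened for mechanically from the descriptor-style policy lines a relay publishes. The following is an added example written for this post; it is not code from heise, Teamfurry or the Tor project. The three exit policies are constructed, the RFC 5737 documentation ranges stand in for the real MySpace/Google address blocks, and the telnet/ssh pairing is an assumption of the example rather than anything Tor itself defines.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Plaintext port -> its encrypted counterpart on the standard port.
# 23 -> 22 treats ssh as the encrypted replacement for telnet; that is
# an assumption of this example, not a Tor concept.
ENCRYPTED_COUNTERPART = {110: 995, 143: 993, 80: 443, 23: 22}


@dataclass(frozen=True)
class Rule:
    action: str   # "accept" or "reject"
    net: object   # ipaddress network, or None for "*"
    ports: tuple  # inclusive (low, high); (1, 65535) for "*"


def parse_policy(lines):
    """Parse exit policy lines such as 'accept *:80', 'reject 10.0.0.0/8:*'
    or 'accept 203.0.113.5:80-90'. accept6/reject6 lines are skipped."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, target = line.split(None, 1)
        if action not in ("accept", "reject"):
            continue  # IPv6 rules are not modelled here
        addr, portspec = target.rsplit(":", 1)
        net = None if addr == "*" else ip_network(addr, strict=False)
        if portspec == "*":
            ports = (1, 65535)
        elif "-" in portspec:
            lo, hi = portspec.split("-", 1)
            ports = (int(lo), int(hi))
        else:
            ports = (int(portspec), int(portspec))
        rules.append(Rule(action, net, ports))
    return rules


def exits_to(rules, ip, port):
    """First matching rule wins; an unmatched pair is rejected, as Tor
    appends an implicit 'reject *:*' to every policy."""
    for r in rules:
        if (r.net is None or ip in r.net) and r.ports[0] <= port <= r.ports[1]:
            return r.action == "accept"
    return False


def _fmt_ports(ports):
    if ports == (1, 65535):
        return "*"
    return str(ports[0]) if ports[0] == ports[1] else f"{ports[0]}-{ports[1]}"


def analyse(lines, probe_ip="192.0.2.1"):
    """Flag plaintext ports whose encrypted counterpart is refused, and
    policies whose every accept rule names a specific destination."""
    rules = parse_policy(lines)
    accepts = [r for r in rules if r.action == "accept"]
    # Probe a generic address plus the first address of each accepted
    # network, so destination-only policies are evaluated where they apply.
    probes = [ip_address(probe_ip)] + [r.net.network_address for r in accepts if r.net]
    plaintext_only = set()
    for ip in probes:
        for plain, enc in ENCRYPTED_COUNTERPART.items():
            if exits_to(rules, ip, plain) and not exits_to(rules, ip, enc):
                plaintext_only.add(plain)
    restricted = bool(accepts) and all(r.net is not None for r in accepts)
    return {
        "plaintext_only": sorted(plaintext_only),
        "destination_restricted": restricted,
        "restricted_to": sorted({f"{r.net}:{_fmt_ports(r.ports)}" for r in accepts}) if restricted else [],
    }


# Constructed policies, not real relays.
HARVESTER = ["accept *:110", "accept *:143", "accept *:5190", "accept *:1863",
             "accept *:5050", "accept *:23", "accept *:5900", "reject *:*"]
DESTINATION_ONLY = ["accept 203.0.113.0/24:80",   # stand-in for one web property
                    "accept 198.51.100.0/24:80",  # stand-in for another
                    "reject *:*"]
ORDINARY = ["reject *:25", "accept *:80", "accept *:443", "accept *:110",
            "accept *:995", "accept *:143", "accept *:993", "reject *:*"]

if __name__ == "__main__":
    for name, policy in (("harvester", HARVESTER),
                         ("destination-only", DESTINATION_ONLY),
                         ("ordinary", ORDINARY)):
        print(name, analyse(policy))
```

A hit from analyse() is a reason to avoid the exit for the flagged ports (for example with ExcludeExitNodes in torrc), not proof of malice: an operator may simply be short on bandwidth. It also says nothing about the MITM node the article mentions, which passes port 443 and tampers with the TLS handshake itself; that case is only caught by refusing any certificate that does not chain to a trusted root.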
