[e-privacy] More on Tor sniffing passwords
Marco A. Calamari
marcoc1 at dada.it
Sat Sep 15 11:30:28 CEST 2007
On the APAS newsgroup (always worth a look, but notoriously populated by trolls, Scientology impostors, lunatics, representatives of TLAs, plus a few serious remops) this anonymous post appeared, probably written by the author of the whole operation.
I'm attaching it because it's interesting.
Enjoy
==============================================
You always get what you pay for :-)
TAANSTAFL
This is going to be a long post; several important things need to be said. It's important you read it to the end.
We chose to wait this long before posting the whole story to give not only governments time to secure themselves but also to protect private users and businesses. Those affected on the list have by now figured out that we had passwords to many more than just the 100 we posted and secured ALL their accounts. Many of the private/company users have by now received our e-mails warning them, few responses though. Remember that we found this kind of information on thousands of users, some of them being Fortune 500 companies and Nasdaq- and New York-listed companies. The information we gathered is not worth millions, it's worth billions in the right hands. So anyone questioning my actions can go fuck yourself, I didn't make a penny off this except getting myself in trouble.
No accounts have been hacked, you have been actively exposing them yourself not only to us but to about 1000 others all over the world, every day. This has been told about many times before, which you chose to ignore. The team behind the product is completely open about this security threat, but they probably should have made a bigger warning text I guess. For us to publish yet another warning or for the vendor to tell you again would have had no effect once more.
We chose to publish 100 sensitive accounts for governments in full disclosure to get heads turned. Remember that it was still thought of as a hoax by both users and admins everywhere until a crazy journalist in India started publishing stuff from some accounts. Posting parts of passwords and we would still be having denials and no actions today. Did the account owners know about it? Of course they did! Most journalists had already talked to the embassies about the expose and got told that the security was fine and no one could know the passwords. This was long before it started spreading and people started using the accounts.
Having governments all over the world working against me is fun to follow. Trying to pull focus away from themselves being idiots and over to me by using the term "hacker". The journalists love that word and I see it more and more next to my name. I'm not a hacker and haven't broken into anything illegally. Whoever says that is welcome to prove it, probably easier to prove that I killed JFK. I'm a security specialist doing this stuff every day, always under controlled terms and completely legal. However, being a bit DEranged I sometimes walk in the gray zone, exactly what it takes to get stuff done. I fight criminals but when we have to play by the rules and they don't it's a tough battle. Computer crimes are real, they are everywhere and they are using your ignorance!
Alright, with the boring stuff said, this is how we did it:
#1 Five ToR exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic, using a keyword-filter looking for words like "gov, government, embassy, military, war, terrorism, passport, visa" as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me thinking about doing a large scale test. Each user is not only giving away his/her passwords but also every mail they read or download, together with all other traffic such as web and instant messaging.
Did you get it? These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not. There are hundreds of thousands of ToR-users but finding these kinds of accounts was... hmm... shocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries' secrets to foreigners. I can't call it a mistake, this is pure stupidity and not forgivable!
ToR isn't the problem, just use it for what it's made for.
#2. I'll have a lot of people to thank for helping me here, you all know who you are, white-hats and friends out there. ToR has about 1000 nodes set up to handle exit-traffic (unencrypted). These are the servers all your traffic is going to be sent through. Of course you know everything about them, right? I had five running during this test that no one knew about, who owns the others?
Just to give you something to think about, we did look into a few servers out of 1000 we thought looked interesting. We aren't trying to tell you what to think, you will have to do that yourself.
Example of exit-nodes that can read your traffic:
- Nodes named devilhacker, hackershaven...
- Node hosted by an illegal hacker-group
- Major nodes hosted anonymously dedicated to ToR by the same person/organization in Washington DC. Each handling 5-10TB data every month.
- Node hosted by Space Research Institute/Cosmonauts Training Center controlled by Russian Government
- Nodes hosted on several Government controlled academies in the US, Russia and around Asia.
- Nodes hosted by criminal identity stealers
- Node hosted by Ministry of Education Taiwan (China)
- Node hosted by major stock exchange company and Fortune 500 financial company
- Nodes hosted anonymously on dedicated servers for ToR costing the owner US$100-500 every month
- Node hosted by China Government official
- Nodes in over 50 countries with unknown owners
- Nodes handling over 10TB data every month
We can prove all this but not the intentions of each server. They might be very nice people spending a lot of money doing you a favor, but it could just as well be something else. We don't however think it's weird that universities are hosting nodes, just that you need to be aware of it. Criminals, hackers and governments are running nodes, why?
This experiment has proven another major problem regarding computer security. Even though I haven't broken into anything, which people blame me for, it's obvious that laws for computer crimes are problematic. Laws don't work over borders but the Internet and the criminals do.
This world experiment has never been done before: what would happen if someone was DEranged enough to post a list, completely public, worth millions exposing governments? We got this message out to at least 157 countries and billions of people in just a week. I'll have to say that even if it took 5 days to get 70% fixed, that was fast compared to what I'm used to.
I would like to say special thanks to the people of India, Iran and Uzbekistan who have been extremely supportive. And fuck all of you who are filing police reports on me, you are idiots and are only proving that you haven't understood anything.
PS: Data and hard drive on each node is destroyed and I forgot everything somehow ;-)
"There is no eeeeeeeeeeennnnnnndddddd to the possibilities"
//D
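The post's point #1 and the "that last exit node is not [encrypted]" remark boil down to one check a defender can run on a capture of their own mail client's traffic: did any credential leave the client before TLS (STLS/STARTTLS, or an implicit-TLS port) was in place? The example below is added here and is not the poster's tooling or anything from the original message; the captures it walks are constructed, and it deliberately reports only the mechanism and user name, never the password.

```python
import base64

# Constructed captures (not from the post): ("C", line) is client->server,
# ("S", line) the server reply, as an on-path observer such as a Tor exit
# node sees them until TLS is negotiated.
POP3_CLEAR = [("S", "+OK ready"), ("C", "USER alice"), ("S", "+OK"),
              ("C", "PASS hunter2"), ("S", "+OK logged in")]
IMAP_PLAIN = [("S", "* OK IMAP4rev1"), ("C", "a1 AUTHENTICATE PLAIN"),
              ("S", "+"), ("C", base64.b64encode(b"\0bob\0secret").decode())]

def sasl_plain_user(b64):
    # SASL PLAIN is base64(authzid NUL authcid NUL password); base64 is an
    # encoding, not encryption, so the user name is readable on the wire.
    try:
        return base64.b64decode(b64).decode().split("\0")[1]
    except (ValueError, UnicodeDecodeError, IndexError):
        return None

def audit(capture, proto):
    """(mechanism, user) per credential exchange seen before TLS; [] == protected."""
    findings, expect_sasl, tls_pending = [], False, False
    for who, line in capture:
        words = line.split() or [""]
        if who == "S":
            ok = words[0] == "+OK" if proto == "pop3" else len(words) > 1 and words[1] == "OK"
            if tls_pending and ok:
                break            # TLS handshake follows; the rest is opaque
            tls_pending = False  # -ERR/NO to STLS: session stays in the clear
            continue
        if expect_sasl:          # continuation line carrying the PLAIN blob
            findings.append(("sasl-plain", sasl_plain_user(line)))
            expect_sasl = False
            continue
        # POP3 commands are untagged; IMAP commands are "tag VERB args".
        verb, args = ((words[0].upper(), words[1:]) if proto == "pop3"
                      else (words[1].upper() if len(words) > 1 else "", words[2:]))
        if verb in ("STLS", "STARTTLS"):
            tls_pending = True
        elif verb == "USER" and args:
            findings.append(("pop3-user", args[0]))
        elif verb == "PASS":
            findings.append(("pop3-pass", None))
        elif verb == "LOGIN" and args:
            findings.append(("imap-login", args[0].strip('"')))
        elif verb in ("AUTH", "AUTHENTICATE") and args and args[0].upper() == "PLAIN":
            if len(args) > 1:    # initial response sent on the same line
                findings.append(("sasl-plain", sasl_plain_user(args[1])))
            else:
                expect_sasl = True
    return findings
```

A client that sends STLS/STARTTLS and gets the server's OK before any USER/PASS, LOGIN or AUTHENTICATE yields an empty list; a server refusing the upgrade (-ERR/NO) leaves the session in the clear and the audit keeps watching.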
--
+--------------- http://www.winstonsmith.info ---------------+
| il Progetto Winston Smith: scolleghiamo il Grande Fratello |
| the Winston Smith Project: unplug the Big Brother |
| Marco A. Calamari marcoc at marcoc.it http://www.marcoc.it |
| DSS/DH: 8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B |
+ PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 ----------+