I love the smell of dead fish, er, FUD, uhhhhhhh propaganda in the morning!

[J.A. Terranson]

Just look at all the odd claims in this article!  Wow!

-- 
Yours,
J.A. Terranson
sysadmin_at_mfn.org
0xBD4A95BF


What religion, please tell me, tells you as a follower of that religion to
occupy another country and kill its people? Please tell me. Does
Christianity tell its followers to do that? Judaism, for that matter?
Islam, for that matter? What prophet tells you to send 160,000 troops to
another country, kill men, women, and children? You just can't wear your
religion on your sleeve or just go to church. You should be truthfully
religious.

Mahmoud Ahmadinejad


The hack of the year

Patrick Gray
November 13, 2007
Advertisement

In August, Swedish hacker Dan Egerstad gained access to sensitive embassy, 
NGO and corporate email accounts. Were they captured from the clutches of 
hackers? Or were they being used by spies? Patrick Gray investigates the 
most sensational hack of 2007.

IT WASN'T supposed to be this easy. Swedish hacker Dan Egerstad had 
infiltrated a global communications network carrying the often-sensitive 
emails of scores of embassies scattered throughout the world. It had taken 
him just minutes, using tools freely available for download on the 
internet.

He says he broke no laws.

In time, Egerstad gained access to 1000 high-value email accounts. He 
would later post 100 sets of sensitive email logins and passwords on the 
internet for criminals, spies or just curious teenagers to use to snoop on 
inter-governmental, NGO and high-value corporate email.

The question on everybody's lips was: how did he do it? The answer came 
more than a week later and was somewhat anti-climactic. The 22-year-old 
Swedish security consultant had merely installed free, open-source 
software - called Tor - on five computers in data centres around the globe 
and monitored it. Ironically, Tor is designed to prevent intelligence 
agencies, corporations and computer hackers from determining the virtual - 
and physical - location of the people who use it.

"Tor is like having caller ID blocking for your internet address," says 
Shava Nerad, development director with the Tor Project. "All it does is 
hide where you're communicating from."

Tor was developed by the US Navy to allow personnel to conceal their 
locations from websites and online services they would access while 
overseas. By downloading the simple software, personnel could hide the 
internet protocol address of their computers - the tell-tale number that 
allows website operators or intelligence services to determine a user's 
location.

Eventually the navy realised it must take Tor beyond the armed forces. 
"The problem is, if you make Tor a tool that's only used by the military . 
. . by using Tor you're advertising that you're military," Nerad says.

So Tor was cast into the public domain. It is now maintained and 
distributed by a registered charity as an open-source tool that anyone can 
freely download and install. Hundreds of thousands of internet users have 
installed Tor, according to the project's website.

Mostly it is workers who want to browse pornographic websites anonymously. 
"If you analyse the traffic, it's just porn," Egerstad told Next by phone 
from Sweden. "It's kind of sad."

However, Dmitri Vitaliev, a Russian-born, Australian-educated computer 
security professional who lives in Canada, says Tor is a vital tool in the 
fight for democracy. Vitaliev trains human-rights campaigners on how to 
stay safe when online in oppressive regimes. "It's incredibly important," 
he said in a Skype chat from the unrecognised state of Transnistria, a 
breakaway region in Moldova where he's assisting a local group working to 
stop the trafficking of women. "Anonymity is a high advantage in countries 
that perform targeted surveillance on activists."

It's also used to bypass website censorship in more than 20 countries that 
censor political and human rights sites, he says.

Tor works by connecting its users' internet requests, randomly, to 
volunteer-run Tor network nodes. Anyone can run a Tor node, which relays 
the user's traffic through other nodes as encrypted data that can't be 
intercepted.

When the user's data reaches the edge of the Tor network, after bouncing 
through several nodes, it pops out the other side as unencrypted, readable 
data. Egerstad was able to get his mitts on sensitive information by 
running an exit node and monitoring the traffic that passed through it.

The problem, says Vitaliev, is some Tor users assume their data is 
protected from end to end. "As in pretty much any other internet 
technology, its vulnerabilities are not well understood by those who use 
it (and) need it most," he says.

The discovery that sensitive, government emails were passing through Tor 
exit nodes as unencrypted, readable data was only mildly surprising to 
Egerstad. It made sense - because Tor documentation mentions "encryption", 
many users assume they're safe from all snooping, he says.

"People think they're protected just because they use Tor. Not only do 
they think it's encrypted, but they also think 'no one can find me'," 
Egerstad says. "But if you've configured your computer wrong, which 
probably more than 50 per cent of the people using Tor have, you can still 
find the person (on) the other side."

Initially it seemed that government, embassy, NGO and corporate staffers 
were using Tor but had misconfigured their systems, allowing Egerstad to 
sniff sensitive information off the wire. After Egerstad posted the 
passwords, blame for the embarrassing breach was initially placed on the 
owners of the passwords he had intercepted.

However, Egerstad now believes the victims of his experiment may not have 
been using Tor. It's quite possible he stumbled on an underground 
intelligence gathering exercise, carried out by parties unknown.

"The whole point of the story that has been forgotten, and I haven't said 
much about it, (is that) many of these accounts had been compromised," he 
says. "The logins I caught were not legit users but actual hackers who'd 
been reading these accounts."

In other words, the people using Tor to access embassy email accounts may 
not have been embassy staff at all. Egerstad says they were computer 
hackers using Tor to hide their origins from their victims.

The cloaking nature of Tor is appealing in the extreme to computer hackers 
of all persuasions - criminal, recreational and government sponsored.

If it weren't for the "last-hop" exit node issue Egerstad exposed in such 
a spectacular way, parties unknown would still be rifling the inboxes of 
embassies belonging to dozens of countries. Diplomatic memos, sensitive 
emails and the itineraries of government staffers were all up for grabs.

After a couple of months sniffing and capturing information, Egerstad was 
faced with a moral dilemma: what to do with all the intercepted passwords 
and emails.

If he turned his findings over to the Swedish authorities, his experiment 
might be used by his country's intelligence services to continue 
monitoring the compromised accounts. That was a little too close to 
espionage for his liking.

So Egerstad set about notifying the affected governments. He approached a 
few, but the only one to respond was Iran. "They wanted to know everything 
I knew," he says. "That's the only response I got, except a couple of 
calls from the Swedish security police, but that was pretty much all the 
response I got from any authority."

Frustrated by the lack of a response, Egerstad's next step caused high 
anxiety for government staffers - and perhaps intelligence services - 
across the globe. He posted 100 email log-ins and passwords on his blog, 
DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to 
put it online and see what happens'."

The news hit the internet like a tonne of bricks, despite some initial 
scepticism. The email logins were quickly and officially acknowledged by 
some countries as genuine, while others were independently verified.

US-based security consultant - and Tor user - Sam Stover says he has mixed 
feelings about Egerstad's actions. "People all of a sudden (said) 'maybe 
Tor isn't the silver bullet that we thought it was'," Stover says. 
"However, I'm not sure I condone the mechanism by which that sort of 
information had to be exposed in order to do that."

Stover admits that he, too, once set up a Tor exit node. "It's pretty easy 
. . . I set it up once real quick just to make sure that I could see other 
people's traffic and, sure enough, you can," he says. "(But) I'm not 
interested in that sort of intelligence gathering."

While there's no direct evidence, it's possible Egerstad's actions shut 
down an active intelligence-gathering exercise. Wired.com journalist Kim 
Zetter blogged the claims of an Indian Express reporter that he was able 
to access the email account for the Indian ambassador in China and 
download a transcript of a meeting between the Chinese foreign minister 
and an Indian official. In addition to hackers using Tor to hide their 
origins, it's plausible that intelligence services had set up rogue exit 
nodes to sniff data from the Tor network.

"Domestic, or international . . . if you want to do intelligence 
gathering, there's definitely data to be had there," says Stover. "(When 
using Tor) you have no idea if some guy in China is watching all your 
traffic, or some guy in Germany, or a guy in Illinois. You don't know."

Egerstad is circumspect about the possible subversion of Tor by 
intelligence agencies. "If you actually look in to where these Tor nodes 
are hosted and how big they are, some of these nodes cost thousands of 
dollars each month just to host because they're using lots of bandwidth, 
they're heavy-duty servers and so on," Egerstad says. "Who would pay for 
this and be anonymous?"

While Stover regards Tor as a useful tool, he says its value is greatly 
overestimated by those who promote and use it. "I would not use or 
recommend the tool to hide from people between you and your endpoint. It's 
really purely a tool to hide from the endpoint," he says.

As a trained security professional, Stover has the nous to understand its 
limitations, he says. Most people don't.

The lesson remains but the data Egerstad captured is gone, the Swedish 
hacker insists. He's now focusing on his career as a freelance security 
consultant. "I deleted everything I had because the information I had was 
belonging to so many countries that no single person should have this 
information so I actually deleted it and the hard drives are long gone," 
he says.

Patrick Gray's interviews with Dan Egerstad and Sam Stover can be heard in 
his podcast from http://ITRadio.com.au/security.

This story was found at: 
http://www.smh.com.au/articles/2007/11/12/1194766589522.html