Security researcher intercepts embassy passwords from Tor

A security researcher who collected thousands of sensitive e-mails and passwords from the embassies of countries such as Russia and India blamed systems administrators on Monday for not using encryption to shield their traffic from snooping.

Dan Egerstad, a 21-year-old security researcher, revealed on Monday he was able to capture the information by setting up his own node in a peer-to-peer network used by the embassies to make their Internet traffic anonymous.

The embassies relied on a volunteer network of servers using software called Tor (The Onion Router) to hide their Internet traffic and make it anonymous. Traffic sent through a Tor node is transmitted through a randomly selected series of other Tor nodes before exiting the network for its intended destination, so as to disguise the source and destination of the traffic.

But although traffic between nodes in a Tor network is encrypted by default, traffic entering and exiting the system is not, so anyone wanting to hide not only who are they are communicating with, but what they are saying, must apply an extra layer of encryption themselves. Embassies and companies neglected to do this, which left their information open for Egerstad to collect.

Anyone can run a Tor server and add it to the network. Egerstad, who runs his own consulting company in Malmo, Sweden, did just that as part of his security research, and monitored the traffic exiting the Tor network through it.

To his surprise, he found that more than 99 percent of the traffic -- including requests for Web sites, instant messaging traffic, and e-mails -- were transmitted unencrypted.

"By accident, I saw one really sensitive e-mail," Egerstad said in a telephone interview. "I thought 'What is that doing there?""

Using specially designed software to search that traffic for keywords, Egerstad was soon collecting usernames, passwords, and e-mail sent by embassies around the world, as well as large companies.

Late last month, Egerstad published the usernames and passwords for around 100 embassies.

Egerstad said the process of snooping on the traffic is trivial. The problem is not with Tor, which still works as intended, but with users' expectations: the Tor system is designed to merely anonymize Internet traffic and does not perform end-to-end encryption.

"If they are using encryption -- no problem, it doesn't matter," Egerstad said.

Organizations running other Tor nodes could also be snooping on traffic exiting the network there, Egerstad warned.

For example, several Tor nodes in the Washington, D.C., area can handle up to 10TB of data a month, a flow of data that would cost at least $5,000 a month to run, and is likely way out the range of volunteers who run a node on their own money, Egerstad said.

"Who would pay for that?" Egerstad said.

Egerstad said he read a lot of the e-mail he collected but has since wiped the hard drives and deleted the information. After he posted the usernames and passwords to his Web site, he said he received an e-mail from the U.S. company hosting the site informing him that it would be shut down. He has since created a new site.

Egerstad said what he did is not illegal, as the e-mail and passwords he collected were contained on his own computer. He said he did not use the usernames and passwords to log into any accounts, although one journalist in India did.

The point of his work is to raise awareness of security concerns, he said: "Go ahead and use Tor, but you better be sure you have good encryption."