Phishing attacks on Tor anonymisation network

It seems the recently publicised list containing the log-in credentials of e-mail accounts of embassies and government institutions was gathered due to insecure usage of the Tor anonymisation network. The Swede Dan Egerstad, who has also posted the list on his blog, has now explained how he gained access to the 100 log-ins and passwords: he has equipped five Tor exit nodes with password sniffers to analyse the data traffic routed through these nodes. While the Tor network provides IP address anonymisation, it is by no means trustworthy, since anybody can operate an exit node. Although the data is encrypted within the Tor network, the exit nodes have unencrypted access to the data, assuming Tor users send their data without encrypting it themselves. Of course, this behaviour not only affects e-mail log-ins, but also web pages and other data routed through the Tor network.

26 Tor exit notes running in Beijing

In the Tor documentation, Tor users are informed repeatedly that they must secure “the last mile” to the target server themselves through a suitable end-to-end encryption mechanism (e.g., SSL, TLS or HTTPS). While this is generally well understood by technically “savvy” users, many inexperienced Tor users are unaware of this requirement or have not addressed it; they do not encrypt their e-mails and other web applications. Related risks for community networks such as Tor are considerably higher than for unencrypted surfing from a DSL connection at home.

Significant amounts of unencrypted sensitive data are sent via the exit nodes, and malicious operators may exploit this lack of security for large scale phishing attacks. In addition to passwords for embassies, Egerstad claims to have also gained access to the e-mail log-in credentials of renowned Fortune 500 corporations, thousands of individuals and to other confidential data, which he does not intend to publicise. He says that he chose the 100 embassy accounts in order to increase public awareness and drive appropriate action. All account owners – even users of undisclosed accounts – have been informed. Except for the 100 embassy accounts, the log-in data are said to have been deleted. Egerstad also claims that his server, which is hosted in Sweden, has been taken off-line temporarily at the instigation of US investigators.

Egerstad insinuates that some nodes he has examined are operated by government circles in China, Russia and the US, and also by large corporations and illegal hacker groups. The bare facts at least partially support his theory. The number of active Tor exit nodes in the US and China has increased dramatically over the last year. About a year back, when heise Security made its first survey, most of the 200 running exit nodes operated worldwide were located in Germany. The number of German locations has not changed significantly since. However, the number of nodes in the US has now increased to 175, about twice as many as in Germany today. And while last year the number of Chinese exit nodes could be counted on the fingers of one hand, there are 77 such nodes today, 26 of which are located in the metropolitan area of Beijing.

A more secure way of anonymous surfing is to exchange sensitive data only via encrypted TLS or SSL connections (HTTPS) and to disable cookies, JavaScript and Flash. However, many webmail providers automatically switch to an unencrypted HTTP connection after an HTTPS-encrypted log-in for performance reasons.

See also:

• Time to reveal…, blog entry by Dan Egerstad
• [ticker:uk_95262 Passwords to government mail accounts publicised], heise Security news
• Can exit nodes eavesdrop on communications? Information from the Tor developers on manipulated exit nodes

(mba)