TOR anonymisation network phished, part 2
By publishing his TOR hack, Swedish researcher Dan Egerstad recently provided users with a timely reminder that The Onion Router (TOR) anonymisation network should be enjoyed with caution. By setting up five exit-nodes, Egerstad sniffed out large amounts of e-mail access data from embassies and government agencies and published some of this data on the internet. Since a user cannot know who operates the individual exit-node through which his traffic passes, TOR users are advised to always make use of additional end-to-end encryption.
Members of the Teamfurry community got curious and took a look at the advertised configurations of a few randomly selected TOR exit-nodes. They stumbled on some extremely interesting results. There are, for example, exit-nodes which only forward unencrypted versions of certain protocols. One such node only accepts unencrypted IMAP and POP connections (TCP ports 143 and 110) and only forwards messenger connections from AIM, Yahoo IM and MSN Messenger if they are received on ports on which traffic is handled as plain text. The same procedure is applied to Telnet and VNC connections, used for remote access to systems. Further, there are systems which are only interested in specific destinations and, for example, exclusively forward HTTP packets bound for MySpace and Google. HTTPS traffic to these destinations is, however, blocked.
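As an added example, not taken from the heise article or the Teamfurry blog, the following Python reproduces the kind of check the Teamfurry members performed by hand: it parses exit-policy lines in Tor's `accept`/`reject` `address:port` form (first matching rule wins; anything unmatched is treated as rejected) and flags a policy that accepts a plaintext port while rejecting the port of its encrypted counterpart. The port-pair table and the sample policies are constructed here; the address part of each rule is deliberately ignored, so a policy restricted to particular destinations is judged by its ports alone.

```python
"""Flag Tor exit policies that admit only plaintext protocols.

Added example, not part of the heise article or the Teamfurry blog.
Exit-policy syntax follows Tor's documented form, e.g. "accept *:143",
"reject *:*", "accept 1.2.3.0/24:80-90". Sample policies are constructed.
"""

# Plaintext service port -> port of its encrypted counterpart (IANA assignments).
# Telnet is paired with SSH as the closest encrypted equivalent.
PLAINTEXT_TO_ENCRYPTED = {
    80: 443,    # HTTP  -> HTTPS
    110: 995,   # POP3  -> POP3S
    143: 993,   # IMAP  -> IMAPS
    23: 22,     # Telnet -> SSH
    21: 990,    # FTP   -> FTPS
}


def parse_policy(lines):
    """Return a list of (verdict, port_low, port_high) in policy order.

    The address part of a rule is ignored; a port of '*' means any port.
    """
    rules = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        verdict, _, target = line.partition(' ')
        if verdict not in ('accept', 'reject'):
            raise ValueError(f"bad verdict in rule: {raw!r}")
        # rpartition keeps IPv6 literals such as [::1]:80 intact
        _addr, _, portspec = target.rpartition(':')
        if portspec == '*':
            lo, hi = 1, 65535
        elif '-' in portspec:
            a, b = portspec.split('-', 1)
            lo, hi = int(a), int(b)
        else:
            lo = hi = int(portspec)
        rules.append((verdict, lo, hi))
    return rules


def port_allowed(rules, port):
    """First matching rule wins, as in Tor; unmatched ports are rejected."""
    for verdict, lo, hi in rules:
        if lo <= port <= hi:
            return verdict == 'accept'
    return False


def plaintext_only_ports(rules):
    """Plaintext ports that are accepted while their encrypted twin is rejected."""
    return sorted(p for p, enc in PLAINTEXT_TO_ENCRYPTED.items()
                  if port_allowed(rules, p) and not port_allowed(rules, enc))


# Constructed sample policies.
POLICY_MAIL_ONLY = ["accept *:143", "accept *:110", "reject *:*"]
POLICY_ORDINARY = [
    "reject *:25", "accept *:80", "accept *:443", "accept *:110",
    "accept *:995", "accept *:143", "accept *:993", "reject *:*",
]


def audit(lines):
    """Return the flagged plaintext ports for a policy given as text lines."""
    return plaintext_only_ports(parse_policy(lines))


if __name__ == "__main__":
    for name, pol in (("mail-only", POLICY_MAIL_ONLY), ("ordinary", POLICY_ORDINARY)):
        flagged = audit(pol)
        print(f"{name}: {'suspicious, plaintext-only ports ' + str(flagged) if flagged else 'ok'}")
```

The analyzer is conservative by design: a node that accepts both the plaintext and the encrypted port for a service is not flagged, because that is what an ordinary exit policy looks like. Only the pattern the article describes, where exactly the unencrypted variant is relayed and the encrypted one is refused, is reported.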
These peculiar configurations invite speculation as to why they are set up in this way. The Teamfurry blog declines to go so far as to impute nefarious motives to these nodes. Nevertheless, the report does raise the question of whether users should route personal data via such nodes. It is certainly generally believed that Chinese, Russian and American government agencies operate TOR exit-nodes. Large companies and illegal hacker groups are also thought to operate exit-nodes. Looking through the list of TOR exit-nodes, it is striking that the number of exit-nodes in China and the US has increased disproportionately over the last year.
Employing channel encryption may also be of little help. The Teamfurry blog reports the existence of an exit-node in Germany which apparently attempts to insert itself into SSL connections using a man-in-the-middle attack. The server certificate that would normally be presented over an SSL connection running through this node is replaced by a fake, self-signed certificate. This generally produces a browser error message, but users will often click past it. This 'phishing node' has since disappeared from the network.
Into exactly whose hands any stolen data has fallen is not known. However, Dan Egerstad last week found out what happens if you publish such data on the internet, when he received a visit from Swedish law enforcement agencies. Following a complaint, they turned his apartment upside down and interrogated him for several hours. The source of the complaint is not known, but it is thought it may have come from a foreign government agency whose e-mail details had been published by Egerstad.
- On TOR, blog entry from Teamfurry
- TOR exit-node doing MITM attacks, blog entry from Teamfurry
- Phishing attacks on Tor anonymisation network, report by heise Security