It is the lack of ubiquitous cryptography in network communication protocols that enables these attacks in the first place. Providers of network services should work to ensure that whenever possible, network communications are encrypted between the server and the client, and servers can be authenticated by the client, to avoid the potential for man-in-the-middle attacks in contexts where they are a likely threat.
It's just so much fun when people rediscover password sniffing.
(And don't get me started on how much of an asshat this guy was for actually doing the attack. I mean, okay, perhaps performing the attack in such a way that the actual passwords aren't logged, or are only partially logged, in the style of the Wall of Sheep at DEFCON might be justified under the pretense that no one would take him seriously otherwise -- but grabbing the full username/password combos and publishing them? WTF? I highly doubt his belief that this was not illegal in at least one of the countries that has signed the Council of Europe Cybercrime Treaty -- but even if it was legal, it was certainly unethical.)
This is shameful behavior for a Tor operator. (At the same time, it's naive to think that all operators of anonymity services are going to be saints. Mr. Egerstad appears to have had good intentions, or at least nothing more sinister than publicity grubbing. There are worse foes running Tor nodes -- you can count on that.)
[Edit: Nevertheless, while a malicious Tor operator is in the position to sniff your clear-text passwords and communications if he operates the exit node, unless he also operates enough of the other nodes you're using in your circuit, he can't break your anonymity, provided you're properly using end-to-end encryption for your sensitive, identity-revealing data (as you damn well should be). Again, the moral of the story: don't use clear-text for sensitive data on the Internet. It's not just Tor operators who have access to this data, but any hacker who has owned a switch on the route you're using for non-Tor communication, and so on.]
But back to the issue at hand: this appears to me to be nothing more than a publicity stunt. Personally, I'd be horrified if the first two pages of Google hits on my name came up with this. This is not exciting, or interesting. It's sad. He calls himself a researcher, but really, he's a run-of-the-mill black-hat with just enough tech savvy to set up a Tor node and a sniffer that used a regex filter.
I wrote my short tech report in the first place because I knew users are, have always been, and will always be clueless about security and about their threat models, and I was concerned that Tor might actually make things worse for a significant portion of its users, by routing their unencrypted traffic through nodes operated by people like Dan Egerstad. It was supposed to make the designers of these sorts of systems think about how to solve problems such as this, not encourage people to pull publicity stunts.
Let me be clear: I do not believe Tor is to blame here. Nor do I believe that blaming the users, however culpable they may be, is productive. Administrators need to disable non-SSL-protected services like IMAP and POP3 and SMTP and instead only allow their drop-in replacements such as IMAPS, SMTP with STARTTLS, etc. In my tech report, I suggest a few things Tor might do to mitigate these risks, but ultimately, the 1990s are over, and there's no excuse for clear-text authentication credentials anymore. This goes for Vox, too.
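One way an administrator could check for this, as an added example that is not from the original post or the tech report: audit what a mail server advertises on its cleartext port before TLS is negotiated. The function name and sample banners are constructed for illustration; the capability keywords (STARTTLS, STLS, LOGINDISABLED, USER, SASL, AUTH) are the standard ones for SMTP, IMAP and POP3.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # SASL mechanisms that transmit the password itself
UPGRADE = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}

# Constructed pre-TLS capability responses (EHLO, CAPABILITY, CAPA); not from real servers.
SAMPLES = {
    "smtp-weak": ("smtp", "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"),
    "smtp-ok":   ("smtp", "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"),
    "imap-weak": ("imap", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"),
    "imap-ok":   ("imap", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"),
    "pop3-weak": ("pop3", "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"),
    "pop3-ok":   ("pop3", "+OK\r\nSTLS\r\nUIDL\r\n.\r\n"),
}

def audit(proto, banner):
    """Return findings for a capability response received BEFORE any TLS negotiation."""
    lines = []
    for raw in banner.splitlines():
        # Drop the SMTP reply code or the IMAP untagged prefix, keep the keywords.
        toks = re.sub(r"^(250[- ]|\* CAPABILITY )", "", raw.strip().upper()).split()
        if toks:
            lines.append(toks)
    tokens = {t for line in lines for t in line}
    mechs = set()
    for line in lines:
        if proto in ("smtp", "pop3") and line[0] in ("AUTH", "SASL"):
            mechs.update(line[1:])                      # "AUTH PLAIN LOGIN" / "SASL PLAIN LOGIN"
        if proto == "imap":
            mechs.update(t[5:] for t in line if t.startswith("AUTH="))
    findings = []
    if UPGRADE[proto] not in tokens:
        findings.append("no TLS upgrade offered")
    if mechs & PLAINTEXT_MECHS:
        findings.append("password-equivalent SASL offered in clear")
    if proto == "imap" and "LOGINDISABLED" not in tokens:
        findings.append("LOGIN command permitted in clear")   # IMAP allows LOGIN unless disabled
    if proto == "pop3" and "USER" in tokens:
        findings.append("USER/PASS permitted in clear")
    return findings

if __name__ == "__main__":
    for name, (proto, banner) in SAMPLES.items():
        print(f"{name:10} {audit(proto, banner) or 'ok'}")
```

An empty result means the cleartext port only offers the TLS upgrade; it says nothing about certificate validity or about the implicit-TLS ports, which need a separate check.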
This sort of attack is something that the anonymity research community needs to be more concerned about, since plaintext authentication isn't going to go away anytime soon.
(BTW, the password sniffing is the kid stuff. Far more interesting would be the web-browsing habits of people at those embassies, or learning who is emailing whom. Traffic analysis is where the real information comes from. As a Tor operator, even you can be an armchair international espionage agent!)
[Edit: No, I don't think Mr. Egerstad was influenced by my paper. I doubt he read it -- the attack he executed is an obvious one. It's even in the Tor FAQ, and has been for a while (though it wasn't when I originally wrote my paper -- I recall checking to see if it was highlighted there at the time).]