A Swedish security professional who posted the usernames and passwords for 100 e-mail accounts belonging to various nations' embassies and political parties revealed on Monday that he exploited the improper usage of the Tor network -- a distributed system of computers that anonymizes the source of network traffic -- to collect the information.
By volunteering his own servers to route traffic for the Tor Project, Dan Egerstad -- a Web developer and security professional based in Malmo, Sweden -- was able to collect the unencrypted data sent through the network. The e-mail messages seen by Egerstad included discussions of military and national-security issues between embassies and sensitive corporate e-mail messages, he said.
"I found big companies -- Fortune 500 companies -- I mean really big companies doing this," Egerstad said. "Only a couple of users were using (Tor), but that is enough to compromise communications."
In total, Egerstad collected the e-mail credentials of more than 1,500 government workers, corporate employees and private individuals using the Tor network, he said. Because the technique is already known, Egerstad decided that fully disclosing the list of e-mail accounts and passwords for 100 of the government accounts was the best way to bring more attention to the issue.
"This is not a problem with Tor," Egerstad said. "This problem is that people who use Tor are using it incorrectly."
...
In August, Egerstad attempted to contact some of the governments and corporations whose e-mail credentials he had sniffed, but he got back few responses, he said.
Following the posting of the information to his Web site, a few countries did respond. India, Iran and Uzbekistan were friendly and supported the manner in which he disclosed the issue, he said. China filed a criminal complaint over the posting, while U.S. authorities complained to his Texas Web provider and had his original Web site taken down, Egerstad said.
The Federal Bureau of Investigation could not immediately comment on the allegations.
Egerstad argued that, while his revelations may be embarrassing, other groups with less benevolent motives are also likely eavesdropping on the network. He pointed to exit nodes run by hacking groups as potential ways of getting information for identity fraud, while massive nodes located in Washington D.C. and at the Space Research Institute in Russia are possible intelligence gathering tools for the U.S. and Russian governments, respectively.
Egerstad stressed that it's impossible to prove intentions, but that users should assume the worst.
"We found this kind of information on thousands of users, some of them being Fortune 500 companies and Nasdaq and New York-noted companies," he said on his Web site. "The information we gathered is not worth millions -- it’s worth billions in the right hands."