A Swedish security researcher, Dan Egerstad, recently highlighted a flaw in the way many folks are using Tor, a tool for internet anonymity. He said that he had captured user names and passwords for at least 1000 email accounts, posting the details for 100 of those. Ten days after the initial disclosure, he followed up with information on how he captured the data.
Tor (aka The Onion Router) is a system designed to hide the source and destination of internet traffic by routing it through a few intermediate nodes. Software is available for most operating systems and can run in either client or server mode. The Tor network consists of many server nodes that can route this traffic, but it also has special nodes, called "exit nodes" that are the endpoints for traffic within the Tor network. Exit nodes are the ones that actually talk to the server the client was trying to reach, thus they see any traffic exactly as it will be presented to the destination.
A Tor client picks a random path through the network, using a directory server to get a list of active nodes. For each hop along that path, it negotiates a separate session key. It encrypts the packet data, along with a destination address, once per node in the path, building up a packet with multiple layers of encrypted information. Each layer can only be decrypted by the proper intermediate node. Each intermediate node only knows about its predecessor, the destination, and the key, so with more than a few nodes, the source and ultimate destination are hidden. The exit node is the last layer of the onion, what it decrypts is the data bound for the destination.
Running an exit node for Tor has some risks associated with it, as all traffic that goes to a destination site appears to originate from the exit node host. If the destination gets attacked by a denial of service or other exploit, the exit node operator would seem to be the guilty party. For this reason, Tor servers can determine whether or not they are willing to be exit nodes. What Egerstad did was to volunteer five servers as exit nodes and monitor the traffic that went by.
What his exit nodes saw was the traffic bound for various servers, much of it in the clear. He collected authentication for email servers from many users, with the ones he released being embassy workers and members of human rights organizations. He monitored the POP3 and IMAP protocols, specifically looking for keywords associated with governments. By looking at those two protocols, he not only was able to capture passwords, his exit nodes also saw all of the email stream by as it was delivered to the users.
This should come as no real surprise, unencrypted email protocols are a security hazard; they should probably go the way of telnet, and be banished from internet usage. What is more surprising, but perhaps shouldn't be, is that people are using Tor to retrieve their email. Tor is not supposed to be a complete privacy solution, and it is not presented that way, but the difference between anonymity and privacy seem to have gotten lost.
It is a near certainty that others are doing just what Egerstad did. Governments and criminals – though it can be hard to distinguish between the two at times – both have an interest in monitoring this kind of traffic. Egerstad lists a number of suspicious exit nodes in the Tor network, any or all of which could be scanning the cleartext traffic that streams by.
In some ways, Tor is really no different than the myriad routers that internet traffic passes through; each of those presents a point where traffic could be intercepted. Tor is better in that regard, perhaps, because all but the last leg (which, of course, traverses any number of routers) are encrypted. If an encrypted protocol, SSL or an ssh tunnel for example, were used end-to-end, Egerstad's monitoring would not have worked. With proper certificate/key handling, no intermediate node, Tor or router, can decrypt the traffic.
It is a bit ironic that one would use a service meant to provide anonymity to log in to a system using credentials that are intended to restrict access to a particular user. It is a bit like renting a room at the No-Tell Motel using your credit card. Presumably, the users had Tor installed and running for other reasons and either didn't know or forgot to turn it off when retrieving their email. Perhaps their email client helpfully retrieves their email every few minutes without their intervention.
It should be noted that Tor does not do anything above the protocol level to anonymize traffic. Cookies, browser identification strings and other information can be used to identify who is using the connection to anyone with access to the traffic. Obviously, logging in makes that even easier. Another known threat to anonymity using Tor, even with end-to-end encryption, is timing analysis. If someone can monitor the timing of the packets at the client and those at the server, they can make a statistical correlation between the two.
Tor achieved another kind of notoriety, recently, as some of the storm worm spam started pushing it as a solution for internet anonymity. Unfortunately, users who followed the link landed on a fake Tor download page. Downloading the software did not result in any increase in their privacy, it simply installed one of the storm worm variants. It is certainly not the publicity that Tor wanted, but it could, perhaps, lead a few users to the real Tor. It is a dubious honor, but the storm worm herders must believe that the Tor name has some credibility in order to use it this way.
Tor is an excellent tool for what it does, but it certainly is not a solution to all internet communication privacy issues. As with most things, users need to understand what they are doing before they can gain the benefits of Tor. By managing the higher level identifying information correctly (perhaps by using something like Privoxy), one can use internet services anonymously with a reasonable level of comfort. Using end-to-end encryption makes it that much better.
|Created:||September 7, 2007||Updated:||December 8, 2009|
|Description:||A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message.|
|Created:||September 7, 2007||Updated:||September 12, 2007|
|Description:||Sumit I. Siddharth discovered that Gforge, a collaborative development tool, performs insufficient input sanitizing, which allows SQL injection.|
|Package(s):||jffnms||CVE #(s):||CVE-2007-3189 CVE-2007-3190 CVE-2007-3191 CVE-2007-3192|
|Created:||September 12, 2007||Updated:||September 12, 2007|
|Description:||jffnms, a web-based network management system, suffers from a cross-site scripting vulnerability, multiple SQL injection vulnerabilities, and an authentication bypass problem.|
|Created:||September 12, 2007||Updated:||October 8, 2007|
|Description:||From the Fedora advisory: Lighttpd (1.4.17 and earlier) is prone to a header overflow when using the mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi application.|
|Package(s):||gnome-ssh-askpass openssh||CVE #(s):||CVE-2007-4752|
|Created:||September 11, 2007||Updated:||August 25, 2008|
|Description:||OpenSSH in versions prior 4.7 could use a trusted X11 cookie if the creation of an untrusted cookie failed.|
|Package(s):||phpmyadmin||CVE #(s):||CVE-2006-6942 CVE-2006-6944 CVE-2007-1325 CVE-2007-1395 CVE-2007-2245|
|Created:||September 10, 2007||Updated:||March 19, 2009|
|Description:||Several remote vulnerabilities have been discovered in phpMyAdmin, a
program to administrate MySQL over the web. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1325: The PMA_ArrayWalkRecursive function in libraries/common.lib.php does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions.
CVE-2007-2245: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via (1) the fieldkey parameter to browse_foreigners.php or (2) certain input to the PMA_sanitize function.
CVE-2006-6942: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php.
CVE-2006-6944: phpMyAdmin allows remote attackers to bypass Allow/Deny access rules that use IP addresses via false headers.
|Created:||September 10, 2007||Updated:||October 8, 2007|
|Description:||Not only does QGit construct a predictable file name here, and doesn't check if the files already exist, which can be leveraged into information leak or arbitrary file overwrite in case they're symlinks, but later on executes one of them. This is not just problem when /tmp is mounted with noexec option, but might be exploited into arbitrary code execution under time-dependent race condition.|
|Created:||September 12, 2007||Updated:||November 15, 2007|
|Description:||From the Samba advisory: When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.|
|Created:||September 12, 2007||Updated:||September 12, 2007|
|Description:||Wordpress 2.2.3 has been released to fix a security problem. The project has not gone out of its way to describe this problem, but, from the fixed bug list, one concludes that it is possible for users without the requisite privileges to post arbitrary HTML.|
|Created:||September 10, 2007||Updated:||January 24, 2008|
|Description:||Aaron Plattner discovered a buffer overflow in the Composite extension of the X.org X server, which can lead to local privilege escalation.|
Page editor: Jake Edge
Next page: Kernel development>>
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds