Monday, September 10, 2007

Embassy password hacker reveals his technique

A Swedish hacker calling himself "DEranged" attracted media attention over the past couple of weeks by posting a list of 100 government email usernames and passwords. His list included email accounts used by embassy officials from India, Russia, Iran, Hong Kong, and others. A few journalists verified that these credentials could indeed be used to access private email.

At the time of his original disclosure DEranged (his real name is Dan Egerstad) withheld details on how he came into possession of the passwords, instead writing that "there is no exploit to publish, no vendor to contact". Today he posted an entry on his blog describing how he used newer software to exploit an older problem.

Egerstad established several computers as nodes in the Tor network. As a part of this network, these computers would act as intermediary routers in the delivery of Internet traffic. By routing this traffic Egerstad also gained the capacity to capture and analyze any unencrypted packets sent through his systems. He then used this access to collect thousands of usernames and passwords transmitted to email servers in the clear.

I will not praise Egerstad due to his poor ethics in disclosing passwords in the manner that he did, but ultimately he is right in pointing out the serious shortcomings of protocols that still transmit unencrypted passwords.

There have been secure alternatives to POP3, such as POP3 over SSL, for some time. However, many companies and service providers fail to offer them, let alone make them the default setting. Organizations can only justify this continued practice because of the difficulty in detecting password capturing attacks. IT personnel can avoid responsibility by dismissing password thefts as a user problem resulting from phishing attacks or software trojans. This is an unacceptable response.

With the growing number of mobile users and wireless networks, the opportunities for password capture attacks will increase. If you are using POP3, Telnet, HTTP, FTP, or any other unencrypted protocol for transmitting passwords, look into alternatives today. People with more dangerous agendas than Egerstad will be watching to see if you do.
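As an added illustration (not part of the original post), here is a defender-side check in Python that scans client payloads mirrored from your own network for the cleartext credential exchanges named above (POP3, FTP, HTTP Basic) and reports which accounts need to be moved to an encrypted alternative and rotated. The port table, the flow labels and the sample capture are constructed for this example; passwords are never stored, only their length.

```python
"""Flag cleartext password submissions in mirrored client traffic (added example)."""
import base64
import binascii
import re

# Constructed table: ports whose protocols carry credentials unencrypted.
# TLS-wrapped variants (995 for POP3S, 443 for HTTPS, ...) are deliberately absent.
CLEARTEXT_PORTS = {110: "POP3", 21: "FTP", 80: "HTTP"}

USER_PASS_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)\r?\n", re.IGNORECASE)
BASIC_AUTH_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                           re.IGNORECASE | re.MULTILINE)


def find_cleartext_logins(packets):
    """packets: iterable of (flow_id, dst_port, client_payload_bytes).

    Returns one finding per exposed password: protocol, the account it belongs
    to (from the preceding USER command or the Basic header), and its length."""
    last_user = {}  # flow_id -> account named by the most recent USER command
    findings = []
    for flow, port, payload in packets:
        proto = CLEARTEXT_PORTS.get(port)
        if proto is None:
            continue  # encrypted ports carry TLS records: nothing readable to flag
        if proto in ("POP3", "FTP"):
            m = USER_PASS_RE.match(payload)
            if not m:
                continue
            if m.group(1).upper() == b"USER":
                last_user[flow] = m.group(2).decode("ascii", "replace")
            else:
                findings.append({"proto": proto, "account": last_user.get(flow, "<unknown>"),
                                 "password_len": len(m.group(2))})
        else:  # HTTP Basic: base64(user:password) in a request header
            for token in BASIC_AUTH_RE.findall(payload):
                try:
                    user, _, pw = base64.b64decode(token, validate=True).partition(b":")
                except (binascii.Error, ValueError):
                    continue  # malformed header, not a credential
                findings.append({"proto": proto, "account": user.decode("ascii", "replace"),
                                 "password_len": len(pw)})
    return findings


# Constructed sample capture: one POP3 login, one POP3S session, one webmail
# request with Basic auth, and an FTP PASS whose USER line was not captured.
SAMPLE_CAPTURE = [
    ("f1", 110, b"USER consul@embassy.example\r\n"),
    ("f1", 110, b"PASS correct-horse\r\n"),
    ("f2", 995, b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86"),  # TLS ClientHello, opaque
    ("f3", 80, b"GET /webmail/ HTTP/1.1\r\nHost: mail.example\r\n"
               b"Authorization: Basic YXR0YWNoZTpzM2NyZXQ=\r\n\r\n"),
    ("f4", 21, b"PASS orphan\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"{f['proto']}: account {f['account']!r} sent a {f['password_len']}-byte password in the clear")
```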


Shava said...

Dan's name is an anagram of "deranged" -- he goes by Dan in email he sent me. He's a security researcher, and his point that people should use more encryption couldn't be more to the point.

People in the security space have tried to make people aware of these issues over and over, but it always seems remote to the user. Although in some blogs and news stories, Tor is taking the brunt of this story, I hope we can all embrace it as a teachable moment, which I feel is the spirit of your story.

The Tor Network is set up with a security architecture that preserves anonymity to users who use end-to-end encryption and don't allow client-side tech to sidestep their privacy measures. We are set up so that even if some of our network is in the hands of bad players, the prudent user is protected.

However, we know all our users are not prudent. Despite all our notices on our download page, our FAQ, our wiki, our documentation, in our technical articles, in interviews, and so on...despite this, people do not use our software as part of a comprehensive strategy and/or policy to best protect privacy and security.

It took ages to get people in general to look for https or the lock icon on pages where they entered a credit card. How much longer will it take, do you think, until they do the same with a password?

Shava Nerad
Development Director
The Tor Project
