New Details Support Tor Spying Theory
Via Threat Level:
You'll recall the story about the Swedish security researcher who stumbled upon unencrypted embassy e-mail traffic that was passing through five Tor exit nodes he set up. The researcher, Dan Egerstad, told me before the Swedish feds raided his apartment that he was certain that others were grabbing such traffic through Tor exit nodes in the same way that he was. Government and intelligence agencies were presumed to be some of the spies tapping into the Tor network.
Well, the TeamFurry researchers decided to examine the configuration of a few Tor exit nodes to see what they might be up to and found some interesting results -- exit nodes that were configured to accept only unencrypted IMAP, AIM, VNC, Yahoo IM and MSN Messenger traffic, among a few other things, and to reject all other traffic.
Another node set up in Germany was configured to accept only unencrypted telnet, POP3, and NNTP traffic. Here's a look at one of the configurations:
accept *:143 <- Accept unencrypted IMAP traffic to anywhere
accept *:5190 <- Accept unencrypted AIM traffic to anywhere
accept *:5050 <- Accept unencrypted Yahoo IM traffic to anywhere
accept *:5900 <- Accept unencrypted VNC traffic to anywhere
accept *:5901 <- Accept unencrypted VNC traffic to anywhere
accept *:1863 <- Accept unencrypted MSN Messenger traffic to anywhere
reject *:* <- reject all other traffic.
Of course there's no telling who the exit node owners are (bored hackers, industrial spies or intelligence agencies) or what they're doing for sure, but as TeamFurry notes, the configurations sure look suspicious.
They also found another exit node in Germany that appears to be doing man-in-the-middle attacks on HTTPS connections.
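The pattern TeamFurry describes can be checked mechanically. The sketch below is an added example, not code from the article or from TeamFurry: it parses an exit policy in the form quoted above, evaluates it first-match-wins as Tor does, and flags a policy whose accepted ports are all plaintext services. The port table, the function names and the web-only sample policy are assumptions made for this illustration.

```python
# Added example. Ports whose default service is unencrypted (assumed table).
CLEARTEXT_PORTS = {
    23: "telnet", 110: "POP3", 119: "NNTP", 143: "IMAP",
    1863: "MSN Messenger", 5050: "Yahoo IM", 5190: "AIM",
    5900: "VNC", 5901: "VNC",
}

# The policy quoted in the article, annotations included.
ARTICLE_POLICY = """\
accept *:143 <- Accept unencrypted IMAP traffic to anywhere
accept *:5190 <- Accept unencrypted AIM traffic to anywhere
accept *:5050 <- Accept unencrypted Yahoo IM traffic to anywhere
accept *:5900 <- Accept unencrypted VNC traffic to anywhere
accept *:5901 <- Accept unencrypted VNC traffic to anywhere
accept *:1863 <- Accept unencrypted MSN Messenger traffic to anywhere
reject *:* <- reject all other traffic.
"""
# Constructed sample of an unremarkable policy, for contrast.
WEB_POLICY = "accept *:80\naccept *:443\naccept *:993\nreject *:*\n"

def parse_policy(text):
    """Return [(action, low, high)] for rules that apply to any address."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("<-")[0].split()   # drop the article's annotations
        if len(tokens) < 2 or not tokens[-1].startswith("*:"):
            continue                            # blank or address-specific rule
        low, _, high = tokens[-1][2:].partition("-")
        low, high = (1, 65535) if low == "*" else (int(low), int(high or low))
        rules.append((tokens[-2], low, high))
    return rules

def accepted_ports(rules):
    """Evaluate first-match-wins; ports no rule matches are treated as rejected."""
    accepted, decided = set(), set()
    for action, low, high in rules:
        undecided = set(range(low, high + 1)) - decided
        if action == "accept":
            accepted |= undecided
        decided |= undecided
    return accepted

def cleartext_only(policy_text):
    """True when the policy accepts something and all of it is plaintext."""
    ports = accepted_ports(parse_policy(policy_text))
    return bool(ports) and ports.issubset(CLEARTEXT_PORTS)
```

A match is only a reason to look closer at a relay; as the article says, the policy alone does not tell you who runs the node or what they do with the traffic.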
See also:
- Tor Researcher Who Exposed Embassy E-mail Passwords Gets Raided by Swedish FBI and CIA
- Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise
- Embassy E-mail Account Vulnerability Exposes Passport Data and Official Business Matters
- Tor Torches Online Tracking
(Read Original Article - Via Threat Level.)