November 13, 2007
A Swedish hacker tells how he infiltrated a global communications
network used by scores of embassies over the world, using tools freely
available on the internet.
In August, Swedish hacker Dan Egerstad gained access to sensitive
embassy, NGO and corporate email accounts. Were they captured from the
clutches of hackers? Or were they being used by spies? Patrick Gray
investigates the most sensational hack of 2007.
IT WASN'T supposed to be this easy. Swedish hacker Dan Egerstad had
infiltrated a global communications network carrying the often-sensitive
emails of scores of embassies scattered throughout the world. It had
taken him just minutes, using tools freely available for download on the
He says he broke no laws.
In time, Egerstad gained access to 1000 high-value email accounts. He
would later post 100 sets of sensitive email logins and passwords on the
internet for criminals, spies or just curious teenagers to use to snoop
on inter-governmental, NGO and high-value corporate email.
The question on everybody's lips was: how did he do it? The answer came
more than a week later and was somewhat anti-climactic. The 22-year-old
Swedish security consultant had merely installed free, open-source
software - called Tor - on five computers in data centres around the
globe and monitored it. Ironically, Tor is designed to prevent
intelligence agencies, corporations and computer hackers from
determining the virtual - and physical - location of the people who use
"Tor is like having caller ID blocking for your internet address," says
Shava Nerad, development director with the Tor Project. "All it does is
hide where you're communicating from."
Tor was developed by the US Navy to allow personnel to conceal their
locations from websites and online services they would access while
overseas. By downloading the simple software, personnel could hide the
internet protocol address of their computers - the tell-tale number that
allows website operators or intelligence services to determine a user's
Eventually the navy realised it must take Tor beyond the armed forces.
"The problem is, if you make Tor a tool that's only used by the military
. . . by using Tor you're advertising that you're military," Nerad says.
So Tor was cast into the public domain. It is now maintained and
distributed by a registered charity as an open-source tool that anyone
can freely download and install. Hundreds of thousands of internet users
have installed Tor, according to the project's website.
Mostly it is workers who want to browse pornographic websites
anonymously. "If you analyse the traffic, it's just porn," Egerstad told
Next by phone from Sweden. "It's kind of sad."
However, Dmitri Vitaliev, a Russian-born, Australian-educated computer
security professional who lives in Canada, says Tor is a vital tool in
the fight for democracy. Vitaliev trains human-rights campaigners on how
to stay safe when online in oppressive regimes. "It's incredibly
important," he said in a Skype chat from the unrecognised state of
Transnistria, a breakaway region in Moldova where he's assisting a local
group working to stop the trafficking of women. "Anonymity is a high
advantage in countries that perform targeted surveillance on activists."
It's also used to bypass website censorship in more than 20 countries
that censor political and human rights sites, he says.
Tor works by connecting its users' internet requests, randomly, to
volunteer-run Tor network nodes. Anyone can run a Tor node, which relays
the user's traffic through other nodes as encrypted data that can't be
When the user's data reaches the edge of the Tor network, after bouncing
through several nodes, it pops out the other side as unencrypted,
readable data. Egerstad was able to get his mitts on sensitive
information by running an exit node and monitoring the traffic that
passed through it.
The problem, says Vitaliev, is some Tor users assume their data is
protected from end to end. "As in pretty much any other internet
technology, its vulnerabilities are not well understood by those who use
it (and) need it most," he says.
The discovery that sensitive, government emails were passing through Tor
exit nodes as unencrypted, readable data was only mildly surprising to
Egerstad. It made sense - because Tor documentation mentions
"encryption", many users assume they're safe from all snooping, he says.
"People think they're protected just because they use Tor. Not only do
they think it's encrypted, but they also think 'no one can find me',"
Egerstad says. "But if you've configured your computer wrong, which
probably more than 50 per cent of the people using Tor have, you can
still find the person (on) the other side."
Initially it seemed that government, embassy, NGO and corporate staffers
were using Tor but had misconfigured their systems, allowing Egerstad to
sniff sensitive information off the wire. After Egerstad posted the
passwords, blame for the embarrassing breach was initially placed on the
owners of the passwords he had intercepted.
However, Egerstad now believes the victims of his experiment may not
have been using Tor. It's quite possible he stumbled on an underground
intelligence gathering exercise, carried out by parties unknown.
"The whole point of the story that has been forgotten, and I haven't
said much about it, (is that) many of these accounts had been
compromised," he says. "The logins I caught were not legit users but
actual hackers who'd been reading these accounts."
In other words, the people using Tor to access embassy email accounts
may not have been embassy staff at all. Egerstad says they were computer
hackers using Tor to hide their origins from their victims.
The cloaking nature of Tor is appealing in the extreme to computer
hackers of all persuasions - criminal, recreational and government
If it weren't for the "last-hop" exit node issue Egerstad exposed in
such a spectacular way, parties unknown would still be rifling the
inboxes of embassies belonging to dozens of countries. Diplomatic memos,
sensitive emails and the itineraries of government staffers were all up
After a couple of months sniffing and capturing information, Egerstad
was faced with a moral dilemma: what to do with all the intercepted
passwords and emails.
If he turned his findings over to the Swedish authorities, his
experiment might be used by his country's intelligence services to
continue monitoring the compromised accounts. That was a little too
close to espionage for his liking.
So Egerstad set about notifying the affected governments. He approached
a few, but the only one to respond was Iran. "They wanted to know
everything I knew," he says. "That's the only response I got, except a
couple of calls from the Swedish security police, but that was pretty
much all the response I got from any authority."
Frustrated by the lack of a response, Egerstad's next step caused high
anxiety for government staffers - and perhaps intelligence services -
across the globe. He posted 100 email log-ins and passwords on his blog,
DEranged Security. "I just ended up (saying) 'Screw it, I'm just going
to put it online and see what happens'."
The news hit the internet like a tonne of bricks, despite some initial
scepticism. The email logins were quickly and officially acknowledged by
some countries as genuine, while others were independently verified.
US-based security consultant - and Tor user - Sam Stover says he has
mixed feelings about Egerstad's actions. "People all of a sudden (said)
'maybe Tor isn't the silver bullet that we thought it was'," Stover
says. "However, I'm not sure I condone the mechanism by which that sort
of information had to be exposed in order to do that."
Stover admits that he, too, once set up a Tor exit node. "It's pretty
easy . . . I set it up once real quick just to make sure that I could
see other people's traffic and, sure enough, you can," he says. "(But)
I'm not interested in that sort of intelligence gathering."
While there's no direct evidence, it's possible Egerstad's actions shut
down an active intelligence-gathering exercise. Wired.com journalist Kim
Zetter blogged the claims of an Indian Express reporter that he was able
to access the email account for the Indian ambassador in China and
download a transcript of a meeting between the Chinese foreign minister
and an Indian official. In addition to hackers using Tor to hide their
origins, it's plausible that intelligence services had set up rogue exit
nodes to sniff data from the Tor network.
"Domestic, or international . . . if you want to do intelligence
gathering, there's definitely data to be had there," says Stover. "(When
using Tor) you have no idea if some guy in China is watching all your
traffic, or some guy in Germany, or a guy in Illinois. You don't know."
Egerstad is circumspect about the possible subversion of Tor by
intelligence agencies. "If you actually look in to where these Tor nodes
are hosted and how big they are, some of these nodes cost thousands of
dollars each month just to host because they're using lots of bandwidth,
they're heavy-duty servers and so on," Egerstad says. "Who would pay for
this and be anonymous?"
While Stover regards Tor as a useful tool, he says its value is greatly
overestimated by those who promote and use it. "I would not use or
recommend the tool to hide from people between you and your endpoint.
It's really purely a tool to hide from the endpoint," he says.
As a trained security professional, Stover has the nous to understand
its limitations, he says. Most people don't.
The lesson remains but the data Egerstad captured is gone, the Swedish
hacker insists. He's now focusing on his career as a freelance security
consultant. "I deleted everything I had because the information I had
was belonging to so many countries that no single person should have
this information so I actually deleted it and the hard drives are long
gone," he says.
Patrick Gray's interviews with Dan Egerstad and Sam Stover can be heard
in his podcast from http://ITRadio.com.au/security.
Visit InfoSec News