Comments on: Embassy email accounts breached by unencrypted passwords http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/ Security Research, Computer Laboratory, University of Cambridge Fri, 12 Mar 2010 02:03:57 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Steven J. Murdoch http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/comment-page-1/#comment-24014 Steven J. Murdoch Wed, 12 Sep 2007 11:43:12 +0000 http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/#comment-24014 @Phil <blockquote>Please route a bunch of packets to me</blockquote> That is precisely what <a href="http://en.wikipedia.org/wiki/Border_Gateway_Protocol" rel="nofollow">BGP</a> lets you do on the normal Internet. It comes with some limitations, and you need to be an ISP, but who says all ISPs are honest? Similarly, if you set up a high-power access point in a busy airport, plenty of people will send their packets your way. The difference is that an exit node on Tor can't choose what data it receives and doesn't know where it comes from (unless the content gives that away). Whereas the BGP and fake-AP attacks are much more targetted and give more information. If you trust the people around you more than a random stranger, then you're right – Tor makes the risk of sniffing worse. But people in sensitive occupations, like embassy employees, might worry about those nearby far more than someone who randomly sees their traffic. I'm not condoning the absence of encryption, instead I'm just pointing out that the question of whether Tor increases the risk of sniffing does not have a simple answer. That depends on the content in question and the risk-environment of the user. @Phil

Please route a bunch of packets to me

That is precisely what BGP lets you do on the normal Internet. It comes with some limitations, and you need to be an ISP, but who says all ISPs are honest? Similarly, if you set up a high-power access point in a busy airport, plenty of people will send their packets your way.

The difference is that an exit node on Tor can’t choose what data it receives and doesn’t know where it comes from (unless the content gives that away). Whereas the BGP and fake-AP attacks are much more targetted and give more information.

If you trust the people around you more than a random stranger, then you’re right – Tor makes the risk of sniffing worse. But people in sensitive occupations, like embassy employees, might worry about those nearby far more than someone who randomly sees their traffic.

I’m not condoning the absence of encryption, instead I’m just pointing out that the question of whether Tor increases the risk of sniffing does not have a simple answer. That depends on the content in question and the risk-environment of the user.

]]> By: Phil Wise http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/comment-page-1/#comment-24012 Phil Wise Wed, 12 Sep 2007 10:28:43 +0000 http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/#comment-24012 This is an interesting side effect of Tor. Normally packet sniffing is very hard to perform unless you are very close to the one end of the link, because no-one is going to let you or I near the core Internet routing fabric. With an overlay network, it is much easier to become a core router, and that makes attacks that were previously only theoretical achievable in practice because you can effectively ask Tor 'Please route a bunch of packets to me', and that isn't possible on the IP internet. This is an interesting side effect of Tor. Normally packet sniffing is very hard to perform unless you are very close to the one end of the link, because no-one is going to let you or I near the core Internet routing fabric. With an overlay network, it is much easier to become a core router, and that makes attacks that were previously only theoretical achievable in practice because you can effectively ask Tor ‘Please route a bunch of packets to me’, and that isn’t possible on the IP internet.

]]> By: Steven J. Murdoch http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/comment-page-1/#comment-24006 Steven J. Murdoch Tue, 11 Sep 2007 21:22:22 +0000 http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/#comment-24006 @Mark I haven't seen any authoritative explanation for why embassy personnel are using Tor, but I can think of some reasons. Tor is an anti-surveillance technology, and embassy employees are in the type of jobs where they worry about that. For example, suppose an embassy worker is checking their email from a public access point. By using Tor, they hide their affiliation, potentially reducing the risk that they will be attacked. They might also want to hide their employment from their ISP. Of course, they should be using encryption but I can understand why embassies might have encouraged the use of Tor. A VPN hides the data, but not the identify of the user, so the security added by Tor could be beneficial. @Mark

I haven’t seen any authoritative explanation for why embassy personnel are using Tor, but I can think of some reasons. Tor is an anti-surveillance technology, and embassy employees are in the type of jobs where they worry about that.

For example, suppose an embassy worker is checking their email from a public access point. By using Tor, they hide their affiliation, potentially reducing the risk that they will be attacked. They might also want to hide their employment from their ISP.

Of course, they should be using encryption but I can understand why embassies might have encouraged the use of Tor. A VPN hides the data, but not the identify of the user, so the security added by Tor could be beneficial.

]]> By: Mark M. http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/comment-page-1/#comment-24005 Mark M. Tue, 11 Sep 2007 21:16:01 +0000 http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/#comment-24005 Have I missed the explanation of why embassy personnel are using ToR to forward email? I wouldn't have thought anonymity was an issue, and apparently security isn't either... When even smallish private companies use VPNs for access to internal mailservers from remote locations, the notion that the foreign services of some major countries do not is hard to credit. Amazing! Have I missed the explanation of why embassy personnel are using ToR to forward email? I wouldn’t have thought anonymity was an issue, and apparently security isn’t either…

When even smallish private companies use VPNs for access to internal mailservers from remote locations, the notion that the foreign services of some major countries do not is hard to credit. Amazing!

]]> By: Matt http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/comment-page-1/#comment-23991 Matt Mon, 10 Sep 2007 18:53:43 +0000 http://www.lightbluetouchpaper.org/2007/09/10/embassy-email-accounts-breached-by-unencrypted-passwords/#comment-23991 <em>I did note that the passwords of the Uzbek accounts are very good</em> They're long and non-mnemonic, but they all take the form ([a-z][0-9])*, which yields a smaller password space than, say, [a-z0-9]*. They do get points for effort, though, particularly compared to "password", "asdfgh", "12345678" ("That sounds like the combination an idiot would put on his luggage!"), and all of the Iranian passwords. Wow. I did note that the passwords of the Uzbek accounts are very good

They’re long and non-mnemonic, but they all take the form ([a-z][0-9])*, which yields a smaller password space than, say, [a-z0-9]*. They do get points for effort, though, particularly compared to “password”, “asdfgh”, “12345678″ (”That sounds like the combination an idiot would put on his luggage!”), and all of the Iranian passwords. Wow.

]]>