Hacking in the real world

In 2007, Swedish security consultant Dan Egerstad kindly set up some ‘exit nodes’ for the Tor anonymity network. Tor is a distributed ‘onion routing’ system, through which the path of data is very difficult to track. For all intents and purposes, nobody can tell where data coming out of a Tor exit node entered the network, or what a person connected to an entry node is doing.

So Tor’s a great way for people in repressive countries to do stuff on the web that their government wouldn’t like. It’s also a great way for office workers to look at porn.

Dan Egerstad ‘sniffed’ the traffic coming out of the exit nodes he operated. In that traffic was all sorts of confidential information, most notably including usernames and passwords for hundreds of email accounts belonging to the staff of embassies all over the world.

The Tor network prevented Egerstad from seeing where this data had come from, but there was nothing stopping him harvesting all the information he liked from the flow of anonymised, but not encrypted, data coming out of the network through the boxes he was operating.

The Sydney Morning Herald called the Egerstad affair “the hack of the year”; sniffing unencrypted data passing through a computer you own is not, if you ask me, actually much of a hack. But the boringness of the hack is more than made up for by the lesson it teaches – don’t use an interceptable, unscrambled communications medium to transfer confidential data.

Data inside the Tor network is highly secure, but if it’s coming from and going to computers outside the network, then it’s as wide open as any other plain internet connection.

People put confidential data in accessible plaintext all the time. You’ve probably done it several times. Do you, for instance, shred your ten-year-old bank statements when you throw them away? If you don’t, and if that account is still open, anybody who gets hold of the statement can use the information on it to help them steal your identity, or just make fake cheques.

And shops just won’t stop throwing away unshredded credit card carbons. That’s why credit cards have all sprouted those little Card Security Code numbers, usually on the back of the card; there was no other way to stop dumpster divers from collecting valid card details. Online stores that don’t ask for a Card Security Code will still accept such stolen details.

Oh, and have you ever put confidential information in a plain email? Admin staff at your ISP can, but probably won’t, read any mail you send through their servers. Every internet relay point for traffic from your ISP’s server to the recipient’s server – that’ll probably be at least two or three companies on top of the ones that own the sending and receiving servers – can also trivially sniff unencrypted SMTP email. And then there’s whoever runs the receiving mail server.