A security researcher has collected thousands of sensitive emails and passwords from the embassies of countries such as Russia and India. He today blamed the systems administrators responsible for not using encryption to shield their traffic from snooping.
Dan Egerstad, a 21-year-old security researcher, revealed on Monday he was able to capture the information by setting up his own node in a peer-to-peer network used by the embassies to make their internet traffic anonymous.
The embassies relied on a volunteer network of servers using software called Tor (The Onion Router) to hide their internet traffic and make it anonymous. Traffic sent through a Tor node is transmitted through a randomly selected series of other Tor nodes before exiting the network for its intended destination, so as to disguise the source and destination of the traffic.
But although traffic between nodes in a Tor network is encrypted by default, traffic entering and exiting the system is not, so anyone wanting to hide not only who are they are communicating with, but what they are saying, must apply an extra layer of encryption themselves. Embassies and companies neglected to do this, which left their information open for Egerstad to collect.
Anyone can run a Tor server and add it to the network. Egerstad, who runs his own consulting company in Malmo, Sweden, did just that as part of his security research, and monitored the traffic exiting the Tor network through it.
To his surprise, he found that more than 99 percent of the traffic - including requests for websites, instant-messaging traffic and emails - were transmitted unencrypted.
"By accident, I saw one really sensitive email," Egerstad said in a telephone interview. "I thought 'What is that doing there?'"
Using specially designed software to search that traffic for keywords, Egerstad was soon collecting usernames, passwords and email sent by embassies around the world, as well as large companies.
Late last month, Egerstad published the usernames and passwords for around 100 embassies.
Egerstad said the process of snooping on the traffic is trivial. The problem is not with Tor, which still works as intended, but with users' expectations: the Tor system is designed to merely anonymise internet traffic and does not perform end-to-end encryption.
"If they are using encryption - no problem, it doesn't matter," Egerstad said.
Organisations running other Tor nodes could also be snooping on traffic exiting the network there, Egerstad warned.
For example, several Tor nodes in the Washington, DC, area can handle up to 10TB of data a month, a flow of data that would cost at least $5,000 a month to run, and is likely way out the range of volunteers who run a node on their own money, Egerstad said.
"Who would pay for that?" Egerstad said.