Privacy

“Proxy” servers are an everyday part of Internet surfing. But using one in a crime could soon lead to more time in the clink.

A key vote Wednesday on new federal sentencing guidelines would classify the use of proxies as evidence of “sophistication,” increasing sentences by about 25 percent – which could mean years or even decades longer behind bars, depending on the crime. It’s akin to judges handing down stiffer sentences when a gun is used in a robbery.

Yet digital-rights advocates are worried. Although they aren’t absolving criminals, they complain that the proposal is so broad, it could lead to unnecessarily harsh sentences for tech neophytes who didn’t know they were using proxies in the first place or who were simply engaging in a practice often encouraged as a safer way of using the Internet.

“It sends a bad message about protecting your own privacy,” said John Morris, general counsel for the Center for Democracy and Technology.
This is the government saying, “If you take normal steps to protect your privacy, we’re going to view you as a more sophisticated criminal.’”

Proxies are computers that sit between a user and the Internet at large. They can be used to disguise that person’s numeric Internet Protocol address, which is akin to a street address for a computer.
Proxies are scattered around the Internet and are routinely used to relay Internet traffic, often unbeknownst to Internet users.

Corporations routinely use proxies to let their employees work from home; virtual private networks, or VPNs, make traffic look like it’s coming from within the company’s internal network, thus bypassing its security firewalls.

Cell phone providers use proxies to connect devices to the Internet, while people in repressive countries use them to circumvent Internet censors. Internet service providers also use proxies to speed traffic, by storing copies of frequently accessed Web pages locally, avoiding the need for users to reach out to the original site every time.

Privacy-minded users also rely on proxies to surf the Internet anonymously. With the free service Tor, for example, people install software to turn their computers into relay points for routing traffic between other people’s computers. Thus, a Web site only knows the identity of the last relay point, not the user actually accessing it.

But such anonymity proxies can be used for both good and bad, and a debate is stirring as the government proposes to impose stiffer penalties for crimes committed by someone who had been using those and other proxies.

The U.S. Sentencing Commission is to vote Wednesday on a series of amendments to the sentencing guidelines, which heavily influence the sentences that judges hand down. The amendment in question would treat the use of proxies as evidence of “sophistication” in planning certain types of crimes, from embezzlement to forgery and other types of fraud.

If the commission approves it, the change takes effect Nov. 1 unless Congress takes the rare step of blocking it beforehand.

Opposing the change requires a delicate touch, because the rule would apply only to people already convicted of crimes and facing sentencing.

“It’s kind of a fine line we’re dancing around, because we’re not trying to coddle cybercriminals, but we also really don’t think the government should be creating and institutionalizing a disincentive, a penalty for routine, safe privacy practices,” Morris said.

The Justice Department pushed for the change as a way to exact a harsher punishment on criminals who set up extensive proxy networks in multiple countries to evade law enforcement. Investigators can spend months, if not years, unraveling the networks. Sometimes, it’s impossible if they can’t get cooperation from foreign governments.

Officials pointed to several recent cases that illustrate the complexity of investigations involving proxies.

One probe – into a spamming operation specializing in “pump and dump” schemes involving Chinese penny stocks – took three years to complete and resulted in the indictment of 11 people in federal court in Michigan last year.

Investigators said the defendants bought lists of known proxies and used them to send millions of pieces of spam e-mail, earning millions of dollars by selling the stock they were promoting at inflated prices.

Criminals often tap into legitimate proxies that are misconfigured. Businesses, universities and home users who own such proxies usually aren’t aware their bandwidth is being sucked up by spammers or other criminals trying to hide their tracks.

A criminal could throw off an investigation by making traffic appear to come from a country with weak law enforcement. U.S. investigators could waste months trying to get cooperation only to hit a dead end – by then, the criminal has long moved on.

“So much of the initial challenge in an investigation is determining attribution – where are the transmissions coming from?” Michael DuBose, chief of the computer crime and intellectual property section of the Justice Department’s criminal division, said in an interview.

DuBose said the change is meant to punish people who knowingly use proxies to hide their identity and execute a criminal scheme.

But the current wording has been criticized as vague, and its opponents want a clearer statement of its application only to people who use proxies with criminal intent. Some also say that calling the use of proxies “sophisticated” is a stretch, given their ubiquity. The commission could change the language when it votes Wednesday.

“Even if someone did use a technology that made law enforcement’s life harder, and even if they did have criminal intent, technologically it may not be sophisticated at all,” Seth Schoen, staff technologist with the Electronic Frontier Foundation, a San Francisco-based nonprofit focused on online free speech and privacy. The EFF also helped fund development of the Tor anonymity proxy service.

“They’re proposing to make a kind of judgment that this is something unusual or remarkable, which just doesn’t match my experience with the technology. This is an everyday technology.”

Source: AP

A Swedish hacker tells how he infiltrated a global communications network used by scores of embassies over the world, using tools freely available on the internet.

In August, Swedish hacker Dan Egerstad gained access to sensitive embassy, NGO and corporate email accounts. Were they captured from the clutches of hackers? Or were they being used by spies? Patrick Gray investigates the most sensational hack of 2007.

IT WASN’T supposed to be this easy. Swedish hacker Dan Egerstad had infiltrated a global communications network carrying the often-sensitive emails of scores of embassies scattered throughout the world. It had taken him just minutes, using tools freely available for download on the internet.

He says he broke no laws.

In time, Egerstad gained access to 1000 high-value email accounts. He would later post 100 sets of sensitive email logins and passwords on the internet for criminals, spies or just curious teenagers to use to snoop on inter-governmental, NGO and high-value corporate email.

The question on everybody’s lips was: how did he do it? The answer came more than a week later and was somewhat anti-climactic. The 22-year-old Swedish security consultant had merely installed free, open-source software – called Tor – on five computers in data centres around the globe and monitored it. Ironically, Tor is designed to prevent intelligence agencies, corporations and computer hackers from determining the virtual – and physical – location of the people who use it.

“Tor is like having caller ID blocking for your internet address,” says Shava Nerad, development director with the Tor Project. “All it does is hide where you’re communicating from.”

Tor was developed by the US Navy to allow personnel to conceal their locations from websites and online services they would access while overseas. By downloading the simple software, personnel could hide the internet protocol address of their computers – the tell-tale number that allows website operators or intelligence services to determine a user’s location.

Eventually the navy realised it must take Tor beyond the armed forces. “The problem is, if you make Tor a tool that’s only used by the military . . . by using Tor you’re advertising that you’re military,” Nerad says.

So Tor was cast into the public domain. It is now maintained and distributed by a registered charity as an open-source tool that anyone can freely download and install. Hundreds of thousands of internet users have installed Tor, according to the project’s website.

Mostly it is workers who want to browse pornographic websites anonymously. “If you analyse the traffic, it’s just porn,” Egerstad told Next by phone from Sweden. “It’s kind of sad.”

However, Dmitri Vitaliev, a Russian-born, Australian-educated computer security professional who lives in Canada, says Tor is a vital tool in the fight for democracy. Vitaliev trains human-rights campaigners on how to stay safe when online in oppressive regimes. “It’s incredibly important,” he said in a Skype chat from the unrecognised state of Transnistria, a breakaway region in Moldova where he’s assisting a local group working to stop the trafficking of women. “Anonymity is a high advantage in countries that perform targeted surveillance on activists.”

It’s also used to bypass website censorship in more than 20 countries that censor political and human rights sites, he says.

Tor works by connecting its users’ internet requests, randomly, to volunteer-run Tor network nodes. Anyone can run a Tor node, which relays the user’s traffic through other nodes as encrypted data that can’t be intercepted.

When the user’s data reaches the edge of the Tor network, after bouncing through several nodes, it pops out the other side as unencrypted, readable data. Egerstad was able to get his mitts on sensitive information by running an exit node and monitoring the traffic that passed through it.

The problem, says Vitaliev, is some Tor users assume their data is protected from end to end. “As in pretty much any other internet technology, its vulnerabilities are not well understood by those who use it (and) need it most,” he says.

The discovery that sensitive, government emails were passing through Tor exit nodes as unencrypted, readable data was only mildly surprising to Egerstad. It made sense – because Tor documentation mentions “encryption”, many users assume they’re safe from all snooping, he says.

“People think they’re protected just because they use Tor. Not only do they think it’s encrypted, but they also think ‘no one can find me’,” Egerstad says. “But if you’ve configured your computer wrong, which probably more than 50 per cent of the people using Tor have, you can still find the person (on) the other side.”

Initially it seemed that government, embassy, NGO and corporate staffers were using Tor but had misconfigured their systems, allowing Egerstad to sniff sensitive information off the wire. After Egerstad posted the passwords, blame for the embarrassing breach was initially placed on the owners of the passwords he had intercepted.

However, Egerstad now believes the victims of his experiment may not have been using Tor. It’s quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown.

“The whole point of the story that has been forgotten, and I haven’t said much about it, (is that) many of these accounts had been compromised,” he says. “The logins I caught were not legit users but actual hackers who’d been reading these accounts.”

In other words, the people using Tor to access embassy email accounts may not have been embassy staff at all. Egerstad says they were computer hackers using Tor to hide their origins from their victims.

The cloaking nature of Tor is appealing in the extreme to computer hackers of all persuasions – criminal, recreational and government sponsored.

If it weren’t for the “last-hop” exit node issue Egerstad exposed in such a spectacular way, parties unknown would still be rifling the inboxes of embassies belonging to dozens of countries. Diplomatic memos, sensitive emails and the itineraries of government staffers were all up for grabs.

After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails.

If he turned his findings over to the Swedish authorities, his experiment might be used by his country’s intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking.

So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. “They wanted to know everything I knew,” he says. “That’s the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority.”

Frustrated by the lack of a response, Egerstad’s next step caused high anxiety for government staffers – and perhaps intelligence services – across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. “I just ended up (saying) ‘Screw it, I’m just going to put it online and see what happens’.”

The news hit the internet like a tonne of bricks, despite some initial scepticism. The email logins were quickly and officially acknowledged by some countries as genuine, while others were independently verified.

US-based security consultant – and Tor user – Sam Stover says he has mixed feelings about Egerstad’s actions. “People all of a sudden (said) ‘maybe Tor isn’t the silver bullet that we thought it was’,” Stover says. “However, I’m not sure I condone the mechanism by which that sort of information had to be exposed in order to do that.”

Stover admits that he, too, once set up a Tor exit node. “It’s pretty easy . . . I set it up once real quick just to make sure that I could see other people’s traffic and, sure enough, you can,” he says. “(But) I’m not interested in that sort of intelligence gathering.”

While there’s no direct evidence, it’s possible Egerstad’s actions shut down an active intelligence-gathering exercise. Wired.com journalist Kim Zetter blogged the claims of an Indian Express reporter that he was able to access the email account for the Indian ambassador in China and download a transcript of a meeting between the Chinese foreign minister and an Indian official. In addition to hackers using Tor to hide their origins, it’s plausible that intelligence services had set up rogue exit nodes to sniff data from the Tor network.

“Domestic, or international . . . if you want to do intelligence gathering, there’s definitely data to be had there,” says Stover. “(When using Tor) you have no idea if some guy in China is watching all your traffic, or some guy in Germany, or a guy in Illinois. You don’t know.”

Egerstad is circumspect about the possible subversion of Tor by intelligence agencies. “If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they’re using lots of bandwidth, they’re heavy-duty servers and so on,” Egerstad says. “Who would pay for this and be anonymous?”

While Stover regards Tor as a useful tool, he says its value is greatly overestimated by those who promote and use it. “I would not use or recommend the tool to hide from people between you and your endpoint. It’s really purely a tool to hide from the endpoint,” he says.

As a trained security professional, Stover has the nous to understand its limitations, he says. Most people don’t.

The lesson remains but the data Egerstad captured is gone, the Swedish hacker insists. He’s now focusing on his career as a freelance security consultant. “I deleted everything I had because the information I had was belonging to so many countries that no single person should have this information so I actually deleted it and the hard drives are long gone,” he says.

Source

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, CB

Moore, the brains behind the Metasploit Project, has come up with a series of countermeasures that include using patched Tor servers and a decloaking engine to detect the exact location of a pedophile within an organization or residence.

Moore first discussed his “countermeasures” at a meeting of the Austin Hackers Association (AHA) last summer when it became clear that the EFF-backed anonymity/privacy network was being used for the most nefarious purposes. Further confirmation came last September when German authorities cracked down on Tor node operators because of the proliferation of child porn.

In an e-mail interview, Moore said the plan is to release the source code, which will allow anyone to run a patched Tor server to help pinpoint pedophiles online.

Moore’s description of the countermeasures:

1. Run a patched TOR server. The patches embed a Ruby interpreter into the TOR connection engine and allow arbitrary Ruby scripts to process data before sending it back to the client.

2. When child porn-related keywords are seen (either the Web request, or the response), inject a little extra HTML code into the response going back to the Web browser. This HTML code would connect to my decloaking engine.

3. The decloak engine is based on the following techniques:

a) A unique identifier is created to track this user.

b) The browser is asked to resolve a unique host name, containing the identifier, that is part of a special domain hosted on my server. I run a modified DNS server that updates a database with the address from which the DNS request is received. The goal of this step is to determine the ISP of the user.

c) The browser is asked to load a Java applet. This applet uses two different techniques to obtain information about the user.

d) The first method uses the Java API to determine the local IP address of the user. This value is then passed back to the JavaScript code in the Web HTML snippet hosting the applet. The goal of this step is to get the real *internal* IP address of the user.

e) The second method involves the applet sending a raw DNS packet, directly to my server. Since this is UDP, it does not pass through TOR, and since it is sent by the Java code, it does not go through the ISP. This packet contains the unique identifier and if received, gives away the real *external* IP of the user. The goal of this step is to get the address of the user’s NAT gateway.

f) At this point, my server is able to determine the internal address of the user, the external address from which they access the internet, and the ISP they use to provide DNS resolution, as well as the IP address they come from through the TOR network. This information, along with the unique tracking ID, allows me to identify a specific workstation within an organization or residence.

As to whether this is enough for law enforcement authorities to make an arrest and build a case, Moore’s answer: “No idea.”

by Ryan Naraine