Taken from http://derangedsecurity.com/
This is going to be a long post; several important things need to be said. It’s important you read it to the end.
We chose to wait this long before posting the whole story to give not only governments time to secure themselves but also to protect private users and businesses. The affected on the list have by now figured out that we had passwords to many more than just the 100 we posted and have secured ALL their accounts. Many of the private/company users have by now received our e-mails warning them, few responses though. Remember that we found this kind of information on thousands of users, some of them being Fortune 500 companies, Nasdaq and New York noted companies. The information we gathered is not worth millions, it’s worth billions in the right hands.
No accounts have been hacked; you have been actively exposing them yourselves, not only to us but to about 1000 others all over the world, every day. This has been said many times before, which you chose to ignore. The team behind the product is completely open about this security threat, but they probably should have made a bigger warning text, I guess. For us to publish yet another warning, or for the vendor to tell you again, would have had no effect once more.
Alright, with the boring stuff said, this is how we did it:
#1. Five ToR exit nodes, at different locations in the world, equipped with our own packet sniffer focused entirely on POP3 and IMAP traffic, using a keyword filter looking for words like “gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download, together with all other traffic such as web and instant messaging.
Did you get it? These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic, but that last exit node is not. There are hundreds of thousands of ToR users, but finding these kinds of accounts was… hmm… shocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries’ secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!
ToR isn’t the problem, just use it for what it’s made for.
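The exposure described above is visible from the mail server’s side as well: a login whose credentials arrived without TLS was readable by every hop in between, exit node included. The following is an added example (not from the original post) that scans constructed Dovecot-style login log lines, flags every cleartext POP3/IMAP login, marks the ones that came from a placeholder list of known exit-node addresses, and lists the accounts whose passwords should be treated as compromised.

```python
import re

# Constructed sample lines in Dovecot-style login log format (not from the original post).
# Dovecot appends "TLS" (or "secured" for loopback/local connections) to logins that arrived
# over an encrypted channel; a line without either token means the password crossed the
# network in the clear, readable by any relay in the path, including a Tor exit node.
SAMPLE_LOG = """\
Sep 10 08:01:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=4101, TLS, session=<A1>
Sep 10 08:01:09 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, mpid=4102, session=<B2>
Sep 10 08:02:15 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4103, secured, session=<C3>
Sep 10 08:03:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2, mpid=4104, session=<B4>
Sep 10 08:04:00 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.18.5.9, lip=198.51.100.2, mpid=4105, session=<D5>
"""

# Constructed placeholder set of exit-node addresses; in practice load the published Tor exit list.
EXIT_NODES = {"192.0.2.44"}

LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>, method=(?P<method>\S+?), "
    r"rip=(?P<rip>[^,]+), lip=[^,]+, mpid=\d+(?P<flags>(?:, (?:TLS|secured))?)"
)

def find_cleartext_logins(log_text, exit_nodes=frozenset()):
    """Return (user, service, remote_ip, via_exit_node) for each login not protected by TLS."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m.group("flags"):  # ", TLS" or ", secured": the channel was encrypted, skip it
            continue
        rip = m.group("rip")
        findings.append((m.group("user"), m.group("svc"), rip, rip in exit_nodes))
    return findings

def accounts_to_reset(findings):
    """Distinct accounts whose password must be treated as compromised."""
    return sorted({user for user, _, _, _ in findings})

if __name__ == "__main__":
    hits = find_cleartext_logins(SAMPLE_LOG, EXIT_NODES)
    for user, svc, rip, via_exit in hits:
        print(f"{user:6} {svc:5} from {rip:14} {'via known exit node' if via_exit else ''}")
    print("reset:", accounts_to_reset(hits))
```

The same check can be expressed as a log-monitoring rule; the durable fix is to disable plaintext authentication on the server so the condition cannot occur at all.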
#2. I’ll have a lot of people to thank for helping me here; you all know who you are, white-hats and friends out there. ToR has about 1000 nodes set up to handle exit traffic (unencrypted). These are the servers all your traffic is going to be sent through. Of course you know everything about them, right? I had five running during this test that no one knew about; who owns the others?
Just to give you something to think about, we did look into a few servers out of the 1000 that we thought looked interesting. We aren’t trying to tell you what to think; you will have to do that yourself.
Examples of exit nodes that can read your traffic:
• Nodes named devilhacker, hackershaven…
• Node hosted by an illegal hacker-group
• Major nodes hosted anonymously dedicated to ToR by the same person/organization in Washington DC. Each handling 5-10TB data every month.
• Node hosted by Space Research Institute/Cosmonauts Training Center controlled by Russian Government
• Nodes hosted on several Government controlled academies in the US, Russia and around Asia.
• Nodes hosted by criminal identity stealers
• Node hosted by Ministry of Education Taiwan (China)
• Node hosted by major stock exchange company and Fortune 500 financial company
• Nodes hosted anonymously on dedicated servers for ToR costing the owner US$100-500 every month
• Node hosted by China Government official
• Nodes in over 50 countries with unknown owners
• Nodes handling over 10TB data every month
We can prove all this, but not the intentions of each server. They might be very nice people spending a lot of money doing you a favor, but it could just as well be something else. We don’t, however, think it’s weird that universities are hosting nodes, just that you need to be aware of it. Criminals, hackers and governments are running nodes. Why?
This experiment has proven another major problem regarding computer security. Even though I haven’t broken into anything, which people blame me for, it’s obvious that laws for computer crimes are problematic. Laws don’t work across borders, but the Internet and the criminals do.
This world experiment has never been done before: what would happen if someone was DEranged enough to post a list worth millions, completely public, exposing governments? We got this message out to at least 157 countries and billions of people in just a week. I’ll have to say that even if it took 5 days to get 70% fixed, that was fast compared to what I’m used to.
PS: The data and hard drive on each node are destroyed.