1994-07-30 - Attempted Compromise of anon.penet.fi Server?

Header Data

From: nobody@kaiwan.com (Anonymous)
To: julf@penet.fi
Message Hash: 9894bb37fd6df18d6f8ac1674198c4ce0238a59871bed3484a6318a02e847edf
Message ID: <199407300200.TAA02127@kaiwan.kaiwan.com>
Reply To: N/A
UTC Datetime: 1994-07-30 02:01:24 UTC
Raw Date: Fri, 29 Jul 94 19:01:24 PDT

Raw message

From: nobody@kaiwan.com (Anonymous)
Date: Fri, 29 Jul 94 19:01:24 PDT
To: julf@penet.fi
Subject: Attempted Compromise of anon.penet.fi Server?
Message-ID: <199407300200.TAA02127@kaiwan.kaiwan.com>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

A number of postings to the alt.test Usenet newsgroup from 
pseudonymous accounts at anon.penet.fi have recently been 
reported.  Correspondingly, a number of people have received 
email from that server indicating that an unsolicited 
pseudonymous account and ID have been established for them at 
that server.

Assuming no actual compromise of the anon.penet.fi database 
itself, this attack could serve a number of purposes.  Let's 
assume that an attacker had obtained the Cypherpunks mailing 
list, perhaps merged with a listing of all posters to sci.crypt, 
alt.security.pgp, alt.politics.org.nsa, etc. and, forging a 
message from each member, attempted to create a new pseudonymous 
account at the anon.penet.fi server for each one.  Likely motives 
for, and outcomes from this attack are:

SCENARIO #1:

Attempting to assign a new anon account to a person by posting to 
alt.test.  Each failure would indicate that the address owner 
already possessed a password-protected anon ID there.  This 
information could prove potentially "useful", I suppose.  For 
example, a list of names of anon forwarder users could be 
collected for "special treatment" later, possibly a "sting" 
operation of some sort; it would also net a few people whose only 
use of anon.penet.fi was merely REPLYING to another's 
pseudonymous address, which also results in the allocation of a 
new ID.  See Scenario #4 for further speculation.

SCENARIO #2:

Attempting to create such an account and SUCCEEDING would now 
match up the user ID with the new account number.  Any future 
posts via this account could then be easily cross-referenced back 
to the source.  Any account thus created, as evidenced by a 
"welcome" message from anon.penet.fi, should probably NOT be 
used, at least where anonymity was needed.

SCENARIO #3:

If the new accounts were password-protected by the forger, and 
the passwords NOT revealed to the putative "owners", the result 
would be a "denial of service".  Has anyone received a message 
that an unsolicited new account has also been password 
"protected"?  (Scenarios #2 and #3 are mutually exclusive, BTW.)

SCENARIO #4:

The most serious of all is the possibility of a "barium attack".  
A special "coded", but seemingly innocuous, message could be sent 
to each email address identified in Scenario #1.  If the person 
replies, he/she has just blown his/her anonymous cover, and any 
previous (or future) postings/correspondence using that ID are 
then traceable back to the source.  Needless to say, anyone who 
has a pseudonymous ID at anon.penet.fi that he/she would like to 
keep secret should be EXTREMELY careful in responding to any 
messages coming through that server.  The most likely means of 
accomplishing this attack is through the Subject: header, since 
many people reply to messages and keep the original subject, 
prefixing it with "RE: ".  If I send messages to Alice, Bob, and 
Charlie via anon.penet.fi, using a slightly different Subject: 
line for each, then a reply containing that Subject: line will 
link the pseudonymous return address on the reply with the 
recipient of the original message.

The source of this attack could be either a TLA (three-letter 
agency, such as NSA, FBI, CIA, etc.), some hacker, or even the 
infamous Larry Detweiler.  I cite the "TLA" option since a number 
of messages have been posted to various newsgroups via 
anon.penet.fi that seemingly violate Federal law.  At first 
glance the attack would seem to have been executed in a somewhat 
clumsy fashion, particularly the posting of public messages with 
the text "I am John Doe", or whatever.  OTOH, given the 
inevitable "welcome" message from anon.penet.fi to the "holders" 
of the newly assigned IDs, such "clumsiness" could also be 
designed to make a sophisticated attack look amateurish to 
disguise the motives and capabilities of the attacker(s).  Or, 
this whole thing could be an attempt to achieve "Death to 
Blacknet" by undermining user confidence in the anon servers by 
spreading "fear, uncertainty, and doubt".

QUESTION: Has anyone with a previously existing, 
password-protected identity at anon.penet.fi received an "invalid 
password" message recently, even though no attempts to send mail 
through the server had been made?  If not, then that's a bad sign 
because it might indicate that password protection has somehow 
been circumvented by the attacker.

 -- Diogenes - a registered pseudonym.
    PGP key (ID# D1150D49) available through PGP Public Key Servers

-----BEGIN PGP SIGNATURE-----
Version: 2.6

-----END PGP SIGNATURE-----
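The Subject-line echo that Scenario #4 relies on can be caught on the user's side before a reply leaves. What follows is an added example, not code from the original post or from anon.penet.fi: the header names are standard RFC 822 headers, the addresses and sample messages are constructed, and the dropping of In-Reply-To/References (which quote the inbound Message-ID) goes one step beyond the post's Subject-only description.

```python
"""Reply filter against Subject-line watermarks via a pseudonymous remailer.
Added example, not part of the original post: Scenario #4 mails each suspect a
slightly different Subject: and waits for a reply that keeps it under "RE: ".
This user-side check refuses to echo an inbound Subject and, going a step beyond
the post, drops In-Reply-To/References, which quote the inbound Message-ID.
All addresses and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Reply/forward prefixes a mail client prepends, possibly stacked ("Re: RE: ...").
_REPLY_PREFIX = re.compile(r"^\s*(?:(?:re|aw|fwd?)\s*:\s*)+", re.IGNORECASE)

def normalize_subject(subject: Optional[str]) -> str:
    """Strip reply prefixes, collapse whitespace, lower-case: 'RE:  Foo' -> 'foo'."""
    return re.sub(r"\s+", " ", _REPLY_PREFIX.sub("", subject or "")).strip().lower()

def echoed_inbound(reply: Message, inbox: List[Message]) -> Optional[Message]:
    """Return the inbound message whose Subject the reply repeats, else None.
    Any echo counts: the replier cannot see whether their Subject was unique."""
    target = normalize_subject(reply["Subject"])
    if not target:
        return None
    for msg in inbox:
        if normalize_subject(msg["Subject"]) == target:
            return msg
    return None

def sanitize_reply(reply: Message, inbox: List[Message],
                   generic: str = "Re: your message") -> Message:
    """Replace a Subject that echoes an inbound one; drop headers quoting its Message-ID."""
    if echoed_inbound(reply, inbox) is not None:
        reply.replace_header("Subject", generic)
    for hdr in ("In-Reply-To", "References"):
        del reply[hdr]  # no exception when the header is absent
    return reply

def constructed_inbox() -> List[Message]:
    """Two inbound messages of the kind the post describes (constructed sample data)."""
    raw = [
        "From: an000001@anon.penet.fi\nSubject: Meeting on Tuesday?\n"
        "Message-ID: <a1@example.invalid>\n\nhi\n",
        "From: an000002@anon.penet.fi\nSubject: Quick question\n"
        "Message-ID: <a2@example.invalid>\n\nhi\n",
    ]
    return [message_from_string(r) for r in raw]
```

Run `sanitize_reply` on a drafted reply against the messages received through the server; a Subject that survives unchanged did not echo anything the server delivered.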