From: nobody@kaiwan.com (Anonymous)
To: julf@penet.fi
Message Hash: 9894bb37fd6df18d6f8ac1674198c4ce0238a59871bed3484a6318a02e847edf
Message ID: <199407300200.TAA02127@kaiwan.kaiwan.com>
Reply To: N/A
UTC Datetime: 1994-07-30 02:01:24 UTC
Raw Date: Fri, 29 Jul 94 19:01:24 PDT
From: nobody@kaiwan.com (Anonymous)
Date: Fri, 29 Jul 94 19:01:24 PDT
To: julf@penet.fi
Subject: Attempted Compromise of anon.penet.fi Server?
Message-ID: <199407300200.TAA02127@kaiwan.kaiwan.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
A number of postings to the alt.test Usenet newsgroup from
pseudonymous accounts at anon.penet.fi have recently been
reported. Correspondingly, a number of people have received
email from that server indicating that an unsolicited
pseudonymous account and ID and have been established for them at
that server.
Assuming no actual compromise of the anon.penet.fi database
itself, this attack could serve a number of purposes. Let's
assume that an attacker had obtained the Cypherpunks mailing
list, perhaps merged with a listing of all posters to sci.crypt,
alt.security.pgp, alt.politics.org.nsa, etc. and, forging a
message from each member, attempted to create a new pseudonymous
account at the anon.penet.fi server for each one. Likely motives
for, and outcomes from this attack are:
SCENARIO #1:
Attempting to assign a new anon account to a person by posting to
alt.test. Each failure would indicate that the address owner
already possessed a password-protected anon ID there. This
information could prove potentially "useful", I suppose. For
example, a list of names of anon forwarder users could be
collected for "special treatment" later, possibly a "sting"
operation of some sort, it would also net a few people whose only
use of anon.penet.fi was merely REPLYING to another's
pseudonymous address, which also results in the allocation of a
new ID. See Scenario #4 for further speculation.
SCENARIO #2:
Attempting to create such an account and SUCCEEDING would now
match up the user ID with the new account number. Any future
posts via this account could then be easily cross-referenced back
to the source. Any account thus created, as evidenced by a
"welcome" message from anon.penet.fi, should probably NOT be
used, at least where anonymity was needed.
SCENARIO #3:
If the new accounts were password-protected by the forger, and
the passwords NOT revealed to the putative "owners", the result
would be a "denial of service". Has anyone received a message
that an unsolicited new account has also been password
"protected"? (Scenarios #2 and #3 are mutually exclusive, BTW.)
SCENARIO #4:
The most serious of all is the possibility of a "barium attack".
A special "coded", but seemingly innocuous, message could be sent
to each email address identified in Scenario #1. If the person
replies, he/she has just blown his/her anonymous cover, and any
previous (or future) postings/correspondence using that ID are
then traceable back to the source. Needless to say, anyone who
has a pseudonymous ID at anon.penet.fi that he/she would like to
keep secret should be EXTREMELY careful in responding to any
messages coming through that server. The most likely means of
accomplishing this attack is through the Subject: header, since
many people reply to messages and keep the original subject,
prefixing it with "RE: ". If I send messages to Alice, Bob, and
Charlie via anon.penet.fi, using a slightly different Subject:
line for each, then a reply containing that Subject: line will
link the pseudonymous return address on the reply with the
recipient of the original message.
The source of this attack could be either a TLA (three-letter
agency, such as NSA, FBI, CIA, etc.), some hacker, or even the
infamous Larry Detweiler. I cite the "TLA" option since a number
of messages have been posted to various newsgroups via
anon.penet.fi that seemingly violate Federal law. At first
glance the attack would seem to have been executed in a somewhat
clumsy fashion, particularly the posting of public messages with
the text "I am John Doe", or whatever. OTOH, given the
inevitable "welcome" message from anon.penet.fi to the "holders"
of the newly assigned IDs, such "clumsiness" could also be
designed to make a sophisticated attack look amateurish to
disguise the motives and capabilities of the attacker(s). Or,
this whole thing could be an attempt to achieve "Death to
Blacknet" by undermining user confidence in the anon servers by
spreading "fear, uncertainty, and doubt".
QUESTION: Has anyone with a previously existing,
password-protected identity at anon.penet.fi received an "invalid
password" message recently, even though no attempts to send mail
through the server had been made? If not, then that's a bad sign
because it might indicate that password protection has somehow
been curcumvented by the attacker.
-- Diogenes - a registered pseudonym.
PGP key (ID# D1150D49) available through PGP Public Key Servers
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBLjmja+Rsd2rRFQ1JAQExTAP6A4kTUwufW05Bx5Mznz3AkjDKuP18K5/P
FhZT3LEed2j8x1fxFbwmNdkUnHVsxf+pvA0cfmQQV68CY9R0BIkPEUmf59wMAlZ4
vr6kei5nNw6WFb8W3ihk7GhqynTuIZjGCHdPXP/IaZKcxGx0tdTB2A1A74eVYBB3
yRWrSTbSEbc=
=7yi1
-----END PGP SIGNATURE-----
Return to July 1994
Return to “nobody@kaiwan.com (Anonymous)”
1994-07-30 (Fri, 29 Jul 94 19:01:24 PDT) - Attempted Compromise of anon.penet.fi Server? - nobody@kaiwan.com (Anonymous)