On catching the Harvard bomb threat suspect using Tor
December 18, 2013 | #OopsSec | @ageis
The announcement of a criminal complaint by the U.S. attorney’s office in Massachusetts against one Harvard University student named Eldo Kim has the public musing on why one would deem this an appropriate method of delaying final exams, but for anonymity/privacy advocates as well as practitioners of OPSEC (operational security), what’s more interesting is the way he was caught.
The messages were allegedly sent around 8:30AM Monday morning to offices including the Harvard University Police Department and Harvard Crimson. They originated from a service called GuerillaMail, which advertises disposable, temporary e-mail addresses. According to the affidavit of FBI agent Thomas M. Dalton, “investigation yielded information that the person who sent the e-mail messages accessed Guerrilla Mail by using. . .Tor.” and that “Harvard University was able to determine. . .Eldo Kim accessed Tor using Harvard’s wireless network.”
Of course, Tor is the premier online anonymity software, which routes a user’s connection through several “nodes”, and if used correctly, is able to conceal their true location and identity. So does this mean that Tor is broken? Not at all. The affidavit is lacking in crucial detail about how Eldo Kim was identified, but here’s how it could have happened.
A Tor circuit is defined by the nodes that a message traverses and where it enters and exits, employing a concept called onion routing. While the list of Tor exit nodes is publicly available, “relays” where connections enter are known as well. The IP address of the exit node used by the suspect was included in a header labeled ‘X-Originating-IP’ which is tacked onto e-mails sent from GuerillaMail by default, and that IP also would have appeared in their access logs. On the other hand the address of the entry node, and the suspect’s connection to it, could be observed by Harvard via metadata analysis of a traffic flow log on their network during the time in question. It’s trivial to correlate an IP address with Tor at either end of the equation.
Harvard University is presumed to retain logs of recent network activity, and furthermore, users of their WiFi network are required to authenticate with their registered campus ID. It sounds like network administrators merely looked to see who was using the Tor protocol, or connecting to a known Tor relay’s IP address at the time the e-mails were sent. They would have settled upon Kim because his identification and computer’s MAC address was attached to the activity, and the list of people accessing Tor on campus during that time-frame, and thus the number of suspects to be questioned, is probably very small.
Security researcher @thegrugq has more to say on the police investigator’s point of view: “Clearly finals week makes it likely it is a student. Secondly, the casual phrasing of the target locations suggests someone who is familiar with the campus, again pointing towards a student. At this point, the student population that had exams scheduled for any of those locations would be the collective pool of suspects (the only people with motive). Since the emails were sent 30 minutes before the exam, that means it was likely someone who was within a sub-30m travel range of those exam halls so he can maintain his cover as a student prepared to take the exam… i.e. someone who is likely on the campus grounds already.”
The text of the actual bomb threat would have been indecipherable and unable to be captured as it traveled between Kim’s computer and the servers of GuerillaMail, since layers of encryption are applied to data in transit via Tor, and they employ SSL/HTTPS on their website. GuerillaMail had little to proffer the FBI other than the fact the message originated from Tor and when. Yet, after receipt of the e-mail and determining it was from a Tor user, authorities were able to go back in time and correlate it with Tor activity on their network, without being certain about content. They don’t even need deep packet inspection to do this, just a list of source and destination IP addresses and ports.
This raises important questions about the extent of logging and monitoring which is done by Harvard, and whether their practices are conducive to students’ privacy.
The policy titled Computer Rules and Responsibilities from Harvard’s IT department reads: “HUIT reserves the right to scan the Harvard network and systems connected to it to assist in identifying and protecting against exploitable security vulnerabilities (e.g., viruses) and to preserve network integrity and availability of resources (e.g., sufficient bandwidth).”
Upon being questioned by the FBI, Kim allegedly confessed. This is key because without that, his action might be difficult to prove definitively, since he could have been accessing the Tor network at 8:30AM on Monday for some other purpose. Until that confession, the authorities were likely only guessing, and the perpetrator could have been any other Tor user or Harvard student.
thegrugq says, “He had a clear technical plan on how he was going to do it, but I think he didn’t really account for the things that would happen afterwards.” thegrugq believes it’s likely Kim wasn’t prepared for handling the interview, which he would have faced at some point even without Tor, although “it should be noted that the FBI are trained manipulative interrogation professionals.” It seems as though the guy panicked about the exam, sent the e-mails at the last minute, but didn’t think it through fully.
In this case, it’s likely that Eldo Kim’s OPSEC mistakes led to his downfall. Ultimately he may have been caught because he used Tor, rather than in spite of the fact he did. To disguise that you’re connecting to Tor, one needs to do extra configuration and use “private/obfuscated bridges” in order to avoid known entrance nodes. If he desired to not be caught, as his use of Tor indicates, he could have taken more steps to cover his tracks, such as connecting from someplace off-campus or with a VPN. He definitely shouldn’t have used the university WiFi, which would’ve easily compromised his security.
Users browsing this forum: No registered users and 5 guests