How Tor helped catch the Harvard bomb threat suspect
A student named Eldo Kim has been accused of emailing bomb threats to Harvard University buildings to delay final exams. For anonymity and privacy advocates as well as practitioners of OPSEC (operational security), what's more interesting is the way he was caught.
According to the criminal complaint by the U.S. attorney's office in Massachusetts, the messages were allegedly sent around 8:30am on a Monday morning to offices including the Harvard University Police Department and Harvard Crimson. They originated from a service called GuerillaMail, which advertises disposable, temporary email addresses. According to the affidavit of FBI agent Thomas M. Dalton, “investigation yielded information that the person who sent the e-mail messages accessed Guerrilla Mail by using ... Tor” and that “Harvard University was able to determine … Eldo Kim accessed Tor using Harvard’s wireless network.”
Tor is the premier online anonymity software, which routes a user's connection through several “nodes” and, if used correctly, conceals their true location and identity. So does this mean that Tor is broken? Not at all.
The affidavit is lacking in crucial detail about how Eldo Kim was identified, but here's how it could have happened.
A Tor circuit is defined by the nodes a message traverses, including the node where it enters the network and the node where it exits, using a technique called onion routing. The list of Tor exit nodes is publicly available, and the “relays” where connections enter the network are publicly listed as well. The IP address of the exit node used by the suspect was included in a header labeled ‘X-Originating-IP,’ which GuerillaMail tacks onto outgoing emails by default, and that IP would also have appeared in GuerillaMail's access logs. At the other end, the address of the entry node, and the suspect's connection to it, could be observed by Harvard through metadata analysis of its network's traffic-flow logs for the time in question. Matching an IP address against the list of Tor relays is trivial at either end.
Harvard University is presumed to retain logs of recent network activity, and users of its Wi-Fi network are required to authenticate with their registered campus ID. It sounds like network administrators merely looked to see who was using the Tor protocol or connecting to a known Tor relay's IP address at the time the emails were sent. They would have settled on Kim because his campus ID and his computer's MAC address were attached to that activity, and the list of people accessing Tor on campus during that time frame, and thus the number of suspects to be questioned, was probably very small.
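The two checks described above (on the receiving side, the exit IP from the X-Originating-IP header matched against the relay list; on the network side, campus flow and authentication logs matched against the same list around the sending time), as an added Python example. This is not code from the article, from Harvard, the FBI or GuerillaMail; every IP address, relay address, timestamp, campus ID and MAC address, the header format, and the relay set standing in for the public relay list are constructed for illustration.

```python
"""
Retrospective correlation of network flow records with the public Tor relay
list, the kind of check the article suggests Harvard's administrators ran.

Added example: not code from the article, nor from Harvard, the FBI or
GuerillaMail. Every IP address, relay address, timestamp, campus ID and MAC
address below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed stand-in for the public Tor relay list (the real list is
# published by the Tor directory authorities and changes continuously).
KNOWN_TOR_RELAYS = {"203.0.113.7", "203.0.113.9", "198.51.100.40", "198.51.100.77"}

# Common relay listening ports; relays may use others, so the destination IP
# is the real signal and the port is only a supporting hint.
COMMON_OR_PORTS = {443, 9001}

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes"
FLOW_LOG = """\
2013-12-16T08:02:11Z 10.20.5.14 93.184.216.34 443 5120
2013-12-16T08:24:05Z 10.20.7.88 203.0.113.7 9001 41230
2013-12-16T08:25:59Z 10.20.4.2 192.0.2.10 80 700
2013-12-16T08:26:40Z 10.20.5.14 198.51.100.40 443 8870
2013-12-16T08:57:13Z 10.20.9.3 203.0.113.9 443 60211
2013-12-16T09:15:00Z 10.20.7.88 203.0.113.7 9001 12000
"""

# Constructed campus Wi-Fi authentication records: "timestamp ip campus_id mac"
AUTH_LOG = """\
2013-12-16T07:50:00Z 10.20.5.14 user_a 00:11:22:33:44:55
2013-12-16T08:10:00Z 10.20.7.88 user_b 66:77:88:99:aa:bb
2013-12-16T08:20:00Z 10.20.9.3 user_c cc:dd:ee:ff:00:11
2013-12-16T08:00:00Z 10.20.4.2 user_d 22:33:44:55:66:77
"""

# Constructed header in the shape a disposable-mail service might add; the
# exact format GuerillaMail uses is not shown in the article.
SAMPLE_HEADER = "X-Originating-IP: [198.51.100.77]"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def parse_auth(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, campus_id, mac = line.split()
        records.append({"ts": parse_ts(ts), "ip": ip, "id": campus_id, "mac": mac})
    return records


def lookup_user(auth_records, ip, at):
    """Most recent authentication of `ip` at or before time `at`."""
    candidates = [r for r in auth_records if r["ip"] == ip and r["ts"] <= at]
    if not candidates:
        return ("unknown", None)
    latest = max(candidates, key=lambda r: r["ts"])
    return (latest["id"], latest["mac"])


def header_ip_is_tor_relay(header_line, relays=KNOWN_TOR_RELAYS):
    """Receiving side: is the sender IP the mail service recorded a known relay?"""
    m = re.search(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$", header_line)
    return bool(m) and m.group(1) in relays


def correlate(flow_text, auth_text, sent_at, slack=timedelta(minutes=15),
              relays=KNOWN_TOR_RELAYS):
    """Network side: which authenticated devices talked to a known relay around `sent_at`?"""
    auth = parse_auth(auth_text)
    start, end = sent_at - slack, sent_at + slack
    hits = defaultdict(list)
    for f in parse_flows(flow_text):
        if f["dst"] in relays and start <= f["ts"] <= end:
            who = lookup_user(auth, f["src"], f["ts"])
            hits[who].append({"ts": f["ts"].isoformat(), "relay": f["dst"],
                              "port_hint": f["port"] in COMMON_OR_PORTS})
    return dict(hits)


if __name__ == "__main__":
    print("exit IP in header is a relay:", header_ip_is_tor_relay(SAMPLE_HEADER))
    for who, conns in correlate(FLOW_LOG, AUTH_LOG, parse_ts("2013-12-16T08:30:00Z")).items():
        print(who, conns)
```

With the constructed data, two of the four authenticated devices contacted a relay inside the fifteen-minute window; the one that connected at 08:57 falls outside it and is not reported. A hit only shows that a device talked to an address on the relay list around that time: relays can serve ordinary traffic, port 443 is shared with every HTTPS site, and nothing about the encrypted content is recovered, which is why the article stresses that the confession, not the logs, settled the matter. The example also makes concrete what the privacy questions later in the article are about: this correlation is only possible if flow records and authentication records are retained and joinable after the fact.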
Indeed, by looking at potential motive, the targeted buildings, and the time the emails were sent, authorities were likely able to drastically narrow their list of potential suspects, as security researcher @thegrugq noted.
The text of the actual bomb threat could not have been read or captured as it traveled between Kim’s computer and GuerillaMail's servers, since Tor applies layers of encryption to data in transit and GuerillaMail uses SSL/HTTPS on its website. GuerillaMail had little to offer the FBI beyond the fact that the message originated from Tor, and when. Yet after receiving the email and determining that it came from a Tor user, authorities were able to go back in time and correlate it with Tor activity on Harvard's network, without ever having been able to see its content in transit.
This raises important questions about the extent of logging and monitoring which is done by Harvard, and whether their practices are conducive to students' privacy.
Now I'm curious about the kind of network logs Harvard is keeping that let them retrospectively ID Tor users.— matt blaze (@mattblaze) December 18, 2013
After last year's email search scandal, I'd think Harvard would have thought very carefully about keeping logs of net activity.— matt blaze (@mattblaze) December 18, 2013
Catching idiots who email bomb threats is all well and good, but wonder what the access policy for these logs is.— matt blaze (@mattblaze) December 18, 2013
The policy, titled “Computer Rules and Responsibilities,” from Harvard’s IT department reads: “HUIT reserves the right to scan the Harvard network and systems connected to it to assist in identifying and protecting against exploitable security vulnerabilities (e.g., viruses) and to preserve network integrity and availability of resources (e.g., sufficient bandwidth).”
Upon being questioned by the FBI, Kim allegedly confessed. That’s crucial. Without an admission of guilt, his actions would have been difficult to prove definitively, since he could have been accessing the Tor network for some other purpose. It seems as though the guy panicked about the exam, sent the emails at the last minute, but didn’t think it through.
Ultimately Kim may have been caught because he used Tor, rather than in spite of the fact he did.
A version of the article originally appeared on Wireless Fantasy.
Photo by cthulhuwho1/Flickr (remix by Fernando Alfonso III)