The FBI has traced emails containing bomb threats against Harvard University buildings back to their alleged sender, even though the threatening emails were sent using the anonymizing Tor network.
Eldo Kim, the 20-year-old Harvard undergraduate accused of sending the hoax threats, appeared in court Wednesday to answer related charges. If convicted, he faces up to five years in prison -- followed by three years of supervised release -- and a fine of up to $250,000.
The threats were sent via emails with the subject line "bombs placed around campus" and named four locations. But the emails said that bombs had been placed in only two of those locations. "Guess correctly," the message said. "Be quick for they will go off soon." The emails were sent Monday at 8:30 a.m. to two university officials, the Harvard Crimson daily student newspaper, and the University Police Department, which quickly notified the FBI.
The FBI immediately launched an investigation, assisted by the Bureau of Alcohol, Tobacco, Firearms, and Explosives; the Secret Service; the Joint Terrorism Task Force; and state and local law enforcement agencies. All four buildings were evacuated. Bomb technicians and hazmat officers combed through them but found no bombs. Accordingly, about six hours after the threats were received, officials determined that they were hoaxes, and they allowed the buildings to reopen.
[Tor users may not be as anonymous as they think. See Tor Anonymity Cracked; FBI Porn Investigation Role Questioned.
In theory, using Tor helps anonymize data flowing across the Internet, potentially obscuring the sender or receiver. For example, a leaked National Security Agency presentation titled "Tor Stinks" revealed that the network could hide the identity of users from the US intelligence agency. "We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users."
In reality, however, would-be users need to avoid committing some basic operational security errors. For starters, the timing of the bomb emails was suspicious; they arrived 30 minutes before students were scheduled to begin taking their final exams Monday.
According to an affidavit included in the criminal complaint, someone used the Tor network to connect to Guerrilla Mail, which promises "disposable temporary email addresses," and send the bomb hoaxes. The affidavit was signed by FBI special agent Thomas M. Dalton, who works on one of the FBI's Boston counterterrorism squads. "Both Tor and Guerilla Mail are commonly used by Internet users seeking to communicate anonymously and in a manner that makes it difficult to trace the IP address of the computer being used," he wrote.
But that didn't mean Harvard's IT department couldn't look for anyone who may have been using Tor that morning. That's just what it did. "Harvard University was able to determine that, in the several hours leading up to the receipt of the email messages described above, Eldo Kim accessed Tor using Harvard's wireless network," Dalton wrote.
According to the affidavit, an FBI agent and a Harvard police officer interviewed Kim Monday night. After waiving his Miranda rights, Kim confessed to emailing the threats. "According to Kim, he was motivated by a desire to avoid a final exam scheduled to be held" Monday.
What the affidavit doesn't say is that the bureau likely tracked down its suspect through a process of elimination. "Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed the Tor network, and went through them one by one to find the one who sent the threat," Bruce Schneier, the outgoing security futurologist for BT, wrote in a blog post.
The moral is that, though using Tor obscured the IP address of the person who accessed Guerrilla Mail to send the emails, it didn't obscure the fact that someone was using Tor via the local network. "This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess," Schneier wrote. "Tor didn't break; Kim did."
Furthermore, the Tor traffic likely gives prosecutors added digital forensic evidence as they build a case against Kim. "I don't think any lawyer in the world could save him at this point," Harvard Law School professor Alan M. Dershowitz told the Crimson. He predicted that Kim will plead guilty. "If he was given his Miranda warnings and he confessed, and the forensic evidence supports the use of his computer and the use of the website, he doesn't seem to have a defense and there will probably be some kind of plea bargain. He will be prosecuted and convicted and sentenced."
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach (free registration required).