22 November 2014

Hacker Lexicon: What Is The Dark Web? Hiding In Plain Sight On The Internet Isn’t As Easy, Or Foolproof As You May Think

November 20, 2014 

Mr. Greenberg, writing in the November 19, 2014 edition of Wired.com, says, “with the rise and fall of the Silk Road, and then its rise and fall again, the last couple of years have cast new light on the Dark Web. But,” he observes, “when a news organization as reputable as 60 Minutes [they once were that reputable, but not anymore in my book] describes the Dark Web as ‘a vast, secret, cyber underworld’ that accounts for ‘90 percent of the Internet,’ it’s time for a refresher.”

“The Dark Web isn’t particularly vast; it’s not 90 percent of the Internet,” Mr. Greenberg argues, “and it’s not even particularly secret. In fact,” he writes, “the Dark Web is a collection of web sites that are publicly visible, yet hide the IP addresses of the servers that run them. That means anyone can visit a Dark Web site; but it can be very difficult to figure out where they’re hosted, or by whom.”

Hiding In Plain Sight 

“The majority of Dark Web sites use the anonymity software Tor, though a smaller number also use a similar tool called I2P. Both of those systems encrypt web traffic in layers, and bounce it through randomly-chosen computers around the world, each of which removes a single layer of encryption…before passing the data on to its next hop in the network. In theory,” Mr. Greenberg writes, “that prevents any spy — even one who controls one of those computers in the encrypted chain — from matching the traffic’s origin with its destination.”

“When Web users run Tor, for instance,” Mr. Greenberg explains, “any sites they visit can’t easily see their IP address. But a web site that itself runs Tor, what’s known as a Tor Hidden Service, can only be visited by Tor users. Traffic from both the user’s computer and the web server takes three hops to a randomly chosen meet-up point in the Tor network, like anonymous bagmen trading briefcases in a parking garage.”
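The layering and the rendezvous described in the two paragraphs above, as an added toy model written for this post rather than code from Greenberg’s article or from Tor itself. It assumes a keystream built from SHA-256 in place of Tor’s AES-CTR layers, a fixed 16-byte next-hop header inside each layer, and made-up relay names and session keys; Tor’s real cell format and key exchange are not shown.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

HOP_FIELD = 16  # fixed-width next-hop header carried inside every layer (assumed layout)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream SHA-256(key || nonce || counter), standing in for Tor's AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", block)).digest()
        block += 1
    return bytes(out[:length])


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a keystream is its own inverse: one call adds or removes a layer."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_onion(path: List[str], keys: Dict[str, bytes], destination: str,
                payload: bytes, nonce: bytes) -> bytes:
    """Wrap payload in one layer per relay; the innermost layer belongs to the last relay.

    keys[relay] is the session key negotiated with that relay while extending the
    circuit hop by hop, so no relay holds any other relay's key.
    """
    hops = path + [destination]
    cell = payload
    for i in range(len(path) - 1, -1, -1):
        assert len(hops[i + 1]) <= HOP_FIELD, "hop name must fit the header"
        header = hops[i + 1].ljust(HOP_FIELD).encode()
        cell = xor_layer(keys[path[i]], nonce, header + cell)
    return cell


def relay_peel(key: bytes, nonce: bytes, cell: bytes) -> Tuple[str, bytes]:
    """A relay strips exactly one layer and learns only where to forward the remainder."""
    plain = xor_layer(key, nonce, cell)
    return plain[:HOP_FIELD].decode().strip(), plain[HOP_FIELD:]


def traverse(sender: str, first_hop: str, cell: bytes,
             keys: Dict[str, bytes], nonce: bytes):
    """Push a cell through the circuit, recording (relay, previous hop, next hop)."""
    seen = []
    prev, current = sender, first_hop
    while current in keys:
        next_hop, cell = relay_peel(keys[current], nonce, cell)
        seen.append((current, prev, next_hop))
        prev, current = current, next_hop
    return seen, current, cell


def rendezvous_demo():
    """Client and hidden service each take three hops to the same rendezvous relay."""
    nonce = b"circuit-0001"
    message = b"GET /index.html HTTP/1.1"
    # Key shared only by client and service after the rendezvous handshake: every relay,
    # the rendezvous point included, sees only this sealed form of the payload.
    e2e_key = b"client<->service"
    sealed = xor_layer(e2e_key, b"e2e", message)

    # Separate session keys per circuit; the rendezvous relay has one with each side.
    client_keys = {"c_guard": b"ck1", "c_middle": b"ck2", "rendezvous": b"ck3"}
    service_keys = {"s_guard": b"sk1", "s_middle": b"sk2", "rendezvous": b"sk3"}

    # The "destination" beyond the rendezvous relay is the other side's circuit.
    client_onion = build_onion(["c_guard", "c_middle", "rendezvous"], client_keys,
                               "service-circuit", sealed, nonce)
    client_seen, _, at_rp = traverse("client", "c_guard", client_onion,
                                     client_keys, nonce)

    service_onion = build_onion(["s_guard", "s_middle", "rendezvous"], service_keys,
                                "client-circuit", sealed, nonce)
    service_seen, _, _ = traverse("hidden-service", "s_guard", service_onion,
                                  service_keys, nonce)

    # What the rendezvous relay holds, and what only the endpoints can recover from it.
    return client_seen, service_seen, at_rp, xor_layer(e2e_key, b"e2e", at_rp)


if __name__ == "__main__":
    client_seen, service_seen, _, _ = rendezvous_demo()
    for entry in client_seen + service_seen:
        print("relay %-11s saw prev=%-14s next=%s" % entry)
```

Running the demo prints what each relay saw: the guard knows the client but only the middle relay beyond it, and the rendezvous point sees a middle relay on each side plus a payload it cannot read. Compromising any single relay therefore yields one neighbour on either side, which is the property the paragraph describes; it says nothing about an adversary who can watch both ends of a circuit at once, which is the subject of the traffic-analysis research discussed later in this post.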

“Just because the IP addresses of those sites are kept hidden, however, doesn’t mean they’re necessarily secret,” Mr. Greenberg correctly asserts. “Tor hidden services like the drug-selling sites Silk Road, Silk Road 2, Agora, and Evolution,” he adds, “have had hundreds of thousands of regular users; anyone who runs Tor and knows the site’s URL, which for Tor hidden services ends in ‘.onion,’ can easily visit those online ['black'] marketplaces.”

Not To Be Mistaken With The Deep Web

“When news sites mistakenly describe the Dark Web as accounting for 90 percent of the Internet, they’re confusing it with the so-called Deep Web, the collection of all sites on the web that aren’t reachable by a search engine. Those unindexed sites,” Mr. Greenberg says, “do include the Dark Web; but they also include much more mundane content like registration-required web forums, and dynamically-created pages like your Gmail account, hardly the scandalous stuff 60 Minutes had in mind. The actual Dark Web, by contrast, likely accounts for less than 0.01 percent of the Web: Security researcher Nik Cubrilovic counted fewer than 10,000 Tor hidden services in a recent crawl of the Dark Web, compared with hundreds of millions of regular websites.”

A Few Cracks Of Light — May Be All That’s Needed

“Though the Dark Web is most commonly associated with the sale of drugs, weapons, counterfeit documents, and child pornography — all those vibrant industries do in fact take advantage of Tor hidden services — not everything on the Dark Web is quite so ‘dark,’” Mr. Greenberg contends. “One of the first high-profile Dark Web sites was the Tor hidden service WikiLeaks created to accept leaks from anonymous sources. That idea has since been adapted in a tool called SecureDrop, software that integrates with Tor hidden services to let any news organization receive anonymous submissions. Even Facebook has launched a Dark Web site aimed at better catering to users who visit the site using Tor to evade surveillance and censorship,” Mr. Greenberg wrote.

“Just how completely Tor can evade the surveillance of highly-resourced law enforcement and intelligence agencies, however, remains an open question,” Mr. Greenberg concludes. “In early November [2014], a coordinated action by the FBI and Europol known as Operation Onymous seized dozens of Tor hidden services, including three of the six most popular drug markets on the Dark Web. For now, just how the Feds located these sites remains a mystery. Some [cyber] security researchers speculate that government hackers used so-called ‘denial-of-service’ attacks to force the sites’ traffic onto Tor relays they controlled, thus tracing their IP addresses. Or they may have simply used old-fashioned investigative techniques such as turning administrators into informants, or found other hackable vulnerabilities in the target sites.”

“Either way, the message is clear,” Mr. Greenberg ends. “Even on the Dark Web, it only takes a few small cracks — to let the light in.”

81 Percent Of Tor Users Can Easily Be Unmasked By Analyzing Router Information 

In a separate but related article, Swati Khandelwal, writing in The Hacker News on November 18, 2014, notes that “the latest research suggests that more than 81 percent of Tor users can be ‘de-anonymized’ by exploiting the traffic analysis software, ‘NetFlow technology,’ that Cisco has built into its router protocols.”

Khandelwal writes that “NetFlow is a network protocol designed to collect and monitor network traffic. The technique involves analyzing ‘data in the network flows,’ which can then be juxtaposed with TCP connections, or other IP packets sharing common characteristics, such as UDP packets sharing source and destination IP addresses, port numbers, and other information.”

And the analysis showing that at least 81 percent of Tor users can be de-anonymized was a six-year effort. Professor Sambuddho Chakravarty, a former [cyber] security researcher at Columbia University’s Network Security Lab, and now researching network anonymity and privacy at the Indraprastha Institute of Information Technology in Delhi, India, “used a technique, in order to determine Tor relays, which involved a modified public Tor server running on Linux, accessed by the victim or client, and a modified Tor node that can form one-hop circuits with arbitrary legitimate nodes.”

“According to the research paper,” Khandelwal writes, “large-scale traffic analysis attacks in the Tor environment do not necessarily require the resources of a nation-state; even a single Autonomous System (AS) may observe a large fraction of entry and exit node traffic.” Indeed, the paper concludes that “even a single AS could monitor more than 39 percent of randomly-generated Tor circuits.”

“Chakravarty’s research on traffic analysis doesn’t need hundreds of millions of dollars in expense, nor the kind of infrastructural effort that the NSA puts into its FoxAcid Tor redirects; however, it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays,” Khandelwal noted.
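The flow-record correlation that the NetFlow passage and Chakravarty’s setup above describe, as an added example written for this post; it is not code from the paper or from The Hacker News. In that attack the adversary’s own server shapes the traffic it sends back to a Tor client and then looks for the same shape in flow records collected near the candidate clients. The example assumes a 5-second bin width, a Pearson correlation with a 0.9 acceptance threshold, and constructed addresses, injected pattern and flow records; the paper’s actual pattern, statistic and thresholds are not on this page.

```python
from math import sqrt
from typing import Dict, List, Optional, Tuple

BIN_SECONDS = 5            # flow records are bucketed into 5-second bins (assumed width)
NUM_BINS = 12
GUARD_IP = "203.0.113.10"  # the victim's Tor entry relay (constructed address)

# Pattern the adversary's server injected into the victim's connection: packets sent
# toward the client through Tor, per bin. Constructed; the paper's real pattern is not shown.
INJECTED_PATTERN: List[int] = [0, 400, 0, 0, 400, 400, 0, 400, 0, 0, 0, 400]

# A few raw NetFlow-style records from the router in front of the candidate clients:
# (flow start, src, dst, packets). Constructed to show the bucketing step.
RAW_RECORDS: List[Tuple[int, str, str, int]] = [
    (0, GUARD_IP, "10.0.0.5", 3),
    (5, GUARD_IP, "10.0.0.5", 250),
    (7, GUARD_IP, "10.0.0.5", 162),   # same bin as the record above: summed
    (5, GUARD_IP, "10.0.0.7", 130),
    (0, "10.0.0.5", GUARD_IP, 40),    # upstream direction: not what was perturbed
]

# The same bucketing applied to a full capture window (constructed). Only 10.0.0.5 was
# actually talking to the adversary's server; the others carry unrelated traffic.
CLIENT_FLOWS: Dict[str, List[int]] = {
    "10.0.0.5":  [3, 412, 5, 2, 395, 408, 4, 390, 6, 3, 1, 421],
    "10.0.0.7":  [120, 130, 110, 125, 118, 122, 131, 115, 119, 128, 124, 117],
    "10.0.0.9":  [500, 500, 480, 0, 0, 0, 0, 510, 490, 470, 0, 0],
    "10.0.0.12": [0, 0, 10, 0, 0, 5, 0, 0, 0, 12, 0, 0],
}


def bin_records(records, src: str = GUARD_IP,
                num_bins: int = NUM_BINS) -> Dict[str, List[int]]:
    """Group guard->client flow records by destination and sum packets per time bin."""
    series: Dict[str, List[int]] = {}
    for start, s, d, packets in records:
        if s != src:
            continue
        b = start // BIN_SECONDS
        if b < num_bins:
            series.setdefault(d, [0] * num_bins)[b] += packets
    return series


def pearson(x: List[int], y: List[int]) -> float:
    """Pearson correlation; 0.0 when either series is flat (e.g. an idle client)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def rank_candidates(pattern: List[int],
                    flows: Dict[str, List[int]]) -> List[Tuple[str, float]]:
    """Score every candidate client against the injected pattern, best match first."""
    scored = [(ip, pearson(pattern, series)) for ip, series in flows.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def identify_victim(pattern: List[int], flows: Dict[str, List[int]],
                    threshold: float = 0.9) -> Optional[str]:
    """Name the victim only when the best match clears the threshold; otherwise None."""
    if not flows:
        return None
    ip, r = rank_candidates(pattern, flows)[0]
    return ip if r >= threshold else None


if __name__ == "__main__":
    for ip, r in rank_candidates(INJECTED_PATTERN, CLIENT_FLOWS):
        print(f"{ip:<10} r={r:+.3f}")
    print("victim:", identify_victim(INJECTED_PATTERN, CLIENT_FLOWS))
```

bin_records shows the aggregation step the quoted passage alludes to: NetFlow exports one record per flow with packet and byte counters, so records sharing source, destination and time bin are summed into a series per client. The idle client 10.0.0.12 exercises the flat-series guard in pearson, and identify_victim returns None rather than a guess when no candidate clears the threshold, which is the false-positive control a practitioner would want before acting on such a match.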

Taken Together — The Two Articles Have Implications For The Intelligence Community, Privacy Advocates and Law Enforcement

The bottom line: it is very difficult to hide on the Internet, even when using an anonymity network such as Tor, or encryption. Enough digital exhaust, enough digital ‘bread crumbs’, is more often than not sufficient for a determined adversary or foe to discern who the originator of a particular traffic stream really is. This means that we should use this kind of research to our advantage when collecting against a foreign adversary, and also be cognizant that these same techniques will be used against us: to expose our undercover operatives, thwart law enforcement, and perhaps lay false trails, denial, deception, and so on. V/R, RCP
