Topic: [EN] Mapping the Dark Web
06-03-2016, 14:00 #1
[EN] Mapping the Dark Web
The Dark Web is officially defined as "websites that cannot be accessed or reached without the use of specialised software", the most widely used and common of which is the TOR browser (The Onion Router).
Tuesday, 1 March 2016
The core principle of Tor, 'onion routing', was developed in the mid-1990s by the US Naval Research Lab with the purpose of protecting U.S. Intelligence communications online. In 2006, the TOR project was founded and made free for all to use. This initially led to a rise in use by journalists to protect their identity in countries without freedom of speech, then a rise in whistle-blower sites such as Wikileaks.
However, the privacy benefits of TOR have led to an unchecked rise in illegal activities, where criminals use Tor to create and run hidden online marketplaces from child pornography to drugs, leaked data, credit cards, fake documentation and weapons; all can be purchased using normal currency or Bitcoins.
ZeroDayLab’s partner Intelliagg released a white paper on the Dark Web, where over a sample period, they monitored over 30,000 top level sites or .onion (Hidden Services).
Through compiling the hidden service address list from different sources, from spidering, private link lists and monitoring the TOR network itself, Intelliagg interrogated hidden services over port 80 and 443 using a mixture of human and machine learning information gathering techniques.
Key findings from the research include:
- 46% of the 30,000 hidden services analysed were active at the time of the assessment (the other 54% of sites could be attributed to C2 servers or other temporary uses such as onion shares, ricochet chat).
- 76% of the sites were in English, with Chinese and German, unsurprisingly, as the second and third languages.
- 48% of the sites were classified as illegal.
- With manual classification of over 1,000 sites, it was deemed that 68% of the content was illegal according to US and UK law.
- File sharing (29%), leaked data (28%), and financial fraud (12%) were the top classifications of hidden marketplaces. Surprisingly, hacking only made up 3% of the sites interrogated.
- Interestingly, 39% of sites interrogated were unlinked, meaning they were extremely difficult to find.
In addition to the research conducted, Intelliagg has provided an interactive map, found here, which I highly recommend viewing and exploring the vast and now visible dark web.
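The post above says the hidden services were "interrogated over port 80 and 443". The following is an added example of how such a probe is done in practice; it is not Intelliagg's tooling or code from the original post. It assumes a local Tor daemon listening on 127.0.0.1:9050 (Tor's default SocksPort) and uses placeholder .onion names that are constructed for the example. The point a practitioner should take from it is that the .onion name has to be handed to Tor inside the SOCKS5 CONNECT request (address type 0x03, DOMAINNAME) so that nothing on the scanning host ever tries to resolve it; resolving locally fails for .onion names and, on a misconfigured host, sends the name to a DNS resolver.

```python
"""Probe a list of .onion hidden services through Tor's SOCKS5 port.

Added example (not code from the original post). Assumes Tor's SocksPort is
127.0.0.1:9050. SAMPLE_ONIONS are constructed placeholders, not real services.
"""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # assumed local Tor SocksPort

# Constructed sample list: placeholders, not real onion addresses.
SAMPLE_ONIONS = [
    "exampleaaaaaaaaa.onion",
    "examplebbbbbbbbb.onion",
]

# RFC 1928 reply codes for the REP field of a SOCKS5 reply.
SOCKS5_ERRORS = {
    0: "succeeded",
    1: "general SOCKS server failure",
    2: "connection not allowed by ruleset",
    3: "network unreachable",
    4: "host unreachable",
    5: "connection refused",
    6: "TTL expired",
    7: "command not supported",
    8: "address type not supported",
}


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT using ATYP=3 (DOMAINNAME) so Tor resolves the name."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 DOMAINNAME")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, name length, name, big-endian port
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks5_reply_status(reply: bytes) -> int:
    """Return the REP field (0 = succeeded) of a SOCKS5 reply header."""
    if len(reply) < 2 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 80, timeout: float = 30.0) -> str:
    """Ask Tor to connect to host:port and return a short status string."""
    with socket.create_connection(TOR_SOCKS, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")  # greeting: one method offered, NO AUTH
        if _recv_exact(s, 2) != b"\x05\x00":
            return "tor refused the no-auth method"
        s.sendall(socks5_connect_request(host, port))
        head = _recv_exact(s, 4)  # VER, REP, RSV, ATYP
        status = socks5_reply_status(head)
        if status != 0:
            return SOCKS5_ERRORS.get(status, f"socks error {status}")
        # Drain BND.ADDR and BND.PORT according to the bound address type.
        if head[3] == 1:
            _recv_exact(s, 4 + 2)
        elif head[3] == 3:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif head[3] == 4:
            _recv_exact(s, 16 + 2)
        # The tunnel is up: send a minimal HTTP request and keep the status line.
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        first = s.recv(128).split(b"\r\n", 1)[0]
        return first.decode(errors="replace") or "connected, no HTTP banner"


if __name__ == "__main__":
    for onion in SAMPLE_ONIONS:
        try:
            print(onion, "->", probe(onion))
        except OSError as exc:
            print(onion, "->", f"error: {exc}")
```

A "host unreachable" or similar non-zero SOCKS reply is what an inactive hidden service looks like from the outside, which is the distinction behind the 46% active / 54% inactive split in the findings; a service that is up but answers with no HTTP banner on port 80 is still "active" and would need a second probe on 443.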
06-03-2016, 17:33 #2
Dark Web drugs, data dumps and death: Which countries specialize in what services?
An interesting study on the global underground company shows that money can get you anything -- wherever you are.
March 2, 2016
China's hacking hardware, the United States' assassins or Japan's taboo content -- in the Dark Web, only money matters.
On Tuesday, Trend Micro researchers released a whitepaper (.PDF) documenting the results of an investigation into the Web's underbelly, asking if the underground is connected globally, or whether there are countries which have a certain illegal "specialization" in goods or services.
There are three loose layers of the Internet; the "Clear" Web, the "Deep" Web and the "Dark" Web. The Clear Web is where we go for daily tasks and to visit standard websites through search engines such as Google, Bing and Baidu.
The "Deep" Web is the layer underneath which is not indexed by standard search engines, and has to be accessed through a service such as the Tor network to access .onion websites hosted in this area.
Lastly, the "Dark" Web is a fraction of the Deep Web where illegal dealings take place, such as the purchase of weapons, drugs, counterfeit documents and hacking tools.
The average person is unlikely to go beyond the Clear Web, but the rest of the Internet is open to anyone using the right setup.
Over the past few years, Trend Micro has conducted a number of research projects focusing on these areas and the underground economy at large. Within the latest research paper, Trend Micro focuses on comparisons between different countries, their users and their online activities.
The team focuses on six main markets: Russia, Japan, China, Germany, the US and Canada, and finally Brazil. Trend Micro says that a "global cybercriminal underground market" does not exist; rather, each country's economy is unique -- and the goods being sold are different, too.
In Russia, where stolen data sales run rife, stiff competition from Dark Web vendors has pushed up the efficiency levels of supplying illegal goods and data such as credit card information. Trend Micro says sellers from this country are forced to "step up their game by providing goods in the shortest amount of time and most efficient manner possible," and often take business away from rivals such as Germany.
If you're looking for prototype software, services and cracking tools -- as well as hardware -- the Chinese forums are the best place to start. The researchers say that Chinese users are the quickest to adapt to changing trends in the cybercrime world, and they are also "leading the way" in cybercriminal innovation.
Skimming equipment, hardware, exploits and hacking tools abound, as well as social engineering toolkits and a swathe of ready-made systems for cybercriminals.
Likely due to language barriers, German vendors stock their websites full to the brim with as many products as possible. However, these products generally serve a niche market, such as droppers which exploit vulnerabilities in software only recognizable to German buyers.
Trend Micro says sellers from this country often rely on Russia for tips and trading tactics, and there is most likely collaboration between the two countries given clues such as cross-advertising and overlapping profiles.
The US and Canada
Vendors based in the US do not often close their doors to the uninitiated; rather, they encourage new members and novices to engage in cybercrime.
"It is not a locked vault accessible only to the tech-savviest of hackers but rather a glass tank -- open and visible to both cybercriminals and law enforcement," the team says.
The US is also, ironically, the best place for the darkest and most dangerous services and purchases, including assassination services and murder-for-hire.
Meanwhile in Canada, the underground economy is not as well-developed or efficient as others. However, vendors are still making a profit on counterfeit documents and credentials including driver's licenses and passports, as well as stolen financial data and information dumps. Vendors are also known to sell their wares worldwide.
Japanese underground dwellers focus less on the illegal and more on the taboo, including forums locked to Japanese speakers who communicate in code. Anonymity is king, and Japanese buyers and sellers do everything possible to keep surveillance at bay.
Unlike other markets, Japanese sellers also often accept unusual means of payment, such as gift cards and forum points.
Brazil is an interesting case. Dubbed the "fastest route to cybercriminal superstardom," Brazilian sellers are young, bold, and completely disregard the law on their quest for notoriety.
Sellers from this country will also brazenly advertise on the Clear Web and inflate their own egos by boasting of their wares and exploits. Due to this, Brazilian underground players are most often seen working alone.
06-03-2016, 17:40 #3
Why CloudFlare can never satisfy Tor die-hards, and shouldn't try
Tor admins say that CloudFlare security makes the service unusable. CloudFlare said there is no way for them to placate Tor users while protecting their customers.
March 1, 2016
About a week ago Jacob Appelbaum, an advocate, security researcher, and developer at the Tor Project, launched an angry and frustrated trouble ticket complaining about the treatment of Tor users on sites protected by networking giant and security vendor CloudFlare.
"[CloudFlare] do not appear open to working together in open dialog, they actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and, frankly, they run untrusted code in millions of browsers on the web for questionable security gains," said Appelbaum.
CloudFlare seems sympathetic, but there are few benefits in going out of its way to give Appelbaum and others a good user experience.
The basic issue here is that Tor anonymizes traffic. As with so much in security, reputation analysis is a critical part of the protection that CloudFlare provides to its customers. Tor makes reputation analysis impossible beyond the point of the Tor exit node. As a result, CloudFlare must treat even repeated interaction with a Tor node, even a simple GET request, as suspicious and possibly a bot. It treats the traffic so by using CAPTCHA challenges. Obviously repeated CAPTCHA challenges make for a lesser user experience.
CloudFlare CTO John Graham-Cumming and Marek Majkowski, a systems engineer, spent some time discussing these problems in the ticket thread. But the Tor users don't cut them a whole lot of slack and express little concern for the needs of CloudFlare and its customers.
Graham-Cumming rebuffed some complaints, arguing that there can be malicious traffic coming from Tor exit nodes. Sometimes it's reasonable for CloudFlare customers to block entire nodes, particularly if they are geolocated in regions where the CloudFlare customer has no legitimate clients.
And it's not just CloudFlare
A recent Akamai "State of the Internet" report contained an entire section on Tor. They looked at traffic inbound to about 3,000 Akamai customers. The key data from the report pointed to malicious traffic constituting a much higher portion of Tor traffic -- about 1 in 380 requests -- than non-Tor traffic -- about 1 in 11,500. Certainly the non-Tor traffic dwarfed the Tor traffic, so only 1.26 percent of attack requests were from Tor exit nodes, but that's a high percentage considering that only 0.04 percent of traffic was from Tor. On the other hand, and somewhat to my surprise, the conversion rates for requests to commerce sites were not all that different (1:895 for Tor, 1:834 for non-Tor), so Tor customers have value.
In the end, Akamai doesn't tell customers to do one thing or the other, but it hints that for customers with sophisticated and up-to-date web application security it makes sense to let Tor traffic through and to scrutinize it heavily, just as they do with non-Tor traffic.
For other sites, the risks of accepting any Tor traffic may well outweigh the potential benefits. This Akamai data hasn't been updated in subsequent reports, including the Q4 report released today.
This is basically CloudFlare's philosophy as well, although their default settings may be more restrictive than Akamai's. Many of these impediments to Tor users are set by the CloudFlare customer. It is their decision, not CloudFlare's, to make their service more or less accessible to Tor users. The default settings of CloudFlare services are important, but a clear consensus has developed over the years that the defaults for security products should tend to be stricter and that users should affirmatively relax restrictions, if that is what they wish. And more than its competitors, CloudFlare emphasizes security in its marketing, although CDN performance is obviously an important function.
I spoke to CloudFlare CEO Matthew Prince. A key takeaway is that he wants to accommodate Tor users as best he can, arguing strongly for the ability to be anonymous. But Tor users aren't his customers. Customers come to CloudFlare to get security for their sites, and so whatever he does he can't compromise that security, and I don't think he would want to.
One illustrative point Prince made was, as Graham-Cumming had indicated in the Tor Project thread, that they would now allow customers to whitelist specific Tor exit nodes. This elicited much enthusiasm on the Tor project thread, but Prince says that it's not something that customers want. With rare exceptions, what they want is to blacklist Tor exit nodes.
The reason he had resisted whitelisting for so long is that he felt he couldn't enable it without also enabling blacklisting, and he resists anything that will serve to balkanize the Internet. Customers ask them to allow blacklisting of whole countries, and why not? If you're a take-out BBQ restaurant in Chicago, Internet traffic to your site from Turkey is probably not legitimate and you're better off losing the business.
The usual trade-off
As always, there's a general trade-off between convenience, or ease of use, and security. This is a phenomenon well beyond computers; it applies, for example, to controlling the access of people to a building. Prince put a second-level twist on it. He said to imagine a triangle where the three points are security, anonymity, and friction, the last being the antithesis of convenience. You can't have all three. Given that you have to have maximum security, as it's the reason customers buy the product, there will be a trade-off between anonymity and friction. The choice CloudFlare makes, to create some friction (CAPTCHAs) in order to allow anonymity, is the most logical decision to make, and the one that Facebook and Google have made in similar circumstances.
This may not satisfy Appelbaum or the rest of Tor's core users.
Prince, Graham-Cumming, and others at CloudFlare who are working hard to do so are probably working too hard.
Why should CloudFlare expend a whole lot of effort accommodating the users of a system designed to make their job as hard as possible? Certainly it would be better if Tor users could have a good experience, but I don't see how that can be done, talk of blinded tokens notwithstanding. It's just unreasonable for Tor users to expect service providers to compromise their security for the convenience of a service that carries large amounts of malicious traffic. Prince told me that the percentage of malicious traffic they see from Tor exit nodes is far higher than what is reported by Akamai. CloudFlare would do better to direct its effort at improving overall traffic performance.
There will be a lot of sympathy for Tor among CloudFlare's engineers, but it's hard to see that CloudFlare's customers feel the same. Surely they would like to get extra business from Tor users, but at what cost? As long as CloudFlare doesn't force this sympathy for Tor on them, they probably won't care that Tor users are inconvenienced, and they too would rather CloudFlare focus on other matters.
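The reputation analysis the post describes, and the Akamai ratios it quotes (about 1 malicious request in 380 from Tor exits against 1 in 11,500 otherwise), come down to one operation: splitting a request log by whether the source address is a known Tor exit and comparing the malicious rate of each half. The block below is an added example of that split; it is not CloudFlare's or Akamai's code. The exit-node set, the log lines and the trailing `allow`/`block` WAF verdict field are all constructed for the example (documentation address ranges, not real exits); a real deployment would load the set from Tor's published exit list and the verdicts from its own WAF.

```python
"""Compare malicious-request rates for Tor-exit and non-Tor traffic.

Added example, not CloudFlare's or Akamai's code. TOR_EXITS and SAMPLE_LOG are
constructed; the last field of each log line is an assumed WAF verdict.
"""
import ipaddress
import re
from collections import Counter

# Constructed exit-node set (RFC 5737 documentation addresses, not real exits).
TOR_EXITS = {"198.51.100.7", "198.51.100.23", "203.0.113.200"}

# Constructed log: combined log format plus an assumed WAF verdict (allow|block).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" allow
198.51.100.7 - - [01/Mar/2016:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.9" block
203.0.113.200 - - [01/Mar/2016:10:00:03 +0000] "GET /?id=1%27%20OR%201=1 HTTP/1.1" 403 0 "-" "curl/7.47" block
192.0.2.10 - - [01/Mar/2016:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" allow
192.0.2.11 - - [01/Mar/2016:10:00:05 +0000] "GET /products HTTP/1.1" 200 2048 "-" "Mozilla/5.0" allow
192.0.2.12 - - [01/Mar/2016:10:00:06 +0000] "GET /checkout HTTP/1.1" 200 1024 "-" "Mozilla/5.0" allow
192.0.2.13 - - [01/Mar/2016:10:00:07 +0000] "GET /../../etc/passwd HTTP/1.1" 403 0 "-" "-" block
198.51.100.23 - - [01/Mar/2016:10:00:08 +0000] "GET /products HTTP/1.1" 200 2048 "-" "Mozilla/5.0" allow
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<verdict>allow|block)$'
)


def parse_log(text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        ipaddress.ip_address(rec["ip"])  # reject garbage in the address field
        yield rec


def summarize(text, exits=TOR_EXITS):
    """Return {"tor": (requests, blocked), "other": (requests, blocked)}."""
    requests, blocked = Counter(), Counter()
    for rec in parse_log(text):
        cls = "tor" if rec["ip"] in exits else "other"
        requests[cls] += 1
        if rec["verdict"] == "block":
            blocked[cls] += 1
    return {cls: (requests[cls], blocked[cls]) for cls in ("tor", "other")}


def malicious_share(summary):
    """(share of all blocked requests from Tor, share of all requests from Tor)."""
    total_req = sum(r for r, _ in summary.values())
    total_blk = sum(b for _, b in summary.values())
    tor_req, tor_blk = summary["tor"]
    return (tor_blk / total_blk if total_blk else 0.0,
            tor_req / total_req if total_req else 0.0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for cls, (r, b) in s.items():
        rate = f"1 in {r / b:.0f}" if b else "none"
        print(f"{cls:5s} requests={r} blocked={b} malicious rate={rate}")
    share_blk, share_req = malicious_share(s)
    print(f"Tor exits: {share_req:.1%} of requests, {share_blk:.1%} of blocked requests")
```

The "malicious rate" line is the per-class figure Akamai reports, and `malicious_share` gives the other pair of numbers (share of attacks against share of traffic). Note what the classifier cannot do: every request from one exit address is counted as one source, so a single abusive client behind an exit drags down the reputation of every other user of that exit, which is exactly why a CAPTCHA, rather than a per-client block, is the tool providers reach for.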
06-03-2016, 17:48 #4
How the FBI Located Suspected Admins of the Dark Web’s Largest Child Porn Site
March 2, 2016
In February 2015, the Federal Bureau of Investigation launched an operation that was notable for two reasons: it was the largest known law enforcement hacking operation to date, and it entailed operating a child pornography website as a honeypot for 13 days.
In addition, court documents reviewed by Motherboard suggest that a foreign agency working with the FBI may have operated a different child porn site in some capacity for at least four months.
The targets of the FBI's investigation were users of Playpen, a site on the so-called dark web that one FBI agent described as “the largest remaining known child pornography hidden service in the world” in a criminal complaint.
In order to locate these users in the real world, the agency took control of Playpen and operated it from February 20 to March 4 in 2015, deploying a hacking tool to identify visitors of the site. The FBI hacked computers in the US, Greece, Chile, and likely elsewhere.
But, in identifying at least two high ranking members of Playpen, and possibly one other, the FBI relied on information provided by a foreign law enforcement agency (FLA), according to court documents.
That FLA had "seized" another child pornography site identified only as "Website 2." Documents suggest this site was operational four months after the seizure, with no indication that the FLA had given up control of it. The foreign agency used a hacking technique of its own to identify at least one user of that site, which led the FBI to identify a suspected moderator of Playpen.
Three US-based men, Steven Chase, Michael Fluckiger, and David Lynn Browning, have all been indicted for their role as suspected administrators and moderators of Playpen, including engaging in a child exploitation enterprise. Their cases were unsealed in March and August of 2015, but have only now been reported.
In November 2014, an FLA, “acting independently and according to its own national laws,” seized a child pornography site hosted on the so-called dark web, according to a complaint against one of the defendants, signed by Karlene Clapp, a special agent with the FBI. The complaint and other court documents do not name the agency or country, nor the website that was taken over.
The following month after the seizure, the FLA obtained an IP address for one of the moderators of this site by sending the target a link to a streaming video on an external website.
“If the user chose to open the file, a video file containing images of child pornography began to play, and the FLA captured and recorded the IP address of the user accessing the file,” the FBI complaint reads. Some of the related court documents were recently shared by a user on Reddit.
The video was configured in such a way that when it was opened, the target's computer would open up an internet connection outside of the anonymity network used by the child pornography site, “thereby allowing FLA to capture the user's actual IP address, as well as a session identifier to tie the IP address to the activity of a particular user account,” the complaint continues. (The documents do not explicitly say whether this site was hosted on the Tor network, or another less popular network, such as I2P; it only refers to the website operating within “the Network”.)
This IP address was then provided to the FBI, and led to David Lynn Browning of Kentucky. Browning, in addition to allegedly being a moderator of the child pornography site seized by the FLA, was suspected of being a moderator on Playpen, according to communications provided by the FLA to the FBI in April 2015. He was arrested in July 2015, according to court documents.
The FLA also obtained the IP address for Michael Fluckiger, a suspected moderator on the seized site and administrator on Playpen. The court documents do not say whether he was identified in the same fashion, however, and he was arrested in March 2015. In Fluckiger's complaint, the FBI mentions that the FLA was able to obtain communications from another, third website, which was used as a chat room to discuss child pornography and exploitation.
Steven Chase has also been indicted for his role as an administrator in Playpen. It is not clear how he was identified, but he was arrested on February 20, 2015, the day that the FBI started to run Playpen from its own servers. On Tuesday, a judge granted more time to complete a mental health examination of the defendant.
Much attention has focused on how the FBI ran Playpen for 13 days. Defense lawyers have argued that this constituted "outrageous conduct" from the FBI because the agency, in essence, distributed child pornography. A judge in a related case has ruled otherwise, though.
But, looking at the timeline of the FLA's involvement, it seems like this unknown agency might have had some sort of control over a child pornography site for a much longer period of time, possibly for at least four months. According to court documents, the FLA seized the site in November 2014. On March 13, 2015, an FBI agent acting in an undercover capacity accessed the site. Logically, the site must have still been active for an FBI agent to successfully log into it.
“After successfully logging into the site, the undercover Agent observed a chat window, which listed users currently in the chat room on the left side of the page and recent messages posted by these users to the right of their usernames,” the complaint said.
However, it is not clear from the court documents what exactly constituted a seizure of the second child pornography site. The documents don’t say whether this refers to the FLA running the site from their own servers, similar to the Playpen case, or whether it took control of a primary administration account and allowed the site to continue operating.
Playpen had three administrators, including Fluckiger and Chase, and numerous moderators, including Browning, according to court documents. Admins handled the technical aspects of the site and hosted it, developed and enforced rules, and other tasks. Moderators, meanwhile, didn't have such a technologically hands-on role, and kept the forum clean and organised.
Playpen is not named in the court documents of these three defendants, but it is clearly the site in question. One criminal complaint says that “From on or about August 2014 until on or about February 20, 2015, Website 1 was physically hosted on servers in Lenoir North Carolina.” Playpen was based in the same physical location, until February 20, when it was seized by the FBI. From that point, Playpen was run from servers in Virginia, according to court documents.
Chase, Fluckiger and Browning have all been included in the same indictment, charging them with a slew of child pornography offenses. Browning pleaded guilty in December, and Fluckiger did the same. Chase's case, however, is still going through the courts.
But, only two out of three Playpen administrators are covered in this indictment. It is unclear whether the third is still at large. It is also not totally clear whether Chase, who was arrested on February 20, 2015, was the one who led the FBI to take control of the Playpen server.
When asked specific questions about these cases, Peter Carr, a spokesperson for the Department of Justice, told Motherboard in an email that “We don't have anything public we can point you to beyond what you have already identified.”
The FBI declined to comment and the US Attorney's office did not respond to a request for comment.
The UK’s National Crime Agency told Motherboard in an email that “the NCA does not routinely confirm or deny the receipt of specific intelligence or ongoing investigations for reasons of operational security.”
“We work closely with international partners both in law enforcement and industry to share intelligence and work collaboratively to bring those involved in the sexual exploitation of children to account,” the spokesperson added.
Although the name of the FLA is not mentioned in court documents, the investigation into Playpen was part of a joint FBI and Europol effort called Operation Pacifier.
Claire Georges, a spokesperson for Europol, told Motherboard in an email that “Unfortunately, Europol is unable to provide any comments on Operation Pacifier. We can only refer you back to the FBI who are allowed to communicate on the matter.” When asked to confirm whether the action by the foreign law enforcement agency was indeed part of Pacifier, Georges added “I'm really sorry but I am not allowed to say anything more.”
As more details about the shuttering of child porn sites come to light, it's clear that multiple law enforcement agencies will use a variety of tactics to identify suspects on the so-called dark web.
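The deanonymization the post describes works because a client application opened a connection outside the anonymity network. The block below is an added example of the detective check a defender would run for that failure mode; it is not from the original post or from any court document, and it does not reproduce the technique itself. It parses output shaped like `ss -tnp` on a Linux host (the sample is constructed, with a media player as the leaking process) and flags any connection, held by a process other than the Tor daemon, whose peer is not the local SOCKS proxy. The proxy ports (9050 for the tor service, 9150 for Tor Browser) and the process name "tor" are assumptions.

```python
"""Flag outbound connections that bypass the local Tor SOCKS proxy.

Added example, not from the original post. SAMPLE_SS is constructed to look
like `ss -tnp` output; TOR_PROXIES and ALLOWED_PROCESSES are assumptions about
the audited host.
"""
import re

TOR_PROXIES = {("127.0.0.1", 9050), ("127.0.0.1", 9150)}  # assumed SocksPort values
ALLOWED_PROCESSES = {"tor"}  # assumed: only the Tor daemon may reach the network directly

# Constructed sample in the shape of `ss -tnp` (documentation addresses only).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      127.0.0.1:41234      127.0.0.1:9050      users:(("firefox",pid=2231,fd=88))
ESTAB  0      0      192.0.2.50:51002     198.51.100.9:443    users:(("tor",pid=1410,fd=12))
ESTAB  0      0      192.0.2.50:51010     203.0.113.77:80     users:(("vlc",pid=3019,fd=21))
ESTAB  0      0      192.0.2.50:51011     203.0.113.77:1935   users:(("vlc",pid=3019,fd=22))
"""

ROW_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<paddr>\S+):(?P<pport>\d+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text):
    """Yield one dict per connection row; the header and unparseable rows are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pport"] = int(rec["pport"])
            rec["pid"] = int(rec["pid"])
            yield rec


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def bypasses_tor(conn, proxies=TOR_PROXIES, allowed=ALLOWED_PROCESSES):
    """True when a non-Tor process holds a connection that does not end at the SOCKS proxy."""
    if conn["proc"] in allowed:
        return False
    if (conn["paddr"], conn["pport"]) in proxies:
        return False
    return not is_loopback(conn["paddr"])  # other loopback traffic is local IPC, not a leak


def find_leaks(text):
    """Return (process, pid, peer) for every connection that bypasses Tor."""
    return [(c["proc"], c["pid"], f'{c["paddr"]}:{c["pport"]}')
            for c in parse_ss(text) if bypasses_tor(c)]


if __name__ == "__main__":
    for proc, pid, peer in find_leaks(SAMPLE_SS):
        print(f"LEAK: {proc}[{pid}] -> {peer} (not via the Tor SOCKS proxy)")
```

This only detects a leak after the fact; the preventive control is a host firewall that permits outbound traffic solely from the Tor daemon's user, so that a helper application launched to open a downloaded file cannot reach the network at all.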
06-03-2016, 18:40 #5
Web becoming hostile to even modest attempts by users to protect their privacy
Around 4% of the top 1,000 sites routinely reject or ignore access requests from people who use the Tor system to anonymise their browsing activity.
The idea that cyberspace is growing invisible to law enforcement isn't borne out by the facts
FBI director James Comey has been sounding off for ages that cyberspace is "going dark" (or invisible to law enforcement) because of encryption and that this is intolerable.
This species of moral panic has a long pedigree, reaching back to the 1990s or earlier.
In the past, official fears about "going dark" have proved overblown. Is that likely to be the case now?
In order to find out, the Berkman Center at Harvard convened a group of experts to ponder the problem. The title of the report of their sober deliberations, Don't Panic, just about sums it up. Sure, the report says, smartphone encryption is a pain for law enforcement, but most online activity will remain unencrypted (and therefore visible either by surveillance or warrant) for two simple reasons: one is that some kinds of electronic data (for example, metadata) will remain unencrypted because networked systems couldn't function otherwise; the other is that "the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality." And the forthcoming internet of things will provide lots of opportunities for spooks to observe people without worrying about breaking encryption.
So the FBI should calm down: the surveillance-based business model of the web will ensure that the world won't go dark on them just yet.
Just to emphasise the point, an intriguing investigation by Cambridge University scientists published last week illuminated how the mainstream web is becoming hostile to even modest attempts by users to protect their privacy.
The researchers conducted a large-scale automated survey to determine what proportion of mainstream websites routinely reject or ignore access requests from people who use the Tor system to anonymise their browsing activity.
They found that, already, around 3.67% of the top 1,000 sites do so. My hunch is that this proportion is likely to increase. The FBI can sleep easy in their beds.