The Dark Web Rises: A Journey through the Looking Glass. Andy Malone, DCIM-B351. Microsoft MVP (Enterprise Security), Microsoft Certified Trainer (18 years). Follow @AndyMalone & get my OneDrive link. ID: 334243
Slide 1

Slide 2
The Extras…
Follow @AndyMalone & Get my OneDrive Link

Slide 3
The Dark Web Rises: A Journey through the Looking Glass
Andy Malone
DCIM-B351

Slide 4
Andy Malone (United Kingdom)
Microsoft MVP (Enterprise Security)
Microsoft Certified Trainer (18 years)
Founder: Cybercrime Security Forum!
International Event Speaker
Winner: Microsoft Speaker Idol 2006
Follow me on Twitter @AndyMalone
www.cybercrimesecurityforum.org

Slide 5
This Session will Discuss

Slide 6
TOR: A Tale of Two Sides
Freedom from Censorship, No Restrictions, Private Communication; many US and UK agencies use similar private channels
The Dark Web: Drugs, Guns, Malicious Software, Pedophiles, Slavery, Black Market

Slide 7
TOR: Providing a Voice for the Oppressed

Slide 8
Why use the Onion?
Freedom from potential oppression
Freedom from having communications monitored
Used by government embassies for sending confidential emails
Useful for accessing blocked Internet sites where restrictions are enforced, e.g. the UK, Saudi Arabia, China, etc.

Slide 9
Current TOR Clients / Projects
https://www.torproject.org/

Slide 10
Variants (Other Anonymizing Technologies)
Tor (anonymity network)
Garlic Routing
Anonymous P2P
The Amnesic Incognito Live System
Degree of anonymity
Chaum mixes
Bitblinder
Java Anonymous Proxy

Slide 11
Where it all began
TOR is an open source, non-profit organization running out of a YWCA in Cambridge, Massachusetts
33 full-time employees
TOR is hosted by thousands of volunteers around the world
Initially sponsored by the US Office of Naval Research Laboratory
In 2004 - 2005 it was supported by the Electronic Frontier Foundation

Slide 12
TOR: Key Principle
“There are no conspiracies. We don’t do things we don’t want to. No backdoors ever!”
Jacob Appelbaum: TOR (2013)

Slide 13
Up & Running
Over 60,000 users daily
Approx. 3,500 routers and growing
Currently 6 million+ users worldwide
Every web page, database, etc. that Google can’t index is considered part of the Dark Web
9x% of web pages are in the Dark Web!
The media are wrong when they say that the only way to access the dark web is through TOR
Question: Is it all bad?

Slide 14
Who uses this Technology?

Slide 15
The Technology

Slide 16
What is an Onion Router?
An anonymous communication technique: messages are encrypted in layers and sent through several onion routers, which creates a circuit of nodes using random domain names
Each OR removes a layer of encryption with its symmetric key to reveal routing instructions, and sends the message to the next router, where the process is repeated; thus the analogy “onion router”
This prevents the intermediary nodes from knowing the origin, destination, and contents of the message

Slide 17
Onion Routing: How it Works

Slide 18
Onion Routing: How it Works
(Diagram labels: TOR Node, Encrypted, Unencrypted; Alice, Bob, Jane; Port 9001, Port 9090, Port 443)
Each OR maintains a TLS / AES connection to every other OR
Users run an onion proxy (OP) to fetch directories and establish circuits across the network
Each OR maintains a long-term and a short-term onion identity key (10 mins)
Used to sign TLS certificates, which sign the OR’s router descriptor (summary of keys, address, bandwidth, etc.)

Slide 19
Onion Routing: How it Works
(Diagram labels: TOR Node, Encrypted, Unencrypted; Alice, Dave, Bob, Jane; Port 9001, Port 9030)
Step 1: Alice’s TOR client obtains a list of TOR clients from a directory server

Slide 20
Onion Routing: How it Works
(Diagram labels: TOR Node, Encrypted, Unencrypted; Alice, Dave, Bob, Jane; Port 443, Port 80)
Step 2: Alice’s TOR client picks a random path to a destination server. Green links are encrypted, red links are in the clear

Slide 21
Onion Routing: How it Works
(Diagram labels: TOR Node, Encrypted, Unencrypted; Alice, Dave, Bob, Jane; Port 80, Port 443)
Step 3: If at a later time Alice connects to a different resource, then a different, random route is selected. Again, green links are encrypted, red links are in the clear

Slide 22
Onion Routing: Peeling back the Layers
https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html
Alice builds a two-hop circuit and begins fetching a web page.
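The layering that slides 16 through 22 describe, worked through in code. This is an added example, not part of Andy Malone's deck or the Tor code base: the circuit, router names and keys are constructed, and the SHA-256 counter-mode keystream is a toy stand-in for Tor's per-hop AES-CTR, used only to show how each router strips exactly one layer, learns only its neighbours, and how only the exit ever sees the cleartext:

```python
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stands in for Tor's AES-CTR;
    it is NOT Tor's cipher and exists only to demonstrate layering."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Apply (or remove) one encryption layer; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


ROUTE_FIELD = 16  # fixed-width "next hop" routing instruction inside each layer


def build_onion(circuit: list, destination: str, message: bytes) -> bytes:
    """Onion proxy side: wrap the message from the exit hop inwards.

    circuit: [(router_name, symmetric_key_shared_with_that_router), ...]
    ordered entry -> exit. Each layer holds the next hop's name followed by
    the still-encrypted inner layer, so a router learns only its successor.
    """
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    blob = message
    for (_, key), next_hop in zip(reversed(circuit), reversed(next_hops)):
        blob = xor_layer(key, next_hop.encode().ljust(ROUTE_FIELD, b" ") + blob)
    return blob


def peel(key: bytes, onion: bytes) -> tuple:
    """Router side: strip one layer, returning (next_hop, remaining_onion)."""
    plain = xor_layer(key, onion)
    next_hop = plain[:ROUTE_FIELD].rstrip(b" ").decode(errors="replace")
    return next_hop, plain[ROUTE_FIELD:]


def route(circuit: list, destination: str, message: bytes) -> tuple:
    """Simulate the circuit; returns (final_hop, payload, per-router view)."""
    onion = build_onion(circuit, destination, message)
    view = []
    previous = "Alice (OP)"
    for name, key in circuit:
        next_hop, onion = peel(key, onion)
        view.append({
            "router": name,
            "sees_from": previous,
            "sees_to": next_hop,
            # only the exit hop ends up holding the cleartext message
            "sees_plaintext": next_hop == destination,
        })
        previous = name
    return next_hop, onion, view


if __name__ == "__main__":
    # Constructed circuit and keys, not real Tor relays.
    circuit = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
    dest, payload, view = route(circuit, "bob.example", b"GET / HTTP/1.1")
    for hop in view:
        print(hop)
    print(dest, payload)
```

The per-router view is the point of the slide: the entry node sees Alice and the middle node, the middle node sees only two relays, and the exit sees the destination and the request. A wrong key peels to noise rather than an error, which is why a real design also needs the integrity check discussed on the cell slides.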
Slide 23
Onion Routing: Cells
(Diagram labels: TOR Node, TLS Encrypted)
Fixed-size cells of 512 bytes with a header and a payload
Control cells: interpreted by the nodes that receive them
Relay cells: carry end-to-end stream data; they have an additional header in front of the payload containing the stream ID, an integrity checksum, the length of the payload, and the relay command

Slide 24
Onion Routing: Cell Commands
Current Relay Commands
Relay data: data flowing down a stream
Relay begin: to open a stream
Relay end: to close a stream cleanly
Relay teardown: to close a broken stream
Relay connected: to notify a successful relay begin
Relay extend/extended: to extend the circuit by a hop
Relay sendme: congestion control
Relay drop: implements long-range dummies
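A builder and parser for the relay-cell layout that slides 23 and 24 describe (added example, not code from the deck or the Tor project): the 512-byte fixed cell, the relay header fields, and the integrity check that rejects a cell modified in transit. The command numbers follow tor-spec.txt as I remember it; the slides give only the names, so treat the numbers as an assumption to verify against the spec, and the 4-byte SHA-1 checksum here is a simplification of Tor's running per-circuit digest:

```python
import hashlib
import struct

CELL_LEN = 512                      # fixed-size cells, as on the slide
CELL_HEADER = struct.Struct("!HB")  # 2-byte circID (link protocol v1-v3) + 1-byte command
PAYLOAD_LEN = CELL_LEN - CELL_HEADER.size          # 509
RELAY_HEADER = struct.Struct("!BHHIH")             # relay cmd, recognized, streamID, digest, length
RELAY_DATA_MAX = PAYLOAD_LEN - RELAY_HEADER.size   # 498

CELL_RELAY = 3   # cell command value for relay cells (tor-spec numbering, assumed)
# Relay command numbering as in tor-spec.txt; the slide names them, the numbers are mine.
RELAY_COMMANDS = {1: "RELAY_BEGIN", 2: "RELAY_DATA", 3: "RELAY_END", 4: "RELAY_CONNECTED",
                  5: "RELAY_SENDME", 6: "RELAY_EXTEND", 7: "RELAY_EXTENDED",
                  8: "RELAY_TRUNCATE", 9: "RELAY_TRUNCATED", 10: "RELAY_DROP"}


def checksum(payload_with_zero_digest: bytes) -> int:
    """Stand-in integrity check: first 4 bytes of SHA-1 over the payload.
    Real Tor uses a running, per-direction SHA-1 seeded from the circuit
    handshake; only the 4-byte field width is reproduced here."""
    return int.from_bytes(hashlib.sha1(payload_with_zero_digest).digest()[:4], "big")


def build_relay_cell(circ_id: int, relay_cmd: int, stream_id: int, data: bytes) -> bytes:
    if len(data) > RELAY_DATA_MAX:
        raise ValueError(f"relay data limited to {RELAY_DATA_MAX} bytes per cell")
    body = data.ljust(RELAY_DATA_MAX, b"\x00")          # pad to the fixed size
    zeroed = RELAY_HEADER.pack(relay_cmd, 0, stream_id, 0, len(data)) + body
    digest = checksum(zeroed)
    payload = RELAY_HEADER.pack(relay_cmd, 0, stream_id, digest, len(data)) + body
    return CELL_HEADER.pack(circ_id, CELL_RELAY) + payload


def parse_relay_cell(cell: bytes) -> dict:
    if len(cell) != CELL_LEN:
        raise ValueError("cells are fixed-size: expected 512 bytes")
    circ_id, cmd = CELL_HEADER.unpack(cell[:CELL_HEADER.size])
    if cmd != CELL_RELAY:
        raise ValueError(f"not a relay cell (command {cmd})")
    payload = cell[CELL_HEADER.size:]
    relay_cmd, recognized, stream_id, digest, length = RELAY_HEADER.unpack(
        payload[:RELAY_HEADER.size])
    body = payload[RELAY_HEADER.size:]
    # 'recognized' reads as zero only once every layer for this hop is removed;
    # anything else means the cell is still encrypted for a later hop.
    if recognized != 0:
        raise ValueError("cell not addressed to this hop (recognized != 0)")
    if length > RELAY_DATA_MAX:
        raise ValueError("length field exceeds payload capacity")
    if checksum(RELAY_HEADER.pack(relay_cmd, 0, stream_id, 0, length) + body) != digest:
        raise ValueError("integrity check failed: cell modified in transit")
    return {"circ_id": circ_id,
            "command": RELAY_COMMANDS.get(relay_cmd, f"UNKNOWN_{relay_cmd}"),
            "stream_id": stream_id,
            "data": body[:length]}


if __name__ == "__main__":
    cell = build_relay_cell(0x1234, 2, 7, b"GET / HTTP/1.1\r\n")   # constructed sample
    print(len(cell), parse_relay_cell(cell))
```

Two properties worth noticing: the length field, not the padding, decides how much of the body is stream data, and the digest covers the padding too, so a relay cannot smuggle bytes into the unused tail without the check failing.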
Slide 25
Using the Onion Router
Requires a client
Many sites require pre-registration
Ensure you have an anonymous email address
.onion URLs are used to identify hidden services
Addresses are 16-character alphanumeric hashes which are automatically generated from a public key when the hidden service is configured
These 16-character hashes can be made up of any letter of the alphabet and the decimal digits 2 through 7, thus representing an 80-bit number in base32
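.onion derivation and validation as an added example (not code from the deck): the v2 scheme the slide describes takes the first 80 bits of the SHA-1 of the service's DER-encoded public key and base32-encodes them, which yields exactly the 16-character a-z/2-7 alphabet on the slide. The key bytes below are constructed, not a real key, and encode_onion/decode_onion are helper names I chose:

```python
import base64
import hashlib
import re

# 16 base32 characters: a-z plus the digits 2-7, as the slide describes.
ONION_V2 = re.compile(r"([a-z2-7]{16})\.onion")


def onion_address_from_public_key(der_public_key: bytes) -> str:
    """Derive a v2-style .onion name: first 80 bits of SHA-1 over the
    service's DER-encoded public key, base32-encoded and lowercased."""
    digest80 = hashlib.sha1(der_public_key).digest()[:10]     # 10 bytes = 80 bits
    return base64.b32encode(digest80).decode("ascii").lower() + ".onion"


def is_valid_onion(address: str) -> bool:
    """Syntax check only: right length and right alphabet."""
    return ONION_V2.fullmatch(address) is not None


def decode_onion(address: str) -> int:
    """Return the 80-bit number an address encodes; raises on bad syntax."""
    m = ONION_V2.fullmatch(address)
    if m is None:
        raise ValueError("not a 16-character base32 .onion address")
    raw = base64.b32decode(m.group(1).upper())   # 16 chars -> exactly 10 bytes, no padding
    return int.from_bytes(raw, "big")


def encode_onion(number: int) -> str:
    """Inverse of decode_onion; raises OverflowError above 2**80 - 1."""
    return base64.b32encode(number.to_bytes(10, "big")).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    fake_key = b"constructed-bytes-standing-in-for-a-DER-public-key"   # not a real key
    addr = onion_address_from_public_key(fake_key)
    print(addr, is_valid_onion(addr), hex(decode_onion(addr)))
```

Because the name is a truncated hash of the key, anyone holding the private key can prove ownership of the name, but nothing about the name itself tells you who runs the service; the syntax check is useful for log parsing and for rejecting look-alike addresses with characters outside the base32 alphabet.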
Slide 26
Demo
Exploring the TOR Project

Slide 27
A Journey Inside the Darknet

Slide 28
The Deep Dark Web
Anonymous and unindexed area of the internet used for serious criminal activity including
Copyright infringement
Credit card fraud and identity theft
Rumored to be more than 500 times the size of the traditional web
Currently around ½ a million deep web sites worldwide and approx. 20,000 sites in Russia alone
Used by military & law enforcement agencies

Slide 29
The Deep Dark Web

Slide 30
Content Classifications

Slide 31
Finding Content
Search engines are not the best option
Wikis provide entry points
Beware of malicious links!
Use of TOR may lead to prosecution by law enforcement agencies
Law enforcement can use BigPlanet Deep Web Intelligence tools

Slide 32
Demo
Exploring the Darkweb

Slide 33
Slide 34
Slide 35
Slide 36
Slide 37

Slide 38
Potential Flaws in the Onion

Slide 39
Potential Flaws in the Onion!
Multi-hopping = slower connections
Confusion between unlinkability and anonymity
While using Tor, leaks can occur via Flash plug-ins & other media add-ons
Darknet heavily monitored by law enforcement agencies
NSA & GCHQ installing hundreds of ORs in order to capture & analyze traffic
Many honeypot sites exist in order to catch criminals

Slide 40
Potential Flaws in the Onion!

Slide 41
Timing analysis
An adversary could determine whether a node is transmitting by correlating when messages are sent by a server and received by a node
Tor, and any other low-latency network, is vulnerable to such an attack
Countermeasure: a node can defeat this attack by sending dummy messages whenever it is not sending or receiving real messages (not currently part of the Tor threat model)

Slide 42
Entry Node Sniffing
(Diagram labels: TOR Node, Encrypted, Unencrypted; Bob; Compromised Node; Police)
Criminal posts anonymous content out to a compromised server
Law enforcement monitors the suspect’s client machine (entry point)

Slide 43
Exit Node Sniffing
(Diagram labels: TOR Node, Encrypted, Unencrypted; Target; Compromised Node, infected with malicious code; Police)
Criminal posts anonymous content onto a server
Law enforcement monitors the target client machine (exit point)
An exit node has complete access to the content being transmitted from the sender to the recipient
If the message is encrypted by SSL, the exit node cannot read the information, just as with any encrypted link over the regular internet

Slide 44
Intersection Attacks
(Diagram labels: TOR Node, Encrypted, Unencrypted; Bob; Compromised Node; Offline Node; Police; Network Analysis)
Criminal posts anonymous content out to a compromised server
Nodes periodically fall off the network; any chain that remains functioning cannot have been routed through either the nodes that left or the nodes that recently joined the network, increasing the chances of a successful traffic analysis

Slide 45
Predecessor attacks (Replay)
Compromised nodes can retain session information as it occurs over multiple chain reformations
Chains are periodically torn down and rebuilt
If the same session is observed over the course of enough reformations, the compromised node connects with the particular sender more frequently than any other node, increasing the chances of a successful traffic analysis

Slide 46
DDoS Attack
DoS and Tor
Tor is vulnerable to DoS attacks because users can consume more network resources than allowed or render the network unusable for other users.
Tor deals with these attacks with:
Puzzle solving: at the beginning of the TLS handshake or when accepting create cells; this limits the attack multiplier.
Limiting rates: limits the rates of accepting create cells and TLS connections so that the computational work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow.

Slide 47
Fighting Internet Crime
(Diagram labels: TOR Node, Encrypted, Unencrypted; Security Agencies; Illegal Site)
TOR is a key technology in the fight against organized crime on the internet
Agency IP address hidden from site owner

Slide 48
Forensically Speaking
TOR

Slide 49
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:
C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf
The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:
C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
C:\Windows\AppCompat\Programs\RecentFileCache.bcf

Slide 50
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows Thumbnail Cache contains the Onion Logo icon.
Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:
C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon.

Slide 51
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows paging file, C:\pagefile.sys, contains the filename of the Tor Browser Bundle executable

Slide 52
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the registry contains the path to the Tor Browser Bundle executable
HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user's settings are stored in files called NTUSER.DAT and UsrClass.dat. The path to the Tor Browser Bundle executable is listed in the following two files:
C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
Result: No trace of the Tor Browser Bundle in any of the NTUSER.DAT files

Slide 53
TOR: Forensically Speaking
Looks like regular HTTPS traffic on port 443…

Slide 54
TOR: Forensically Speaking
The truth is revealed

Slide 55
Blocking TOR Traffic
Obtain list of TOR servers

Slide 56
Blocking TOR Traffic
Obtain list of TOR servers
Then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list

Slide 57
Blocking TOR Traffic (Automated Script)

#!/bin/bash
# Gets List of the Torproject Exit Points that would access your ipaddress
#
# This URL gets the new list:
#
URL='https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=<ENTER YOUR IP ADDRESS HERE>'
TORIPLIST=.toriplist

GETTORLIST() {
    # --no-check-certificate skips TLS verification of check.torproject.org, so a
    # man-in-the-middle could hand you an arbitrary list; drop the flag if your
    # wget already trusts the site's CA.
    /usr/bin/wget --no-check-certificate --output-document=${TORIPLIST} ${URL}
} # End of GETTORLIST

BLOCKADDRESSES() {
    # Create a chain named TORBLOCK (the error on re-runs, when it already exists, is harmless).
    /sbin/iptables -N TORBLOCK 2>/dev/null
    # Flush the TORBLOCK chain.
    /sbin/iptables -F TORBLOCK
    # Return to parent chain if the source is not in the TORBLOCK chain.
    /sbin/iptables -I TORBLOCK -j RETURN
    # Then do this for each address to block:
    # /sbin/iptables -I TORBLOCK -s IPADDRESS -j DROP
    # We are doing the above in the loop below:
    for node in `/bin/grep -v -e ^# ${TORIPLIST}`
    do
        /sbin/iptables -I TORBLOCK -s $node -j DROP
    done
} # End of BLOCKADDRESSES

GETTORLIST
BLOCKADDRESSES
rm -f ${TORIPLIST}
# The TORBLOCK chain only takes effect once a built-in chain jumps to it,
# e.g. /sbin/iptables -I INPUT -j TORBLOCK; that step is left to the
# administrator, which is what the note below means.

Add output to IP address tables
* Additional links on slides

Slide 58
Web Browser Fingerprinting
Relatively new concept
A technique, researched by the Electronic Frontier Foundation, of anonymously identifying a web browser with up to 94% accuracy rates
Even in privacy mode or with cookies disabled, browsers can still be tracked: browser version, language, OS, installed fonts, browser add-ins, time zone, etc.

Slide 59
Web Browser Fingerprinting
Browser information collected includes but is not limited to:
Browser-supported items
Plugin information
Geographical information
Device-related information
Operating system information
This collection of information is combined into a SHA256 hash which gives you a unique fingerprint for any given web browser
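How the collected attributes become one SHA-256 fingerprint, plus a way to measure how identifying each attribute is within a population, as an added example that is neither the EFF's nor the presenter's code. The population is a constructed list of eight browsers, the attribute names are my choice, and the two Tor entries are deliberately identical to show why a browser that looks like many others (the "Updated TOR" slides) is harder to single out:

```python
import hashlib
import json
import math


def fingerprint(attrs: dict) -> str:
    """Combine the collected attributes into one SHA-256 hash, as the slide
    describes. Canonical JSON so that key order cannot change the result."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def anonymity_set(population: list, attrs: dict) -> int:
    """How many browsers in the population share this exact fingerprint."""
    target = fingerprint(attrs)
    return sum(1 for p in population if fingerprint(p) == target)


def surprisal_bits(population: list, attrs: dict) -> dict:
    """Identifying information carried by each attribute value:
    -log2(fraction of the population sharing it). Summing the values assumes
    independent attributes, which they are not, so treat the sum as an upper
    bound on the bits a tracker gains."""
    n = len(population)
    bits = {}
    for key, value in attrs.items():
        sharing = sum(1 for p in population if p.get(key) == value)
        bits[key] = math.log2(n / sharing) if sharing else math.inf
    return bits


# Constructed sample population (not real telemetry).
WIN = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0", "language": "en-GB",
       "timezone_offset": 0, "fonts": "Arial;Calibri;Tahoma", "plugins": "Flash;Java"}
MAC = {"user_agent": "Mozilla/5.0 (Macintosh) Safari/7.0", "language": "en-US",
       "timezone_offset": -480, "fonts": "Helvetica;Menlo", "plugins": ""}
TOR = {"user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
       "language": "en-US", "timezone_offset": 0, "fonts": "Arial;Times New Roman", "plugins": ""}
POPULATION = [
    WIN,
    dict(WIN, plugins="Flash"),
    dict(WIN, fonts="Arial;Calibri"),
    dict(WIN, language="en-US", timezone_offset=-300, plugins="Flash;Java;Silverlight"),
    MAC,
    dict(MAC, fonts="Helvetica;Menlo;Monaco"),
    TOR,
    dict(TOR),   # a second, identical Tor Browser: same fingerprint on purpose
]

if __name__ == "__main__":
    for label, browser in (("WIN", WIN), ("TOR", TOR)):
        print(label, fingerprint(browser)[:16],
              "anonymity set:", anonymity_set(POPULATION, browser),
              "bits per attribute:", surprisal_bits(POPULATION, browser))
```

The hash itself is only a convenient key; the tracking power comes from the attribute values, and a single changed font list produces an unrelated hash. The surprisal figures are the defender's view of the same thing: every attribute a browser reports that few others share is a few more bits toward uniqueness, which is why privacy-oriented browsers standardise what they report rather than merely disabling cookies.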
Slide 60
Are you really Unique?
Regular IE 11 Browser

Slide 61
Are you really Unique?
Privacy IE 11 Browser

Slide 62
Are you really Unique?
Older TOR

Slide 63
Are you really Unique?
Updated TOR

Slide 64
Demo
Web Browser Fingerprints

Slide 65
You may want to take a look at Other Privacy Solutions

Slide 66
Staying Anonymous: Proxy Servers
Most common method to hide your IP address
Allows users to make indirect network connections to the Internet
Activity goes to the proxy first, which sends on the request for information, data, files, email, etc. In each case, your actual IP address is hidden.
The proxy then serves up requests by connecting directly to the source or by serving them from a cache
Proxy servers (or simply "proxies") come in a few varieties.

Slide 67
Staying Anonymous: Proxy Servers
Anonymous Proxy: this type of proxy server identifies itself as a proxy server. It is detectable (as a proxy), but provides reasonable anonymity for most users.
Distorting Proxy: this type of proxy server identifies itself as a proxy server, but creates an "incorrect" originating IP address available through the "http" headers.
High-Anonymity Proxy: this type of proxy server does not identify itself as a proxy server and does not make available the original IP address.
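A server-side classifier for the three proxy types on the slide, as an added example that is not part of the deck: it inspects the Via and X-Forwarded-For headers a proxy may add, and falls back to a known-proxy list (for instance the Tor exit list from the blocking slides) because a high-anonymity proxy is otherwise indistinguishable from a direct client. The headers and addresses are constructed samples drawn from documentation ranges:

```python
def classify_proxy(connecting_ip: str, headers: dict, known_proxy_ips: frozenset = frozenset()) -> dict:
    """What the destination server can tell about a proxy in front of the client.

    known_proxy_ips: optional set of addresses from a published feed (e.g. Tor
    exit addresses), used when the headers reveal nothing.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}   # header names are case-insensitive
    identifies_itself = "via" in h                            # the proxy announces itself
    forwarded = h.get("x-forwarded-for")
    # X-Forwarded-For is a comma-separated chain; the first entry is the claimed origin
    reported_origin = forwarded.split(",")[0].strip() if forwarded else None

    if reported_origin:
        # Something in the path reported an origin, but the server cannot verify it:
        # a transparent proxy (real IP) and a distorting proxy (forged IP) look the same.
        verdict = "proxy reporting an origin (transparent or distorting; value unverifiable)"
    elif identifies_itself:
        verdict = "anonymous proxy"
    elif connecting_ip in known_proxy_ips:
        verdict = "high-anonymity proxy (matched a known proxy/exit list)"
    else:
        verdict = "direct client or high-anonymity proxy (indistinguishable)"

    return {"connecting_ip": connecting_ip,
            "identifies_itself": identifies_itself,
            "reported_origin": reported_origin,
            "verdict": verdict}


# Constructed samples; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
KNOWN_PROXIES = frozenset({"203.0.113.9"})
SAMPLES = {
    "distorting":    ("198.51.100.5",   {"Via": "1.1 proxy.example", "X-Forwarded-For": "192.0.2.77"}),
    "anonymous":     ("198.51.100.5",   {"Via": "1.1 proxy.example"}),
    "high_listed":   ("203.0.113.9",    {"User-Agent": "Mozilla/5.0"}),
    "high_unlisted": ("198.51.100.200", {"User-Agent": "Mozilla/5.0"}),
}

if __name__ == "__main__":
    for name, (ip, hdrs) in SAMPLES.items():
        print(f"{name:14s} -> {classify_proxy(ip, hdrs, KNOWN_PROXIES)['verdict']}")
```

The practical lesson for a site operator is in the last two branches: header inspection only ever detects proxies that choose to be detected, so a policy that must treat anonymised traffic differently needs an address list, and a list is only as current as its last refresh.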
Slide 68
Web Based: Proxy Servers
Simply enter the URL of a website that you wish to visit anonymously
When you submit the form, the website proxy server makes a request for the page that you want to visit
The proxy usually does not identify itself as a proxy server and does not pass along your IP address in the request for the page
The features of these sites vary (ad blocking, JavaScript blocking, etc.), as does their price.

Slide 69
Demo
Proxy Heaven

Slide 70
Slide 71
Slide 72
Slide 73
Slide 74

Slide 75
Safeplug: Anonymity in a Box

Slide 76
Code Talker Tunnel (Previously SkypeMorph)
(Diagram labels: Encrypted, Unencrypted; Alice, Bob; Eavesdropper: Skype Video Traffic)
Alice: TOR traffic disguised via OpenWRT-compatible modem
Bob: TOR traffic disguised via OpenWRT-compatible modem

Slide 77
Code Talker Tunnel (Previously SkypeMorph)
Protocol camouflaging tool
Designed to reshape the traffic output of any censorship circumvention tool to look like Skype video calls
Can be used as a SOCKS proxy, and therefore it is extremely easy to use with different anonymity and censorship resistance tools
Hard to block and identify: protocol obfuscation
High-bandwidth channel
Home-router-ready version supporting OpenWRT firmware
Check it out at: git://git-crysp.uwaterloo.ca/codetalkertunnel

Slide 78
TOR: Top Tips
Don’t use browser widgets
Don’t torrent over Tor
Use the Tor Browser (most up to date)
Always use HTTPS versions of sites
Never open documents downloaded through Tor while online
Use bridges and/or find company

Slide 79
Session Review

Slide 80
The Extras…
Follow @AndyMalone & Get my OneDrive Link

Slide 81
Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management
TechExpo Level 1 Hall CD
For More Information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Slide 82
Resources
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Slide 83

Slide 85
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.