The Extras… - PowerPoint Presentation

Uploaded by kittie-lecroy on 2016-05-25

Presentation Transcript

Slide1
Slide2

The Extras…

Follow @AndyMalone & Get my OneDrive Link
Slide3

The Dark Web Rises: A journey through the Looking Glass

Andy Malone

DCIM-B351
Slide4

Andy Malone (United Kingdom)

Microsoft MVP (Enterprise Security)
Microsoft Certified Trainer (18 years)
Founder: Cybercrime Security Forum
International Event Speaker
Winner: Microsoft Speaker Idol 2006

Follow me on Twitter @AndyMalone
www.cybercrimesecurityforum.org
Slide5

This Session will Discuss
Slide6

TOR: A Tale of Two Sides

The light side: freedom from censorship, no restrictions, private communication. Many US and UK agencies use similar private channels.

The Dark Web: drugs, guns, malicious software, child abusers, slavery, black markets.
Slide7

TOR: Providing a Voice for the Oppressed
Slide8

Why use the Onion?

Freedom from potential oppression
Freedom from having communications monitored
Used by government embassies for sending confidential emails
Useful for accessing blocked Internet sites where restrictions are enforced, e.g. the UK, Saudi Arabia, China, etc.
Slide9

Current TOR Clients / Projects

https://www.torproject.org/
Slide10

Variants (Other Anonymizing Technologies)

Tor (anonymity network)
Garlic Routing
Anonymous P2P
The Amnesic Incognito Live System
Degree of anonymity
Chaum mixes
Bitblinder
Java Anonymous Proxy
Slide11

Where it all began

TOR is an open source, non-profit organization running out of a YWCA in Cambridge, Massachusetts
33 full-time employees
TOR relays are hosted by 1000s of volunteers around the world
Initially sponsored by the US Office of Naval Research; onion routing itself originated at the US Naval Research Laboratory
In 2004 - 2005 it was supported by the Electronic Frontier Foundation
Slide12

TOR: Key Principle

“There are no conspiracies. We don’t do things we don’t want to. No backdoors ever!”

Jacob Appelbaum: TOR (2013)
Slide13

Up & Running

Over 60,000 users daily
Approx. 3,500 routers and growing
Currently 6 million+ users worldwide
Every web page, database etc. that Google can’t index is commonly lumped in as the Dark Web; strictly, unindexed content is the deep web, and the dark web is the subset reachable only through anonymity networks such as Tor
Over 90% of web pages are in this unindexed space
The media are wrong when they say that the only way to access the dark web is through TOR
Question: Is it all bad?
Slide14

Who uses this Technology?
Slide15

The Technology
Slide16

What is an Onion Router?

An anonymous communication technique. Messages are repeatedly encrypted and sent through several onion routers (ORs) that form a circuit of nodes chosen by the client; relays are identified by their keys and addresses, not by domain names.

Each OR removes one layer of encryption with its own symmetric key to reveal the routing instructions, then forwards the message to the next router, where the process is repeated; hence the analogy “onion router”. Each intermediary node learns only its predecessor and its successor, so no single node knows the origin, the destination and the contents of the message at once.
Slide17

Onion Routing: How it Works
Slide18

Onion Routing: How it Works

[Diagram: Alice, Bob and Jane connecting through TOR nodes; legend: Encrypted / Unencrypted; labels: Port 9001, Port 9090, Port 443]

Each OR maintains a TLS connection (AES-encrypted) to the other ORs it exchanges cells with
Users run an onion proxy (OP) to fetch directories and establish circuits across the network
Each OR holds a long-term identity key and a short-term onion key; circuits themselves are rotated roughly every 10 mins
The identity key is used to sign TLS certificates and the OR’s router descriptor (a summary of its keys, address, bandwidth, etc.); the onion key is used to negotiate the per-hop circuit keys
Slide19

Onion Routing: How it Works

[Diagram: Alice, Dave, Bob and Jane; TOR nodes; legend: Encrypted / Unencrypted; labels: Port 9001 (OR port), Port 9030 (directory port)]

Step 1: Alice’s TOR client obtains a list of TOR relays (ORs) from a directory server
Slide20

Onion Routing: How it Works

[Diagram: Alice, Dave, Bob and Jane; TOR nodes; legend: Encrypted / Unencrypted; labels: Port 443, Port 80]

Step 2: Alice’s TOR client picks a random path to the destination server. Green links are encrypted, red links are in the clear
Slide21

Onion Routing: How it Works

[Diagram: Alice, Dave, Bob and Jane; TOR nodes; legend: Encrypted / Unencrypted; labels: Port 80, Port 443]

Step 3: If at a later time Alice connects to a different resource, a different random route is selected. Again, green links are encrypted, red links are in the clear
Slide22

Onion Routing: Peeling back the Layers

https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html

Alice builds a two-hop circuit and begins fetching a web page.
Slide23
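The layering described on the “What is an Onion Router?” slide and the three “How it Works” steps, as an added simulation (example code, not Tor’s own implementation): the client takes the relay list from a directory, picks a random path, wraps the request in one encryption layer per hop, and each relay peels exactly one layer and records what it could see. The cipher is a toy SHA-256 keystream standing in for Tor’s AES-CTR, the relay names and keys are constructed, and Alice is assumed to already share a key with each relay (real Tor negotiates it per hop via the relay’s onion key).

```python
"""Simplified onion-routing simulation (added example, not Tor's code).
The stream cipher below is a toy (SHA-256 keystream XOR) so the example runs
with the standard library only; it is NOT secure and stands in for AES-CTR."""
import hashlib
import os
import random

KEY_LEN = 16
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256 blocks derived from key, nonce and a counter."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def pack(kind: bytes, target: bytes, body: bytes) -> bytes:
    """Layer header: kind (b"N" = forward to next relay, b"X" = exit to the
    destination), 1-byte target length, target, then the wrapped body."""
    return kind + bytes([len(target)]) + target + body


def unpack(blob: bytes):
    n = blob[1]
    return blob[:1], blob[2:2 + n], blob[2 + n:]


class Relay:
    """An onion router holding one circuit key; records what it observed."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, []

    def peel(self, prev_hop: str, blob: bytes):
        kind, target, inner = unpack(decrypt(self.key, blob))
        # A relay learns only its predecessor and its successor.
        self.seen.append((prev_hop, target.decode()))
        return kind, target.decode(), inner


def build_circuit(directory: dict, hops: int, rng: random.Random) -> list:
    """Steps 1 and 2: take the directory's relay list and pick a random path."""
    return rng.sample(sorted(directory), hops)


def wrap_onion(directory: dict, path: list, destination: bytes, payload: bytes) -> bytes:
    """Wrap the exit layer first so the first hop's layer ends up outermost."""
    blob = encrypt(directory[path[-1]].key, pack(b"X", destination, payload))
    for i in range(len(path) - 2, -1, -1):
        blob = encrypt(directory[path[i]].key, pack(b"N", path[i + 1].encode(), blob))
    return blob


def send_through_circuit(directory: dict, path: list, onion: bytes):
    """Forward hop by hop; returns (destination, plaintext) as the exit sees it."""
    prev_hop, blob = "Alice", onion
    for name in path:
        kind, target, blob = directory[name].peel(prev_hop, blob)
        if kind == b"X":
            return target, blob
        prev_hop = name
    raise ValueError("circuit ended without an exit layer")


def demo(seed: int = 1):
    """Alice builds a three-hop circuit and fetches a page (constructed sample)."""
    rng = random.Random(seed)
    directory = {n: Relay(n, bytes([i]) * KEY_LEN) for i, n in enumerate(
        ["bob", "dave", "jane", "carol", "erin"], start=1)}  # constructed relays/keys
    path = build_circuit(directory, 3, rng)
    onion = wrap_onion(directory, path, b"example.com:80", b"GET / HTTP/1.0\r\n")
    destination, request = send_through_circuit(directory, path, onion)
    observations = {n: directory[n].seen for n in path}
    return path, destination, request, observations
```

The `observations` map is the point of the slide: the first hop sees Alice and the middle relay, the middle relay sees two relays, and only the exit sees the destination and the plaintext. One difference from the “random path” on the slide: real Tor keeps a small fixed set of entry guards for the first hop precisely so that repeated random choices do not eventually hand a malicious relay both ends of a circuit.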

Onion Routing: Cells

[Diagram: TOR nodes linked by TLS-encrypted connections]

Fixed-size cells of 512 bytes, each with a header and a payload
Control cells: interpreted by the node that receives them (e.g. create, created, destroy)
Relay cells: carry end-to-end stream data. They have an additional relay header in front of the payload containing the stream ID, an integrity checksum (digest), the length of the payload and the relay command
Slide24

Onion Routing: Cell Commands

Current Relay Commands

Relay data: data flowing down the stream
Relay begin: to open a stream
Relay end: to close a stream cleanly
Relay teardown: to close a broken stream
Relay connected: to notify successful relay begin
Relay extend/extended: to extend the circuit by a hop
Relay sendme: congestion control
Relay drop: implements long-range dummies
Slide25
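The cell layout from the previous two slides, as an added packer/parser (example code written for this page, not from the Tor source). It follows the layout and command numbers in tor-spec with the legacy 2-byte circuit ID, which is what gives the 512-byte cells on the slide; link protocol 4 and later use a 4-byte circuit ID and 514-byte cells. The sample RELAY_BEGIN cell is constructed, and the digest field is left zeroed because the example does not model the running SHA-1 state the exit keeps per circuit.

```python
"""Pack and parse Tor cells (legacy 2-byte CircID, 512-byte cells)."""
import struct

CIRCID_LEN = 2
CELL_LEN = 512
PAYLOAD_LEN = CELL_LEN - CIRCID_LEN - 1          # 509
RELAY_HEADER_LEN = 11                            # cmd(1) recognized(2) stream(2) digest(4) len(2)
RELAY_DATA_MAX = PAYLOAD_LEN - RELAY_HEADER_LEN  # 498

# Cell commands: control cells are interpreted by the node that receives them.
CELL_COMMANDS = {0: "PADDING", 1: "CREATE", 2: "CREATED", 3: "RELAY", 4: "DESTROY",
                 5: "CREATE_FAST", 6: "CREATED_FAST", 7: "VERSIONS", 8: "NETINFO",
                 9: "RELAY_EARLY", 10: "CREATE2", 11: "CREATED2"}
# Relay commands carried in the relay header (end-to-end stream control).
RELAY_COMMANDS = {1: "RELAY_BEGIN", 2: "RELAY_DATA", 3: "RELAY_END", 4: "RELAY_CONNECTED",
                  5: "RELAY_SENDME", 6: "RELAY_EXTEND", 7: "RELAY_EXTENDED",
                  8: "RELAY_TRUNCATE", 9: "RELAY_TRUNCATED", 10: "RELAY_DROP",
                  11: "RELAY_RESOLVE", 12: "RELAY_RESOLVED", 13: "RELAY_BEGIN_DIR",
                  14: "RELAY_EXTEND2", 15: "RELAY_EXTENDED2"}
CMD_RELAY = 3


def pack_cell(circ_id: int, command: int, payload: bytes) -> bytes:
    """Fixed-size cell: CircID, command byte, payload zero-padded to 509 bytes."""
    if len(payload) > PAYLOAD_LEN:
        raise ValueError("payload too long for a fixed-size cell")
    return struct.pack("!HB", circ_id, command) + payload.ljust(PAYLOAD_LEN, b"\x00")


def pack_relay_cell(circ_id: int, relay_cmd: int, stream_id: int, data: bytes,
                    digest: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Relay cell: relay header followed by data inside the 509-byte payload.
    'recognized' is zero so the correct hop can tell the cell is for it once
    its layer of encryption is removed."""
    if len(data) > RELAY_DATA_MAX:
        raise ValueError("relay data exceeds %d bytes" % RELAY_DATA_MAX)
    header = struct.pack("!BHH4sH", relay_cmd, 0, stream_id, digest, len(data))
    return pack_cell(circ_id, CMD_RELAY, header + data)


def parse_cell(cell: bytes) -> dict:
    """Parse one cell; for RELAY cells also decode the relay header."""
    if len(cell) != CELL_LEN:
        raise ValueError("expected %d-byte cell, got %d" % (CELL_LEN, len(cell)))
    circ_id, command = struct.unpack("!HB", cell[:CIRCID_LEN + 1])
    payload = cell[CIRCID_LEN + 1:]
    result = {"circ_id": circ_id, "command": CELL_COMMANDS.get(command, "UNKNOWN(%d)" % command)}
    if command == CMD_RELAY:
        relay_cmd, recognized, stream_id, digest, length = struct.unpack(
            "!BHH4sH", payload[:RELAY_HEADER_LEN])
        if length > RELAY_DATA_MAX:
            raise ValueError("relay length field %d exceeds payload" % length)
        result.update({
            "relay_command": RELAY_COMMANDS.get(relay_cmd, "UNKNOWN(%d)" % relay_cmd),
            "recognized": recognized,
            "stream_id": stream_id,
            "digest": digest,
            "data": payload[RELAY_HEADER_LEN:RELAY_HEADER_LEN + length],
        })
    return result


def demo():
    """Constructed RELAY_BEGIN cell opening stream 7 on circuit 0x1234."""
    cell = pack_relay_cell(0x1234, 1, 7, b"example.com:80\x00")
    return cell, parse_cell(cell)
```

The length check in `parse_cell` is the kind of bound a real parser must enforce: the length field is attacker-influenced once a relay cell has been decrypted by the wrong hop, and a value above 498 would otherwise index past the payload.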

Using the Onion Router

Requires a client
Many sites require pre-registration
Ensure you have an anonymous email address
.onion URLs are used to identify hidden services
Addresses are 16-character alpha-semi-numeric hashes, automatically generated from the service’s public key (the first 80 bits of the SHA-1 hash of the key) when the hidden service is configured
These 16-character hashes use the letters a-z and the decimal digits 2-7, i.e. an 80-bit number in base32
Note: this is the version 2 address format current in 2014; v2 addresses were retired in 2021 in favour of 56-character v3 addresses that encode an ed25519 public key
Slide26
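The address format on the previous slide, as an added decoder (example code, not the Tor project’s own): it base32-decodes the 16-character v2 form described above and, for the v3 addresses that replaced it, recomputes the embedded SHA3-256 checksum, which is the check a client should make before dialling a typed-in address. The v3 layout (base32 of PUBKEY || CHECKSUM || VERSION, checksum over ".onion checksum" || PUBKEY || VERSION) is from the rendezvous v3 specification; the public key bytes in the test are constructed, not a real service key.

```python
"""Decode and validate .onion addresses (v2 and v3)."""
import base64
import hashlib
import re

B32_RE = re.compile(r"^[a-z2-7]+$")


def _b32decode(s: str) -> bytes:
    # Tor writes addresses lowercase without padding; Python wants upper + padding.
    pad = "=" * (-len(s) % 8)
    return base64.b32decode(s.upper() + pad)


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def make_v3_address(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify_onion(address: str) -> dict:
    """Return the address version, decoded key material and checksum validity."""
    host = address.lower().strip()
    if host.endswith(".onion"):
        host = host[:-6]
    if not B32_RE.match(host):
        return {"version": None, "reason": "not base32"}
    if len(host) == 16:
        # 16 chars * 5 bits = 80-bit truncated SHA-1 of the RSA-1024 key (v2).
        # Nothing in the address itself can be verified offline.
        return {"version": 2, "key_hash": _b32decode(host), "valid": True}
    if len(host) == 56:
        raw = _b32decode(host)                     # 35 bytes
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        ok = version == 3 and checksum == v3_checksum(pubkey, version)
        return {"version": 3, "pubkey": pubkey, "valid": ok}
    return {"version": None, "reason": "unexpected length %d" % len(host)}
```

A v2 address carries no checksum, so a single mistyped character silently points at a different (possibly attacker-registered) service; the v3 checksum is what turns that into a detectable error.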

Demo

Exploring the TOR Project
Slide27

A Journey Inside the Darknet
Slide28

The Deep Dark Web

Anonymous and unindexed area of the internet, also used for serious criminal activity including copyright infringement, credit card fraud and identity theft
Rumoured to be more than 500 times the size of the traditional (indexed) web
Currently around half a million deep web sites worldwide and approx. 20,000 sites in Russia alone
Also used by military and law enforcement agencies
Slide29

The Deep Dark Web
Slide30

Content Classifications
Slide31

Finding Content

Search engines are not the best option
Wikis provide entry points
Beware of malicious links!
Use of TOR may attract the attention of, and in some jurisdictions prosecution by, law enforcement agencies
Law enforcement can use BigPlanet deep web intelligence tools
Slide32

Demo

Exploring the Darkweb
Slide33
Slide34
Slide35
Slide36
Slide37
Slide38

Potential Flaws in the Onion
Slide39

Potential Flaws in the Onion!

Multi-hopping = slower connections
Confusion between unlinkability and anonymity
While using Tor, leaks can occur via the Flash plug-in and other media add-ons that open their own connections outside the proxy
The darknet is heavily monitored by law enforcement agencies
NSA & GCHQ are installing hundreds of ORs in order to capture & analyze traffic
Many honeypot sites exist in order to catch criminals
Slide40

Potential Flaws in the Onion!
Slide41

Timing analysis

An adversary who can observe both ends could determine which node is transmitting by correlating when messages are sent by a server and when they are received by a node
Tor, like any other low-latency network, is vulnerable to such an attack
Counter measure: a node can defeat this attack by sending dummy messages whenever it is not sending or receiving real messages (padding; not currently part of the Tor threat model)
Slide42
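The timing attack and its dummy-traffic counter measure from the slide above, as an added simulation (example code, not from the talk). One observer records when each client’s cells enter the network, another records when cells leave towards each server; bucketing both timelines into windows and correlating the counts links each server to its client despite the unknown latency. Applying the slide’s counter measure, constant-rate dummy traffic at the entry side, makes every client’s timeline identical and the scores collapse to zero. All traffic here is constructed with a seeded generator.

```python
"""Timing-correlation (traffic confirmation) simulation with a padding defence."""
import math
import random


def make_flows(rng: random.Random, n_clients: int, duration: float = 60.0):
    """Constructed sample: each client alternates silence and bursts of cells;
    the exit-side copy of the same flow is delayed by 0.2-0.6 s plus jitter."""
    entry, exit_ = {}, {}
    for c in range(n_clients):
        t, times = 0.0, []
        while t < duration:
            if rng.random() < 0.5:
                t += rng.uniform(1.0, 4.0)              # silence
            else:
                burst_end = t + rng.uniform(0.5, 3.0)   # burst of cells
                while t < burst_end:
                    t += rng.expovariate(10.0)
                    times.append(t)
        entry["client%d" % c] = times
        latency = rng.uniform(0.2, 0.6)
        exit_["server%d" % c] = [x + latency + rng.gauss(0, 0.02) for x in times]
    return entry, exit_


def histogram(times, duration: float, window: float) -> list:
    """Count events per time window; events past `duration` are dropped."""
    bins = [0] * int(math.ceil(duration / window))
    for t in times:
        idx = int(t / window)
        if 0 <= idx < len(bins):
            bins[idx] += 1
    return bins


def correlation(a: list, b: list) -> float:
    """Pearson correlation of two equal-length count vectors (0 if either is constant)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb)


def best_match(entry: dict, exit_: dict, duration=60.0, window=1.0, max_lag_windows=1) -> dict:
    """For each exit-side flow, the entry-side flow whose histogram correlates
    best; trying a few lags absorbs the unknown network latency."""
    matches = {}
    ehist = {c: histogram(t, duration, window) for c, t in entry.items()}
    for server, times in exit_.items():
        xh = histogram(times, duration, window)
        best = None
        for client, ch in ehist.items():
            for lag in range(0, max_lag_windows + 1):
                score = correlation(ch[:len(ch) - lag], xh[lag:])
                if best is None or score > best[0]:
                    best = (score, client)
        matches[server] = best
    return matches


def pad_to_constant_rate(entry: dict, duration=60.0, rate_per_sec=20.0) -> dict:
    """The slide's counter measure: send a cell every 1/rate seconds whether or
    not there is real data, so the entry-side timeline carries no signal."""
    padded = [i / rate_per_sec for i in range(int(duration * rate_per_sec))]
    return {client: list(padded) for client in entry}


def demo(seed: int = 3, n_clients: int = 5):
    rng = random.Random(seed)
    entry, exit_ = make_flows(rng, n_clients)
    unpadded = best_match(entry, exit_)
    padded = best_match(pad_to_constant_rate(entry), exit_)
    return unpadded, padded
```

The padded run shows the cost as well as the benefit: the defence only works because the padded stream sends a cell every 50 ms regardless of demand, which is the bandwidth overhead that keeps padding outside Tor’s threat model on the slide.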

Entry Node Sniffing

[Diagram: criminal posts anonymous content out to a compromised server through TOR nodes (Bob, compromised node); police; legend: Encrypted / Unencrypted]

Law enforcement monitors the suspect’s client machine or its first hop (the entry point); traffic there still carries the suspect’s real IP address even though the content is encrypted
Slide43

Exit Node Sniffing

[Diagram: criminal posts anonymous content onto a target server that has been infected with malicious code; compromised TOR node; police; legend: Encrypted / Unencrypted]

Law enforcement monitors the target server or the last hop (the exit point)
An exit node has complete access to the content being transmitted from the sender to the recipient when the stream itself is unencrypted
If the stream is protected by SSL/TLS, the exit node cannot read the content, just as with any encrypted link over the regular internet; it still sees the destination host and port, and it can tamper with unencrypted (plain HTTP) streams
Slide44

Intersection Attacks

[Diagram: criminal, Bob, compromised node, offline node; police performing network analysis; legend: Encrypted / Unencrypted]

Nodes periodically drop off the network; any chain that keeps working cannot have been routed through the nodes that left or the nodes that recently joined, which narrows the candidate set and increases the chances of successful traffic analysis
Slide45

Predecessor attacks (Replay)

Compromised nodes can retain session information as it occurs over multiple chain reformations
Chains are periodically torn down and rebuilt; if the same session is observed over the course of enough reformations, the compromised node sees the particular sender as its predecessor more frequently than any other node, increasing the chances of successful traffic analysis
Slide46

DoS and Tor

Tor is vulnerable to DoS attacks because users can consume more network resources than they are allowed, or render the network unusable for other users
The design paper proposes two defences:
Puzzle solving: a client puzzle at the beginning of the TLS handshake or before accepting create cells limits the attack multiplier
Rate limiting: limit the rate of accepting create cells and TLS connections so that the public-key work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow
Slide47

Fighting Internet Crime

[Diagram: security agencies reaching an illegal site through TOR nodes; legend: Encrypted / Unencrypted]

TOR is a key technology in the fight against organized crime on the internet
The agency’s IP address is hidden from the site owner
Slide48

Forensically Speaking

TOR
Slide49

TOR: Forensically Speaking

A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:

C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf

The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:

C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
Slide50

TOR: Forensically Speaking

A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows Thumbnail Cache contains the Onion Logo icon.

Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:

C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon.
Slide51

TOR: Forensically Speaking

A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows paging file, C:\pagefile.sys, contains the filename of the Tor Browser Bundle executable
Slide52

TOR: Forensically Speaking

A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the registry contains the path to the Tor Browser Bundle executable.

HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user’s settings are stored in the hive files NTUSER.DAT and UsrClass.dat (the latter backs HKCU\Software\Classes). The path to the Tor Browser Bundle executable is listed in the following two files:

C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1

Result: no trace of the Tor Browser Bundle in any of the NTUSER.DAT files
Slide53
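The four forensic slides above list where TBB leaves traces (Prefetch names, pagefile.sys, the UsrClass.dat hive). Here is an added artifact scanner that applies them (example code, not from the talk or from the analysis it cites): it recognises the TBB Prefetch entries by name, and carves the executable names out of raw bytes in both ASCII and UTF-16LE, because Windows stores paths in hives, the pagefile and its caches as UTF-16LE and a plain ASCII search misses them. The pagefile excerpt is constructed; the Prefetch file names are the ones on the slide plus one unrelated entry.

```python
"""Carve Tor Browser Bundle indicators out of Windows artifacts."""
import re

# Indicator strings taken from the slides (TBB 2.3.25-6 era).
INDICATORS = ["Start Tor Browser.exe", "tbb-firefox.exe", "tor.exe", "vidalia.exe",
              "tor-browser-2.3.25-6_en-US.exe"]

# Prefetch file names from the slides plus one unrelated entry (constructed).
SAMPLE_PREFETCH = [
    r"C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf",
    r"C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf",
    r"C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf",
    r"C:\Windows\Prefetch\TOR.EXE-D7159D93.pf",
    r"C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf",
    r"C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf",
]
PREFETCH_RE = re.compile(r"^(?P<exe>[^\\/]+?)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
TBB_EXE_PREFIXES = ("START TOR BROWSER", "TBB-FIREFOX", "TOR.EXE", "TOR-BROWSER", "VIDALIA")


def _patterns():
    """One regex per indicator and encoding. UTF-16LE text is every ASCII byte
    followed by a NUL byte, so 'tor.exe' becomes b't\\x00o\\x00r\\x00...'."""
    pats = []
    for s in INDICATORS:
        pats.append(("ascii", s, re.compile(re.escape(s.encode("ascii")), re.IGNORECASE)))
        pats.append(("utf-16le", s, re.compile(re.escape(s.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def carve(blob: bytes, context: int = 16) -> list:
    """Every indicator hit as (offset, encoding, indicator, surrounding bytes)."""
    hits = []
    for encoding, name, pat in _patterns():
        for m in pat.finditer(blob):
            hits.append((m.start(), encoding, name,
                         blob[max(0, m.start() - context):m.end() + context]))
    return sorted(hits)


def prefetch_hits(filenames) -> list:
    """Prefetch entries for the TBB executables as (exe, hash); the 8-hex suffix
    is the Prefetcher's hash of the executable's full path, so the same binary
    run from two folders leaves two entries."""
    out = []
    for fn in filenames:
        m = PREFETCH_RE.match(fn.replace("/", "\\").rsplit("\\", 1)[-1])
        if m and m.group("exe").upper().startswith(TBB_EXE_PREFIXES):
            out.append((m.group("exe"), m.group("hash").upper()))
    return out


def sample_pagefile() -> bytes:
    """Constructed stand-in for pagefile.sys / UsrClass.dat content."""
    junk = b"\x00" * 32 + b"\x7fELF\x01\x01" + b"\xff" * 24
    return (junk
            + "C:\\Users\\runa\\Desktop\\Tor Browser\\Start Tor Browser.exe".encode("utf-16-le")
            + junk + b"tor.exe --defaults-torrc" + junk)
```

On a real image the same `carve` runs over the hive files, the thumbcache databases and pagefile.sys, which is how the slides’ "no trace in NTUSER.DAT, present in UsrClass.dat" result is reproduced; the `strings -el` option of binutils does the UTF-16LE half of this from the command line.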

TOR: Forensically Speaking

Looks like regular HTTPS traffic on port 443…
Slide54

TOR: Forensically Speaking

The truth is revealed
Slide55

Blocking TOR Traffic

Obtain a list of TOR servers
Slide56

Blocking TOR Traffic

Obtain a list of TOR servers, then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list
Slide57

Blocking TOR Traffic (Automated Script)

#!/bin/sh
# Gets the list of Tor exit nodes that could reach your IP address.
# This URL returns the current list (the check.torproject.org bulk exit list):
URL='https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=<ENTER YOUR IP ADDRESS HERE>'
TORIPLIST=.toriplist

GETTORLIST() {
    # Keep certificate checking on: a spoofed list would let an attacker
    # choose which addresses you block.
    /usr/bin/wget --output-document=${TORIPLIST} "${URL}"
} # End of GETTORLIST

BLOCKADDRESSES() {
    # Create a chain named TORBLOCK (ignore the error if it already exists).
    /sbin/iptables -N TORBLOCK 2>/dev/null
    # Flush the TORBLOCK chain.
    /sbin/iptables -F TORBLOCK
    # Return to the parent chain if the source is not in the TORBLOCK chain.
    /sbin/iptables -I TORBLOCK -j RETURN
    # Then do this for each address to block:
    #   /sbin/iptables -I TORBLOCK -s IPADDRESS -j DROP
    # We are doing the above in the loop below (list comment lines start with #):
    for node in `/bin/grep -v -e '^#' ${TORIPLIST}`
    do
        /sbin/iptables -I TORBLOCK -s "${node}" -j DROP
    done
} # End of BLOCKADDRESSES

GETTORLIST
BLOCKADDRESSES
rm -f ${TORIPLIST}

Add output to IP address tables: the chain only takes effect once it is referenced from INPUT, e.g. /sbin/iptables -I INPUT -j TORBLOCK (run once)
* Additional links on slides
Slide58
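The detection half of the two “Blocking TOR Traffic” slides, as an added example (written for this page, not LogRhythm’s AI Engine or the Tor project’s code): it parses the bulk exit list format the script above downloads (comment lines beginning with #, one address per line) and flags any firewall log line whose source or destination is on it, which is what the Log Observed rule does. The exit list and the iptables-style log lines are constructed samples.

```python
"""Flag firewall log lines whose source or destination is a known Tor exit."""
import ipaddress
import re

# Constructed sample in the bulk exit list format: '#' comments, one IP per line.
SAMPLE_EXIT_LIST = """\
# This is a list of all Tor exit nodes from the past 16 hours that can contact 203.0.113.10 on port 443 #
# Last updated 2014-05-12 09:00:00 UTC #
198.51.100.7
198.51.100.23
2001:db8:1::5
"""

# Constructed iptables-style log lines (kernel log format, trimmed).
SAMPLE_LOG = """\
May 12 09:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
May 12 09:01:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80
May 12 09:01:09 fw kernel: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.23 PROTO=TCP SPT=443 DPT=9001
May 12 09:01:11 fw kernel: IN=eth0 OUT= SRC=2001:db8:1::5 DST=2001:db8:ffff::10 PROTO=TCP SPT=5555 DPT=443
"""

ADDR_RE = re.compile(r"\bSRC=(?P<src>[0-9a-fA-F.:]+)\s+DST=(?P<dst>[0-9a-fA-F.:]+)")


def parse_exit_list(text: str) -> set:
    """Set of exit addresses as ipaddress objects, so that differently written
    IPv6 forms compare equal; comments, blanks and junk lines are skipped."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue   # tolerate a bad line rather than failing the whole feed
    return exits


def flag_tor_traffic(log_text: str, exits: set) -> list:
    """(line_no, direction, exit_ip, line) for every log line touching an exit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = ADDR_RE.search(line)
        if not m:
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if src in exits:
            hits.append((n, "inbound-from-exit", str(src), line))
        elif dst in exits:
            hits.append((n, "outbound-to-exit", str(dst), line))
    return hits


def demo() -> list:
    return flag_tor_traffic(SAMPLE_LOG, parse_exit_list(SAMPLE_EXIT_LIST))
```

Two caveats that apply to the blocking script as much as to this rule: the bulk list only contains exits whose policy allows connections to the queried IP (and port, if given), so exits that cannot reach you are absent by design, and the list changes hourly, so a stale copy both misses new exits and blocks addresses that have since been reassigned.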

Web Browser Fingerprinting

Relatively new concept
A technique researched by the Electronic Frontier Foundation (Panopticlick) for identifying a web browser, without cookies, with up to 94% accuracy
Even in privacy mode or with cookies disabled, browsers can still be tracked by browser version, language, OS, installed fonts, browser add-ins, time zone etc.
Slide59

Web Browser Fingerprinting

Browser information collected includes, but is not limited to:
Browser-supported items
Plugin information
Geographical information
Device-related information
Operating system information
This collection of information is concatenated and hashed (e.g. with SHA-256) to give a fingerprint for any given web browser; the fingerprint is only as unique as the combination of attributes behind it
Slide60

Are you really Unique?

Regular IE 11 browser
Slide61

Are you really Unique?

Privacy IE 11 browser
Slide62

Are you really Unique?

Older TOR
Slide63

Are you really Unique?

Updated TOR
Slide64
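The hashing described on the “Web Browser Fingerprinting” slides and the “Are you really Unique?” comparison, as an added example (written for this page, not EFF’s Panopticlick code): attributes are concatenated and SHA-256 hashed as the slide says, and uniqueness is then measured the way Panopticlick reports it, as the number of bits of identifying information, minus log2 of the fraction of the population sharing the fingerprint. The hardened profile models what an updated Tor Browser does, namely reporting the same user agent, language, platform, time zone, rounded window size and no fonts or plugins for every user; those normalised values and the ten-browser population are constructed for the example.

```python
"""Fingerprint hashing and anonymity-set size over a constructed population."""
import hashlib
from collections import Counter

ATTRIBUTES = ("user_agent", "language", "platform", "timezone", "screen", "fonts", "plugins")


def fingerprint(attrs: dict) -> str:
    """Concatenate attribute values in a fixed order with a delimiter that cannot
    occur in the values, then hash. Order matters: a different order is a
    different fingerprint, so every collector must agree on it."""
    material = "\x1f".join(str(attrs.get(k, "")) for k in ATTRIBUTES)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def normalise_like_tor_browser(attrs: dict) -> dict:
    """Modelled Tor Browser behaviour (assumed values): one user agent, one
    language, one platform string, UTC, a rounded window size, and fonts and
    plugins hidden, so every user presents the same attributes."""
    return {**attrs, "user_agent": "TB", "language": "en-US", "platform": "Win32",
            "timezone": "UTC", "screen": "1000x700", "fonts": "bundled", "plugins": ""}


def surprisal_bits(fp: str, population: Counter) -> float:
    """Identifying information in bits: -log2(share of the population with fp).
    log2(N) bits means the browser is unique among N; fewer bits means it hides
    in a crowd."""
    import math
    total = sum(population.values())
    return -math.log2(population[fp] / total)


def build_population():
    """Constructed crowd: 8 regular browsers with distinct attribute mixes and 2
    hardened ones derived from the first two, which normalisation makes identical."""
    regular = []
    for i in range(8):
        regular.append({"user_agent": "IE11", "language": "en-GB" if i % 2 else "en-US",
                        "platform": "Win32", "timezone": "UTC%+d" % (i % 3),
                        "screen": "%dx%d" % (1280 + 64 * i, 800), "fonts": "set%d" % i,
                        "plugins": "flash" if i % 4 else ""})
    hardened = [normalise_like_tor_browser(b) for b in regular[:2]]
    return regular, hardened


def demo():
    regular, hardened = build_population()
    population = Counter(fingerprint(b) for b in regular + hardened)
    bits_regular = surprisal_bits(fingerprint(regular[0]), population)
    bits_tor = surprisal_bits(fingerprint(hardened[0]), population)
    return population, bits_regular, bits_tor
```

The regular profile is unique in the crowd of ten (log2 10, about 3.3 bits) while the two hardened profiles share one fingerprint (log2 5, about 2.3 bits); with millions of real users the hardened set collapses to a handful of fingerprints, which is why the "Updated TOR" slide scores so much better than "Older TOR". Anything the user changes, such as resizing the window or installing an add-on, re-introduces bits.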

Demo

Web Browser Fingerprints
Slide65

You may want to take a look at Other Privacy Solutions
Slide66

Staying Anonymous: Proxy Servers

Most common method to hide your IP address
Allows users to make indirect network connections to the Internet
Activity goes to the proxy first, which forwards the request for information, data, files, email, etc. In each case, your actual IP address is hidden from the destination (the proxy operator still sees it).
The proxy then serves the request by connecting directly to the source or by serving it from a cache
Proxy servers (or simply “proxies”) come in a few varieties.
Slide67

Staying Anonymous: Proxy Servers

Anonymous proxy: identifies itself as a proxy server (e.g. via a Via header). It is detectable as a proxy, but provides reasonable anonymity for most users.
Distorting proxy: identifies itself as a proxy server, but supplies an “incorrect” originating IP address in the HTTP headers (e.g. X-Forwarded-For).
High-anonymity proxy: does not identify itself as a proxy server and does not make the original IP address available.
Slide68

Web Based: Proxy Servers

Simply enter the URL of a website that you wish to visit anonymously
When you submit the form, the website proxy server makes a request for the page that you want to visit
The proxy usually does not identify itself as a proxy server and does not pass along your IP address in the request for the page
The features of these sites vary (ad blocking, JavaScript blocking, etc.), as does their price.
Slide69

Demo

Proxy Heaven
Slide70
Slide71
Slide72
Slide73
Slide74
Slide75

Safeplug: Anonymity in a Box
Slide76

Code Talker Tunnel (Previously SkypeMorph)

[Diagram: Alice and Bob each tunnel TOR traffic disguised as Skype video traffic via an OpenWRT-compatible modem; the eavesdropper sees only Skype video traffic; legend: Encrypted / Unencrypted]
Slide77

Code Talker Tunnel (Previously SkypeMorph)

Protocol camouflaging tool designed to reshape the traffic output of any censorship circumvention tool to look like Skype video calls
Can be used as a SOCKS proxy, so it is extremely easy to use with different anonymity and censorship resistance tools
Hard to block and identify (protocol obfuscation)
High-bandwidth channel
Home-router-ready version supporting OpenWRT firmware
Check it out at: git://git-crysp.uwaterloo.ca/codetalkertunnel
Slide78

TOR: Top Tips

Don’t use browser widgets
Don’t torrent over Tor
Use the Tor Browser (most up to date)
Always use HTTPS versions of sites
Never open documents downloaded through Tor while online
Use bridges and/or find company
Slide79

Session Review
Slide80

The Extras…

Follow @AndyMalone & Get my OneDrive Link
Slide81

Come Visit Us in the Microsoft Solutions Experience!

Look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD

For More Information

Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
Slide82

Resources

Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Slide83

Slide84
Slide85

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.