Andy Malone MVP UK CDPB376 A Journey Through the Looking Glass Microsoft MVP Enterprise Security Microsoft Certified Trainer 18 years Founder Cybercrime Security Forum Winner Microsoft Speaker Idol 2006 ID: 579251
Download Presentation The PPT/PDF document "The Dark Web Rises" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1Slide2
The Dark Web Rises
Andy Malone MVP (UK)
CDP-B376
A Journey Through the Looking GlassSlide3
Microsoft MVP (Enterprise Security)
Microsoft Certified Trainer (18 years)
Founder: Cybercrime Security Forum!Winner: Microsoft Speaker Idol 2006Author: The Seventh DayAndy Malone(United Kingdom)
Follow me on Twitter @
AndyMalone
www.Andymalone.orgSlide4Slide5
This Session will DiscussSlide6
TOR: A Tale of Two Sides
Freedom from Censorship, No Restrictions,
Private Communication, Many US UK Agencies use similar private channels The Dark Web: Drugs, Guns, Malicious Software, Pedophiles. Slavery, Black MarketSlide7
TOR: Providing a Voice for the OppressedSlide8
Freedom from Potential Oppression
Freedom from having communications monitoredUsed by government embassies for sending of confidential emails
Useful in accessing blocked Internet Sites where restrictions are enforced I.e. The UK, Saudi Arabia, China etc Why use the Onion?Slide9
Current TOR Clients / Projects
https://www.torproject.org/Slide10
Variants (Other Anonymizing Technologies)
Tor (anonymity network)
Garlic RoutingAnonymous P2PThe Amnesic Incognito Live SystemDegree of anonymityChaum mixesBitblinderJava Anonymous ProxySlide11
TOR is an Open Source Non Profit Organization running
out of an YWCA in Cambridge, Massachusetts 33 Full Time EmployeesTOR’s hosted by 1000s of Volunteers around the world
Initially Sponsored by the US Office of Naval Research Laboratory In 2004 - 2005 Was supported by the Electronic Frontier FoundationWhere it all beganSlide12
“There are no conspiracies. We don’t do things we don’t want to.
No backdoors ever!”
Jacob Appelbaum: TOR (2013) TOR: Key PrincipleSlide13
Over
60.000 Users DailyApprox. 3500 Routers and GrowingCurrently 6 Million + users Worldwide
Every web page, database etc that Google can’t index is considered as the Dark Web9x% of web pages are in the Dark Web!Media wrong when they say that the only way to access the dark web is through TORQuestion: Is it all bad?Up & RunningSlide14
Who uses this Technology?Slide15
The TechnologySlide16
An
anonymous communication technique Messages constantly encrypted and
sent through several onion routers which creates a circuit of nodes using random domain namesEach OR removes a layer of encryption with its symmetric key to reveal routing instructions, and sends the message to the next router where process is repeated Thus the analogy “onion router”. Prevents these intermediary nodes from knowing the origin, destination, and contents of the messageWhat is a Onion Router?Slide17
Onion Routing: How it WorksSlide18
Onion Routing: How it Works
TOR Node
Encrypted
Alice
Bob
Jane
Unencrypted
Each OR maintains a TLS / AES connection to every other OR
Users run
an
onion proxy (OP) to fetch directories, establish circuits across the
network
Each OR maintains a long & short term onion identity key (10
mins
)
Used
to sign TLS certificates which sign the OR’s router descriptor, summary of keys, address, bandwidth ,
etc
Port 9001
Port 9090
Port 443Slide19
Onion Routing: How it Works
TOR Node
Encrypted
Alice
Dave
Bob
Jane
Unencrypted
Step 1
: Alice’s TOR Client obtains a list of TOR Clients from a directory server
Port 9001
Port 9030Slide20
Onion Routing: How it Works
TOR Node
Encrypted
Alice
Dave
Bob
Jane
Unencrypted
Step 2
: Alice’s TOR Client picks a
random
path to a destination server.
Green links
are encrypted,
red links
are in the clear
Port 443
Port 80Slide21
Onion Routing: How it Works
TOR Node
Encrypted
Alice
Dave
Bob
Jane
Unencrypted
Step 3
: If at a later time Alice connects to a different resource then a different, random route is selected. Again
Green links
are encrypted,
red links
are in the clear
Port 80
Port 443Slide22
Onion Routing: Peeling back the Layers
https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html
Alice builds a two-hop circuit and begins fetching a web page.Slide23
Onion Routing: Cells
TOR Node
TLS EncryptedControl cells: interpreted by the nodes that receive themRelay cells: which carry end-to-end stream data. Has an additional header on front of the payload containing streamIDIntegrity checksum
Length of payload and relay command.
Fixed-sized cells 512 bytes with a header and a payloadSlide24
Onion Routing: Cell Commands
Current Relay Commands
Relay data: data flowing down streamRelay begin: to open a streamRelay end: to close a stream cleanlyRelay teardown: to close a broken streamRelay connected: to notify successful relay beginRelay extend/extended: to extend the circuit by a hopRelay send me: congestion controlRelay drop: implements long-range dummiesSlide25
Using the Onion Router
Requires a Client
Many sites require pre- registration Ensure you have an anonymous Email Address.onion-URLs are used to identify hidden servicesAddresses 16-character alpha-semi-numeric hashes which are automatically generated based on a public key when the hidden service is configuredThese 16-character hashes can be made up of any letter in the alphabet, and decimal digits beginning with 2 and ending with 7, thus representing an 80-bit number in base32Slide26
Demo
Exploring the TOR ProjectSlide27
A Journey Inside the DarknetSlide28
The Deep Dark Web
Anonymous and unindexed area of the internet used for serious criminal activity including
Copyright infringementCredit Card fraud and identity theftRumored to contains more than the traditional web Currently around ½ a Million deep web sites worldwide and approx. 20,000 sites in Russia aloneUsed by Military & Law Enforcement AgenciesSlide29
The Deep Dark WebSlide30
Content
ClassificationsSlide31
Finding Content
Search Engines not the best option
Wikis Provide entry pointsBeware of Malicious links!Use of TOR may lead to Prosecution by law enforcement agenciesLaw Enforcement can use BigPlanet Deep Web Intelligence toolsSlide32
Demo
Exploring the DarkwebSlide33Slide34Slide35Slide36Slide37Slide38
Potential
Flaws in the OnionSlide39
Potential Flaws
in the Onion!
Multi Hopping = Slower ConnectionsConfusion between unlinkability with anonymityWhile using Tor leaks can occur via Flash plug-in’s & other media add-onsDarknet Heavily Monitored by Law Enforcement AgenciesNSA & GCHQ Installing hundreds of OR’s in order to capture & analyze trafficMany Honeypot Sites Exist in order to catch criminals Slide40
Potential Flaws
in the Onion!Slide41
Timing analysis
Adversary
could determine whether a node is transmitting by correlating when messages are sent by a server and received by a nodeTor, and any other low latency network, is vulnerable to such an attackCounter Measure: A Node can defeat this attack by sending dummy messages whenever it is not sending or receiving real messages (Not currently part of the Tor threat model)Slide42
Entry Node Sniffing
TOR Node
Encrypted
Bob
Unencrypted
Criminal posts anonymous content out to Compromised Server
Compromised
Node
Police
Law Enforcement Monitor suspects client machine (Entry Point)Slide43
Exit Node Sniffing
TOR Node
Encrypted
Target
Unencrypted
Criminal posts anonymous content onto Server
Compromised
Node
Infected with malicious code
Police
Law Enforcement Monitors Target client machine (Exit Point)
An
exit node
has complete access to the content being transmitted from the sender to the recipient
If the message is encrypted by SSL, the exit node cannot read the information, just as any encrypted link over the regular internetSlide44
Intersection Attacks
TOR Node
Encrypted
Bob
Unencrypted
Criminal posts anonymous content out to Compromised Server
Compromised
Node
Police
Network Analysis
Nodes periodically fail of the network; any chain that remains functioning cannot have been routed through either the nodes that left or the nodes that recently joined the network, increasing the chances of a successful traffic analysis
Offline NodeSlide45
Predecessor attacks (Replay)
Compromised Nodes
can retain session information as it occurs over multiple chain reformations Chains are periodically torn down and rebuiltIf the same session is observed over the course of enough reformationsThe compromised node connects with the particular sender more frequently than any other node Increasing the chances of a successful traffic analysisSlide46
Ddos
Attack
DoS and TorTor is vulnerable to DoS attacks because users can consume more network resources than allowed or render the network unusable for other users.Tor deals with these attacks withPuzzle solving: At beginning of TLS handshake or accepting create cells, this limits the attack multiplier.Limiting rates: Limits rates of accepting of create cell and TLS connections so the computational work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow.Slide47
Fighting Internet Crime
TOR Node
Encrypted
Unencrypted
Security Agencies
TOR is a key technology in the fight against organized crime on the internet
Illegal Site
Agency IP Address Hidden from Site ownerSlide48
Forensically Speaking
TORSlide49
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7
showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6\_EN-US.EX-1354A499.pf C:\Windows\Prefetch\TOR.EXE-D7159D93.pf C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db C:\Windows\AppCompat\Programs\RecentFileCache.bcf Slide50
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle
(64-bit) on Windows 7 showed that the Windows Thumbnail Cache contains the Onion Logo icon.Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon. Slide51
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle
(64-bit) on Windows 7 showed that the Windows paging file, C:\pagefile.sys, contains the filename for the Tor Browser Bundle executableSlide52
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle
(64-bit) on Windows 7 showed that the registry contains the path to the Tor Browser Bundle executableHKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user's settings are stored in files called NTUSER.DAT and UsrClass.dat. The path to the Tor Browser Bundle executable is listed in the following two files:C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Result: No trace of the Tor Browser Bundle in any of the NTUSER.DAT filesSlide53
TOR: Forensically Speaking
Looks like regular HTTPS Traffic on port 443…Slide54
TOR: Forensically Speaking
The Truth is revealedSlide55
Blocking TOR Traffic
Obtain list of TOR ServersSlide56
Blocking TOR Traffic
Obtain list of TOR Servers
Then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the listSlide57
# Gets List of the
Torproject Exit Points that would access your ipaddress
## This URL gets the new list:#URL=’https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=<ENTER YOUR IP ADDRESS HERE>‘TORIPLIST=.toriplistGETTORLIST(){/usr/bin/wget –no-check-certificate –output-document=${TORIPLIST} ${URL}} # End of GETTORLISTBLOCKADDRESSES(){# Create a chain named TORBLOCK./sbin/iptables -N TORBLOCK# Flush the TORBLOCK chain./sbin/iptables -F TORBLOCK# Return to parent chain if the source is not in the TORBLOCK chain./sbin/iptables -I TORBLOCK -j RETURN# Then do this for each address to block:# /sbin/iptables -I TORBLOCK -s IPADDRESS -j DROP# We are doing the above in the loop below:for node in `/bin/grep -v -e ^# ${TORIPLIST}`do/sbin/iptables -I TORBLOCK -s $node -j DROPdone} # End of BLOCKADDRESSESGETTORLIST
BLOCKADDRESSES
rm
-f ${TORIPLIST}
Blocking TOR Traffic (Automated Script)
Add output to IP Address tables
* Additional links on slidesSlide58
Demo
Blocking TOR – Application Aware FirewallsSlide59
Web Browser Fingerprinting
Relatively New Concept
A technique researched by Electronic Frontier Foundation, of anonymously identifying a web browser with up to 94% accuracy rates Even in Privacy Mode or with Cookies Disabled. Browsers can still be trackedBrowser version, language, OS, Installed Fonts, Browser Add in’s, time zone etcSlide60
Web Browser Fingerprinting
Browser information Collected includes but not limited to:
Browser supported itemsPlugin informationGeographical informationDevice related informationOperating system informationThis collection of information is combined into a SHA256 hash which gives you a unique fingerprint for any given web browserSlide61
Are you really Unique?
Regular I.E
11BrowserSlide62
Are you really Unique?
Privacy
IE 11BrowserSlide63
Are you really Unique?
Older
TORSlide64
Are you really Unique?
Updated
TORSlide65
You may want to take a look at
Other Privacy
SolutionsSlide66
Staying Anonymous: Proxy Servers
Most
common method to hide your IP address Allows users to make indirect network connections to the InternetActivity goes to proxy first, which sends on for information, data, files, email, etc In each case, your actual IP address is hidden.Then serves up requests by connecting directly to the source or by serving it from a cache Proxy servers (or simply "proxies") come in a few varieties.Slide67
Staying Anonymous: Proxy Servers
Anonymous
ProxyThis type of proxy server identifies itself as a proxy server. It is detectable (as a proxy), but provides reasonable anonymity for most users.Distorting ProxyThis type of proxy server identifies itself as a proxy server, but creates an "incorrect" originating IP address available through the "http" headers.High-Anonymity ProxyThis type of proxy server does not identify itself as a proxy server and does not make available the original IP address.Slide68
Web Based: Proxy Servers
Simply enter
the URL of a website that you wish to visit anonymouslyWhen you submit the form, the website proxy server makes a request for the page that you want to visitThe proxy usually does not identify itself as a proxy server and does not pass along your IP address in the request for the pageThe features of these sites vary (ad blocking, JavaScript blocking, etc.), as does their price.Slide69
Demo
Proxy Heaven Slide70Slide71Slide72Slide73Slide74Slide75
Safeplug
:
Anonymity in a BoxSlide76
Code Talker Tunnel Previously
SkypeMorph
EncryptedUnencryptedEavesdropper: Skype Video TrafficBob: TOR traffic disguised via OpenWRT compatible modem
Alice
Bob
Alice:
TOR traffic disguised via
OpenWRT
compatible modemSlide77
Code Talker Tunnel Previously
SkypeMorph
Protocol camouflaging tool Designed to reshape traffic output of any censorship circumvention tool to look like Skype video calls Can be used as a SOCKS proxy and therefore it is extremely easy to use it with different anonymity and censorship resistance tools Hard to block and identify protocol obfuscationHigh-bandwidth channelHome-router-ready version supporting OpenWRT firmware'sCheck it out at: git://git-crysp.uwaterloo.ca/codetalkertunnelSlide78
TOR: Top Tips
Don’t use Browser widgets
Don’t Torrent Over TorUse The Tor Browser (Most up to date)Always use HTTPS Versions of SitesNever open documents downloaded through Tor while onlineUse bridges and/or find companySlide79
Session ReviewSlide80
The Extras…
Follow @AndyMalone & Get my OneDrive LinkSlide81
B305: A Game of Clouds – Black Belt Security for the Microsoft Cloud
B374: Hacking Beyond Borders: Mobile Device (In)Security
B376: The Dark Web Rises: A Journey Through The Looking GlassRelated content
Join me for a
Meet & Greet
at the IT Community Experts
Booth in the Resource
Zone, 29/10 at 14:00
!Slide82
TwC
cloud trust
Security development lifecycleSecurity
intelligence report
Trustworthy computing
Security blog
www.microsoft.com/sir
www.microsoft.com/sdl
www.microsoft.com/twc
blogs.technet.com/security
www.microsoft.com/
trustedcloud
ResourcesSlide83
Come
visit us
in the Microsoft Solutions Experience (MSE)!Look for the Cloud and Datacenter Platform area TechExpo Hall 7For more informationWindows Server Technical Preview
http://technet.microsoft.com/library/dn765472.aspx
Windows Server
Microsoft Azure
Microsoft Azure
http://azure.microsoft.com/en-us/
System Center
System Center Technical Preview
http://
technet.microsoft.com/en-us/library/hh546785.aspx
Azure Pack
Azure Pack
http://
www.microsoft.com/en-us/server-cloud/products/
windows-azure-packSlide84
Resources
Learning
Microsoft Certification & Training Resourceswww.microsoft.com/learning
Developer Network
http
://developer.microsoft.com
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEdSlide85
Please Complete An Evaluation Form
Your input is important!
TechEd Schedule Builder
CommNet
station
or PC
TechEd Mobile
app
Phone or Tablet
QR codeSlide86
Evaluate this sessionSlide87
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.