the extras… follow @andymalone & get my onedrive link
TRANSCRIPT
The Extras…Follow @AndyMalone & Get my OneDrive Link
The Dark Web Rises: A journey through the Looking GlassAndy Malone
DCIM-B351
Microsoft MVP (Enterprise Security)Microsoft Certified Trainer (18 years)Founder: Cybercrime Security Forum!International Event SpeakerWinner: Microsoft Speaker Idol 2006
Andy Malone(United Kingdom)
Follow me on Twitter @AndyMalone
www.cybercrimesecurityforum.org
This Session will DiscussWhat is TOR and how does it keep me anonymous?
Who uses TOR & Why?
Understand what the Darkweb is & Learn about it’s dangersLearn about Potential Flaws in the Technology
Forensics & Law Enforcement
TOR Technology & My Business
TOR: A Tale of Two Sides
Freedom from Censorship, No Restrictions, Private Communication, Many US UK Agencies use similar private channels
The Dark Web: Drugs, Guns, Malicious Software, Pedophiles. Slavery, Black Market
TOR: Providing a Voice for the Oppressed
Freedom from Potential OppressionFreedom from having communications monitoredUsed by government embassies for sending of confidential emailsUseful in accessing blocked Internet Sites where restrictions are enforced I.e. The UK, Saudi Arabia, China etc
Why use the Onion?
Current TOR Clients / Projects
Tails TOR Browser TOR Atlas
Stem (Development Environment)
Orbot (Android)
ARM (Shell)
Pluggable Transports TOR Cloud
https://www.torproject.org/
Variants (Other Anonymizing Technologies)
Tor (anonymity network)Garlic RoutingAnonymous P2PThe Amnesic Incognito Live SystemDegree of anonymityChaum mixesBitblinderJava Anonymous Proxy
TOR is an Open Source Non Profit Organization running out of an YWCA in Cambridge, Massachusetts
33 Full Time EmployeesTOR’s hosted by 1000s of Volunteers around the world
Initially Sponsored by the US Office of Naval Research Laboratory In 2004 - 2005 Was supported by the Electronic Frontier Foundation
Where it all began
“There are no conspiracies. We don’t do things we don’t want to. No backdoors ever!”
Jacob Appelbaum: TOR (2013)
TOR: Key Principle
Over 60.000 Users DailyApprox. 3500 Routers and GrowingCurrently 6 Million + users WorldwideEvery web page, database etc that Google can’t index is considered as the Dark Web9x% of web pages are in the Dark Web!Media wrong when they say that the only way to access the dark web is through TORQuestion: Is it all bad?
Up & Running
Who uses this Technology?
Home Users can protect themselves when online
Activists can anonymously report abuses from danger zones
Whistleblowers can use Tor to safely report on corruption
Journalists use Tor to protect their research and sources online
Military and law enforcement can protect communications, investigations, and intelligence (No
IP Trace)
The Technology
An anonymous communication technique Messages constantly encrypted and sent through several onion routers which creates a circuit of nodes using random domain namesEach OR removes a layer of encryption with its symmetric key to reveal routing instructions, and sends the message to the next router where process is repeated Thus the analogy “onion router”. Prevents these intermediary nodes from knowing the origin, destination, and contents of the message
What is a Onion Router?
Onion Routing: How it Works
Onion Routing: How it Works
TOR Node
Encrypted
Alice
Bob
Jane
Unencrypted
•Each OR maintains a TLS / AES connection to every other OR
•Users run an onion proxy (OP) to fetch directories, establish circuits across the network
•Each OR maintains a long & short term onion identity key (10 mins)
•Used to sign TLS certificates which sign the OR’s router descriptor, summary of keys, address, bandwidth ,etc
Port 9001Port 9090Port 443
Onion Routing: How it Works
TOR Node
Encrypted
Alice
Dave
Bob
Jane
UnencryptedStep 1: Alice’s TOR Client obtains a list of TOR Clients from a directory server
Port 9001Port 9030
Onion Routing: How it Works TOR Node
Encrypted
Alice
Dave
Bob
Jane
Unencrypted
Step 2: Alice’s TOR Client picks a random path to a destination server. Green links are encrypted, red links are in the clear
Port 443
Port 80
Onion Routing: How it Works TOR Node
Encrypted
Alice
Dave
Bob
Jane
Unencrypted
Step 3: If at a later time Alice connects to a different resource then a different, random route is selected. Again Green links are encrypted, red links are in the clear
Port 80
Port 443
Onion Routing: Peeling back the Layers
https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html
Alice builds a two-hop circuit and begins fetching a web page.
Onion Routing: Cells
TOR Node
TLS Encrypted
• Control cells: interpreted by the nodes that receive them
• Relay cells: which carry end-to-end stream data. Has an additional header on front of the payload containing
• streamID• Integrity checksum• Length of payload and relay command.
Header circuit
identifier or circutID
Inst
ruct
io nPayload Command Pa
ylo
ad Data
Fixed-sized cells 512 bytes with a header and a payload
Onion Routing: Cell Commands
Current Relay CommandsRelay data: data flowing down streamRelay begin: to open a streamRelay end: to close a stream cleanlyRelay teardown: to close a broken streamRelay connected: to notify successful relay beginRelay extend/extended: to extend the circuit by a hopRelay send me: congestion controlRelay drop: implements long-range dummies
Using the Onion Router
Requires a ClientMany sites require pre- registration Ensure you have an anonymous Email Address.onion-URLs are used to identify hidden servicesAddresses 16-character alpha-semi-numeric hashes which are automatically generated based on a public key when the hidden service is configuredThese 16-character hashes can be made up of any letter in the alphabet, and decimal digits beginning with 2 and ending with 7, thus representing an 80-bit number in base32
DemoExploring the TOR Project
A Journey Inside the Darknet
The Deep Dark WebAnonymous and unindexed area of the internet used for serious criminal activity including
Copyright infringementCredit Card fraud and identity theft
Rumored to contain more than 500 times the size of the traditional web Currently around ½ a Million deep web sites worldwide and approx. 20,000 sites in Russia aloneUsed by Military & Law Enforcement Agencies
The Deep Dark Web
Controlled substance marketplaces
Armories selling all kinds of weapons
Child pornography
Unauthorized leaks of sensitive information
Money laundering
Copyright infringement
Credit Card Fraud
Content Classifications
Dynamic Unlinked Private Site
Contextual•Varied access pages with differing ranges of client IP addresses
Limited Access•Limited technically (e.g. using Robots Exclusions, CAPTCHAs. Or no-cache Pragma HTTP headers, which prohibit browsing & caching
Scripted•Accessible through links produced by JavaScript
•Content dynamically downloaded via Flash or Ajax
Non HTML/Text
Finding Content
Search Engines not the best optionWikis Provide entry pointsBeware of Malicious links!Use of TOR may lead to Prosecution by law enforcement agenciesLaw Enforcement can use BigPlanet Deep Web Intelligence tools
DemoExploring the Darkweb
Potential Flaws in the Onion
Potential Flaws in the Onion!
Multi Hopping = Slower ConnectionsConfusion between unlinkability with anonymityWhile using Tor leaks can occur via Flash plug-in’s & other media add-onsDarknet Heavily Monitored by Law Enforcement AgenciesNSA & GCHQ Installing hundreds of OR’s in order to capture & analyze trafficMany Honeypot Sites Exist in order to catch criminals
Potential Flaws in the Onion!
Timing Attack
Entry Monitoring
Intersection Attack
Ddos Attack
Predecessor Attack (Replay)
Exit node Sniffing
Timing analysis
Adversary could determine whether a node is transmitting by correlating when messages are sent by a server and received by a nodeTor, and any other low latency network, is vulnerable to such an attackCounter Measure: A Node can defeat this attack by sending dummy messages whenever it is not sending or receiving real messages (Not currently part of the Tor threat model)
Entry Node SniffingTOR Node
Encrypted
Bob
Unencrypted
Criminal posts anonymous content out to Compromised Server
Compromised Node
Police
Law Enforcement Monitor suspects client machine (Entry Point)
Exit Node SniffingTOR Node
Encrypted
Target
Unencrypted
Criminal posts anonymous content onto Server Compromised
Node
Infected with malicious code
Police
Law Enforcement Monitors Target client machine (Exit Point)
• An exit node has complete access to the content being transmitted from the sender to the recipient
• If the message is encrypted by SSL, the exit node cannot read the information, just as any encrypted link over the regular internet
Intersection AttacksTOR Node
Encrypted
Bob
Unencrypted
Criminal posts anonymous content out to Compromised Server
Compromised Node
Police
Network AnalysisNodes periodically fail of the network; any chain that remains functioning cannot have been routed through either the nodes that left or the nodes that recently joined the network, increasing the chances of a successful traffic analysis
Offline Node
Predecessor attacks (Replay)
Compromised Nodes can retain session information as it occurs over multiple chain reformations
Chains are periodically torn down and rebuilt
If the same session is observed over the course of enough reformationsThe compromised node connects with the particular sender more frequently than any other node Increasing the chances of a successful traffic analysis
Ddos Attack
DoS and TorTor is vulnerable to DoS attacks because users can consume more network resources than allowed or render the network unusable for other users.
Tor deals with these attacks with
Puzzle solving: At beginning of TLS handshake or accepting create cells, this limits the attack multiplier.Limiting rates: Limits rates of accepting of create cell and TLS connections so the computational work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow.
Fighting Internet Crime
TOR Node
Encrypted
Unencrypted
Security Agencies TOR is a key technology in the fight against organized crime on the internet
Illegal Site
Agency IP Address Hidden from Site owner
Forensically SpeakingTOR
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:
C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6\_EN-US.EX-1354A499.pf C:\Windows\Prefetch\TOR.EXE-D7159D93.pf C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf
The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:
C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db C:\Windows\AppCompat\Programs\RecentFileCache.bcf
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows Thumbnail Cache contains the Onion Logo icon.
Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:
C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon.
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows paging file, C:\pagefile.sys, contains the filename for the Tor Browser Bundle executable
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the registry contains the path to the Tor Browser Bundle executable
HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user's settings are stored in files called NTUSER.DAT and UsrClass.dat. The path to the Tor Browser Bundle executable is listed in the following two files:
C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Result: No trace of the Tor Browser Bundle in any of the NTUSER.DAT files
TOR: Forensically Speaking
Looks like regular HTTPS Traffic on port 443…
TOR: Forensically Speaking
The Truth is revealed
Blocking TOR Traffic
Obtain list of TOR Servers
Blocking TOR TrafficObtain list of TOR Servers
Then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list
# Gets List of the Torproject Exit Points that would access your ipaddress## This URL gets the new list:#URL=’https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=<ENTER YOUR IP ADDRESS HERE>‘TORIPLIST=.toriplistGETTORLIST(){/usr/bin/wget –no-check-certificate –output-document=${TORIPLIST} ${URL}} # End of GETTORLIST
BLOCKADDRESSES(){# Create a chain named TORBLOCK./sbin/iptables -N TORBLOCK# Flush the TORBLOCK chain./sbin/iptables -F TORBLOCK# Return to parent chain if the source is not in the TORBLOCK chain./sbin/iptables -I TORBLOCK -j RETURN# Then do this for each address to block:# /sbin/iptables -I TORBLOCK -s IPADDRESS -j DROP# We are doing the above in the loop below:
for node in `/bin/grep -v -e ^# ${TORIPLIST}`do/sbin/iptables -I TORBLOCK -s $node -j DROPdone
} # End of BLOCKADDRESSES GETTORLIST
BLOCKADDRESSES rm -f ${TORIPLIST}
Blocking TOR Traffic (Automated Script)
Add output to IP Address tables* Additional links on slides
Web Browser Fingerprinting
Relatively New ConceptA technique researched by Electronic Frontier Foundation, of anonymously identifying a web browser with up to 94% accuracy rates Even in Privacy Mode or with Cookies Disabled. Browsers can still be trackedBrowser version, language, OS, Installed Fonts, Browser Add in’s, time zone etc
Web Browser Fingerprinting
Browser information Collected includes but not limited to:Browser supported itemsPlugin informationGeographical informationDevice related informationOperating system informationThis collection of information is combined into a SHA256 hash which gives you a unique fingerprint for any given web browser
Are you really Unique?
Regular I.E 11Browser
Are you really Unique?
Privacy IE 11Browser
Are you really Unique?
OlderTOR
Are you really Unique?
UpdatedTOR
DemoWeb Browser Fingerprints
You may want to take a look atOther Privacy Solutions
Staying Anonymous: Proxy Servers
Most common method to hide your IP address Allows users to make indirect network connections to the InternetActivity goes to proxy first, which sends on for information, data, files, email, etc In each case, your actual IP address is hidden.Then serves up requests by connecting directly to the source or by serving it from a cache Proxy servers (or simply "proxies") come in a few varieties.
Staying Anonymous: Proxy Servers
Anonymous ProxyThis type of proxy server identifies itself as a proxy server. It is detectable (as a proxy), but provides reasonable anonymity for most users.
Distorting ProxyThis type of proxy server identifies itself as a proxy server, but creates an "incorrect" originating IP address available through the "http" headers.
High-Anonymity ProxyThis type of proxy server does not identify itself as a proxy server and does not make available the original IP address.
Web Based: Proxy ServersSimply enter the URL of a website that you wish to visit anonymouslyWhen you submit the form, the website proxy server makes a request for the page that you want to visitThe proxy usually does not identify itself as a proxy server and does not pass along your IP address in the request for the pageThe features of these sites vary (ad blocking, JavaScript blocking, etc.), as does their price.
DemoProxy Heaven
Safeplug: Anonymity in a Box
Code Talker Tunnel Previously SkypeMorph
Encrypted
Unencrypted
Eavesdropper: Skype Video Traffic
Bob: TOR traffic disguised via OpenWRT compatible modem
AliceBob
Alice: TOR traffic disguised via OpenWRT compatible modem
Code Talker Tunnel Previously SkypeMorph
Protocol camouflaging tool Designed to reshape traffic output of any censorship circumvention tool to look like Skype video calls Can be used as a SOCKS proxy and therefore it is extremely easy to use it with different anonymity and censorship resistance tools Hard to block and identify protocol obfuscationHigh-bandwidth channelHome-router-ready version supporting OpenWRT firmware'sCheck it out at: git://git-
crysp.uwaterloo.ca/codetalkertunnel
TOR: Top Tips
Don’t use Browser widgetsDon’t Torrent Over TorUse The Tor Browser (Most up to date)Always use HTTPS Versions of SitesNever open documents downloaded through Tor while onlineUse bridges and/or find company
Session Review
What is TOR and how does it keep me anonymous?
Who uses TOR & Why?
Understand what the Darkweb is & Learn about it’s dangersLearn about Potential Flaws in the Technology
Forensics & Law Enforcement
TOR Technology & My Business
The Extras…Follow @AndyMalone & Get my OneDrive Link
Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure ManagementTechExpo Level 1 Hall CD
For More InformationWindows Server 2012 R2http://technet.microsoft.com/en-US/evalcenter/dn205286
Windows Server
Microsoft Azure
Microsoft Azurehttp://azure.microsoft.com/en-us/
System Center
System Center 2012 R2http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure PackAzure Packhttp://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Complete an evaluation and enter to win!
Evaluate this session
Scan this QR code to evaluate this session.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.