among attackers. Many enterprises have so far been slow to respond appropriately to this trend, despite evidence that doing so would, for many, substantially reduce their exposure to today's most common and successful attacks.

It's not surprising that most companies are unaware of all the versions of Java on their systems. Most organisations have no idea what's running on their endpoints and servers: they lack visibility into those systems. And traditional security solutions, including anti-virus, can't protect them from modern threats. While the industry appears to be making efforts to mitigate some of the issues that have brought us to where we are today, those efforts will have little impact on remediating the current situation. Traditional security solutions can't necessarily protect organisations from all modern threats.

Recent high-profile attacks continue to demonstrate that enterprises should view Java as a major security risk. Enterprises can benefit from better characterising and understanding the applications running on the endpoints in their environment, so they can evaluate the risks to those endpoints and more effectively prioritise remediation efforts. Moving forward, real-time visibility and protection for endpoints and servers will be essential.

About the author

Harry Sverdlove, Bit9's chief technology officer, draws from two decades of application design and analysis with industry-leading IT enterprises. He regularly publishes threat intelligence research, including: 'Java Vulnerabilities: Write Once, Pwn Anywhere' (2013), 'Pausing Google Play: More Than 100,000 Android Apps May Pose Security Risks' (2012) and 'The Most Vulnerable Smartphones' (2011). Prior to joining Bit9, Sverdlove was principal research scientist for McAfee, where he supervised the overall architecture of crawlers, spam detectors and link analysers. He joined McAfee through its 2006 acquisition of SiteAdvisor, where he was chief scientist and developed systems for testing, detecting and analysing any Windows-based application. Prior to SiteAdvisor, Sverdlove ran his own consulting company specialising in Windows automation and spam detection. He also was director of engineering at Compuware Corporation (formerly NuMega Technologies). Prior to NuMega, Sverdlove was principal architect for Rational Software, where he designed the core automation engine behind Rational Robot. He earned a bachelor's degree in electrical engineering from the Massachusetts Institute of Technology.
The dark web is a secretive, anonymous place where shadowy users access hidden services. It can be used for good or bad, but can it be cracked? And if so, how?

Danny Bradbury
The media is littered with discussions of the deep web and the dark web, but they are different entities. The former consists of web pages accessible on the public Internet, but not via search engines such as Google. Search engines crawl the Internet using search bots that index data, these days using robots.txt files as guides that tell them what data to index, under the 1994 Robots Exclusion Standard.1,2 Web crawlers cannot index deep web content. It is usually accessible only when a user searches a specific database, meaning that there is no explicit link for it.3 The dark web, on the other hand, is often publicly available: you simply have to know how to find it, because it exists on an alternate layer of the Internet. This alternate layer is often constructed by a community that wants to preserve anonymity, autonomy, or perhaps an ideology.

Such communities can use the dark web for a variety of activities, both good and bad. Dark webs have been used for criminal activities such as the distribution of child pornography, hacking rings, money laundering, and sales of weapons and drugs.4 However, they have also been used as tools to help citizens route around censorship measures enforced in non-democratic states, such as China.5

A tour of Tor

One of the most commonly-used mechanisms for creating dark webs is Tor, a routing mechanism designed to preserve anonymity by creating an alternative mechanism to DNS for routing traffic. Tor uses a concept called onion routing, which was first created by the US Naval Research Laboratory.6

Tor uses a selection of relay machines running freely available, open source software. The sender of a piece of traffic will find an entry point and choose a random routing path through a selection of relays to obfuscate their point of origin. Traffic routed along this path will be encrypted until it leaves the last relay, to be sent to a specific IP address on the public Internet. This means that the traffic will appear to have originated from the IP address of that last relay.

Tor can also be used to host websites as hidden services online. These services use seemingly incomprehensible names, with the suffix .onion. The names are derived from public keys provided from a key pair, provided by the hidden service. Unlike traditional DNS routing, the path to communication between a client and a Tor-based hidden service is not explicit. The system is designed to preserve the
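As an added example (not the article's or Tor's own code), the following derives a .onion name from a service's public key the way Tor's v2 hidden services did at the time of writing, base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key, and shows the check a client can make that the key in a fetched descriptor really hashes to the name it asked for. The DER helpers and CONSTRUCTED_MODULUS are constructed for the illustration; the modulus is not a real RSA key.

```python
import base64
import hashlib
import hmac

# Added example, not Tor's code. v2 onion name = base32(SHA-1(DER(RSAPublicKey))[:10]).
# CONSTRUCTED_MODULUS is a stand-in, not a real RSA modulus; only the DER
# layout and the hash matter for deriving and checking the name.

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")

def der_int(value):
    """DER INTEGER: minimal big-endian bytes, plus a leading 0x00 when the
    top bit is set so the value is not read as negative."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body

def onion_address(n, e=65537):
    """Derive the 16-character v2 .onion name from the public key (n, e)."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"

def address_matches_key(address, n, e=65537):
    """The binding check a client makes: the key carried in a fetched
    descriptor must hash to exactly the address that was requested."""
    return hmac.compare_digest(onion_address(n, e), address.lower())

# Constructed 1024-bit modulus: SHA-512 output repeated, top and low bits set.
CONSTRUCTED_MODULUS = (
    int.from_bytes(hashlib.sha512(b"constructed example key").digest() * 2, "big")
    | (1 << 1023) | 1
)

if __name__ == "__main__":
    addr = onion_address(CONSTRUCTED_MODULUS)
    print(addr, address_matches_key(addr, CONSTRUCTED_MODULUS))
```

Current Tor (v3) names are derived differently, from an ed25519 key with SHA3-256, so this check applies only to the 16-character v2 names the article describes.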
Network Security April 2014
Websites on Tor

The hidden service chooses a selection of relays on the Tor network that serve as introduction points for anyone wishing to access it. They can be viewed as go-betweens to help establish initial communication. The hidden service packages information about these relays, along with its public key, into a descriptor that is then sent to a distributed hash table.

When a client tries to access the service, it requests this descriptor from the database, while also choosing a relay independently to act as a rendezvous point. Having obtained the names of the introduction points, the client contacts one of them and sends it a package of information encrypted using the hidden service's public key. That package contains a one-time secret, and the name of the rendezvous point chosen by the client.

The hidden service decrypts this introductory message using its own private key, finds the address of the rendezvous point, connects with it, and sends it the one-time secret. If everything matches, the rendezvous point then becomes the relay for further communication between the two parties.

Figure: Number of relays and bridges in the Tor network, 3 Jan to 3 Apr 2014. Source: https://metrics.torproject.org.
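The introduction and rendezvous exchange described above, as a toy model added here (not Tor's or the article's code): the service publishes a descriptor to a dictionary standing in for the DHT, the client picks its own rendezvous relay and seals the one-time secret plus that relay's name to the service's public key, and the rendezvous relay joins the two sides only when the secrets match. "Encryption to the service's public key" is textbook RSA over two Mersenne primes with no padding, and the relay names are constructed; both are assumptions for the model, not Tor's real cryptography.

```python
import hmac
import secrets

# Added example, not Tor's code: toy model of hidden-service introduction and
# rendezvous. Textbook RSA over two Mersenne primes, no padding: enough to
# show the message flow, never for real use. Relay names are constructed.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
RELAYS = ["relay-A", "relay-B", "relay-C", "relay-D"]
COOKIE_LEN = 16
DHT = {}         # distributed hash table: service name -> descriptor
RENDEZVOUS = {}  # rendezvous relay -> one-time secret the client registered

def seal(pub, data):          # data must stay under 27 bytes for this modulus
    n, e = pub
    return pow(int.from_bytes(data, "big"), e, n)

def unseal(priv, ciphertext, length):
    n, d = priv
    return pow(ciphertext, d, n).to_bytes(length, "big")

def service_publish(name):
    """Service picks introduction points; descriptor = intro points + pubkey."""
    DHT[name] = {"intro": RELAYS[:2], "pubkey": (N, E)}

def rendezvous_join(relay, cookie):
    """Relay links the two circuits only if the secrets match (constant time)."""
    return hmac.compare_digest(RENDEZVOUS.get(relay, b""), cookie)

def service_on_introduce(ciphertext):
    """Service decrypts, finds the rendezvous point and presents the secret."""
    try:
        msg = unseal((N, D), ciphertext, COOKIE_LEN + 1)
        relay = RELAYS[msg[COOKIE_LEN]]
    except (OverflowError, IndexError):   # garbage after tampering: drop it
        return False
    return rendezvous_join(relay, msg[:COOKIE_LEN])

def client_connect(name, tamper=False):
    """Client: fetch descriptor, choose rendezvous relay, send sealed package."""
    desc = DHT[name]
    choice = 3                                    # client chooses relay-D
    cookie = secrets.token_bytes(COOKIE_LEN)
    RENDEZVOUS[RELAYS[choice]] = cookie           # client's rendezvous circuit
    sealed = seal(desc["pubkey"], cookie + bytes([choice]))
    if tamper:                                    # simulate a corrupted package
        sealed = (sealed + 1) % N
    # desc["intro"][0] forwards the package to the service; it cannot read it.
    return service_on_introduce(sealed)
```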
Silk Road

All of this makes it exceedingly difficult for law enforcement to catch those using the dark web for illegal purposes. Perhaps the most publicised exploitation of the dark web was Silk Road, a black market website for vendors and customers of illicit goods and services, including Class-A narcotics and hitmen-for-hire. Silk Road, founded in 2011, was operated by Ross William Ulbricht, a US citizen who is said to have made hundreds of millions of dollars in revenues from the service. Exact figures are difficult to access, due to the highly volatile nature of bitcoin, the virtual currency used exclusively by the service. Revenues totalled over 9.5 million bitcoins, and collected commissions amounted to over 600,000 bitcoins, according to a civil forfeiture complaint.7 At the time of writing, those commissions would be worth $522.5m on revenues of $8.2bn, thanks to the soaring value of the decentralised virtual currency.

According to the FBI's complaint, the Tor network appears to have done its job, preserving Ulbricht's anonymity as he operated the service. Anonymous vendors would advertise on his marketplace, taking orders from users across the globe. Customers would send their payment in bitcoins to an electronic address operated by Ulbricht, who also employed several administrators. Silk Road would then act as an escrow service, holding the funds until the customer confirmed that they had received the goods. The service would then release the money after taking a commission.

But while the technology may have been flawless, Ulbricht wasn't. FBI operatives had to analyse his activities outside the service to build their case. He used the same online handle (altoid) several times to alert visitors to online forums when Silk Road was launched. He used it again when posting on the programming website Stack Overflow, where coders ask each other for programming advice. When agents finally gained control of the Silk Road servers later in the case, they were able to match its source code with code that members of the community had given him in response to his questions.

The clincher came when Ulbricht used this handle in another post, as he tried to hire developers for a venture-backed bitcoin start-up company. In this case, he also listed his Gmail address, rossulbricht@gmail.com. This enabled FBI investigators to obtain the records for that email address from Google, cross referencing it to his Google+ account, where they were able to find a profile picture that matched the one on his LinkedIn account. They also asked Google for access records, which showed them he had looked into his account from a San Francisco-based Comcast IP address. This was registered to a friend of his.

"One of our concerns is, are we catching the less sophisticated? Are the more sophisticated ones using these technologies and not making mistakes the one that we have to deal with?"

In the meantime, US Customs and Border Protection had intercepted a parcel shipped to a San Francisco address from Canada. That parcel contained fake IDs containing his picture. He had ordered them from his own vendors via Silk Road, but had failed to have them sent to a PO
It could be argued that dark webs are also a concept at the nation-state level. Repeated reports have emerged of China wanting its own Internet, annexed from ICANN's domain name process, even to the point of using China-owned domain names that may not be recognised by Western DNS.15 Iran has also been reportedly developing its own Internet, allegedly with China's help.16

Such networks may not need secret client-side software to access them, simply because they are more a product of balkanisation than subversion. The developers may simply not want outsiders getting in or insiders getting out. In that sense, they could be viewed as dark webs, but instead of layering atop the traditional Internet, they may be compartmentalised segments of it. Significantly, while efforts like Tor are focused on preserving anonymity and freedom of speech, the motivation for these networks is often the opposite.

The FBI may play whack-a-mole with dark websites, but they continue to emerge. New players have restarted Silk Road, which continues to operate. Others, such as Sheep Marketplace, shut down following the theft of thousands of bitcoins, which some have attributed to the site's owners.20 That is perhaps the biggest problem of all for some users of the dark web: when you can't see who you're dealing with, it is difficult to trust them.

About the author

Danny Bradbury is a technology writer with 25 years of experience. He writes regularly about subjects ranging from security to digital currency. He has worked for publications ranging from the Guardian, through to the Economist Intelligence Unit, and Canada's National Post newspaper, and recently won the Best International Cyber-security Feature award at the BT Information Security awards.

References

1. Wes Sonnenreich. 'A History of Search Engines'. Wiley, 1997. Accessed Apr 2014. www.wiley.com/legacy/compbooks/sonnenreich/history.html.
2. 'Robots Exclusion Standard'. Accessed Apr 2014. www.robotstxt.org/orig.html.
3. Steve Pederson. 'Understanding the Deep Web in 10 Minutes'. Brightplanet white paper, March 2013. Accessed Apr 2014. http://bigdata.brightplanet.com/Portals/179268/docs/deep%20web%20whitepaper%20v3_for%20approval.pdf.
4. Meghan Neal. 'To Bust a Giant Porn Ring, Did the FBI Crack the Dark Web?' Vice, September 2013. Accessed Apr 2014. http://motherboard.vice.com/blog/the-fbi-says-it-busted-the-biggest-child-porn-ring-on-the-deep-web-1.
5. Danny Bradbury. 'Chaos aims to crack China's wall'. Guardian, 7 Aug 2008. Accessed Apr 2014. www.theguardian.com/technology/2008/aug/07/censorship.hacking.
6. 'Onion Routing'. Copy of site circa 2005, US Naval Laboratory. Accessed Dec 2013. www.onion-router.net/.
7. Civil Forfeiture complaint, US vs Ross William Ulbricht, received 30 Sept 2013. www.scribd.com/doc/172993645/Civil-Forfeiture-Complaint.
8. Robert Graham. 'Tor is still DHE 1024 (NSA crackable)'. Errata Security, 6 Sept 2013. Accessed Apr 2014. http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html#.UqpDkWRDt_c.
9. Tor developers. 'Changes in version 0.2.4.17-rc'. Github, Sept 6 2013. Accessed Apr 2014. https://gitweb.torproject.org/tor.git/blob/refs/tags/tor-0.2.4.17-rc:/ChangeLog#l769.
10. Roger Dingledine. '[liberationtech] Anonymity Smackdown: NSA vs. Tor'. LiberationTech mailing list. Accessed Apr 2014. https://mailman.stanford.edu/pipermail/liberationtech/2013-August/010595.html.
11. Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, Paul Syverson. 'Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries'. US Naval Research Laboratory and Georgetown University. Accessed December 2013. www.ohmygodel.com/publications/usersrouted-ccs13.pdf.
12. Stevens Le Blond, David Choffnes, Wenxuan Zhou, Peter Druschel, Hitesh Ballani, Paul Francis. 'Towards Efficient Traffic-analysis Resistant Anonymity Networks'. MPI-SWS, University of Washington, UIUC, Microsoft Research. Accessed Dec 2013. www.mpi-sws.org/~stevens/pubs/sigcomm13.pdf.
13. Roger Dingledine. 'Improving Tor's anonymity by changing guard parameters'. Tor blog, 16 Oct 2013. Accessed Apr 2014. https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters.
14. Roger Dingledine. 'How to handle millions of new Tor clients'. Tor blog, 5 Sept 2013. Accessed Apr 2014. https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients.
15. Lawrence Latif. 'The Chinese government wants its own Internet'. The Inquirer, 14 July 2010. Accessed Apr 2014. www.theinquirer.net/inquirer/news/1722650/chinese-government-Internet.
16. Aida Aki. 'Iran Plans Its Own Sanitised Internet with Chinese Help'. Voice of America, 31 July 2013. Accessed Apr 2014. www.voanews.com/content/iran-plans-its-own-sanitised-Internet-with-chinese-help/1713638.html.
17. Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore W. Hong. 'Freenet: A Distributed Anonymous Information Storage and Retrieval System'. In Proc. of the ICSI Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA, 2000. International Computer Science Institute. Accessed Apr 2014. http://lsirwww.epfl.ch/courses/dis/2003ws/papers/clarke-00freenet.pdf.
18. i2P Website. Accessed December 2013. www.i2p2.de.
19. Danny Bradbury. 'Homeland Security Committee chairman responds to Silk Road 2.0'. CoinDesk, 6 Nov 2013. Accessed Apr 2014. www.coindesk.com/new-silk-road-rises/.
20. Danny Bradbury. 'Users Track $100m in Stolen Bitcoin After Sheep Marketplace Hack'. Coindesk, 3 Dec 2013. Accessed Apr 2014. www.coindesk.com/sheep-marketplace-track-stolen-bitcoins/.