FEATURE
among attackers. Many enterprises have
so far been slow to respond appropriately
to this trend, despite evidence that doing
so would, for many, substantially reduce
their exposure to todays most common
successful attacks.
Its not surprising that most compa-
nies are unaware of all the versions of
Java on their systems. Most organisa-
tions have no idea whats running on
their endpoints and servers they lack
visibility into those systems. And tradi-
tional security solutions, including anti-
virus, cant protect them from modern
threats. While the industry appears to
be making efforts to mitigate some of
the issues that have brought us to where
we are today, those efforts will have
little impact on remediating the current
situation. Traditional security solutions
cant necessarily protect organisations
from all modern threats.
Unveiling the dark web
Danny Bradbury
The dark web is a secretive, anonymous place where shadowy users access
hidden services. It can be used for good or bad but can it be cracked?
And if so, how?
The media is littered with discussions
of the deep web and the dark web, but
they are different entities. The former
consists of web pages accessible on the
public Internet, but not via search engines
such as Google. Search engines crawl the
Internet using search bots that index data,
these days using robots.txt files as guides
that tell them what data to index, under
the 1994 Robots Exclusion Standard.1,2
Web crawlers cannot index deep web
content. It is usually accessible only
when a user searches a specific database,
meaning that there is no explicit link for
it.3 The dark web, on the other hand,
is often publicly available you simply
have to know how to find it, because
it exists on an alternate layer of the
Internet. This alternate layer is often
constructed by a community that wants
to preserve anonymity, autonomy, or
perhaps an ideology.
14
Network Security
Recent high-profile attacks continue to
demonstrate that enterprises should view
Java as a major security risk. Enterprises
can benefit from better characterising
and understanding the applications run-
ning on the endpoints in their environ-
ment, so they can evaluate the risks to
those endpoints and more effectively
prioritise remediation efforts. Moving
forward, real-time visibility and protec-
tion for endpoints and servers will be
essential.
About the author
Harry Sverdlove, Bit9s chief technology
officer, draws from two decades of applica-
tion design and analysis with industry-
leading IT enterprises. He regularly pub-
lishes threat intelligence research, including:
Java Vulnerabilities Write Once, Pwn
Anywhere (2013), Pausing Google Play:
More Than 100,000 Android Apps May
Such communities can use the dark
web for a variety of activities, both
good and bad. Dark webs have been
used for criminal activities such as
the distribution of child pornography,
hacking rings, money laundering, and
sales of weapons and drugs.4 However,
they have also been used as tools to
help citizens route around censorship
measures enforced in non-democratic
states, such as China.5
A tour of Tor
One of the most commonly-used mecha-
nisms for creating dark webs is Tor, a
routing mechanism designed to preserve
anonymity by creating an alternative
mechanism to DNS for routing traffic.
Tor uses a concept called onion routing,
which was first created by the US Naval
Research Laboratory.6
Pose Security Risks (2012) and The Most
Vulnerable Smartphones (2011). Prior
to joining Bit9, Sverdlove was principal
research scientist for McAfee, where he
supervised the overall architecture of crawl-
ers, spam detectors and link analysers. He
joined McAfee through its 2006 acquisi-
tion of SiteAdvisor, where he was chief
scientist and developed systems for testing,
detecting and analysing any Windows-
based application. Prior to SiteAdvisor,
Sverdlove ran his own consulting company
specialising in Windows automation and
spam detection. He also was director of
engineering at Compuware Corporation
(formerly NuMega Technologies). Prior to
NuMega, Sverdlove was principal architect
for Rational Software, where he designed
the core automation engine behind Rational
Robot. He earned a bachelors degree in
electrical engineering from the Massachusetts
Institute of Technology.
Danny Bradbury
Tor uses a selection of relay machines
running freely available, open source soft-
ware. The sender of a piece of traffic will
find an entry point and choose a random
routing path through a selection of relays
to obfuscate their point of origin. Traffic
routed along this path will be encrypted
until it leaves the last relay, to be sent to a
specific IP address on the public Internet.
This means that the traffic will appear to
have originated from the IP address of
that last relay.
Tor can also be used to host websites
as hidden services online. These services
use seemingly incomprehensible names,
with the suffix .onion. The names are
derived from public keys provided from a
key pair, provided by the hidden service.
Unlike traditional DNS routing, the path
to communication between a client and
a Tor-based hidden service is not explicit.
The system is designed to preserve the
April 2014

anonymity both of the hidden service,
and of the client connecting to it.
Websites on Tor
The hidden service chooses a selection
of relays on the Tor network that serve
as introduction points for anyone wish-
ing to access it. They can be viewed as
go-betweens to help establish initial com-
munication. The hidden service packages
information about these relays, along
with its public key, into a descriptor that
is then sent to a distributed hash table.
When a client tries to access the ser-
vice, it requests this description from
the database, while also choosing a relay
independently to act as a rendezvous
point. Having obtained the names of the
introduction points, the client contacts
one of them and sends it a package of
information encrypted using the hidden
services public key. That package contains
a one-time secret, and the name of the
rendezvous point chosen by the client.
Perhaps the most publicised
exploitation of the dark web
was Silk Road, a black market
website for vendors and
customers of illicit goods and
services
The hidden service decrypts this intro-
ductory message using its own private
key, finds the address of the rendezvous
point, connects with it, and sends it the
one-time secret. If everything matches,
the rendezvous point then becomes
the relay for further communication
between the two parties.
Silk Road
All of this makes it exceedingly diffi-
cult for law enforcement to catch those
using the dark web for illegal purposes.
Perhaps the most publicised exploitation
of the dark web was Silk Road, a black
market website for vendors and custom-
ers of illicit goods and services, including
Class-A narcotics and hitmen-for-hire.
Silk Road, founded in 2011, was oper-
ated by Ross William Ulbricht, a US
citizen who is said to have made hun-
dreds of millions of dollars in revenues
April 2014
Number of relays and bridges in the Tor network, 3 Jan to 3 Apr 2014. Source:
https://metrics.torproject.org.
from the service. Exact figures are dif-
ficult to access, due to the highly volatile
nature of bitcoin, the virtual currency
used exclusively by the service. Revenues
totalled over 9.5 million bitcoins, and
collected commissions amounted to
over 600,000 bitcoins, according to a
civil forfeiture complaint.7 At the time
of writing, those commissions would be
worth $522.5m on revenues of $8.2bn,
thanks to the soaring value of the decen-
tralised virtual currency.
According to the FBIs complaint, the
Tor network appears to have done its
job, preserving Ulbrichts anonymity
as he operated the service. Anonymous
vendors would advertise on his market-
place, taking orders from users across
the globe. Customers would send their
payment in bitcoins to an electronic
address operated by Ulbricht, who also
employed several administrators. Silk
Road would then act as an escrow ser-
vice, holding the funds until the custom-
er confirmed that they had received the
goods. The service would then release
the money after taking a commission.
But while the technology may have
been flawless, Ulbricht wasnt. FBI oper-
atives had to analyse his activities outside
the service to build their case. He used
the same online handle (altoid) several
times to alert visitors to online forums
when Silk Road was launched. He used
it again when posting on the program-
ming website Stack Overflow, where
coders ask each other for programming
FEATURE
advice. When agents finally gained con-
trol of the Silk Road servers later in the
case, they were able to match its source
code with code that members of the
community had given him in response
to his questions.
The clincher came when Ulbricht used
this handle in another post, as he tried
to hire developers for a venture-backed
bitcoin start-up company. In this case,
he also listed his Gmail address, ros-
sulbricht@gmail.com. This enabled FBI
investigators to obtain the records for that
email address from Google, cross refer-
encing it to his Google+ account, where
they were able to find a profile picture
that matched the one on his LinkedIn
account. They also asked Google for
access records, which showed them he
had looked into his account from a San
Francisco-based Comcast IP address. This
was registered to a friend of his.
One of our concerns is, are we
catching the less sophisticated?
Are the more sophisticated ones
using these technologies and
not making mistakes the one
that we have to deal with?
In the meantime, US Customs and
Border Protection had intercepted a parcel
shipped to a San Francisco address from
Canada. That parcel contained fake IDs
containing his picture. He had ordered
them from his own vendors via Silk Road,
but had failed to have then sent to a PO
15
Network Security
 FEATURE
The Tor Projects browser package makes connecting to and using the Tor network very simple.
Most dark websites can be accessed only via Tor.
box. Instead he used the house where
he was living. When Department Of
Homeland Security investigators visited
the house, they found him.
Human error vs
technical flaws
Silk Road deliberately excluded child
pornography, but Ernie Allen, executive
director of the International Centre for
Missing and Exploited Children, warns
that dark economies are also being used
to perpetrate those crimes. When those
criminals are caught, they are also appre-
hended because of human error, rather
than any failure in the technology, he
asserts. Infiltration plays a big part.
The cases that are being made involve
offenders that make a mistake, he says.
One of our concerns is, are we catch-
ing the less sophisticated? Are the more
sophisticated ones using these technolo-
gies and not making mistakes the one
that we have to deal with?
The question for many, then, is
whether there are technical vulnerabili-
ties in the technologies underpinning the
dark web, which could make it possible
for enforcement or others to identify
those more sophisticated users.
Tor vulnerabilities
Several questions have arisen about
the vulnerability of the Tor network to
attack. The recent revelations about the
16
Network Security
NSAs systematic undermining of cryp-
tography efforts has led some to muse
that it can break 1024-bit RSA keys.
Assuming no breakthroughs, the NSA
can spend $1bn on custom chips that
can break such a key in a few hours,
said Robert Graham of Errata Security.8
The worry was that a large percent-
age of Tor nodes were using version 2.3,
which relied on 1024-bit RSA keys for
its cryptography. However, newer ver-
sions of the software have improved this,
substituting ECDHE cipher suites for
the 1024-bit Diffie-Hellman prime, the
developers say.9
There are other potential attacks, how-
ever. For example, its possible that law
enforcement and intelligence agencies run
their own Tor relays, which could enable
them to monitor the flow of traffic enter-
ing and exiting the Tor network. The
more nodes that were run, the more likely
they would be to compromise traffic
entering and leaving the network.
By correlating patterns in clear-
text traffic entering and leaving
the network, they may be able
to infer information about that
traffic, along with the senders
and receivers
In a mailing list communication,
Roger Dingledine, the director of the
Tor project, points out that the authori-
ties could just as easily monitor Internet
communications with the complicity of
major ISPs, which would enable them
to watch those communicating with Tor
nodes before their traffic reached the
dark web, or after it left.
Other research conducted by Aaron
Johnson, who works The US Naval
Research Laboratory, suggests that traffic
analysis could help to strip the anonym-
ity from Tor.11 By correlating patterns in
clear-text traffic entering and leaving the
network, they may be able to infer infor-
mation about that traffic, along with the
senders and receivers.
This has led to proposals for dark web
protocols that are resistant to traffic analy-
sis and correlation. One, called Aqua, uses
traffic obfuscation techniques, further
developing on a long-discussed concept of
introducing latency and decoy traffic to
throw snoopers off the scent.12
Dingledine admits that the chance
of successfully identifying Tor users
through such attacks is realistic, and sug-
gests some fixes. It would take a redesign
of the way that initial entry points into
the Tor network (known as guards) are
chosen, and would also benefit from a
larger network.13
Tor, which at the time of writing had
almost 5000 relays on the network and
processed over 24GB/sec of traffic, can
also be attacked by those disrupting ser-
vice for their own ends. The service has
around 800,000 actual users each day,
said Dingledine, but recalls that in August
some jerk flooded the network with five
million compromised Windows machines
operating as Tor clients. In his description
of the event, he attributes it to a botnet.14
None of that helps the reliability or per-
formance of a dark web network.
Other dark web systems
What other dark web technologies exist?
Freenet is a long-running project that
allows users of the network to store
files on each others computers and cre-
ate freesites, accessible only using the
network. Another, i2p, is an anonymis-
ing network like Tor, formed in 2003.
It enables the operation of eepsites,
which are websites hosted anonymously.
Browsers must be configured to access a
web proxy provided from a list.
April 2014

It could be argued that dark webs are
also a concept at the nation-state level.
Repeated reports have emerged of China
wanting its own Internet, annexed from
ICAANs domain name process, even to
the point of using China-owned domain
names that may not be recognised by
Western DNS.15 Iran has also been
reportedly developing its own Internet,
allegedly with Chinas help.16
Such networks may not need secret
client-side software to access them, simply
because they are more a product of bal-
kanisation than subversion. The developers
may simply not want outsiders getting in
or insiders getting out. In that sense, they
could be viewed as dark webs, but instead
of layering atop the traditional Internet,
they may be compartmentalised segments
of it. Significantly, while efforts like Tor are
focused on preserving anonymity and free-
dom of speech, the motivation for these
networks are often the opposite.
The FBI may play whack-a-mole
with dark websites, but they continue to
emerge. New players have restarted Silk
Road, which continues to operate. Others,
such as Sheep Marketplace, shut down
following the theft of thousands of bit-
coins, which some have attributed to the
sites owners.20 That is perhaps the biggest
problem of all for some users of the dark
web: when you cant see who youre dealing
with, it is difficult to trust them.
About the author
Danny Bradbury is a technology write with
25 years of experience. He writes regularly
about subjects ranging from security to digi-
tal currency. He has worked for publications
ranging from the Guardian, through to the
Economist Intelligence Unit, and Canadas
National Post newspaper, and recently
won the Best International Cyber-security
Feature award at the BT Information
Security awards.
References
1. Wes Sonnenreich. A History of Search
Engines, Wiley, 1997. Accessed Apr
2014. www.wiley.com/legacy/comp-
books/sonnenreich/history.html.
2 Robots Exclusion Standard. Accessed
Apr 2014. www.robotstxt.org/orig.html.
3. Steve Pederson. Understanding
the Deep Web in 10 Minutes.
April 2014
Brightplanet white paper, March
2013. Accessed Apr 2014. http://
bigdata.brightplanet.com/
Portals/179268/docs/deep%20
web%20whitepaper%20v3_for%20
approval.pdf.
4. Meghan Neal. To Bust a Giant
Porn Ring, Did the FBI Crack the
Dark Web? Vice, September 2013.
Accessed Apr 2014. http://mother-
board.vice.com/blog/the-fbi-says-it-
busted-the-biggest-child-porn-ring-
on-the-deep-web-1.
5. Danny Bradbury. Chaos aims to
crack Chinas wall. Guardian, 7 Aug
2008. Accessed Apr 2014. www.
theguardian.com/technology/2008/
aug/07/censorship.hacking.
6. Onion Routing. Copy of site circa
2005, US Naval Laboratory. Accessed
Dec 2013. www.onion-router.net/.
7. Civil Forfeiture complaint, US vs
Ross William Ulbricht, received
30 Sept 2013. www.scribd.com/
doc/172993645/Civil-Forfeiture-
Complaint.
8. Robert Graham. Tor is still DHE
1024 (NSA crackable). Errata
Security, 6 Sept 2013. Accessed
Apr 2014. http://blog.erratasec.
com/2013/09/tor-is-still-dhe-
1024-nsa-crackable.html#.
UqpDkWRDt_c.
9. Tor developers. Changes in ver-
sion 0.2.4.17-rc. Github, Sept 6
2013. Accessed Apr 2014.
https://gitweb.torproject.org/tor.
git/blob/refs/tags/tor-0.2.4.17-rc:/
ChangeLog#l769.
10. Roger Dingledine. [liberationtech]
Anonymity Smackdown: NSA
vs. Tor. LiberationTech mailing
list. Accessed Apr 2014. https://
mailman.stanford.edu/pipermail/
liberationtech/2013-August/010595.
html.
11. Aaron Johnson, Chris Wacek, Rob
Jansen, Micah Sherr, Paul Syverson.
Users Get Routed: Trafc Correlation
on Tor by Realistic Adversaries.
US Nava Research Laboratory and
Georgetown University, accessed
December 2013. www.ohmygodel.com/
publications/usersrouted-ccs13.pdf.
12. Stevens Le Blond, David Choffnes,
Wenxuan Zhou, Peter Druschel,
FEATURE
Hitesh Ballani, Paul Francis. Towards
Efcient Trafc-analysis Resistant
Anonymity Networks. MPI-SWS,
University of Washington, UIUC,
Microsoft Research. Accessed Dec
2013. www.mpi-sws.org/~stevens/
pubs/sigcomm13.pdf.
13. Roger Dingledine. Improving
Tors anonymity by changing guard
parameters. Tor blog, 16 Oct 2013.
Accessed Apr 2014. https://blog.tor-
project.org/blog/improving-tors-ano-
nymity-changing-guard-parameters.
14. Roger Dingledine. How to handle
millions of new Tor clients. Tor blog,
5 Sept 2013. Accessed Apr 2014.
https://blog.torproject.org/blog/how-
to-handle-millions-new-tor-clients.
15. Lawrence Latif. The Chinese govern-
ment wants its own Internet. The
Inquirer, 14 July 2010. Accessed Apr
2014. www.theinquirer.net/inquirer/
news/1722650/chinese-government-
Internet.
16. Aida Aki. Iran Plans Its Own
Sanitised Internet with Chinese
Help. Voice of America, 31 July
2013. Accessed Apr 2014. www.
voanews.com/content/iran-plans-its-
own-sanitised-Internet-with-chinese-
help/1713638.html.
17. Ian Clarke, Oskar Sandberg,
Brandon Wiley, and Theodore
W. Hong. Freenet: A Distributed
Anonymous Information Storage
and Retrieval System. In Proc. of
the ICSI Workshop on Design Issues
in Anonymity and Unobservability,
Berkeley, CA, 2000. International
Computer Science Institute. Accessed
Apr 2014. http://lsirwww.epfl.ch/
courses/dis/2003ws/papers/clarke-
00freenet.pdf.
18. i2P Website. Accessed December
2013. www.i2p2.de.
19. Danny Bradbury. Homeland Security
Committee chairman responds to Silk
Road 2.0. CoinDesk, 6 Nov 2013.
Accessed Apr 2014. www.coindesk.
com/new-silk-road-rises/.
20. Danny Bradbury. Users Track
$100m in Stolen Bitcoin After Sheep
Marketplace Hack. Coindesk, 3 Dec
2013. Accessed Apr 2014. www.coin-
desk.com/sheep-marketplace-track-
stolen-bitcoins/.
17
Network Security