The Beginners Guide to the Internet Underground

Dec 29, 2015

Page 1: The Beginners Guide to the Internet Underground

Information Warfare Center, LLC

www.informationwarfarecenter.com

(719) 359-8248

This doc covers the basics of anonymity, hacktivism, & hidden parts of the Internet underground, along with some of the things you may find there.

Jeremy Martin

Sr. Security Researcher

Disclaimer: Do NOT break the law. This was written to explain what the Darknet (Tor hidden services) is and what kind of things you may find. It is not an invitation to break the law without recourse. Just like any network, this one has both good and bad guys. If you break the law, you will get caught. Bad guys have to be lucky EVERY time. The good guys only have to be lucky once.

Images within this document were taken directly off the Internet or from screenshots at the time of research. The content of these pages is subject to update, discussion and dispute, and comments are welcome.

The Beginner's Guide to The Internet Underground

7/1/2013


“If you know both yourself and your enemy, you can win a hundred battles without a single loss” – rough translation; Sun Tzu’s Art of War.

"Trust but verify" - Ronald Reagan or the Russian proverb "Доверяй, но проверяй"


Contents (page)

The Story 4
Can there be true anonymity on the Internet? 5
The Internet Underground: Tor Hidden Services 10
- Tips 13
Creating your own Darknet home 14
Other Internet hidden networks: I2P: Anonymizing network 15
Hacker Groups 17
- The Hacktivist 17
- The Cyber Criminal 18
- Cyber Espionage / Warfare 21
- The Cyber Jihadists 22
The Activist Group “Anonymous” 23
- Messages from Anonymous: 23
Information sharing 29
- Security Research 29
- Internet Piracy 30
Digital Forensics and investigation 33
- Disk forensics 34
- Network forensics 35
- Misc forensics 36
- Anti-forensics example 37
Resources 38
About the Author 39


It's half past midnight. The glow of computer screens flickers off empty energy bottles strewn across the room. Moving images of Japanese anime radiate from a monitor while the beat of progressive house music leaks out of speakers throughout the room. Pictures on the television show news bulletins filled with thoughts of terrorism, espionage, and a cyber-apocalypse. This fear mongering preceded an Executive Order to allow both companies and government agencies to monitor everything from emails to telephones without a search warrant. This has inflamed the hacker community along with a small portion of the population who consider themselves freedom fighters and patriots. One of the laptops sitting on a nearby desk (a customized Linux) starts to flash, catching a hacker's attention. A script designed to crawl government and military websites found and defaced the 17th website tonight with cyber-“patriot” propaganda. Another laptop views a pastebin information leak where thousands of email accounts and millions of emails from those in the law enforcement, government, and intelligence agencies are listed with a note saying “If you want to watch us, let the public watch you.” The sites publishing the information are getting shut down quickly at first, but soon the data spreads like wildfire. Within a couple of hours, the television across the room showcases the major networks as they comment on the misdeeds of a few corrupt officials due to leaked cables. An IRC chat window starts to become active. Several hackers, known only by their handles, start to laugh (lolz). At first they were hacking for the lolz, but now it is different. They all feel invincible and are doing it for ideology. The chat turns more organized, and plans for future attacks start to solidify. … It is now three in the morning and the sound of rain drowns out the scream of police sirens racing down the street. Tires screech as over a dozen vehicles swarm the suspect’s house.

Within a minute, there are over twenty fully armed S.W.A.T. and federal agents moving towards the red door in the front of the house. 1, 2, 3, one of the officers motions… “This is the police!” another yells as two cops swinging a “door knocker” bust the weak wooden door off of its hinges. Black clothed bodies flood the portal. The Special Agent (SA) in charge of the operation walks through the shattered home immediately after being cleared by the shock troops. Once he gets to the back bedroom where the suspects are located, he finds an elderly couple lying terrified in their bed. Surrounded by drawn weapons, the SA simply asks if the couple had any knowledge of the cyber-attacks plaguing the country. In tear soaked speech, the wife mutters, “No,” as the SA shakes his head in frustration. A couple of miles away from the flashing of police lights, the actual criminal gazes through his window laughing at how untouchable he thinks he is. The hacker perpetrated the attack by purchasing a high power wireless card with a directional antenna during his travels. Using cash, the transaction was practically untraceable. He used a Linux distribution called “Reaver Pro” to crack the elderly couple’s wireless WPS key. This only took a few hours and gave the hacker the WPA password, which happened to be their son’s name. Now, even if they change the WPA key, the broken WPS key will instantly give him their new password unless they change the WPS key as well. He then proceeded to change or spoof his MAC address (hardware fingerprint) to that of the couple’s personal computer and then piggybacked off their service.


Artwork by Jeremy Martin

None of the exploits used or information leaked to the public was ever traced back to the original sources. The hacker and his associates continued the attacks believing they were invincible while fighting for a “just” cause. The fight on both sides escalated over the next year until the freedom fighters hacked a water treatment facility running SCADA or Industrial Control Systems (ICS). The facility's management made a poor decision and connected the secure network to the enterprise network without proper security. This gave our attackers access to some very sensitive systems.

Now, the hackers come across a device that looks “interesting”. They simply listened to the network traffic for a couple of days. After they recorded the data between the control center and what ends up being a chemical injector, one of the hackers realizes which one is which. As a political statement, the hacker changes the amount of fluoride flowing into the drinking water. He plans to do this for only a few minutes. Almost immediately, lightning strikes a phone pedestal a mile down the road. The DSL line the hacker is using “goes dark”. Panic finds its way across the hacker’s face as he realizes he has just murdered over a thousand people with fluoride poisoning.

The interesting thing is most of it can easily be true. Poor choices by management and improper implementation by staff are rampant. How many malware writers actually get caught, let alone convicted? How many hackers actually get caught, let alone convicted? Even the hacktivists that do get arrested for attacks such as Denial of Service use the defense of activism, free speech, or a “cyber sit-in”. Most of the ones caught aren’t even the masterminds behind the attacks. The mentalities of hackers vary from a bored teen doing it because they can, to actual state-sponsored espionage, to ideological electronic warfare. Anyone can be a hacker. Anyone can be an activist. Anyone can be a criminal…

How many cyber laws, just here in the U.S.A., have been passed in the last ten years in the name of “anti-terrorism”? The recently failed and reintroduced CISPA was such a law that violates the 4th Amendment and every revision of the wiretap laws ever passed. It is understandable why a government would want to do this. It is also understandable why the people would want to stand up against the illegal activities of its government. Warrantless wiretap… Think of this; most cell phones and telephones cross over networks at some point. The voice becomes digital and therefore data, and falls under the monitoring statutes for “Provider Protection”. Why would this be considered absolutely inconceivable pre-9/11 and perfectly acceptable post-9/11? Questions need to be asked before trying to understand the why. Why would people want to be anonymous or exercise their right to privacy and free speech? Why would others want to monitor everyone’s communications in the name of security? Why would some be considered cyber-terrorists? Can one actually protect themselves from prying eyes?


To some extent, the answer to the title is yes. However, there are many variables to consider. Just in the United States, there are many laws on the books (especially post-9/11) that have enabled “Big Brother” to potentially violate several of the rights granted to Americans by the Bill of Rights. Listed are just a few of the regulations or budget contracts that reference loosening the term “reasonable search and seizure” covered in the Fourth Amendment, and why there is such an Internet outcry about Internet privacy. Currently, there are several Internet Service Providers that may be illegally wiretapping all your traffic. Whether it is foreign or state sponsored activity or the ISP is watching what you are doing so they can censor, filter, or shape your bandwidth, your secrets may not be that secret. Look at the recent classified information leaked by Edward Snowden about the secret wiretapping programs PRISM and NUCLEON.

Just in the USA, there are several interesting federal laws:

Computer Fraud and Abuse Act (CFAA)
USA Patriot Act, Title II (Enhanced Surveillance Procedures)
ECPA (Electronic Communication Privacy Act)
Title 18, U.S.C. §1030 (Computer Fraud and Abuse Act)
Title 18, U.S.C. §2703 (Disclosure of customer communications)

Constitution of the United States

Amendment I

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

“Six Strikes” rule

With this new wiretap, the parties agreed on a system through which copyright infringers are warned that they are breaking the law. After six warnings, ISPs may then take a variety of repressive measures, which include slowing down offenders’ connections and temporary disconnection. At the time of this research, some of the ISPs that have already subscribed to this are AT&T, Cablevision, Comcast, Time Warner Cable, and Verizon. This means these “service providers” are watching everything you do and may be giving that intelligence to the government or other companies. I hope you like the thought of hundreds of people reading ALL of your emails and listening to your phone conversations.

CISPA (Cyber Intelligence Sharing and Protection Act) – shot down in 2012 & resurrected in 2013
NDAA 2011 (The National Defense Authorization Act)
Digital Millennium Copyright Act (DMCA)
Etc…


A simple way to prevent being tracked back (as in the story) is to use someone else’s Internet. With the proliferation of wireless devices, finding someone else’s Internet is very easy. This is a method of blending in. The attacker assumes someone else’s digital identity and piggybacks off their Internet connection. At a minimum, this is theft of services, but this theft is far easier than most people believe. If you boot off a live Linux CD, you can see the WiFi traffic without even connecting to the targeted network. At the time of this research, BackTrack is one of the best security distributions. Once you have booted into the operating system, you can use a program called “airmon-ng”. This will allow you to turn your current wireless card into a monitoring device. After you see a wireless access point and decide who is a “top talker” on that device, use a program called “macchanger” to alter your network fingerprint to the top talker’s MAC. Use “ifconfig” to turn the wireless card on. Then connect to the same remote access point. Even though you are spoofing the target “MAC address”, you are usually going to be another Internet Protocol (IP) address… A lot of analysts may miss this. If they have a service proxy, you may have to use programs like Burp Suite or Paros proxy to fake other connection information like browser or paid connection information. I have seen some providers associate the paid account with a specific access point, which is just as easy to bypass as the other methods.

The command line examples would look like (Cli = Command line interface :)

Cli1: airmon-ng start wlan0 <enter>
Cli1: airodump-ng <enter>
View the “top talker”
Cli2: macchanger wlan0 -m “top talker MAC address”
Cli2: ifconfig wlan0 up
Cli2: iwconfig
Cli2: iwconfig wlan0 mode Managed
Cli2: iwconfig wlan0 essid “target ssid”
Cli2: iwconfig wlan0 key “wireless password” (if password is needed)
Cli2: dhclient wlan0 or dhcpcd wlan0 (to get a DHCP IP address)

At this point, they should be connected to the target network. If someone was trying to track back the source address, they would get the victim’s IP address. Further investigation may reveal that the victim was being hacked, but that is about all. If the hacker connected to a personal account or services such as email, Facebook, LinkedIn, or other targeted personal info, other evidence could be acquired from the ISP. If the suspect uses a long range card with a long range antenna, the chances of tracking them drastically decrease to almost nil.

Again, piggybacking on someone else’s Internet without authorization is illegal. Do NOT break the law.
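The text notes that a cloned MAC address usually shows up with a different IP address and that analysts often miss it. As an added defender-side example (not from the original guide), the script below parses constructed ISC dhcpd-style DHCPACK syslog lines and flags any MAC address that was handed more than one IP or hostname within a short window, which is the footprint the piggybacking leaves on the victim's own router or DHCP server. The log format, hostnames and addresses are constructed assumptions.

```python
"""Flag a cloned MAC address from DHCP server logs.

Added example (not from the guide): a MAC that is spoofed by a second
machine tends to show up with a second IP address and hostname in the
DHCP server's lease log. The sample below is constructed to look like
ISC dhcpd syslog output; it is not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the family PC keeps its lease while a second host
# using the same MAC (a live-USB box) asks for and gets a different IP.
SAMPLE_LOG = """\
Jul  1 01:02:11 gw dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:01 (family-pc) via eth1
Jul  1 01:40:52 gw dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:01 (family-pc) via eth1
Jul  1 02:15:30 gw dhcpd: DHCPACK on 192.168.1.57 to aa:bb:cc:dd:ee:01 (ubuntu-live) via eth1
Jul  1 02:16:02 gw dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:01 (family-pc) via eth1
Jul  1 02:30:00 gw dhcpd: DHCPACK on 192.168.1.88 to aa:bb:cc:dd:ee:02 (printer) via eth1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_leases(text, year=2013):
    """Yield (timestamp, mac, ip, hostname) for every DHCPACK line.

    Syslog lines carry no year, so one is supplied (constructed: 2013).
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["mac"].lower(), m["ip"], m["host"] or ""


def find_mac_conflicts(text, window_seconds=3600):
    """Return {mac: [(ip, hostname), ...]} for MACs seen with more than one
    identity inside the window.

    Two acknowledgements for the same MAC that disagree on IP or hostname
    and fall within the window are the signal; a single host that simply
    got a new lease days later does not trigger it.
    """
    window = timedelta(seconds=window_seconds)
    by_mac = defaultdict(list)
    for ts, mac, ip, host in parse_leases(text):
        by_mac[mac].append((ts, ip, host))

    conflicts = {}
    for mac, acks in by_mac.items():
        acks.sort()
        identities = set()
        for i, (t1, ip1, h1) in enumerate(acks):
            for t2, ip2, h2 in acks[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted, so later entries are further away
                if (ip1, h1) != (ip2, h2):
                    identities.update({(ip1, h1), (ip2, h2)})
        if identities:
            conflicts[mac] = sorted(identities)
    return conflicts


if __name__ == "__main__":
    for mac, ids in find_mac_conflicts(SAMPLE_LOG).items():
        print(f"MAC {mac} seen as more than one host within an hour:")
        for ip, host in ids:
            print(f"  {ip:<15} {host}")
```

On real equipment the same check can be run against the router's DHCP lease table or its ARP cache, where a single MAC answering for two IPs is the equivalent signal.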


There are legitimate reasons why governments want to monitor and control the communications of the populace and/or foreign entities. Threats against Intelligence and National Security are valid concerns. However, many countries used those excuses and violated the basic trust they once had with their citizens. Tunisia, Egypt, and Syria are just some of the more recent countries that have fallen to the temptation to censor or monitor.

The need for some to pass information without prying eyes has spawned many different methods of “anonymous” communication or covert channels. To understand how people are hiding what they are sending and where they are sending from, you need to know the basics of the communication mechanism they are using. I am going to focus on the Internet as the backbone medium. There is always a fingerprint on every packet that is sent. If all the systems or nodes on a network are monitored and logged, the origin can always be traced. The challenge with the Internet is that nobody controls everything (even though there is a current power struggle in this area). This means that if you cannot get the logs, you may not get the origin or the original fingerprint. There are several reasons you don’t get the logs. The two most common are political and the lack of storage.

During the uprising in Tunisia, the government at the time tried to stop transmissions and effectively turned off the traditional paths to the Internet. Several groups then helped re-open the communication channels by sending dialup numbers, IRC channels, proxy addresses, and VPN servers. Soon after, the Twitter feeds and videos started to stream out of the country again. On the other side of this coin, many people use these types of jump points to download movies, music, and pirated software or send out malicious attacks against targets. The MPAA allegedly hired people in India to attack thepiratebay.se in a massive DDoS attack. The hacktivist group “Anonymous” then attacked back, effectively shutting down the MPAA websites. Anonymous has even taken to the Tor network for protection from cyber spying, with the old site Anonops.org being moved to anonops532vcpz6z.onion. Many Internet Service Providers (ISPs) are working with the local government or copyright owners such as MPAA, RIAA, Microsoft, etc… to monitor your entire Internet traffic looking for evidence of possibly pirated Intellectual Property.

To get around this, suspects can use methods to make their origins anonymous on the Internet. Encryption is still the best solution to keep your information private. For whatever reason you want to protect your identity and data on the Internet, there are several options. Proxy servers are one of the most common routes. There are free and commercial proxy servers all around the world that offer access without logging the connections. Some of these proxies offer SSH encryption or even AES 256 bit encryption tunnels, such as the services from BTGuard. Using network encryption makes network forensics virtually impossible. Finding the source is also difficult beyond knowing the IP address of the proxy and getting an answer from that system.


The TOR community or Onion network is another service that contains thousands of public proxies and thousands more that are not publicly known. With this being said, blacklisting TOR network addresses does not work. The basic TOR client that comes with the TOR Browser Bundle (TBB) even allows you (the client) to be a proxy into the TOR network. TOR however does not support BitTorrent, but it does support browsing, chat, email, and other basic Internet services. However, once on the TOR network, others on the same network will know your original IP address.

There are many “secure” live operating systems you can use to log into TOR. The first one I want to talk about is Tails. “The Amnesic Incognito Live System is a live CD/USB distribution preconfigured so that everything is safely routed through Tor and leaves no trace on the local system.” This can be found on thetorproject.org. The second one I would like to mention is Whonix: “(called TorBOX or aos in past) is an anonymous general purpose operating system based on Virtual Box, Debian GNU/Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Not even malware with root rights can find out the user's real IP/location.” Both of these are pre-configured operating systems that will let you automatically connect to the TOR network with little to no work on your part. Whonix is based on two different virtual machines and does require more resources and a running OS. The Tails OS, if burned to a CD, doesn’t leave a forensic trail on the local hard drive.

Live operating systems usually run in memory only. Some of the live Linux distributions will even prevent automatic mounting of drives and network cards after the OS boots up. If the drives are mounted, they can be mounted as read only. Programs like MacChanger will allow the user to spoof the hardware fingerprint to obfuscate the vendor/identification at OSI layer 2 (data link layer). This allows for plausible deniability, especially if connecting to unsecured wireless networks. Once the system is shut down, everything in memory is wiped out.

A USB drive can be used to substitute for the CD. The simple fact is, if the people investigating do not have the original USB, the game is over. Coming from someone with a computer forensics background, I can attest that a suspect using live Linux makes the investigation a nightmare. Another live Linux system that is very popular in the security community is BackTrack Linux (backtrack-linux.org).


The other method to completely hide all your traffic is the traditional VPN. A VPN server essentially hides your IP address because you are virtually connected to a completely separate network. Once you touch the Internet, it is going through their gateway. The downside is that there is a bandwidth bottleneck. You are also on a network with others trying to hide their identity. Once you are on the network, your source is known by the other people on the network.

Now from the investigation standpoint: if the logs do not exist, there is no forensic footprint. If the evidence has been tampered with or does not exist, there is no case. If you are not on the same network as those using these services, especially the proxies, you may never find the origin or the suspect. If you are on the same network or inline between the suspect and the proxy, you may be able to see what is going through the wire if it is unencrypted. However, you need to be careful of wiretap laws. Not even the ISPs have the right to monitor your traffic without probable cause and more than likely a court order. However, there is legislation and there are activities that are pushing this into a very grey area… ISPs are using the excuse that too many people are sharing illegal or protected IP content and that they should be able to protect themselves. Just be aware of your environment, the jurisdiction, and monitoring laws in your area.

This is a major security threat for companies that want to control all of their traffic. If you blacklist, there will only be other covert channels popping up to bypass the blocking. It comes down to managing acceptable risk. Going back to the beginning of this article, some laws being pushed would make wiretaps a normal part of everyday life and have National Security trump the right to privacy, as it does in most other countries around the world.

If you are not a member of a hacking group/hacktivist community/state sponsored cyber army, you may not have access to a private VPN or proxy. In this case, there are several resources you can choose from, but it all comes down to researching the product that is right for you. Here is a list of services that some people use to hide their origin.

Services that may not log

BTguard

Private Internet Access

TorrentPrivacy

TorGuard

ItsHidden

Ipredator

Faceless

IPVanish

AirVPN

PRQ

BlackVPN

Privacy.io

Okayfreedom

Cryptocloud

Services that do not support anonymity (Log a lot)

hidemyass

Hotspot Shield

VyprVPN

SwissVPN

StrongVPN


Some people think onion routing or the Tor network is for criminals and people with something to hide. Well, they are half right. The Tor network was designed to give a masked, “semi-safe”, passage to those that needed to get information out. “Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others.” - torproject.org

With Tor, 3 nodes from a pool of thousands will be chosen, with the route changing often. The onion-like encryption assures the anonymity and can be a way to bypass traffic filters or monitors. This medium has been recognized as a “safer” way to communicate over the Internet. What most people do not realize is that there is an entire underground out there called “Darknet”. Others just call the underground Internet Tor network “hidden servers”. These hidden servers usually have a “.onion” extension and can only be seen using a Tor proxy or TorVPN. The easiest way to get onto the Tor network is with the Tor Browser Bundle (TBB). It is free and very easy to install and then use. All you have to do is go to torproject.org and download TBB, and within minutes you will be connected.
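The three-node circuit and its layered encryption described above, as an added example that is not part of the original guide and is not Tor's real cryptography: a client wraps a request once per relay, each relay peels one layer and learns only the previous and next hop, and only the exit sees the plaintext. The relay names, the fixed hop keys and the SHA-256 keystream toy cipher are constructed assumptions.

```python
"""Toy three-hop onion to show what each Tor-style relay can and cannot see.

Added example, not from the guide and not Tor's real protocol: a hop key
is a shared secret the client is assumed to have already negotiated with
each relay, and the "cipher" is a SHA-256 keystream XOR that exists only
to make the layering visible. Do not reuse it for anything real.
"""
import hashlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy stream cipher: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_onion(path, payload: bytes) -> bytes:
    """Wrap payload once per hop, innermost layer for the exit.

    path is [(relay_name, hop_key), ...] ordered entry guard first.
    Each layer's plaintext is: 1-byte length, next-hop name, inner bytes.
    The exit's layer has an empty next-hop, meaning "deliver this".
    """
    inner = payload
    next_hop = b""
    for name, key in reversed(path):
        plain = bytes([len(next_hop)]) + next_hop + inner
        inner = keystream_xor(key, plain)
        next_hop = name.encode()
    return inner


def relay_peel(key: bytes, packet: bytes):
    """One relay strips its layer: it learns only the next hop and an opaque blob."""
    plain = keystream_xor(key, packet)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def simulate(path, payload: bytes, sender="client"):
    """Push the onion along the path and record each relay's view."""
    observations = []
    packet = build_onion(path, payload)
    prev = sender
    for name, key in path:
        next_hop, packet = relay_peel(key, packet)
        observations.append({
            "relay": name,
            "from": prev,
            "to": next_hop or "destination",
            "sees_payload": next_hop == "",   # only the exit reaches plaintext
        })
        prev = name
    return observations, packet


if __name__ == "__main__":
    # Constructed fixed keys so the run is reproducible; real hop keys are
    # per-circuit secrets produced by a key exchange.
    circuit = [("guard", b"g" * 16), ("middle", b"m" * 16), ("exit", b"x" * 16)]
    views, delivered = simulate(circuit, b"GET / HTTP/1.1")
    for v in views:
        print(f"{v['relay']:>6}: from {v['from']:<6} to {v['to']:<11} "
              f"payload visible: {v['sees_payload']}")
    print("delivered:", delivered)
```

The guard's record is the point the text makes about the entry side: it sees the client's address and nothing else, which is why the guard, not the exit, is where an originating IP can be observed.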

There are legitimate reasons to use Tor, especially for those that are trying to hide their identities from oppressive governmental regimes, or reporters trying to minimize leaking the identity of informants. Some will even stay on the proxy network and use services like Tor Mail, a web based email service. There are still some anonymity challenges. If you are on the same network, you may still leak the originating IP address and there is a risk of someone capturing your traffic. Some will even go as far as only using HTTPS (SSL encryption) or reverting back to the good old VPN.

There are darker usages of the hidden servers. There are E-Black Markets all over this network that sell anything from Meth to Machine guns and services that range from assembling credit card data to assassinations (“you give us a picture; we'll give you an autopsy report!”). Most of the sites trade their goods with an e-currency called Bitcoins, an anonymous electronic commodity that can purchase almost anything.

One of the most popular “secret” sites called “The Silk Road” or SR has almost anything you can think of. SR has evolved over the years and has recently dropped its weapon sales section. They have also banned assassination services to minimize attention from showing up on Law Enforcement’s radar. They still have plenty of drugs, counterfeit items, and stolen goods.


There are still plenty of other sites that focus on arms dealing or unfiltered auction sites. Once you are on Tor, the next thing you would have to do to communicate with some of these sites is to get an anonymous Tor based email. This is a web based email that you log into that acts just like a regular email, except it only exists in the Tor world. Another popular communications mechanism is TorPM.


So let’s take this step by step.

1.) Download “Tor Browser Bundle” from torproject.org.
2.) Double left click on “Start Tor Browser”.
3.) You should then see Vidalia connecting to Tor.
4.) The Tor Browser should automatically open. You are now on the “Tor network”. You can now access “.onion” domains.
5.) Create a TorMail account on jhiwjjlqpyawmpjx.onion.
6.) Create a TorPM account on 4eiruntyxxbgfv7o.onion/pm/
7.) Enjoy a little more anonymity for research.



Tips:

The Tor network has been around for many years and there are many hidden servers out there with “.onion” extensions. There are many .onion sites that are benign, but there are many out there that contain contraband materials such as child pornography, illegal weapons, assassination services, drugs, stolen credit cards, and fake IDs. Investigating these sites can be problematic since the addresses are only available through the Tor system. If you are researching in this realm, be extremely careful. Be aware that there is more offensive material on that network per capita than on the normal Internet, surface web, or deep web. I would document your research and report the CPKP sites to the proper authorities. This will help protect you from getting dinged for the possible illegal activity.

If you fear that your connection is being monitored through deep packet inspection, the Tor network may not be visible. An extra step that can be taken to keep them from seeing your data is to also use a VPN service, bounce through a Socks5 proxy using an SSL tunnel, and then connect to the Tor network. Just remember, if the VPN or proxy servers log the information, you are not truly anonymous. The more layers of security used, the more effort will be needed to peel them back to investigate.

The need to be anonymous is not a representation of a guilty conscience, just like a settlement in a lawsuit is not an admission of guilt. However, upstream providers, management, and law enforcement sometimes disagree.

While trying to be faceless and hide your true identity, make sure you do not log into identifiable accounts. It is amazing how many people check their regular email, chat, or use their nicknames, and it makes investigations a lot easier.

In the end, it all comes down to level of effort: the effort you want to put into being just another face in the crowd versus the effort of those that want to monitor.

Here are some examples of levels on how someone can decrease the probability of them getting caught.

Example 1
- Connect directly: This leaves a direct fingerprint to the source. This is never suggested and usually points to a novice or script kiddie.

Example 2
- Change their MAC address: This changes the fingerprint of the hardware.
- Connect to a VPN: This will act as a proxy by adding them to a completely different network and having the VPN gateway as the “originating” address from the outside.
- Connect to Tor: This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.

Example 3
- Change their MAC address: This changes the fingerprint of the hardware.
- Connect to a VPN: This will act as a proxy by adding them to a completely different network and having the VPN gateway as the “originating” address from the outside.
- Connect to a Proxy: This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.
- Connect to Tor: This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.


Anyone can set up a “Darknet storefront”. In many cases, knowledge of web development isn’t needed. Using a program called PortableApps from www.portableapps.com can make this a trivial process. You can add the Tor Browser Bundle and XAMPP (a self-contained web server bundle). This means that someone could have a Darknet hidden service on a thumb drive and run the server on any computer they are currently at.

As shown in the image above, XAMPP is running and Apache is listening on ports 80 and 443. If you were to open a web browser and visit http://127.0.0.1, you would see the welcome page. To customize the website, just copy an index.html file directly into the PortableApps\xampp-portable\htdocs folder. Once this is done, you should be rendering your personal custom website. Now to create an onion domain.

Open the Tor Browser. The Vidalia control panel should open. In this window, there is a settings button that gives you access to the proxy configuration. In here, there is a services area that allows pointing to your local web server. Choose either port 80 or 443 for standard HTTP and then add it. It will generate a couple of configuration files for you to use and keep with the web server. Now, every time you run the Tor Browser, you will have a link back to your web server. This does take a few minutes to propagate across the onion router network, but this is the easiest and most mobile method, allowing more anonymity for hosting the service. Unfortunately, drug dealers, pedophiles, and terrorists already know this.
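The Vidalia steps above amount to two directives in Tor's configuration file. As an added example (not from the guide), here is the torrc fragment those steps produce, pointing the onion service at the XAMPP Apache from the text; the directory path is an assumption, and the Apache Listen line is a hardening caveat rather than part of the guide's procedure.

```text
# torrc fragment (added example, not from the guide).
# Tor creates the directory on first start and writes two files into it:
# 'hostname' (your .onion address) and 'private_key'. Losing the key means
# losing the address, so the directory must travel with the thumb drive.
# The path below is an assumed placeholder.
HiddenServiceDir /path/to/PortableApps/tor-hidden-service/
# Virtual port visitors use -> where XAMPP's Apache actually listens
HiddenServicePort 80 127.0.0.1:80

# Caveat: in XAMPP's httpd.conf, bind Apache to loopback only, so the same
# site is not also reachable in the clear from the local network:
#   Listen 127.0.0.1:80
```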


"I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties."

“I2P is a project to build, deploy, and maintain a network supporting secure and anonymous communication. People using I2P are in control of the tradeoffs between anonymity, reliability, bandwidth usage, and latency.” “Unlike many other anonymizing networks, I2P doesn't try to provide anonymity by hiding the originator of some communication and not the recipient, or the other way around. I2P is designed to allow peers using I2P to communicate with each other anonymously — both sender and recipient are unidentifiable to each other as well as to third parties”

"The I2P/Tor outproxy functionality does have a few substantial weaknesses against certain attackers - once the communication leaves the mixnet, global passive adversaries can more easily mount traffic analysis. In addition, the outproxies have access to the cleartext of the data transferred in both directions, and outproxies are prone to abuse, along with all of the other security issues we've come to know and love with normal Internet traffic." - www.i2p2.de

Terminology of Tor vs. I2P

Tor                          I2P
Cell                         Message
Client                       Router or Client
Circuit                      Tunnel
Directory                    NetDb
Directory Server             Floodfill Router
Entry Guards                 Fast Peers
Entry Node                   Inproxy
Exit Node                    Outproxy
Hidden Service               Eepsite or Destination
Hidden Service Descriptor    LeaseSet
Introduction point           Inbound Gateway
Node                         Router
Onion Proxy                  I2PTunnel Client (more or less)
Relay                        Router
Rendezvous Point             somewhat like Inbound Gateway + Outbound Endpoint
Router Descriptor            RouterInfo
Server                       Router


Let’s take a step back and compare the two networks, Tor and I2P. Onion routing wraps your traffic or packets in multiple layers of encryption. Each router in the chain has its own key and can only strip the one layer that was encrypted for it.

Tor, written in C, has been around for a longer period of time and has more nodes or proxies. This network also has the capability to use TLS and bridges. Tor acts as a SOCKS proxy on the client, and traffic is forwarded through relay, exit, or client nodes. With government and commercial funding, the Tor community has a solid base in research and development. This also means that a lot of the exit nodes are known and blacklisted. However, there are many private proxies listed in the network that change frequently, or you can set up a relay. Another big bonus is that Tor is hard to block, even at state-level borders. Unfortunately, this network uses centralized, directory-based management.

I2P is written in Java, which naturally means a higher footprint. However, it is a fully distributed network that focuses on services instead of the entire TCP/IP stack, which makes the communications faster and more portable (port forwarding is now available). The encrypted tunnels are also shorter-lived, which makes cryptanalytic attacks more difficult.
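To make the layered-encryption description above concrete, here is an added Python walkthrough (not from the guide or the Tor project) that builds a three-layer onion and lets each relay strip only its own layer, so no single relay sees both the origin and the cleartext. The HMAC-based stream cipher and the fixed relay keys are constructed stand-ins for Tor's AES-CTR and its per-circuit negotiated keys.

```python
"""Toy onion-routing walkthrough (added example; not from the guide or Tor).

Three relays (entry, middle, exit) each hold their own symmetric key.  The
client wraps the payload in one layer per relay, innermost first.  Each relay
strips exactly one layer, learns only the next hop, and cannot read the layers
underneath or the one built for a different relay.

The cipher is a constructed HMAC-SHA256 keystream (CTR-style XOR) so that the
example runs on the standard library alone; it has no integrity protection.
Real Tor uses AES-CTR plus integrity checks, with keys from a DH handshake.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key + nonce into `length` pseudo-random bytes (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per layer; output = nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def build_onion(route: list, payload: bytes) -> bytes:
    """Client side: wrap `payload` for every (name, key) in `route`, entry..exit.

    Each layer carries the name of the next hop plus the still-encrypted inner
    blob.  The exit's layer names "destination" and holds the cleartext payload.
    """
    inner = payload
    next_hop = "destination"
    for name, key in reversed(route):           # exit layer first, entry last
        envelope = {"next": next_hop, "inner": inner.hex()}
        inner = encrypt(key, json.dumps(envelope).encode())
        next_hop = name
    return inner                                # blob handed to the entry relay


def relay_peel(key: bytes, blob: bytes) -> tuple:
    """Relay side: strip one layer; returns (next hop, blob to forward)."""
    envelope = json.loads(decrypt(key, blob))
    return envelope["next"], bytes.fromhex(envelope["inner"])


def layer_is_readable(key: bytes, blob: bytes) -> bool:
    """True only if `key` belongs to the relay the outer layer was built for."""
    try:
        relay_peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):   # wrong key -> garbage, not JSON
        return False


def traverse(route: list, onion: bytes) -> tuple:
    """Walk the circuit.  Returns what each relay learned and the exit's output."""
    learned = []
    blob = onion
    for name, key in route:
        next_hop, blob = relay_peel(key, blob)
        learned.append((name, next_hop))        # a relay only sees its next hop
    return learned, blob


if __name__ == "__main__":
    # Constructed demo circuit; in Tor each key would be negotiated per circuit.
    route = [("entry", b"K" * 32), ("middle", b"M" * 32), ("exit", b"X" * 32)]
    onion = build_onion(route, b"GET / HTTP/1.1\r\nHost: example.onion\r\n\r\n")
    learned, out = traverse(route, onion)
    for relay, nxt in learned:
        print(f"{relay:>6} -> forwards to {nxt}")
    print("exit delivers:", out)
    # The middle relay cannot open the outer layer that was built for the entry.
    print("middle can read outer layer:", layer_is_readable(route[1][1], onion))
```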

Here is another example of how someone can decrease the probability of them getting caught.

Example 4
  Change MAC address - This changes the fingerprint of the hardware.
  Connect to a WiFi hotspot - Hide in plain sight, but not on your own network.
  Connect to a VPN - This acts as a proxy by placing them on a completely different network, with the VPN gateway appearing as the “originating” address from the outside.
  Connect to a Proxy - This adds another layer of obfuscation toward the target by stripping off the source information and substituting its own.
  Use an encrypted tunnel to the Proxy - This distorts the view from prying eyes.
  Connect to I2P - This adds yet another layer of obfuscation toward the target by stripping off the source information and substituting its own.

The attacker can also bounce through multiple proxies, but the more connections you go through, the slower the connection will be. Bouncing through multiple servers is nothing new. The average attacker usually goes through 2-3 hop points. It is also not as easy to trace back as most of the movies seem to show. As mentioned before, if the server does not log, the job of the forensics analyst becomes a LOT more difficult, if not impossible. This is where you may have to get several court orders from multiple countries to trace back the source of the attack.

Reminder:

When connecting to any proxy or using an anonymizing methodology, NEVER use personally identifiable indicators. That means do not log into email, Facebook, your bank, or any other site you would normally connect to. Use a different browser, or even a different system, if you don’t want to spoof fingerprints. Do not cache or save bad data. It’s better not to even search for bad data or contraband.


There are plenty of hacking groups. The range goes from hacktivists to bored fourteen-year-olds to organized crime to state-sponsored actors. There are many websites out there on the regular Internet that monitor hackers or allow them to post their conquests. Zone-h.org is one of these sites. Zone-h disclaimer: “all the information contained in Zone-H's cybercrime archive were either collected online from public sources or directly notified anonymously to us. Zone-H is neither responsible for the reported computer crimes nor is it directly or indirectly involved with them. You might find some offensive contents in the mirrored defacements. Zone-H didn't produce them so we cannot be responsible for such contents.”

Some of the groups that post here claim to be politically motivated and others are just doing it because they can. Either way, it is still damaging to the victim. The methods of the website defacements range from simple SQL injection to advanced buffer overflows that allow the attacker to take complete control of the server. The nice thing about this site is that they keep tabs on which group attacks which sites and how many defacements each group has accomplished. Zone-h has been the target of hackers themselves over the years. There are hackers out there who no longer trust the site because of the vulnerabilities it has had in the past. The simple fact still rings true… If your domain is published on the site, there is a problem: your site has been defaced. Many of the actors here have been recorded as threats to nation-states and have active arrest warrants out for top members of the groups.

There are other sites out there such as hack-db.com that contain similar information and xssed.org that lists sites verified to be vulnerable to cross-site scripting (XSS). Even on the Tor network, there are a few resources available such as HackBB: clsvtzwzdgzkjda7.onion & Rent-a-Hacker: ugh6gtz44ifx23e7.onion. The interesting thing about most of these sites is that they will not post the event until after they verify it. These sites are a third party that manually validates each entry before the post gets listed in the archive.

Team GhostShell is another hacking group that targets governments, companies, and universities. They have leaked millions of records from top universities and the Russian government onto the Internet. Ashiyane Digital Security Team, china hacker, Iran Black Hats Team, and Fatal Error are groups that seem to focus more on website defacements and recognition. Many of the defacements are either simple “fix your security” suggestions or outright political hacktivist “change your ways” statements.


The cyber-criminal underworld has many facets, but the common thread most of them share is that each sub-group usually focuses on money. This is a completely different mindset from hacktivists or people trying to find out how things work. It is about the money. Let’s dissect some of the sub-groups into basic “Cyber” sections.

The “Carder” deals with stolen credit card numbers and card replication

The “Counterfeiter” deals with creating reproductions or falsified documents

The “Pirate” deals with copyright and intellectual property trade

The “Bot herder” deals with botnets and Command & Control servers

The “Extortionist” deals with stealing, hiding, or threatening to release data for a fee

The “Spook” deals with industrial or state secrets for a fee

The “Carder”

The carding industry is a multi-million dollar data trade. There are marketplaces where people who steal databases, or who skim or double-swipe cards, can sell what they collect. The more reliable the data, the higher the price the seller can demand. Many of the players in this space will even guarantee a minimum of $1,000 to $5,000 on the card for less than a tenth of the price.

The “Counterfeiter”

The counterfeiting realm isn’t that prominent, but it is a staple of any black market. For a nominal fee, a person can get an entirely new identity, including a fully functional passport, driver’s license, proof of car insurance, credit card, and possibly even a social security card. This isn’t always for basic identity theft (financial reasons). Some people want a new identification to hide from something, frame someone, or start life “fresh” as a new person or “citizen”.

The “Pirate”

The pirating community focuses on trading IP. Movies, music, software, and more fall under here.


The “Bot herder”

The botnet world is an interesting one. There are many uses for a botnet, but the basics are always the same: compromise as many systems as they can. Most of the bots have a Command & Control server that the herder connects to, and from there the bots or zombies can be told what to do. These distributed systems are used to make money. They can be rented out for DDoS attacks, used for spam email to generate revenue, or used for click fraud. Click fraud is when an individual registers for an affiliate click-through marketing program where the affiliate will pay for a certain number of “clicks” or links followed. The click fraud comes into play when the software imitates the actions of a fake user and automates the click / link-following action, thus generating revenue. Cell phones are the newest target of this ever-growing threat.

The “Extortionist”

Cyber extortion is similar to the traditional form. Think of the good old mob shows. The criminal goes up to the store owner and “offers protection” for a price. Now from the cyber side… Someone from across the world breaks into your system, encrypts all of your data, and leaves a message on your screen that says “Pay $1,000 and we will give you the password to your data”. A simpler approach I have seen ran a program that stopped other programs from running, then popped up a picture that claimed it was the FBI that locked the computer out for downloading movies. Send $200 to an offshore account as a “fine” and the computer will be unlocked.

The “Spook”

Espionage isn’t just government to government. Sometimes the actors are corporations stealing trade secrets from one another. This is a multi-billion dollar industry and can make or break companies or even countries. Much of the threat to the US involves China and Russia, as they are persistent collectors. Nortel Networks was a victim for almost 10 years. The Office of the National Counterintelligence Executive even published a report highlighting the dangers of cyber espionage. This is NOT its legal cousin, OSINT or Competitive Intelligence (CI).


"New York Times hacking: A sign of things to come?"

"Washington Post Joins List of News Media Hacked by the Chinese"

"Nortel hacked: Nortel faced corporate espionage from China-based hackers for more than a decade"

"Evidence of more China-led 'cyber-espionage' against US increases"

"Bank Hacking Was the Work of Iranians, Officials Say"

"BofA, JPMorgan, Citi Repeatedly Hacked by Iran"

"How Iran hacked super-secret CIA stealth drone"

"Defense Secretary Leon Panetta: Iranians hacked oil companies"

"Out in the Wild, Government-Created Stuxnet Virus Now Infecting Corporations"

These headlines are getting more and more common every day. It is a well-known fact that countries and even businesses engage in the act of espionage. This activity has been going on for thousands of years and has even earned a chapter in Sun Tzu’s “Art of War”.

The Foreign Economic Collection report released in October 2011 to Congress by the Office of the National Counterintelligence Executive (ONCIX) states:

“Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.”

“Estimates from academic literature on the losses from economic espionage range so widely as to be meaningless—from $2 billion to $400 billion or more a year—reflecting the scarcity of data and the variety of methods used to calculate losses.”

It has been accepted that it occurs, but the theme from everyone is that no one truly knows how much damage is being caused by the theft of state and corporate secrets. What everyone does agree on is that there are common actors in this space and the damage is great. The shadows have always been there throughout the Internet. As for the military warriors, the active aggressors are just now starting to make their presence known. 'If you shut down our power grid, maybe we will put a missile down one of your smokestacks,' unnamed official


These hackers are not state-sponsored, hacktivists, or cyber criminals. There are several groups in the Middle East region trying to cultivate hackers for ideological reasons. For example, a Muslim Brotherhood leader was documented as promoting ‘Cyber Jihad’ and restoration of the Caliphate, calling for people to commit electronic terrorism against the enemies of Islam. The main targets of course would be Israel and western nations.

“encourage young people to undertake electronic jihad.” … “Some of our youth are extremely clever. I hope that a group of hackers will get together, and will wage resistance over the Internet, targeting Israeli and Zionist sites and destroying them electronically.” - Tareq Al-Suwaidan

“with expertise in this domain to target the websites and information systems of big companies and government agencies” - Al Qaeda recruitment video http://bcove.me/dtsnmixe

"Electronic jihad is a phenomenon whereby mujahideen use the Internet to wage economic and ideological warfare against their enemies. Unlike other hackers, those engaged in electronic jihad are united by a common strategy and ideology which are still in a process of formation." - jihadwatch.org

The following are documents that give you an idea of what some believe.

How can I Train Myself for Jihad - qx7j2selmom4ioxf.onion/jihad.html

The Al Qaeda Manual - qx7j2selmom4ioxf.onion/alquedatraining.txt

This is not state-sponsored activity; it is an ideology, which makes it far more dangerous. There has been an increase in cyber activity from motivated hackers focusing on financial and Industrial Control Systems (ICS). These attacks included website defacement, Denial of Service, and system exploitation. In August 2012, a Saudi oil firm was hit with malware and 30,000 systems were affected. On October 12th, Defense Secretary Leon E. Panetta warned of a “cyber-Pearl Harbor”. The interesting thing about this statement is that we have always been facing such threats since the Internet became an international communication mechanism. If you are on the Net, you are being attacked on a daily basis.


No matter what side of the debate you are on, Anonymous has made a mark in cyberspace, politics, and general freedom of speech. Whether it is helping the people of Tunisia get word to the rest of the world of the atrocities occurring against the uprising populace, or calling attention to cyber legislation (SOPA, PIPA, CISPA, etc…) that would destroy free speech as some see it, the hacktivist phenomenon has caused change. “Anonymous does not have a membership list, and you can't really 'join' it either. If you identify with or say you are Anonymous, you are Anonymous. No one has the authority to say whether you are Anonymous or not, except for yourself.” – anonnews.org

There are several groups that claim to be part of Anonymous, but as everyone has seen, each group has its own doctrine or political motives. Some of them are informational while others are very destructive. There have even been messages sent under the mask of Guy Fawkes with threats of violence and terrorism. Many of these messages have been shot down as fakes, such as the original Westboro Baptist Church message and the November 5th 2012 government bomb threat.

There has been actual retribution from Anonymous over the past year. Several of their “Operations” have caused websites from corporations like Sony to Federal government organizations like the CIA, FBI, and DOJ to go down. The group uses very simple methods for Distributed Denial of Service, primarily resource starvation: making thousands of legitimate connections so that the attack uses up as much of the resource as it can. If you use more than the victim has, the victim then starts to fail.

Other operations have been focusing on the freedom of information, or literally freeing the information from the owners and giving it to the people. Project Mayhem-2012 calls for a program called Tyler (both named after the movie Fight Club) to “leak it all!” They believe the operation will help fight political and corporate corruption. “Imagine you purchase a USB drive. Imagine you take it to your work place. Imagine you collect evidence of illegality and corruption. Imagine together we expose all lies. Imagine we leak it all.”

The only thing this section is trying to do is link to news and messages about or from Anonymous over the years. This is not a piece to state what side you should be on, and it does not advocate illegal activity without expectations of jail time. Both statements are below. The messages from Anonymous follow the pattern of freedom from oppression/censorship, and yet the actions range from targeting pedophiles to governments. The week of this update, the “group” hacked the Federal Reserve, compromising over 4000 customer accounts from banks, and defaced several government websites. This is beyond the normal actions of “cyber sit-ins” or hacktivism. The message of peace is often overshadowed by the actions of cyber violence. Below are examples of press releases associated with released videos. At this time, there have been over nine thousand (400+) releases.


Dear brothers and sisters. Now is the time to open your eyes! In a stunning move that has civil libertarians stuttering with disbelief, the U.S. Senate has just passed a bill that effectively ends the Bill of Rights in America. The National Defense Authorization Act is being called the most traitorous act ever witnessed in the Senate, and the language of the bill is cleverly designed to make you think it doesn't apply to Americans, but toward the end of the bill, it essentially says it can apply to Americans "if we want it to." Bill Summary & Status, 112th Congress (2011 -- 2012) | S.1867 | Latest Title: National Defense Authorization Act for. This bill, passed late last night in a 93-7 vote, declares the entire USA to be a "battleground" upon which U.S. military forces can operate with impunity, overriding Posse Comitatus and granting the military the unchecked power to arrest, detain, interrogate and even assassinate U.S. citizens with impunity. Even WIRED magazine was outraged at this bill, reporting: Senate Wants the Military to Lock You Up Without Trial ...the detention mandate to use indefinite military detention in terrorism cases isn't limited to foreigners. It's confusing, because two different sections of the bill seem to contradict each other, but in the judgment of the University of Texas' Robert Chesney — a nonpartisan authority on military detention — "U.S. citizens are included in the grant of detention authority." The passage of this law is nothing less than an outright declaration of WAR against the American People by the military-connected power elite. If this is signed into law, it will shred the remaining tenets of the Bill of Rights and unleash upon America a total military dictatorship, complete with secret arrests, secret prisons, unlawful interrogations, indefinite detainment without ever being charged with a crime, the torture of Americans and even the "legitimate assassination" of U.S. citizens right here on American soil!
If you have not yet woken up to the reality of the police state we've been warning you about, I hope you realize we are fast running out of time. Once this becomes law, you have no rights whatsoever in America. — no due process, no First Amendment speech rights, no right to remain silent, nothing. The US senate does not want us to speak. I suspect even now orders are being shouted into telephones and men with guns will soon be on their way. Why? Because while the truncheon may be used in lieu of conversation, words will always retain their power. Words offer the means to meaning and for those who will listen, the enunciation of truth. And the truth is, there is something terribly wrong with this country, isn't there? Cruelty and injustice...intolerance and oppression. And where once you had the freedom to object, to think and speak as you saw fit, you now have censors and systems of surveillance, coercing your conformity and soliciting your submission. How did this happen? Who's to blame? Well certainly there are those who are more responsible than others, and they will be held accountable. But again, truth be told...if you're looking for the guilty, you need only look into a mirror. I know why you did it. I know you were afraid. Who wouldn't be? War. Terror. Disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense. Fear got the best of you and in your panic, you turned to the now President in command Barack Obama. He promised you order. He promised you peace. And all he demanded in return was your silent, obedient consent.


More than four hundred years ago, a great citizen wished to embed the fifth of November forever in our memory. His hope was to remind the world that fairness, justice, and freedom are more than words - they are perspectives. So if you've seen nothing, if the crimes of this government remain unknown to you, then I would suggest that you allow the fifth of November to pass unmarked. But if you see what I see, if you feel as I feel, and if you would seek as I seek...then I ask you to stand beside one another, one year from November 5th, 2011, outside the gates of every court house of every city DEMANDING our rights!! Together we stand against the injustice of our own Government. We are anonymous. We are Legion. United as ONE. Divided by zero. We do not forgive Censorship. We do not forget Oppression. US SENATE... Expect us!! Music by: Wolfgang Amadeus Mozart - Requiem

AMERICAN FREEDOM ALERT - CODE RED.

The Government has committed TREASON against you! Will you sit and watch while your freedoms are taken away? Or will you walk out your door and fight for your rights?

THE CHOICE IS YOURS. THE LATTER IS BEST.

Gather an army of people. Flood the streets. If police gives you violence, give them tenfold of that.

OCCUPATIONS ARE OVER. REAL REVOLUTION IS HERE. THE FORMER UNITED STATES GOVERNMENT SHALL BE DESTROYED.

In his last official act of business in 2011, President Barack Obama signed the National Defense Authorization Act from his vacation rental in Kailua, Hawaii.

In a statement, the president said he did so with reservations about key provisions in the law — including a controversial component that would allow the military to indefinitely detain terror suspects, including American citizens arrested in the United States, without charge.

The president defended his action, writing that he signed the act, "chiefly because it authorizes funding for the defense of the United States and its interests abroad, crucial services for service members and their families, and vital national security programs that must be renewed."

Some citizens remain completely confused by the language of the bill, running around the Internet screaming that the law "does not apply to American citizens."

This is, naturally, part of the side effect of having such a dumbed-down education system where people can't even parse the English language anymore. If you read the bill and understand what it says, it clearly offers absolutely no protections of U.S. citizens. In fact, it affirms that Americans are subjected to indefinite detainment under "existing authorities."


The writers of the bill have managed to fool a lot of everyday people who seem unable to parse language and read plain English with any depth of understanding. That is as much a failure of America's public education system as anything else. I find it astonishing that today's citizens can't even read and understand the grammatical structure of sentences written in plain English. This alone is a highly disturbing subject that must be addressed another day. For now, it's enough just to realize that the NDAA really does apply to you, me, and all our neighbors and friends. In signing it, Obama has cemented his place in history as the enabler of government-sponsored mass murder of its own citizens.

History does repeat itself after all. Hitler, Stalin, Mao and now "Obama the enabler." While Obama himself probably won't engage in the mass murder of American citizens, have no illusions that a future President will try to use the powers enacted by Obama to carry out such crimes.

The system was built for the 1% not for us. They live because of "we". This must change. Don't stop the fight, don't stop the protest. We will win. Occupy everything, everywhere. This is the beginning, this is the start.

So, brothers and sisters. The collective is calling upon the citizens of the United States to protest against the new sections in the national defense authorization act that were passed a short while ago.

While we cannot force the American people to protest, we must tell them that this law will strip away any rights they thought they had including, but not limited to, Free speech, Free press, Free access to information, and the right to protest, assemble, and bear arms.

This law cannot be changed according to the Feinstein Act. Sections Ten thirty one and ten thirty two of the national defense authorization act have been passed and ratified. It grants unlimited powers to the executive branch of the government to indefinitely detain suspects, even American citizens, without trial. All a person has to do is to commit a belligerent act. What is a belligerent act? Is protesting a belligerent act? Is being Anonymous a belligerent act? This is where we draw the line. This is when we leave our computers. This is when we take out our masks and defy the corrupt rule of law. This is when we revolt. The time has come for you to accept the truth and join us in overthrowing yet another corrupt military regime.

Operation Blackout, engaged.

We are Anonymous.

We are Legion.

We do not Forgive.

We do not Forget.

To the United States government, you should've expected us.

Link to NDAA Bill

http://www.gpo.gov/fdsys/pkg/BILLS-112hr1540enr/pdf/BILLS-112hr1540enr.pdf

Other Link News

http://www.naturalnews.com/034538_NDAA_American_citizens_indefinite_detainmen...

http://www.cbsnews.com/8301-250_162-57350607/obama-signs-defense-bill-with-re...

http://www.thenewamerican.com/usnews/constitution/10396-president-obama-signs...


Since those messages, there have been many threats, many protests, and attacks from both sides of the coin. Anonymous has taken down government sites and members have been arrested. Most members evade arrest or harassment by using anonymity services on the Internet. Some of the ones that have been caught made a mistake such as connecting to an IRC channel without bouncing through proxies and encryption. Some have been caught when using a VPN service that logs traffic and actively works with Law Enforcement (LE), such as HideMyAss. A common LE saying is “You have to be lucky every time… I only have to be lucky once...” As we have already discussed, covering your tracks can be easy, but one mistake can make it to where everyone knows your name.

“On November 5th 2012 WE THE PEOPLE will march on Washington DC peacefully and unarmed to arrest all members of congress, the president, and all supreme court justices where they will be held without bond until a full independent investigation and trial have been completed. We must re-elect our government within 90 days in order to stave off unrest.” This did not have the effect some would have thought it would.

The scheduled Tyler leaks have come and gone with no real data leaks. If information was captured or stolen, it has not been given to the masses. However, threats have been made against the Department of Justice after the suicide of Aaron Swartz. In the aftermath of his death, a petition was completed “calling for the dismissal of Heymann” (the prosecutor). The White House is now required to respond.

“… Aaron Swartz was persecuted. Now Aaron Swartz is dead.

Tonight, the President of the United States will appear before a joint session of Congress to deliver the State of the Union Address and tomorrow he plans to sign an executive order for cyber-security as the House Intelligence committee reintroduces the defeated CISPA act which turns private companies into government informants.

He will not be covering the NDAA, an act of outright tyrannical legislation allowing for indefinite detention of citizens completely outside due process and the rule of law. In fact, lawyers for the government have point-blank refused to state whether or not journalists who cover stories or groups the Government disfavors would be subject to this detention.

He will not be covering the extra-judicial and unregulated justifications for targeted killings of citizens by military drones within the borders of America, or the fact that Orwellian newspeak had to be used to make words like “imminent” mean their opposite.

He will not be covering Bradley Manning, 1000 days in detention with no trial for revealing military murders, told that his motive for leaking cannot be taken into consideration, that the Government does not have room for conscience.

He will not be covering the secret interpretations of law that allow for warrant-less wiretapping and surveillance of any US citizen without probably [sic] cause of criminal acts, or the use of Catch-22 logic where no-one can complain about being snooped on because the state won’t tell you who they’re snooping on, and if you don’t know you’re being snooped on, you don’t have a right to complain.

We reject the State of the Union. We reject the authority of the President to sign arbitrary orders and bring irresponsible and damaging controls to the Internet…”

The list of high-value targets has just increased for Anonymous and their ilk.


File sharing is perfectly legal. The challenge comes when people start sharing files that someone else owns the copyright to. The other term you will hear over and over again is Intellectual Property (IP) ownership. Many of the file sharing sites that you will come across will have access to pirated movies, music, software, and other IP. In the United States, one of the biggest laws used against people who share movies and reverse engineer software is the Digital Millennium Copyright Act (DMCA). It is even used several times every year at DEF CON/Black Hat, when security researchers are about to give a presentation and the IP owners go to court for a gag order.

Security Research

Some people will leak vulnerability findings from their research or even make fully functional Proof of Concept (PoC) code (also called exploits) and release the information to the public. Two of the sites that deal with information release under the “public disclosure” mentality are Packet Storm Security and the Exploit Database. Whatever side you are on, these two locations have a plethora of information for both offensive and defensive usage, including source code for fully operational exploits. A lot of the PoC source code is functional and written for Metasploit. Metasploit is a penetration testing framework designed essentially as a point-and-click application to speed things up, which also allows script kiddies to exploit systems. Because of this, anyone who uses Metasploit can exploit any vulnerability that the framework supports.

The DMCA is not the end point for security. Many security researchers have gotten around it by using exemptions for educational use. There are exceptions to these exceptions. The U.S. Copyright Office published a document on Oct. 26 2012 specifying that “jailbreaking” a smartphone is deemed legal. The same rules do not apply to tablets or gaming consoles. This goes to show that intelligence does not dictate policies and law; money does. This will cause a little bit of difficulty for those in the digital forensics field. Two earlier cases took a different view:

“Atari Games v. Nintendo: The author does not acquire exclusive rights to a literary work in its entirety. Under the Act, society is free to exploit facts, ideas, processes, or methods of operation in a copyrighted work. To protect processes or methods of operation, a creator must look to patent laws.”

“Sega v. Accolade: the intermediate copying of the object code of a copyrighted computer program as necessary to disassemble the program to view its expression was a fair use under Section 107 of the copyright laws.”

“Viruses don't harm, ignorance does!” - VX Heavens. There are several sites that even specialize in viruses, worms, trojans, and other malicious logic. Most of these sites do not last long due to legal issues. VX Heavens even has the good old “Error 451: Unavailable for legal reasons” displayed.


The history of file sharing has been an ever-evolving and bloody one. From BBS systems to newsgroups to IRC to P2P, the methods have changed, but the mentality has not. One of the more common mediums used at this point is called BitTorrent. It allows several people to “seed” or share a file while others download bits and pieces from everyone who is hosting it. A person can create a torrent from a file or folder. Once the .torrent file is created and the data has been hashed so its integrity can be verified, the torrent is posted to torrent trackers. Many of the torrent trackers use the UDP protocol while others use an HTTP connection. Some of the sites even force you to make an account and upload the .torrent file manually. This minimizes the same data flooding the trackers. DO NOT TORRENT OVER TOR! Using P2P applications over Tor will DoS the network.
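The create-and-hash step described above, written out as an added Python example (it is not from the original guide and not the code of any BitTorrent client): the file is cut into fixed-size pieces, each piece's SHA-1 goes into the `pieces` field of the info dictionary, the bencoded info dictionary is hashed into the info-hash that trackers and magnet links key on, and every downloaded piece is checked against its advertised hash before it is accepted. The bencoder, the 100-byte sample file and the 32-byte piece length are constructed for the example.

```python
import hashlib


def bencode(value):
    """Minimal bencoder (constructed for this example) for the types a
    .torrent info dictionary uses: integers, byte strings, lists and dicts."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Keys must be byte strings emitted in sorted order; otherwise two
        # encodings of the same dict would produce two different info-hashes.
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(value))


def make_info_dict(name, data, piece_length):
    """Single-file info dict: 'pieces' is the concatenated 20-byte SHA-1 of
    every piece. The last piece may be shorter than piece_length."""
    pieces = b"".join(hashlib.sha1(data[i:i + piece_length]).digest()
                      for i in range(0, len(data), piece_length))
    return {"name": name, "length": len(data),
            "piece length": piece_length, "pieces": pieces}


def info_hash(info):
    """SHA-1 of the bencoded info dict: the identifier trackers and peers use
    (it is also what a magnet link's xt=urn:btih: field carries)."""
    return hashlib.sha1(bencode(info)).hexdigest()


def verify_piece(info, index, piece):
    """True if a received piece matches the hash the torrent advertises.
    A client must discard a piece that fails this check instead of writing it."""
    expected = info["pieces"][20 * index:20 * index + 20]
    if len(expected) != 20:
        raise IndexError("piece index %d out of range" % index)
    return hashlib.sha1(piece).digest() == expected


def check_download(info, received_pieces):
    """Verify a whole set of downloaded pieces; returns the failing indexes."""
    return [i for i, p in enumerate(received_pieces) if not verify_piece(info, i, p)]


# Constructed sample payload: 100 bytes in 32-byte pieces (4 pieces, last one 4 bytes).
SAMPLE_DATA = bytes(range(100))
SAMPLE_INFO = make_info_dict("sample.bin", SAMPLE_DATA, 32)

if __name__ == "__main__":
    good = [SAMPLE_DATA[i:i + 32] for i in range(0, 100, 32)]
    tampered = list(good)
    tampered[1] = bytes(b ^ 0x01 for b in good[1])      # one flipped bit in piece 1
    print("info-hash:", info_hash(SAMPLE_INFO))
    print("bad pieces (clean download):", check_download(SAMPLE_INFO, good))
    print("bad pieces (tampered download):", check_download(SAMPLE_INFO, tampered))
```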

On 30 June 2010, US government officials seized several file sharing domains, including tvshack.net owned by Richard O'Dwyer, for "violations of Federal criminal copyright infringement laws". Violating copyright or IP law is a big deal because the owners of the material, including the MPAA, claim that: “The industries contribute over $15 billion in taxes annually. The U.S. economy loses an estimated $25.6 billion per year, and an estimated 375,000 jobs per year, to criminal copyright infringement.”

The US risks losing its extradition treaty because of TVShack and this order… In simple terms, do not share material without permission from the IP owner. That is theft and is illegal. Do NOT break the law. This goes for the vendors and “victims” as well. Do not break the law…

The owners of the Intellectual Property that was claimed to be damaged have also caused damage and broken the law themselves. The Sony BMG copy protection rootkit scandal is a prime example of illegal activity in the name of anti-piracy while stealing code themselves. They claimed it was a self-defense mechanism to stop theft. Only recently have they felt backlash on another issue, being fined in the UK over the failed security policies which allowed LulzSec to steal customer data.

It is said in the dark corners of the Deepweb that other victims have also become the evil aggressors. The MPAA & RIAA have been accused of breaking the law over the years in the name of anti-piracy. The MPAA allegedly paid an Indian software company to perform a DDoS against The Pirate Bay.


The Pirate Bay (TPB)

TPB (“World’s most resilient tracking”) is a file sharing site that has survived many court battles. When visiting the site, you can find almost anything you want. The site contains some content that is considered IP theft, but some of the links are perfectly legitimate. TPB has two sites. The first one is currently at www.thepiratebay.se while the second has gone on to the Tor network and resides at jntlesnev5o7zysa.onion. The file links used to be .torrent files only, but the site has recently moved to magnet links, which reduce its accountability or “traceability” for hosting the .torrent files.

The documentary “The Pirate Bay – Away From Keyboard” (TPB-AFK) was released at the beginning of February 2013 and can be found for free all over the Internet. This includes the popular website it is named after.

* The movie can be seen in the resource section of www.informationwarfarecenter.com.


The website www.EZTV.it is another site that allows you to download files using a BitTorrent client. The files they specialize in are TV shows only. Some people that use this site will argue that it is NOT IP theft if they already pay for the license to watch the content through their cable or satellite TV. That side of the fight claims it to be “fair use” and the same as using devices like TiVo to record your show for later viewing.

“Section 107 contains a list of the various purposes for which the reproduction of a particular work may be considered fair, such as criticism, comment, news reporting, teaching, scholarship, and research. Section 107 also sets out four factors to be considered in determining whether or not a particular use is fair.

1. The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes
2. The nature of the copyrighted work
3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole
4. The effect of the use upon the potential market for, or value of, the copyrighted work”

- copyright.gov : FL-102, Reviewed June 2012

The hacktivist group Anonymous released a new evolution of peer-to-peer applications called Tyler for its own version of a 'WikiLeaks' project. “It will not be deployed on a static server. TYLER will be P2P encrypted software, in which every function of a disclosure platform will be handled and shared by everyone who downloads and deploys the software. In theory, this makes it sort of like BitCoin or other P2P platforms in that there is virtually no way to attack it or shut it down. It would also obviously be thoroughly decentralized.” “TYLER is a massively distributed and decentralized Wikipedia style p2p cipher-space structure impregnable to censorship” – anonnews.org. The program is named Tyler (after the movie Fight Club) and is part of Project Mayhem 2012: Dangerous Idea #1. The video released by Anonymous can be found at http://anonnews.org/press/item/1783.

The potential issues with Tyler come down to what is leaked. If it is governmental classified information, lives could be lost. Imagine a list of covert operatives active in a foreign country being leaked. This has happened in the past, and many lives were lost. Robert Hanssen is a prime example: he was a spy for the USSR working in the FBI, and because of the leak he is now spending life at a Supermax federal prison in Florence, Colorado. If it is economic/industrial espionage, the penalties are almost as severe. Sometimes the espionage isn’t as covert as some would think. In January 2010, the Chinese Chengdu J-20 stealth fighter jet was speculated by some to have been reverse engineered from parts of a US F-117 Nighthawk stealth fighter shot down over Serbia in 1999.

* At the end of January, 2013 there have been no big news releases about information leaked from Tyler.

Data warehousing and cloud computing are high value targets for such activity. The funny part is that file sharing groups are also taking to this medium with that exact mentality: spread the wealth and allow everyone access to the data.


Basic forensics

Forensics is the science (and art) of finding residual artifacts that prove or disprove that an alleged event occurred. Digital forensics, in a nutshell, is the method of string-searching a data container (a forensic image) with a tool that parses that data into a human-readable format. None of the tools seem to gather exactly the same information. FTK vs. EnCase, XRY vs. Cellebrite, or Wireshark vs. Microsoft Network Analyzer all come up with similar but different answers. Before you can start a forensic investigation, you need probable cause or a red flag to tell you what to look for. If there is no red flag, there is no scope.

For example: a manager at a large company does not like one of the employees. He asks the security team to investigate the individual’s personal laptop and corporate computer system. The manager then says “Just give the results to me for now”. There are no allegations of a crime or a policy violation. At this point, any analyst that continues to hack the personal laptop is possibly breaking the law. As for the corporate system, there are possible harassment charges, hostile work environment complaints, and a stalking case that can be pursued by the victim against the manager, analyst, and company.

An example of a legitimate investigation: an incident response team notices an alert that a system is downloading inappropriate material from the Internet. This is clearly a violation of the security policy that all employees signed and acknowledged (each employee went through training that explained the policy, along with annual refresher training). Physical security, along with Human Resources, walks to the employee’s cubicle and removes the system for a forensic acquisition and analysis. After a quick investigation, it is found that there were tens of thousands of policy violations on the system. During an interview, the employee admits to the activity and is released from employment. This real world scenario is a common one. If the employee’s personal laptop was found, the company would need the employee’s consent to access it. They could then call law enforcement, but this is where it becomes a blurry line. If the employee does not give consent, probable cause is needed for law enforcement to move forward. If this does not occur in a “work at will” state, the employee may still have recourse if the policies were not perfect, were not enforced uniformly across the entire organization, or training was not provided. They may have civil and criminal recourse if their personal system was touched.

This is where jurisdiction becomes a trickster. In the United States, there are many laws on the books that protect the citizen against unreasonable search and seizure. Then it comes down to what the definition of “is” is… or what exactly is deemed “reasonable”. This has changed for some since September 11th, and the term “terrorism” has been used as “reasonable”. Many times these have been proven to be unlawful wiretaps, searches & seizures, and arrests (EFF v. FBI).

For as paranoid as I may sound, I know what is out there and how much data can be captured. I capture sensitive data all the time when I am working as a penetration tester or a forensic analyst. To put a spin of reality on it, it comes down to money, time, need, and other resources. The more data you capture, the more likely a false negative (a real threat that goes unnoticed) will slip by unless you hire more analysts. Any way you look at it, you need to know what you are looking for before you start or you will be wasting valuable resources.


Post mortem disk forensics

This is after-the-fact forensics: the system is shut down. The probable cause has been tripped; you seize the computer and make forensically sound copies of the hard drive for further analysis. The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. If you delete a file, there is a possibility of recovering it years later. There are a lot of variables in play here, but if a suspect is breaking policy or the law, there is a good chance there may be artifacts of that activity on the system (computer, tablet, phone, game console, etc…).

META information (metadata) is the data stored in a file between the header (the first few bytes) and the meat of the file. Graphics, Office files, and a lot of other files have this META data. For example, a lot of graphics have an extra section of META called EXIF. This is usually inserted into pictures taken with a phone or a camera, and by some editing applications such as Photoshop. Midrange and higher cameras add serial numbers. Phones with location services can even add the GPS location where the picture was taken. This is prime intel for stalkers and undesirables, and an example of why one should watch what they post online.
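The EXIF GPS section described above, as an added Python example that is not from the original guide: a small reader that walks a JPEG's APP1/Exif segment (TIFF header, IFD0, GPS sub-IFD) and turns the degree/minute/second RATIONALs into a decimal position, plus a stripper that drops the APP1 segment before a picture is posted. The sample JPEG is constructed inline with a fixed 38°50'N 104°49'W fix; it is not a real photo and carries only a stub scan segment.

```python
import struct

EXIF_PREFIX = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004   # GPS sub-IFD tags


def iter_segments(jpeg):
    """Yield (marker, payload) for every marker segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):     # SOS or EOI: no more metadata segments
            return
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _gps_from_tiff(tiff):
    """Walk IFD0 -> GPS IFD; return (lat, lon) in decimal degrees, or None."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    u16 = lambda off: struct.unpack(endian + "H", tiff[off:off + 2])[0]
    u32 = lambda off: struct.unpack(endian + "I", tiff[off:off + 4])[0]

    def read_ifd(off):
        # tag -> (type, count, offset of the entry's 4-byte value/offset field)
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8)
                for e in range(off + 2, off + 2 + 12 * u16(off), 12)}

    ifd0 = read_ifd(u32(4))
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(u32(ifd0[GPS_IFD_TAG][2]))
    if not all(tag in gps for tag in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def dms_to_degrees(tag):
        _, count, field = gps[tag]
        if count != 3:
            raise ValueError("expected 3 RATIONALs (deg, min, sec)")
        off = u32(field)                   # 24 bytes never fit inline: field is an offset
        deg, minutes, sec = (u32(off + 8 * k) / u32(off + 8 * k + 4) for k in range(3))
        return deg + minutes / 60 + sec / 3600

    def ref(tag):                          # "N\0" etc. is stored inline in the value field
        return chr(tiff[gps[tag][2]])

    lat = dms_to_degrees(LAT) * (-1 if ref(LAT_REF) == "S" else 1)
    lon = dms_to_degrees(LON) * (-1 if ref(LON_REF) == "W" else 1)
    return lat, lon


def parse_exif_gps(jpeg):
    """Return the GPS position from the JPEG's APP1/Exif segment, or None."""
    for marker, payload in iter_segments(jpeg):
        if marker == 0xFFE1 and payload.startswith(EXIF_PREFIX):
            return _gps_from_tiff(payload[len(EXIF_PREFIX):])
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its APP1/Exif segment; the image data is untouched."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, payload in iter_segments(jpeg):
        if not (marker == 0xFFE1 and payload.startswith(EXIF_PREFIX)):
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
        pos += 4 + len(payload)
    return bytes(out) + jpeg[pos:]          # SOS header, scan data and EOI verbatim


def build_sample_jpeg(lat_dms=(38, 50, 0), lon_dms=(104, 49, 0)):
    """Constructed sample, not a real photo: SOI, an APP1/Exif segment whose GPS
    IFD records 38°50'N 104°49'W, a stub SOS segment and EOI (big-endian TIFF)."""
    entry = lambda tag, typ, count, value: struct.pack(">HHII", tag, typ, count, value)
    rationals = lambda dms: b"".join(struct.pack(">II", v, 1) for v in dms)
    inline = lambda s: int.from_bytes(s.ljust(4, b"\x00"), "big")   # short ASCII value
    # TIFF-relative layout: header 8 | IFD0 18 (-> 26) | GPS IFD 54 (-> 80) | rationals
    gps_off, data_off = 26, 80
    ifd0 = struct.pack(">H", 1) + entry(GPS_IFD_TAG, 4, 1, gps_off) + b"\0\0\0\0"
    gps = (struct.pack(">H", 4)
           + entry(LAT_REF, 2, 2, inline(b"N")) + entry(LAT, 5, 3, data_off)
           + entry(LON_REF, 2, 2, inline(b"W")) + entry(LON, 5, 3, data_off + 24)
           + b"\0\0\0\0")
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_PREFIX) + len(tiff) + 2) + EXIF_PREFIX + tiff
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\x00" * 4             # stub scan data
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"
```

`parse_exif_gps(build_sample_jpeg())` returns the embedded fix, and `parse_exif_gps(strip_exif(...))` returns None, which is the check to run on anything before it leaves your hands.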

Some of the information that can be found:

- Browser history
- Email / Webmail
- Documents (PDFs, spreadsheets, videos, pictures, intellectual property, etc.)
- Physical locations (GPS)
- Programs (malware, hacker tools, pirated software, etc.)
- Basically anything that touched your hard drive.

Live system forensics

This is related to incident response, or “live” forensics. The probable cause has been tripped; you go to the system to dump memory and look at processes and current connections. Memory is extremely volatile: if the system powers down, it can be lost forever.

The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. Almost all of the devices that would be investigated post mortem (computer, tablet, phone, game console, etc…) can benefit from live analysis as well. It just depends on what you are looking for. If the person has encryption of data at rest, or “disk encryption”, you may have to capture the memory before shutting down the computer or you will not be able to decrypt the hard drive.

Some of the information that can be found:

- Passwords and keys (disk encryption keys, file passwords, etc.)
- Secure browsing (web browsing, email, chat, etc.)
- Programs (hacker tools, pirated software, etc.)
- Malware (rootkits, trojans, worms, viruses, botnets, etc.)
- Basically anything that touched your volatile memory.


Network forensics

To break it down, data is data… If a suspect downloads illegal pictures or movies, that data is broken up into smaller pieces and transferred to the system. It is then rebuilt for the user to access. If you were to record the network traffic, every file transferred could be rebuilt on any other system.

Let’s use an example: John Doe downloaded a .PDF file containing classified information to his personal laptop at a hotel. He had the need to know, but forgot to use an encrypted connection or VPN. The traffic was being monitored through “deep packet inspection” or “packet sniffing” and saved to a file. Later, the person that captured the transmission ran a simple program called “NetworkMiner” and carved out the .PDF with very little effort. Later still, the classified document was leaked to the press, and John Doe got blamed for the leak since there was a unique identifier in the META section of the file that connected it to his user ID.

The scenario above is very realistic and happens all the time. Most public services offer unencrypted and unsecured wireless access. This means that any fourteen year old can read your email as you are downloading it if you are not using encryption. Even if you are using encryption like SSL, programs such as “Dsniff” and “Cain” can start a man-in-the-middle attack and spoof the SSL certificate. This would cause the average user to assume that they are safe when in fact every SSL packet they send is going through an attacker’s system and being decrypted before being forwarded on. If you EVER get an SSL certificate error when going to a website, call and report it to security. There are ONLY two things that cause this… The first is that a bad guy is hacking your connection. The second is that the system administrators are not doing their job and need to fix their mistake, especially if you are using a smart card (it is usually the second)…

If you are lucky enough to have full packet capture on your network, as mentioned before, you can rebuild everything. The simple reality is that most organizations do not want to spend the resources. It is very expensive. Imagine a network of twenty systems each downloading ten gigs in one day. The normal noise of the network along with the download sessions would be well over two hundred gigs. That would then have to be stored for analysis, which is where the cost comes in. That is why most organizations do not log everything. They only log the red flag events.
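The rebuild-and-carve step behind the John Doe scenario and the full-packet-capture paragraph above, as an added Python example that is neither NetworkMiner's code nor part of the original guide. It also serves the post mortem disk forensics section: the same signature scan that carves a PDF out of a rebuilt TCP stream recovers deleted PDFs from unallocated space on a disk image, because the bytes stay on the drive until overwritten. The TCP segments, the PDF and its /Author field are all constructed for the example.

```python
import re

PDF_HEAD, PDF_TAIL = b"%PDF-", b"%%EOF"


def reassemble_stream(segments):
    """Rebuild one direction of a TCP conversation from (seq, payload) pairs.

    Segments may arrive out of order or be retransmitted: a copy of a byte
    range already seen is dropped. A hole in the capture raises instead of
    being zero-filled, because a silently patched stream would carve a file
    whose hash no longer matches the original."""
    segments = sorted(segments, key=lambda s: s[0])
    base = segments[0][0]
    out = bytearray()
    for seq, payload in segments:
        offset = seq - base
        if offset < len(out):                   # overlap / retransmission
            payload = payload[len(out) - offset:]
            offset = len(out)
        if offset > len(out):
            raise ValueError("capture has a %d-byte gap at stream offset %d"
                             % (offset - len(out), len(out)))
        out += payload
    return bytes(out)


def carve(blob, head=PDF_HEAD, tail=PDF_TAIL):
    """Signature-carve every head...tail object out of a byte blob.

    The blob can be a reassembled stream, raw packet payloads, or the
    unallocated space of a disk image. Returns (files, truncated): a header
    with no trailer is counted as truncated rather than returned as a file."""
    files, truncated, pos = [], 0, 0
    while True:
        start = blob.find(head, pos)
        if start < 0:
            return files, truncated
        end = blob.find(tail, start)
        if end < 0:
            return files, truncated + 1
        end += len(tail)
        files.append(blob[start:end])
        pos = end


def pdf_author(pdf):
    """Pull /Author out of an uncompressed Info dictionary (the identifying
    field in the John Doe scenario). Real PDFs may keep it in a compressed
    object stream or as a hex string, which this simple regex does not cover."""
    m = re.search(rb"/Author\s*\((.*?)\)", pdf)
    return m.group(1).decode("latin-1") if m else None


# Constructed sample PDF (not a real document) with an Info dictionary.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog >> endobj\n"
              b"2 0 obj << /Author (jdoe) /Producer (constructed sample) >> endobj\n"
              b"trailer << /Root 1 0 R /Info 2 0 R >>\n" + PDF_TAIL)


def sample_http_segments():
    """Constructed capture: an HTTP response carrying SAMPLE_PDF, cut into
    40-byte TCP segments, delivered out of order and with one duplicate."""
    stream = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
              + SAMPLE_PDF)
    segs = [(1000 + i, stream[i:i + 40]) for i in range(0, len(stream), 40)]
    return [segs[2], segs[0], segs[1], segs[1]] + segs[3:]


def sample_disk_dump():
    """Constructed slice of unallocated space holding two deleted PDFs."""
    return (b"\x00" * 64 + SAMPLE_PDF + b"\xff" * 30
            + SAMPLE_PDF.replace(b"jdoe", b"asmith") + b"\x00" * 16)


if __name__ == "__main__":
    files, truncated = carve(reassemble_stream(sample_http_segments()))
    print("carved from stream:", len(files), "author:", pdf_author(files[0]))
    files, truncated = carve(sample_disk_dump())
    print("carved from disk:", [pdf_author(f) for f in files], "truncated:", truncated)
```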

Network forensics also covers viewing logs from network devices such as routers, intrusion detection systems, firewalls, systems, etc… Each computer has a hardware fingerprint (MAC address) and an Internet fingerprint (IP address). These can be traced back in several ways to the owner. The website arin.net, or the American Registry for Internet Numbers, is a good place to start.

Some of the information that can be found:

- Passwords and keys (email, bank accounts, etc.)
- Internet activity (web browsing, email, chat, etc.)
- Files downloaded (hacker tools, pirated software, etc.)
- Malware (rootkits, trojans, worms, viruses, botnets, etc.)
- Cyber-attacks (denial of service, buffer overflows, SQL injections, known bad IP addresses, etc.)
- Basically anything that touched your network.


Intellectual Property forensics

Sometimes the easiest way to find out who is sharing your data is to download your data from them and look at the remote MAC and IP addresses. Find out who owns it, then get a court order for the owner of the IP address to give the information for the user associated with it in that time frame. This is where jurisdiction issues become a nightmare. This is also why the bad guys are using someone else’s Internet access or using proxy and VPN services.

Methods used in the past by Intellectual Property owners that have themselves been illegal include the rootkit that Sony distributed and the loose keyword searches used by the music industry to automatically trigger lawsuit threats. Be careful of trying to attack the attackers, because most of your targets will probably be victims.

Hidden service forensics

We are going to take a look at the Internet underground from the other side of the coin. In networking, everything leaves a footprint or a digital fingerprint, even when the information goes through networks like Tor. If your organization has enough resources, you can set up a large number of Tor onion routers to act as both “exit relays” and “non-exit relays”. What this means is that some of the routers can be set up as the original entry/exit points to the Tor network. The others will be encryption/decryption pass-through gateways inside the Tor network.

After the routers are set up, it will take time and a lot of data analysis. The biggest challenge is getting the traffic to go through your systems so you can capture the data. This is where the numbers game comes in, along with a boatload of patience. The entry points can glean the origination or source of the person using the client or hidden service. From the non-exit relays, everything is encrypted in layers through the Tor network; you will not be able to see the raw traffic unless you control the layers.

Anti-Forensics

In the end, anti-forensics is nothing more than trying to make it harder for the analyst. As you have read throughout this document, there are many anti-forensic methods. Some will make it almost impossible for evidence to be found.

Methods used individually or in combination to hide or destroy evidence:

- Editing timestamps
- Editing logs
- Overwriting data or drive wiping
- Encryption of data, disk, or network traffic
- Spoofing physical MAC address
- Internet theft (using someone else’s Internet)
- Bouncing through anonymizers (NAT, proxy, SSL, or VPN servers)
- Using live Linux CDs
- Air Gap (bouncing protocols or communication mediums)


Now we will tie many of our previous examples together and add a small twist. An easy way to communicate covertly with someone you already know is to set up an email account and then share the account with the others in the group. Now we are going to apply this to the Internet underground while making it almost impossible for anyone monitoring you to conduct a proper investigation.

Steps to follow:

1. Use a live custom Linux CD
2. Change the MAC address
3. Connect to the Internet
4. Connect to a VPN service
5. Route through a proxy with an AES 256 bit tunneling client
6. Connect to Tor
7. Set up a TorMail account
8. Share the username and password with those you want to correspond with
9. Only use the email account to write messages and then save them as a draft
10. Only use the live Linux session to use the email

The steps above can be automated through the use of scripts so anyone can use it. For example, suppose your organization is a news agency with journalists on the ground in a hostile region. Most of the reporters will not have advanced computer knowledge, but could carry around a business-card CD or thumb drive. All they would have to do is insert it in a computer and boot it up. You could have someone customize a Linux distribution to spoof the MAC address, connect through all of the encryption tunnels, and start a browser in a “safe browsing” session. There are of course several factors to consider, the biggest being how to connect to the Internet (wireless, cell, phone line, etc…).

P.S. Your connection speed is only as fast as your bottleneck (slowest segment). The more hops or connections you go through, the slower your connection will be.


This document has covered several aspects of the Internet Underground, including the Who, What, When, Where, How, and Why. Knowing the basics of the Internet (Surfaceweb, Deepweb, and Darknet) gives a solid baseline for securing your position. It helps with investigations into such communications if crimes have been involved, and it also gives you the framework to use these same methods yourself for secured communications. Using encryption is not illegal yet, and it is ALWAYS a good idea when used in moderation. You never know who is watching. It could be your employer, your government, or your government’s enemies. “Big Brother” may just be a bored fourteen year old running the newest version of BackTrack.


Resource Name                   Location
4Chan                           4chan.org
Anonymous News                  anonnews.org
Anonymous Operations            anonops.org
Archives.org                    archives.gov
Black Market Reloaded           5onwnspjvuk7cwvk.onion
Copyright Office                copyright.gov
Cornell Law                     law.cornell.edu
Exploit Database                exploit-db.com
EzTV                            eztv.it
Hack-DB                         hack-db.com
House.gov                       rules.house.gov
I2P Project                     i2p2.de
Information Warfare Center      informationwarfarecenter.com
Infosec Instructor              infosecinstructor.com
Infragard                       infragard.org
ISSA                            issa.org
Packet Storm Security           packetstormsecurity.org
Silk Road                       silkroadvb5piz3r.onion
The Library of Congress         loc.gov
The Pirate Bay                  thepiratebay.se
The Tor Project                 torproject.org
Torrent Freak                   torrentfreak.com
U.S. Copyright Office           copyright.gov
Xssed                           xssed.com
Zone-h                          zone-h.org


Jeremy Martin is a Senior Security Researcher that has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and Federal Government agencies. He has received numerous awards for service. He has been teaching Advanced Ethical Hacking, Computer Forensics, Data Recovery, SCADA/ICS security, Security Management, and more since 2003. As a published author he has spoken at security conferences around the world. Current research projects include SCADA security, vulnerability analysis, threat profiling, exploit automation, anti-forensics, and reverse engineering malware. In a past life, he was also a freelance artist.

Credentials: CISSP-ISSAP/ISSMP, CISM, NSA-IAM/IEM, CHS-III, CEI-CHFI/CEH/CNDA/ECSA/LPT, A+/Net+/Security+/Linux+, LPIC-I, CPT/CEPT/CCFE/CDRP/CASS/CSSA/CREA, ACSA, Novell CLA, CDCS, etc…

Board of Directors for Infragard, Denver Chapter (2006-2009)

CHS officer of American College of Forensic Examiners Int’l (2005-2008)

Advisory Board for the Business Espionage Controls and Countermeasures Association

Published work used in post graduate courseware. Also contributing editor for Blacklisted 411, Engine Builder, EthicalHacker.net, Hakin9, IQ Magazine, Successful Dealer, and The Business Espionage Report (TBER)

Editors: Amy Martin, Todd Adams, Andy Alford

Copyright © 2013 Information Warfare Center, LLC All rights reserved.

www.informationwarfarecenter.com
