Common Darknet Weaknesses

hello everyone my name is Aiden Crenshaw and my presentation for today is a darknets and overview of a tax strategy first of all a little bit about me for anybody who hasn't been for my presentations before I'll make this brief I my name is Aiden Crenshaw I've an iron geek.com I have an interest in InfoSec education I don't know everything I'm just a geek on my hands it's possible I get a few things wrong if so let me know I'd be interested in knowing that technical details of what exactly is going on and how many regular on the ISDN podcast usually every Thursday I'm also a researcher pertinacity Institute alright a little background first of all what technologies is this talk with me about darknets does like a million definitions but my particular one is essentially anonymizing networks generally speaking the use encryption and proxies or systems of several nodes where you cascade through them to hide who's actually who who's communicating with who on a network does sometimes also referred to as cipher spaces which I can't like this term better dotnet means didn't things did people like sometimes people use it to dark net but it mean only friend a friend not necessarily a general open cyberspace for anybody can connect like Torres or I HP is however inside each one of those networks you could possibly have a dark net in the other sense where the only friend a friend Allison got met in the broader sense of tour in general ITP in general and so forth and I just use the term tour and I can pee a lot here those are the two dog net something we talking the most about it's a bunch of ones that have been you know cooked up by academia but these two seems they've got her major deployment so total bid ones I'll use whenever I need up user an example we seen to my knowledge of the two biggest uh contenders out in this particular space and I say contenders they're not necessarily in competition they both have slightly different focuses which will go and do here and it a few 
notes a lot of stuff gets subtle a lot of the attacks get subtle and getting them to actually function might be a crapshoot a terms vary from researcher to researcher so you'll go out there and read terms in academia like okay what do you mean by this like I'm pulling up the term civil and sock puppet I be more familiar the term sock puppet other people tell us are looking into research in academia I never heard the term civil becoming that here in a bit maybe these weaknesses are interrelated and sometimes one weakness can be used with another weakness to greatly amplify the attack and be able to get past some ones at a minute and I'm gonna D and this bunch of anonymous and it hooks out there just to name a few here's a few more makes Tarzan mixing in here and so forth but like I said I keep eating tour the two I pay the most width and they seem to have the most foothold also I'm gonna try to go more real wall with some of these attacks we could actually be used with some of the academic stuff I will be talking about traffic analysis attacks but uh I really think application level attacks is probably where the biggest risk is to anybody using one these networks uh threat model you can't protect against everything I mean the fit if I thought it's not gonna protect you from someone seeing your house looking over your shoulder at your monitor that's just the way it is and it's not gonna protect you necessarily depending on the darknet from a state agency that could actually in theory get ISP records from all ISPs in the United States or let's go of a smaller country nice think that gets a lot more difficulty got me difficult it's not going to get in that kill switch in the United States a lot harder than it is in the country like Iran but depending on who your adversary is there's doing threat models you know some protocols to initially a lost cause I would talk about that here in a bit most of the people who are using these documents are using HTTP based protocols 
but Dahl things and some of these protocols like victoy unless you do some heavy modification yeah that's kind of a lost cause but some users may end up doing things to reveal themselves for instance tours model if you go out and use with protocols that give away your identity or you use the same name on tor hidden services as you do on the public Internet it's not nothing that is going to protect you or if you allow six billion different plugins in your browser you stop sniffing around websites with tor there's no guarantee that's going to protect you also different text and give different levels of information some just give details about a the client host who it is the IP address and if you have the IP address true IP address you can find more information sometimes it just reduces to an amenity set but I mean by this is it reduces the totem of people it could possibly be like you may not instead of being it's an IDP user you might say it's an IEP user in Indiana that's a good example of reducing someone's an amenity set or possibly because of the posts they make and the things they say all the time they make it you can get an idea of where in the world they are there's also active versus passive attackers attackers you can actually sit there and mess up the network to be able to find out more information passer tackles do people who are just sitting significant traffic but don't necessarily modify it location Location Location this cat goes with no active versus passive where up someone's inside the network already and seeing traffic or the outside of it like let's say the ISP adversaries of course vary by power those nation states like I mentioned before depending on how draconian the laws are that particular country that makes a huge difference also the size of infrastructure presence Western democracies we Paul a whole lot safer than in some other countries government agencies have limited resources depends on what they have it means they have the power in 
theory to maybe get a term might be subpoena to say I give me all your records this is t email directors from this is P can you oughta wake up some this is P to figure out well this traffic's bouncy through then I'm not sure that be able to necessarily track it all down could be someone with who runs an ISP or could be someone else runs a whole lot of nodes I'm gonna talk about Sybil and sock puppets later on to give you a quick overview what that is though essentially someone controls more than one node in the network and it can start having those nodes collude to find out more information just in private interest groups might be interested for instance our iwi and MP double-a these people generally aren't going to be able to you know get a tap on your internet connection directly and it does uh people like me schmuck some extra time in the hands now I written into a my last aid talk a whole lot more in the dark nets I'm gonna go briefly covered two major ones toward a GP just so the rest of slides make some kind of sense most people give you no diagrams with the circle here circle here of lines between them I don't like to do that I like doing something a little bit more whimsical so this is my idea of a node diagram for tor essentially you have something that bounces around the network you have by default in a tunnel you have let's say free hops let's say this is you right here you might talk to the directory server it would give you different total routers you can go through you make a connection to one make a connection to another make attention to a third one and you make the connection through the circuit that way they don't know who you originate from and as a level encryption here a level of encryption here and 11 encryption here which I'll explain shortly essentially it's called The Onion Router tour because it has layers just like an ogre think of Chinese nesting dolls IPP is a little bit different i QP you have one directional tunnel so you have n 
tunnels and out tunnels you may have multiple ones and you're in tunnel while you're out tunnel eventually goes into someone else's in tunnel but let's say this is the server this is my client here I could be going through and out my out tunnel back into someone else's in tunnel they set the link of this tunnel I set the length of that tunnel ITP allows you to make compromises between like latency and Emma meditating obviously the longer the number of hops you have probably the more anonymous you're going to be the longer or take and all traffic duck comes back in a different direction this makes some traffic mouse attacks a whole hell of a lot harder at least for my personal feeble attempts there's Polly government agencies that have much better handle on this and I've got at least one would assume but these one-way tunnels complicate things greatly as far as doing traffic analysis by the way I'll click over traffic analysis here in a bit but you say you don't know who said it's been in the military committee of signals intelligence you don't know what the traffic is you know this person at this base just in a bunch communication to these folks these folks start moving Eva don't know that communication was it tells you something well in traffic analysis since you're watching the traffic even it's all encrypted to figure out who's talking to who timings and other things that could possibly reveal information I have to P differs from toward a few ways though toward generally speaking you're supposed to connect it to connect to a some website out in the public Internet there's simpler tor hidden services where you can hide something inside the talk cloud I hate the term cloud but it's semi applicable here well iqp you can't Fox you out to the public Internet but only if someone provides an out proxy generally speaking it's focus is get in service text functions um so you have friends eat sites or a type of service that you can hide inside ITP that is a website but 
you can also hide other protocols like an IRC and whatnot also it later sings a little bit different and one of its big focuses is a be distributed I'll talk a bit this in a little bit maybe will actually let me see if I can uh get back a second underneath my tour slides you notice how short talking to a directory server this directory server is controlled by the folks that create the Tor project and other people can actually fork tour and make their own subtour networks after a fashion if anybody has an iron key they have their own tour based network but since you have the central bit of infrastructure someone has control over it if someone takes that the strategy server that costs issue well I think you want to avoid that so it tried to be very distributed iqp like TOA also has model levels of encryption since at any time you have least three levels of encryption you know essentially in the end between this participant in this participant they're trying to communicate and also on the tunnel level on in and out and also between each and every single hop so in theory no one but the endpoint and exit point can see what the traffic is supposed to be now here's my silly gloating animation essentially the way gothic reality this is what I GP does I just play a little bit about Onion Routing a little bit ago to house like Chinese nesting dolls it's similar in a GP essentially the match each one of these levels like a lair is stripped on a put-on and then let me back this up a little bit it sends something out to the exit point or the end point of a tunnel and that might get sent into someone else's in tunnel so this because it's going out to your particular out tunnel maybe it's going into muggle dipping in tiles unlike tole we have one single circuit once that hits the end of a tunnel I'm understanding the different cloves and this is why it's called garlic each clove of that piece of garlic could here we go okay you go to this particular endpoint of this other in 
tunnel you go to this one you go to this one once again confusing the living hell out traffic analysis but that's essentially how I keep eating toward differ now will actually get into some common weaknesses these are going to be semi nonspecific but just to give you an idea if you have a look at the literature some of the attacks that are out there against these anonymizing networks but would make give me a gauge for the crowd how many people have ever used tor okay how people have ever used ITP I need to change that I hear you have good day good I just reduced is that a diamond that he said ah tor has a whole lot more foothold but I - piece of fun fun to spoil so how do I make people give it a chance but this first one is going to be more toy centric it's about untrusted exit points essentially where untrusted exponent is anybody could be comment or about it so if I wanted to come and tour out at my home I'm this set myself up as an exit point and well some job will be routed through me and some I'll be the X point and be the out spot where traffic just comes through me and it goes out so public Internet the problem is depending on the traffic descending then I'd be unequipped if it's encrypted throughout the entire Tor network but once it hits me and on the exit point I can look at the data now if they're using an extra level crypts on top of that like visiting the site using HTTPS that's that's much better audio still people who could use a Maxime on spikes SSL strip and possibly cause confusion there so it depends on how much you trust that exit node an optimum for incidents there besides just looking at the traffic that's going out the exit point the person could be modifying it also so mething someone sets up an exit point on tour that injects malware and whatever pages you are viewing completely possible or to conject other things that can reveal your identity which I'll talk about here in a bit that's actually the incidence of this select those diab I 
don't have Branson's last name dead Dan a ghost at he did some call up people uber footed as two embassy hack a while back back in 2007 but since that you said some tour exit points or least one and a bunch of people embassies they don't want the government of the country they were in to be spying on them so he said good we use tor and that was secure as it gets out of the country which is true but they were using a non equipment protocols for instance pop3 without encryption so they were sending a username and password and since the in plain text once it hit that exit point so the guy went an exit point Dan in this case sit down sit the traffic this could also be web traffic this could be tons of different things another example or through examples of a plain text protocol so those don't know these are protocols that there's no encryption by default then the passwords might be passed in clear text or in an easily reversible format like a base64 pop3 SMTP HTTP basic authentication etc etc etc also a Moxie Marlinspike with a SSL strip like I mentioned before was doing something similar this if you set up an exit point and use this user using HTTPS this tool would sit there and go oh I'm going to be the back YouTube HTTP if you're not seeing up paying attention to what it says in your url you could very well give only I apologize for the incredibly uh unused friendly URLs in here if anybody wants to slide up to the presentation just let me know okay to give you a quick video illustration of how these uh untwist X nodes work let's say you want to send some traffic so this guy down here in the bottom left hand corner is our client he's trying to contact the web server way over here and let me get that back up alright which one these machines you think is the bad actor which one's evil the one of the goatee of course you'll need to watch motional trick anyway so at merck about layers of encryption well with the first hop a layer gets stripped off gets the next hop later 
stripped off gets next hop legged stripped off so it's encrypted throughout the entire way but each point only knows the person who just send it to them so that no one knows both the contents in theory both the contents and the original person who sent it in so that gets sent out the exit point but at that point it's in clear text the guy can sit there look at it sniff it modify it send it back the modify that the send it back is where I was mentioning some attacks can be put together for a really big effect we'll get that in a second ah mitigation toys am the mini and I'm really which tables of as I can't pronounce it not necessarily security if you use Indian protocols that aren't necessarily encrypted the guy had exit points gonna be SEO traffic just like if he was sitting on your local area network at least as far as anything going through tour is concerned so don't use plain text protocols you said it's Indian encrypted also if you're simply using a password across these protocols you're not goin on amiss are you especially these people sort of thing gets me about I I have a hold over top an anonymous and now this is something different now than what it was or some people consider it if you're using a username like I use iron geek if you use that in both your anonymous or pseudonymous setting and the public internet it kind of defeat the purpose there's now haven't you so people who have sinned a public email addresses through tor network yeah not so good I some of a common attacks DNS leaks and various other protocols and application level problems block you talk about traffic analysis and it's neat stuff in the signals intelligence standpoint but I really think this is where people will get bit okay an overview does all the traffic go for the proxy fine you're using a dotnet everything's encrypted it's going through multiple hops so no one really knows who's talking to who but what if you're not sending all of your data through tale whether there's something 
about the protocol that's not quite right and it's sitting stuff outside the dotnet a common example is DNS link so I'll illustrate here in a second let's say let's say I'm using tor to visit a sec maniac so I'm missing SEC maniac and I've got comm correct I'm visiting that and I'm like okay I'm secure all my traffic to him is encrypted it's encrypted back but I don't want people to know that I'm visiting his site well if there's a DNS leak they might know I have to see my traffic for tor but if my machine saqqaq a bigger bag it could be asking the DNS server hey what's ID address of Dave's box even I'm not using it and it's still asking the question my ISP knows a visiting Dave site they may not know what I'm looking at but that's still information if you're visiting the toilet and service or an IP each site same thing don't be some string of characters dot I GP or dot onion and if you're not configured right those hidden service will be reported to that DNS server which I'll illustrate in a second there's other ways things can be leaked as well though yes we see the stuff bONIES yes you see stuff needs to be reported my little call me copyright infringement yes yes thank you you for that to them are they going to be able to get to that side or is that something it's ever change depending on if they use some of the weaknesses I have any slides and the person they configure the civil right and a bunch of a little if it's possible to trace the stuff down but there's no one answer to say yes you can't find it but yeah basically it's really hard to report and you can report it that doesn't mean they can do anything about it or easily do anything about it so basically you map make sure that the dot is configured and you go find when we talk in kind of the dual purposes here I'm talking in some senses by how to protect yourself using a dominant for an immunity and how to catch someone who's using one I find the whole interplay kind of like a game of chess where one side 
tries to outsmart the other so I'm kind of preaching to both sides here I just think the atopic isn't interesting ah a snippet can also use web bugs depending on how you have your proxying set up for instance let's say you have your browser set to send all HTTP traffic food tour or ITP but you forget about HTTP or possibly I don't know FTP if for some reason if there was a browser bug an FTP wasn't automatically sent food whatever the default box II was that would be an issue because the person could use that to embed a link inside a web page Eva a webpage day on or possibly by injecting if they're the exit point and find out who you are I have some coalescing examples of web bugs but since your web blog is like let's say an image you put on a web page and in where that image is fetched that IP is reported to inverse of information is reported to the server that's hosting that web bug you can use that kind of thing for tracing people down HTTP is a good example I'll show cuz I screwed up this configuration before we're using a ITP but there's other application level stuff that can be a problem javascript also is pretty hosed go out there and check out Greg Lea flashes Def Con 17 talk and basically makes you go yeah javascript was a bad idea from the very beginning as far as a security is concerned especially an amenity in this case let's talk about DNS leaks for a second here we have a DNS query let's say that some dot onion address or ITP or even a sec maniac even though all my traffic going through the network from here to here might be encrypted backup even though all that might be encrypted that doesn't necessarily mean that it can't this person doesn't know who I'm visiting not to say what I'm doing but they know who I'm visiting that could be bad enough ah a few ways of mitigating these kind of problems push them to show up in tort lease make sure you not watch this move toy and IGP mount put a sniffer and use a Limpy cap filter like a port 53 to find Olfa 
tcp and UDP packets they'll leave it on 53 and see if anything any kind of a name resolution traffic is leaving that should in theory if toys configured value ice please configured byte you're not going to see that traffic hopefully uh if you're having some problems one thing you might want to make sure at least in Firefox go in there and make sure that this particular setting in about config is set to true so it knows to use DNS through the Sox connection through the proxy this gets a lot more complicated in other and other protocols like what you have to configure this in like an IRC client to make sure it does name resolution at varies from IRC client IRC client same thing to secure shell you can do this cure shell to a box over dark net but you better be damn sure that you have that proxy setting set correctly tor button should help one of the I'm use tour or iqp generally speaking I use a tor browser bundle and then this configure it so I can swap actual from both of them and the tor browser bundle has various settings already done for you to help with an amenity basically stripping out certain information that might be returned by a browser user agent stuff a screen resolution stuff I believe don't use a bunch of plugins that's another big one other applications vary of course you may also want to try just by walling off port 53 to make sure it can't go anyplace and then the only way out of that particular box is the proxy also with tor one things you can do is you can actually set up a local DNS server on your box and then if you're worried about a DNS traffic going out you can point your local machines DNS over the point to localhost and it will resolve everything automatically through localhost and it won't it would talk to other main name server oh well I will outside the one running local host because of Tor so that's a nicer maybe over top in some cases but probably the most secure option and you can make that little setting by editing your tor C file 
and putting in those flags but grabbing content outside the darknet this can be also be an issue now this illustration I have more of a mesh ITP kind of styler know diagram but let's say some traffic is being sent through if someone doesn't have face configured right they could be getting HTTP traffic through on ITP but not not setting STP HTTP through it and by default HTTP out proxies all right repiy does various modifications to the traffic to try to be sure an amenity that's all you can't lead it on HTTPS and nothing in this there's been HTTPS out proxies but I'm not sure this one up at this moment but let's say you've only configured an HTTP 1 well that traffic may be going through a IPP and bouncing around and come back to you and they don't know who you are with that web page hosts the file - like a web bug that is accessed via HTTPS then it's possible that you'll request that when you get your page back and you request the image and then I'll have your real IP address this same kind of thing could happen if this is more popping back in the day but I think most web browsers don't honest wide and loose on this they are now used to see the URL lines instead of starting with HTTP it's up like telnet colon slash slash those kind of things those responding to be had at their now admission this doesn't happen in I to Pei you should go in and set this proxy right and say use this for all protocols though this particular setting I have right now isn't necessarily going to work for SSL traffic as I recall you can also set up SSL Fox it should work though I don't know if that particular tour so I'm sorry I GP uh proxies actually up and letting at this point the basically someone has to inside ITP say yes I'll be an out and that's going out proxy and I'm not sure if anybody is actually hosting an HTTPS one at this moment ok slightly related subject simple thing let's say your web surfing around and uh tor and you visit some website you like hmm I want to do something a 
little bit more suspicious so I'm gonna go visit in a while you're visiting it let's say all the public in there first then you decide to visit over tor later on so you could do something a little bit more wellthanks some you don't want to be no well if you got a cookie while you're stuffing it over the it public Internet and using the same web browser well we stick to it overt or you might very well be sitting the exact same cookie again and told us and tore button has various features along with I was it Polly pop oh this little HTTP proxy that's meant to filter out various identity me billing information out of your HTTP traffic there's various things to try to mitigate this but it is a concern if you don't have toll configured properly you get a cookie off the public Internet then when using tor and you go to the same page so ya go to using tor and you go to the same page that same cookie gets sent will be so good there's no reason to separate your profiles and used in browsers for different tasks so physically done is if you can make a hidden server contact you over the public Internet the last few examples I've given have been on your client and your contacting some internet site in this case you might be trying to reveal the identity of sub hidden server this is the server inside of iqp network that you don't know it's real IP address you know its name but it's bounced around in between hosts inside the network to be able to get to it if you can contact it let's say with an exploit let's say you had like a shell execution exploit with some bad web vulnerability on-air if you can tell it to ping you well game over you make it ping you from its real IP address those mitigations you can do to this though another example of applications that are totally of well law all an amenity is a BitTorrent butter fault a lot of ways people configuring BitTorrent whenever they use tor is you know very wrong it was a paper within a while back I have the names of all the 
offers down here at the bottom of this slide hopefully I'll be visible in the video where essentially they found that most tor users only using tor to hide the contacting of the tracker the person keeping track of okay this Pierre in this BitTorrent transaction as this part of the data this one has this part a this one price to our data you basically track screw has what so they can set up communications between the peers well if you only send in communication and communication to the tracker over tor you're still contacting the peers directly that's revealing your identity right there also though on the exit point let's say the person decides to June contacting the track over decides to modify the data they can add their own IP addresses yeah I'm one of the people who is participating in this bit torn contact me and when you contact them this varies identifying an information you can go ok that's who you are also the pinyon how the clients configured another motor operation for a BitTorrent is to use what's called distributed hash table that's over UDP well toll doesn't really support UDP so that gets sent out to the distributed hash table and that can be scraped for information it gets somewhat more secure now most these are mitigated if the person decides to send all traffic including peer-to-peer traffic food tour that would be dogs slow but the distributed hash table one that's not mitigated because if your machine starts using the tracklist torts and sending those packets out via UDP if someone's out there harvesting the distributed hash table off the internet they could possibly bill people's identity there's also the information inside the BitTorrent protocol that we bill who's who an oddish traffic actually has like peer ID and port number and so just from the ground up it was exactly designed for an amenity though certain modifications have been done to like the one that they exist instead of I to P that makes it a lot better but generally speaking 
BitTorrent over tor probably not this great option ok yet another example of an application that will screw the pooch Oh to speak is IRC by default even if you configure IRC to go from Tora IGP there's some things on the protocol level that will screw you up who has three of ident basically used to be a dude except I put a call out you responses to be to say who's this person contacting me well inside of a IRC clients you can say what's your I did so that when someone does out who is on you like right Nixon says give me info this person or just who is command they can find out your username on some box well you can set this information but depending on a client you're using it made the thought to your actual username for instance one time I connected to I to P as a SOF I was fairly hidden that's all looking around and looking who is the everybody including myself and I realized that well I had a pseudo name while I was using I to P is to I did who is on me they can see that Aiden at some host name not my real host name instill Aidid at some place was contacting how is that particular identity instead of I to P well there's only so many Adrian's probably doing research and ITP if nothing else is reduced to as amenities said if not outlet we feel who I am or let's say if that particular ident information we build relic as the I stuck in institution if we build inside could be the same is using stood on them some do dot 85 and when you did the ident on it it said relic that would be pretty revealing now you can fix this kind of problem actually going in to IOC client and configuring what you want it to return for us I didn't information but by default depending on the IRC client it made me feel more information than you actually want that be an example of an application that just really gives them too much data all right doodle mitigations make sure your browsers go set the sent all the traffic through the dark net which is trated some of that video go look in the 
firewall rules that block all traffic that's not going out over the protocol and the particular ports that you know your darknet client is using. Limit the plugins you use, of course, because this can totally mess you up: a plugin can be used to reveal more information about you depending on whether or not it knows to actually use and honor the browser's proxies. For instance, in the past I think it was maybe Flash and Adobe Acrobat that didn't honor the proxy settings that were configured inside the browser, and if someone could send you a payload they could possibly get you to contact them over the public internet and then know your IP address, which, a little looking around later, they may be able to map to your identity. Use a separate browser for different tasks. Also there's two great sites for going to check out how anonymous you are. One is decloak.net; it tries a bunch of different techniques to reveal who you are. Go try sniffing your PDF and see if your browser stops using your cloaking service and instead reveals your real IP address; it does that with Word docs also; it tries a bunch of different ways to try to reveal who you are. Now Panopticlick is something a little different: it basically tells you how unique your particular browser user agent string is, as well as the various information JavaScript and plugins return to the site, so it can say you are unique amongst so many different people, or how many people share your exact identifier. On the hidden service side, make sure you patch your stuff. If you have a really out-of-date version of some web application and someone can use some sort of shell injection and get it to ping them back out on the public internet, that's a bad sign, so make sure you keep your stuff patched. Also you could just try not letting the box on the public internet; have it on its own virtual host that can only talk to the host. In VMware you could have a guest OS that can only talk to the host OS. I'm thinking of how this would work,
but let's say the web server inside the VM, or just a regular box, the web server was configured to only respond on 127.0.0.1 and not send traffic any place else, but the service that is coming in via the darknet is allowed in. Basically the idea being to make sure that service can't contact anything else outside of its own little network. I'm thinking of a better way of explaining it; that may need a future diagram. Okay, attacks on centralized resources: infrastructure attacks and denial of service attacks. This is not so much against individual nodes as the network in general. I suppose you could try to denial of service an individual hidden service or eepsite inside of the darknet, but more likely a lot of the attack will be blunted by other hosts in between you and them taking the brunt of the damage. I hope you won't suggest that, well, if you want to stay anonymous, you do your DDoS inside; first of all, people who think DDoS is a political statement irritate me, but if you say "we're on to it, you do it through Tor," how are you? Because if you try to DDoS through Tor you end up essentially denial-of-servicing Tor. Would you necessarily contact what you're trying to hit? Well, you would, but at a greatly diminished ability. There's all sorts of other attacks out there. Starvation attacks: essentially, maybe at your node, or your several nodes in the network, you can promise resources and then not give them. Partitioning attacks: well, you want to separate the network into subgroups, so if you know this one routes traffic for this one network and this one bounces traffic for this other network, you take out these nodes and you can cut down the anonymity set of what you have to search. And of course there's flooding, you know, your general denial of service sort of attack, or, as you described, attacks on shared known infrastructure can be a problem. For instance, let's say someone attacked the majority of Tor's directory service; would that be a huge issue? Because then people wouldn't be able
to necessarily find Tor routers, and they wouldn't be able to use the network. Also total or severe blocking of the internet would be a huge bummer: if you don't have an internet connection then you're really not getting to the darknet. There's been a few cases similar to some of the things I just talked about. For instance, China, back on September 25th, 2009, blocked access to Tor directory servers, so people who were using Tor in a normal fashion couldn't actually connect; they couldn't find a list of routers to hop through. Also Egypt, Libya and Iran, they've blocked internet access; well, you can't get on I2P if you can't get any internet access. I suppose the possibility of a net split might be beyond the topic here. For instance, Tor directory servers: if someone blocks the connection to the Tor directory server, well, you ain't using Tor, with some exceptions. We're going to talk a little bit about bridge nodes. A bridge node is a Tor router that's not advertised directly by Tor's directory service, and instead of there being one central list, these can be anywhere. Essentially you can email a certain email address at the Tor Project and you'll get a list of bridge nodes you can contact; I think they occasionally send that information via other ways, or you can set up bridge nodes outside of a country and then tell other people about it inside the country and they can use you. That basically just makes it so the adversaries have a much harder time blocking all Tor routers; once you've connected to one bridge node, hopefully you're golden. A distributed infrastructure helps. For instance, I2P: there's not a directory service to say which node is which; it's all just taken care of in a distributed hash table called netDB. Taking out the dev site might be kind of an issue, but actually all the development in I2P is supposed to be done over I2P, so that might be somewhat difficult. Protocol obfuscation might also help: if someone doesn't know someone's using a darknet they may not attempt to block it. Tor does
this to an extent by making the traffic look like HTTPS, by sending a lot of traffic out on 443. Tor does most of its stuff that way; the other stuff it sends, that obviously isn't HTTPS. I2P sends out via a random port; every machine, you know, different Tor routers out there, sorry, different I2P users, aren't necessarily using the same port, and if you're sitting there looking at the traffic it should just look like encrypted gibberish, so that makes I2P fairly hard to block. It's also sending stuff via both UDP and TCP. Total and severe blocking of the internet though, that takes a little bit more to mitigate, and some people are talking about technologies to do that. If someone blocks all internet access that's a bit of a difficulty. Oh, let's say, like we're right here on the network at this university: we can't seem to connect; our Tor client has a problem, because as soon as it tries to contact out on 443 and notices the man in the middle on that SSL connection, your connection is not going to go anywhere. So people have come up with other ways of getting around that. People talk about making mesh and store-and-forward networks. Essentially these mesh networks might have different boxes in the country that have radio communications with each other; if you can contact one of them you can hopefully get a message out by it hopping around until eventually it gets somewhere that can reach the public internet or whatever resource you're trying to go for. Now this may or may not always work, so store and forward is, essentially, let's say you want to try and get a message out and real time is not necessarily something you have to worry about; think of it as an email: if it arrives now or if it arrives in two hours it may not matter. Well, if the mesh network is set up in such a way that it can be passed along from device to device until a device gets in range of one that can get the communication out, that might be useful. Let's say someone
has the message on their phone; that phone sends it to a node, and that goes into another node as they come into range of each other. That might be an example of store and forward. For more info on mesh networks, there's no real clear front-runner; people have put up both ideas and projects to create their own, like a darknet backbone, so you don't have to worry about the internet getting blocked. You can go out there and check out "wireless mesh network" on Wikipedia and it lists a few different projects that relate to this. [unclear] is one project you might want to look at. Also there was a New York Times article not too long ago about the US actually sponsoring some research in this particular area, like sending it into third world countries. All right, clock-based attacks. This is another place where people can at least reduce the anonymity set of someone using a darknet. Some protocols allow you to check a remote system's clock. This could be an issue if, let's say, they're not using universal time, let's say they're using local time; well, there's only so many places in the world where it's 3 p.m.
at any one moment; that gives you an idea of where the person is in the world, and that reduces the anonymity set. Also sometimes people have clocks that are just plain off: they'll set them wrong or not have them automatically updated via a time server, so that'd be an issue. But minor clock issues can sometimes be statistically analyzed to figure out who somebody is. There's been some research to try to figure out where various Tor hidden services were based on temperature. Essentially the temperature of the area of the world they were in at that time would have an effect on the computer's clock and how fast or slow it ran, and they tried to do a statistical analysis to figure out where in the world the person was based on that. Now the research that was done, I think it's Murdoch's paper: to find the clock skew he used Tor, but he didn't use the public Tor on the internet, he used his own internal lab Tor, because on the public Tor there was so much jitter. I don't know how many of you guys here have used Tor and noticed how slow it can be sometimes; there's too much variance in there for you to be able to get good accurate clock information, so he used his own. I'm not sure, hopefully I'm quoting his research correctly on that; maybe with better statistics and more collection you could actually find the data. In I2P I've actually done some messing around with clock differences there myself, though this was a less accurate method, more of just checking clocks and seeing if they were way off from what they should be. When I was doing my research in I2P I checked out various eepsites and essentially tried to see how many seconds different they were from me in time. Well, if it's only a few seconds that could be easily explained by network jitter, because of all those hops you have to go through in the darknet; one of those could be causing the latency issues that's causing that time difference. However, if
there's only one of the hosts that's like four thousand seconds different from me, and I'm getting my response time in less than a second, then I have a pretty good idea: if that's the only site out there whose clock is that much off, that's who it is. Actually, let me explain that a little bit better. I did a harvesting attack where I sat there and logged every I2P user I could, because I have part of the distributed hash table on my machine, as far as information about routers I can connect to. I logged all that, started hitting every one of those IP addresses to see if they had a website on them; if they did, I noted what particular web server software was running as well as what time they had on it. Once I had that information I would also try to contact each eepsite I knew about and see if I could correlate them, because if they were hosting their eepsites on a machine that also had a public-facing address and I could query both, I could do a correlation attack and figure out who is who. An example of that might be an attack of "hey, what time is it?" Most of the boxes say what time it is; if it's far enough off, and it's only one that's that far off, you might have a good idea of who it is. Mitigations: well, depending on how far off the clock is, I think this attack can be fairly hard to pull off. There's a lot of jitter in all these networks because it takes time to proxy that connection from host to host to host to host, so unless the clock is severely off it's probably not gonna be a big issue. I imagine having the clock set to a reliable NTP server would probably help; however, if you set yourself to an unreliable NTP server that's not really going to be particularly good. Some mitigations can take place in the darknet protocol itself, like certain timing things that are inherent inside I2P and Tor make sure that people aren't too far off from each other; however, that particular timestamp is internal to I2P itself, it doesn't reflect the time of the host machine, so it's not helpful in that case, because the
application layer can reveal the identity. All right, another cool example of ways that people can reveal identities inside of darknets: metadata. We talked a little bit about metadata, I believe, in the first talk today. Essentially metadata is data about data; this could be stuff like, you know, the GPS coordinates of where a photo was taken, or what the username of the person who created it was, or timestamps on when it was last modified or when it was created initially. Lots of document formats have metadata in them; for instance JPEG EXIF, IPTC, DOCX files, DOC, EXEs always have metadata in them you can scrape for information. So the things stored, of course, are, like I mentioned, GPS info, sometimes network paths. There's a cool tool out there, FOCA; you can actually point it at a domain name, suck down all the documents it can, and sometimes by extracting a few documents you can find names of like print servers and servers that that document has been related to, so you can find information on someone's internal network just from like a document they put on a website. Way back in the day, back in the Office 97 days, it was actually embedding MAC addresses inside of documents. A few prime examples: I can't think of an example of people inside of darknets being revealed by metadata, but here's a few on the public internet who had some problems with metadata. First of all, Cat Schwartz: she posted a picture of herself online, and it simply looked like the one you see up in the corner; she cropped it and it was all good, she posted it. The problem is EXIF data inside JPEGs also has a thumbnail; well, the thumbnail didn't get modified when she cropped the image, and it went down a little bit further, so there you go. Another example is demonstrated by the BTK killer. At one point, for the longest time, he was just sending letters in; he went years and years without getting caught. Eventually I think he said a book's gonna be coming out or something, and he had stopped bragging, so he sent in a
floppy disk with a Word document on it to the cops. Well, they get it and they look at the metadata and it says the author is Dennis, and since the software he used was registered to the church he was working at, it had the church's name. So there's only so many Dennises at that particular church; it didn't take too long to figure out who he actually was. Another example is a nephew who, at one point on 4chan, posted an image of his aunt who was in the shower, and someone said "post all the rest of the images," and it was revealed where he was, because he had taken the photo with his iPhone, and at the time, by default, the iPhone was putting the GPS coordinates in the EXIF data, so people unfortunately were able to figure out where his aunt actually lived. All right, mitigations: well, duh, clean up the metadata; that'd be a good one, but it varies from app to app on how you do that, so I can't give you a one-size-fits-all solution for that. Okay, local attacks. At this point it's probably a lost cause: someone has seized the machine and is going to find out what you've been doing. One of the nice things about the Tor Browser Bundle is by default, as soon as you close it, it doesn't log history or cookies or anything like that. Now I haven't tested its privacy mode to be 100% sure that something's not leaking out into memory or leaking out into a swap file, but it does various things to keep that from happening. Let's say you're using Tor and you're going to various sites; you might be encrypted and going through Tor, but someone grabs the browser and your history and those particular sites are still in the history; they know where you've been. Pretty much if someone has access to your local box, your home, it's got the old security maxim: if someone else has physical access to your box it's no longer your box. Especially at this point it comes down to traditional forensics: data on the hard drive, cache data and URLs, memory forensics
if all else fails. Who here has heard of the cold boot attack? The cold boot attack was, let's say that someone had the encryption keys up in memory; they were using full hard drive encryption, the encryption keys were up in memory, and they decide to shut down the machine really quick. Well, for a certain amount of time someone could grab those DIMMs out of the machine, do RAM dumps, and pull data off of them; they could recover that key. To a degree this particular attack is somewhat academic, because you have to do it really really fast; for instance, you take your laptop and just hold it up for like 20 seconds and keep it away from somebody, and they'd have a problem recovering the data off of it. But there's a guy who's been doing some research on de-anonymizing, or sorry, doing forensics on live CDs, where memory forensics comes into play. I suppose mitigations: of course anti-forensics. If you don't leave logs on a machine in the first place, that's a great start. I have a class I've done on what I call occult computing, in other words hidden computing; occult, I believe the word is originally Latin for hidden. Essentially anti-forensics is techniques to thwart forensic analysis, so that particular video might be worth checking out. Also people who use live CDs or live USB drives can avoid leaving some tracks, because, well, since the CD is read-only media (well, correct me if I'm technically wrong), but since the CD is read-only media you're not leaving logs necessarily. The same case for a lot of USB drives: it's not actually writing back to the USB drive, it's loading something into memory and running the OS, but as soon as you pull out the USB drive and reboot the machine, those things are gone. Well, Andrew Case has been messing around with actually doing forensics on memory: let's say someone seizes the machine while it was using a live CD or while it was using one of these live USBs; they could actually grab data from memory
and figure out what the person's been up to. His Black Hat slides are out there; I've contacted him, hoping he's contacted the Black Hat folks, and we could be able to get a video of his talk out there. Of course, hard drive encryption would also go a long way in mitigating all this. Okay, we'll get into some more academic attacks at this point. How am I doing on time? Yes, hopefully all right. Sybil attacks. I'm not sure what percentage of Sybil attack systems are used any place outside of academia. Sybil was apparently a woman in a book who had multiple personalities, and her name was Sybil. The idea of a Sybil attack is essentially like a sock puppet on a forum, where someone poses as more than one person; the idea being, by being more than one person in the network you can influence votes or routing decisions and that sort of thing, and further your sock puppets. A lot of times these are not so much the attack in themselves; it's that they make other attacks easier. For instance, if you are every node in the network but the end point and the beginning point, well, you can figure out who the beginning point and end point is. That's a very worst-case scenario, but it basically makes a lot of attacks easier if you have multiple nodes. Let's say this one guy in the corner is evil; he decides to set up node one and node two that he controls; you can have these collude to find out more information. For instance, let's say you were incredibly unlucky; Tor and I2P have mitigations against this, but say you're incredibly unlucky, by using Tor you connect to three boxes as your routers and all three of those were controlled by the exact same person; well, you're hosed. Mitigations: there's no absolute fix for this. You can make it cost more to have nodes in the network, and one way they've done this is with proof-of-work algorithms. Okay, way back when, one of the things put forth to stop spam was to use proof of work; basically before a mail server would accept any kind of message you had to solve some mathematical algorithm that
was easy to check but hard to do, so it would keep you from sending as many messages as fast. But for, I guess, logistical reasons, that never really took off. But the same technique has been used in other places, like Bitcoin, for instance: making it where people can mine these bitcoins, and it's easy to check that something's a valid bitcoin but hard to do. Another example might be password hashes: if someone gives you the word it's easy to check if it matches the hash, but taking that hash and figuring out what the original word is, that's doable with massive brute force but not necessarily time practical. I2P and Tor both put in a restriction where they try to keep the same /16 IP addresses from being in consecutive hops; for instance, let's say the IP address of your institution was 123.123.something.something; well, it would try to keep those two from being one hop and the very next hop, the idea being that if someone wants to try to make a bunch of colluding nodes they might all be on their own little IP network by themselves, so basically they try to keep those separate. Another example might be for jurisdictional reasons: having the traffic bounce from one country to another to another to another to really confuse boundary issues. Central infrastructure may be more resilient to this; however, it also has its own issues. If one central point is deciding who's who and who's doing what, then that's one point of failure, but if you really secure that point, in some cases that might be a mitigation against Sybil attacks. Both I2P and Tor have peering strategies to try to keep you from talking to people consecutively who might cause you an issue, and there's been some academic research done with things like SybilGuard, SybilLimit and SybilInfer that try to base who you connect to on who you know; the idea being that you can know the people in your network, and that bad actors
won't know as many people, so they won't be used as regularly. But who you're peered with seems to revolve around, like, social networking to decide who routes what traffic where; I see a couple of problems with this, however. Who's here that knows of Robin Sage? There was that security researcher who did the Robin Sage stunt; it was a cool thing. Well, anyway, what this guy did is he decided to make up this very cute girl who was an information security researcher; he started making a Twitter and making a Facebook profile for her, and he tried to see how many people in the industry he could get to connect with and contact her, and there were a ton of people who added her. Have you thought about how many people you have in your Facebook who you barely even know? I'm thinking using social networks as a way of controlling who peers with who may not be the best idea in the world, though you might want to read the papers; their arguments are a bit more fine-grained than I'm giving them credit for. All right, traffic analysis attacks. There's a lot of academic work on these; unfortunately, well, unfortunately or fortunately, depending on how you look at it, it takes a much more powerful adversary to pull them off. I really think that if you're using a darknet you should probably be more worried about application layer stuff revealing your identity, but we'll talk a little bit about traffic analysis attacks. There's several variations on profiling the traffic; it can be stuff like, well, I'll get to the illustrations to be able to do it; it could be something like the timing of data exchanges, it could be the size of the traffic, it could be the ability to tag traffic: let's say the encryption algorithm allows people to still modify the data; if someone can tag it and change the data they can track it throughout the entire network. Generally it takes a powerful adversary, but it can be somewhat hard to defeat in low latency networks, for reasons I'll show you in a second. Well, what do I mean by a low latency network? Those networks out there that would be
store and forward, where let's say it's a mail message; it hits one node, and if it takes ten seconds to get to the next node or it takes an hour, if it's an email it may not really matter that much. However, for web traffic that really just wouldn't work; web chat would be an example, so it's low latency. A lot of these attacks involve timing. Let me step up there: a lot of these attacks involve timing, and if you know this particular person sent five megs of traffic and this other one received five megs of traffic in a certain time period, those kinds of time correlations you can use to figure out who's talking to who. Whereas just looking at I2P, I started thinking of it from the standpoint of looking at it like this: I was like, well, I don't know if you could do traffic analysis on this; so many people are talking to each other over one-way connections. But from an ISP's viewpoint, you can only have one connection in and one connection out; they can sit there and watch traffic. I tried to sit there with Wireshark and try to figure out which pair was which, and I knew the right answer because I was able to go into I2P itself and see who my partners were in communications, and I still had issues. But to give you an example of correlating traffic: let's say some client sends five megs in and another one receives five megs and sends out eight megs, and that same one that sent five megs in earlier receives that eight megs; if you can match the data you know who's talking to who. It could also be things like timing, like a client apparently sends a little bit of data, then more data, then a little bit, then more data; that timing can also reveal information. Also things can be done to affect timing; this is where Sybil attacks can help augment traffic correlation attacks. Let's say someone's sitting there just watching the timing to reveal information; they can also try to attack different servers out there, or different nodes of the darknet, and say "okay, I'm going to cause a denial of service here at certain
intervals and see if I can correlate how this affects traffic on other nodes," and by doing that figure out who's talking to who. They can also just sit there and kind of control how fast the traffic goes through them; this would be similar to a tagging attack. The way at least I2P works is it signs the data, so if someone's modifying the data that's going to be an issue, but I suppose if you slow down the packets a certain amount and put a certain rhythm to them you might be able to follow that along the line. There's also been people who've done various attacks on Tor to try to change the load on certain nodes to figure out who's talking to who, or figure out who's going through which nodes, and reduce the anonymity set as well. The mitigations for this would be things like: more nodes. The bigger the network is, the harder it would be to find you; it's like being a needle in a much bigger haystack. Also people have talked about using entry guards to make sure the first hop you're connecting to is not necessarily, how to put this: if you're both the first hop and the last hop in the Tor network, it's really easy to figure out who you are and what data you're sending, because if the attacker is the exit point they'll see the unencrypted traffic, assuming you're not using an encrypted protocol, and if they're also your first node, the entry point, they see the amount of traffic you're sending; it's much easier to figure out that this person is the person who was sending out this data to come out this exit point. So Tor does a couple of things to mitigate this. One would be entry guards, where it chooses a certain set of people to always contact. If it randomly chose people to peer through, randomly, every single time, eventually an attacker would be both the exit point and the first node that you hop into; by choosing a certain set you always use as your entry points, yeah, it's possible you'll have really bad luck and choose a malevolent pair
that very first time, but at least it reduces the chances of having it eventually happen after you send enough traffic. There should be a better way of explaining that. All right, one-way tunnels can help, and it definitely seems to confuse information, at least while I'm sitting there trying to sniff traffic in I2P. Short-lived tunnels may help, so you're not sending as much traffic through the same nodes; basically you use these sets of nodes to route for a while, and then you change to a whole new set of nodes, so it's harder to build up a profile to figure out who a bad actor is, like if you know one person only hops on during certain times or only seems to send traffic certain ways, that would be an issue. Signing of the data, which I believe, I know I2P does signing of the data to make sure it hasn't been modified; I'm pretty sure Tor does as well. Fixed speeds: another issue. Some networks have been proposed to keep people from doing timing attacks; they basically make it to where it always sends at the same speed, or they put delays on traffic, like with, let's say, an email; an email relay doesn't have to send it instantaneously; if you're worried about timing attacks you can have it wait a certain amount of time before it sends on to the next node. Unfortunately that doesn't work for low latency networks. Padding and chaffing: if you're worried about, padding and chaffing, sorry, if you're sending data out there and you're worried about people doing analysis on the amount of traffic you're sending, well, if it's padded it's always the same size; they're not going to be able to use traffic size to figure out who you are. Chaff would be kind of the opposite thing, like someone sends out a bunch of data that's padded, and also they send out unneeded data to the next node, so that the sizes of data and packets going between this node and this node and this node can't be easily correlated. Non-trivial delays would help in some cases, and that goes back to some of
the stuff I covered earlier. Intersection and correlation attacks; this can be related to some of the earlier attacks as well. This can be as simple as knowing who's up when a hidden service is available. Let's say you've logged all the people you know who are inside I2P, and you log whenever this one particular eepsite, this hidden web server, is up; if you notice this one particular I2P router is down at the exact same time that this eepsite is down, and it's always like that, that might be an example of a correlation attack you could do. Techniques can be used to reduce this anonymity set, as opposed to someone starting to knock off various machines on the internet, like, "that one's down, the eepsite's still up, okay, that must not be you," and so on and so forth. Application flaws can also reduce the anonymity set. I mentioned before, when I was doing some research in I2P I was checking for what particular web server software each machine was running; well, if I log all this and I know you're running this particular version of Apache, I only have to check boxes that have that particular version of Apache. I've just reduced the anonymity set; I reduced the number of boxes I actually have to check to see whether or not it's the same person. This also goes back into harvesting attacks, logging all this data and profiling the different nodes in the network. Here's an example of a simple correlation attack: let's say someone, ping won't be a good example, instead of trying to contact a Tor hidden server, they can go and check to see whether or not it's up, and then they check every other node in the network really quickly to see if they are up; eventually, if one is down at the same time as the hidden server, that might give you an idea that it's that person. Now, fortunately or unfortunately, this attack on a really big network would be difficult to pull off, but it's a really simple example of a correlation attack. Another one might be, let's say you know the IP address
is a bunch of the routers and you and one in Cerritos actually hosts the deep site you might be able to find out what's off of that excites running then all the IP addresses you promised it out of distributed hash table you can check each one of those to see whether or not it's funny the exact same version of software then each one of the ones that is running that same version of software you can request that site for instance this one tax I was doing let's say there's a site called some site that i2p I might request it directly and go okay this is the strip of software you're running cuz you're returning that information to me all right now much like every idea to know to see who else has that same super software now in my host header in my HTTP protocol I'm going to quest that particular website from you if you return that website to me I know it's you and I was able to do not of my some people in ITP that way general mitigations because more nodes would help the more noticeable all the hard it is to pull off these attacks I think I was only dealing in I to people like sixty thousand nodes at the time and it was doable on my home machine with a cable modem but the more nodes you have more difficult that would be give it about IP P a sense done some extra work on it where if you're hosting a server inside of a GP and the HTTP server it strips out that service software header so it's not as easy to correlate they implemented that I think sometime late last year early this year giving less data across a lot makes it a harder people audience contacts since you can't reused in an amenity sets you have to check more nodes to see as see if they can do to make harvesting and scraping more difficult though oops and back up a second you can see what they can do to make the harvesting attacks a harder to do for instance up or I guess a good example this might be mentioning tor tor bridge routers it's easy to harvest toward relatives because you can just access the directory 
server it gives you all the information however bridge routers you can't easily harvest cuz they don't put all the information in one place this slowly distributed out that might be an example of making harvesting and scraping harder to do do it more information on iqp specifically as far as the anonymizing I have a paper out of my website on it which I'll link to here shortly as well as a video ok we're almost done I promise if you want to have more information on a various research into a diminutive networks check out the archive the free Haven has also if you want more information on different threat models I to P has a great page on that I have a general dotnet talk that I did earlier this year here at aid and I also have a video and article on denies the anonymizing each sides inside ICP let them say a quick thanks to the conference organizers for having me here tenacity of helping get to DEFCON this is actually my practice session for this particular talk hopefully I have a little bit more polished by the time I get to DEFCON my buddies at derbycon and the ISDN podcast as and also the open icon library for helping me out a lot of the artwork a few events I want to mention upcoming up Derby con on September 30th through October 2nd in Louisville Kentucky the day before that is Louisville InfoSec come both you can and there's a bunch of accomplices throughout the year I'd recommend attending sky dog con dojo condo I'm not staying as an elf it's going to be a third one I'm not sure on that yet Hakan which is going to be happening in a October correct Freaknik of course not a common and outer zone finally are there any questions so I was like drinking from the fire hose boo well Ksenia if you have comes with questions later I'll be at the conference to the end of it so just let me know
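The uptime-intersection attack and the Server-header-stripping mitigation described in the talk, as an added example that is not code from the talk or from I2P; the router names, the observation rounds and the header values are all constructed:

```python
"""Simulate the uptime-intersection attack from the talk and the effect of the
Server-header-stripping mitigation on constructed data. Added example, not code
from the talk; router names, uptime rounds and header values are invented."""
from typing import Dict, List, Optional, Set

def intersection_attack(rounds: List[dict], routers: Set[str]) -> Set[str]:
    """Shrink the anonymity set: the host must be up whenever the hidden
    service is up, and anything up while the service is down is not the host."""
    candidates = set(routers)
    for r in rounds:
        if r["service_up"]:
            candidates &= r["up"]   # host must be among the routers seen up
        else:
            candidates -= r["up"]   # routers up while the service is down are excluded
    return candidates

def rounds_to_identify(rounds: List[dict], routers: Set[str]) -> Optional[int]:
    """How many observation rounds until one candidate is left (None if never)."""
    candidates = set(routers)
    for i, r in enumerate(rounds, start=1):
        candidates = intersection_attack([r], candidates)
        if len(candidates) == 1:
            return i
    return None

def filter_by_server_header(candidates: Set[str], headers: Dict[str, Optional[str]],
                            target: str) -> Set[str]:
    """Application-layer fingerprinting: keep routers whose Server header matches
    the hidden service's. A router that strips the header (None) leaks nothing
    and stays in the set, which is why I2P's header stripping keeps the set large."""
    return {c for c in candidates if headers.get(c) in (target, None)}

# Constructed observation log: which routers answered each round, and whether the
# hidden service (eepsite) was reachable in that same round.
ROUTERS = {"r1", "r2", "r3", "r4", "r5", "r6"}
OBSERVATIONS = [
    {"up": {"r1", "r2", "r3", "r4", "r5", "r6"}, "service_up": True},
    {"up": {"r1", "r2", "r4", "r5", "r6"}, "service_up": True},   # r3 down -> ruled out
    {"up": {"r1", "r3", "r4", "r5", "r6"}, "service_up": False},  # only r2 down with it
]
# Constructed Server headers: leaky servers reveal their version, stripped ones do not.
HEADERS_LEAKY = {"r1": "Apache/2.2", "r2": "Apache/2.2", "r3": "nginx",
                 "r4": "Apache/2.2", "r5": "lighttpd", "r6": "nginx"}
HEADERS_STRIPPED = {r: None for r in ROUTERS}

if __name__ == "__main__":
    partial = intersection_attack(OBSERVATIONS[:2], ROUTERS)
    print("after 2 rounds:", sorted(partial), "unique at round:", rounds_to_identify(OBSERVATIONS, ROUTERS))
    print("leaky headers:", sorted(filter_by_server_header(partial, HEADERS_LEAKY, "Apache/2.2")))
    print("stripped headers:", sorted(filter_by_server_header(partial, HEADERS_STRIPPED, "Apache/2.2")))
```

With leaky headers the five remaining candidates collapse to three; with stripped headers all five remain, so the observer needs more uptime rounds before the set shrinks to one.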
Info
Channel: Adrian Crenshaw
Views: 38,387
Keywords: aide3
Id: bI_1qlcwfE0
Length: 73min 54sec (4434 seconds)
Published: Mon Jul 18 2011