Potential Tor Browser Vulnerability Reported

December 19, 2016

Over at Hacker Noon, blogger “movrcx” reveals a potential vulnerability chain that he says threatens the entire Tor Browser ecosystem in, “Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale.” Movrcx says the potential avenue for a massive hack has existed for some time, but taking advantage of these vulnerabilities would require around $100,000. This could explain why movrcx’s predicted attack seems not to have taken place. Yet. The write-up summarizes the technique:

Anti-Privacy Implantation at Mass Scale: At a high-level the attack path can be described by the following:

* Attacker gains custody of an addons.mozilla.org TLS certificate (wildcard preferred)
* Attacker begins deployment of malicious exit nodes
* Attacker intercepts the NoScript extension update traffic for addons.mozilla.org
* Attacker returns a malicious update metadata file for NoScript to the requesting Tor Browser
* The malicious extension payload is downloaded and then silently installed without user interaction
* At this point remote code execution is gained
* The attacker may use an additional stage to further implant additional software on the machine or to cover any signs of exploitation

This attack can be demonstrated by using Burp Suite and a custom compiled version of the Tor Browser which includes a hardcoded root certificate authority for transparent man-in-the-middle attacks.

See the article for movrcx’s evidence, reasoning, and technical details. He emphasizes that he is revealing this information in the hope that measures will be taken to nullify the potential attack chain. Preferably before some state or criminal group decides to invest in leveraging it.

Cynthia Murrell, December 19, 2016

Nobody Really Knows What Goes on over Dark Web

December 16, 2016

While the mainstream media believes that the Dark Web is full of dark actors, research by digital security firms says that most content is legal. This tells us only one thing: the Dark Web is still a mystery.

The SC Magazine in an article titled Technology Helping Malicious Business on the Dark Web Grow says:

The Dark Web has long had an ominous appeal to Netizens with more illicit leanings and interests. But given a broadening reach and new technologies to access this part of the web and obfuscate dealings here, the base of dark web buyers and sellers is likely growing.

On the other hand, the article also says:

But despite its obvious and well-earned reputation for its more sinister side, at least one researcher says that as the dark web expands, the majority of what’s there is actually legal. In its recent study, intelligence firm Terbium Labs found that nearly 55 percent of all the content on the dark web is legal in nature, meaning that it may be legal pornography, or controversial discussions, but it’s not explicitly illegal by U.S. law.

The truth might be entirely different. The Open Web is equally utilized by criminals for carrying out their illegal activities. The Dark Web, accessible only through Tor Browser, allows anyone to surf the web anonymously. We may never fully know if the Dark Web is the mainstay of criminals or of individuals who want to do their work under the cloak of anonymity. Till then, it’s just a guessing game.

Vishal Ingole, December 16, 2016

Facial Recognition Fraught with Inaccuracies

November 2, 2016

Images of more than 117 million adult Americans are held by law enforcement agencies, yet the rate of accurately identifying people is minuscule.

A news report by The Register titled Meanwhile, in America: Half of adults’ faces are in police databases says:

One in four American law enforcement agencies across federal, state, and local levels use facial recognition technology, the study estimates. And now some US police departments have begun deploying real-time facial recognition systems.

Though facial recognition software vendors claim accuracy rates anywhere between 60 and 95 percent, statistics tell an entirely different story:

“Of the FBI’s 36,420 searches of state license photo and mug shot databases, only 210 (0.6 per cent) yielded likely candidates for further investigations,” the study says. “Overall, 8,590 (4 per cent) of the FBI’s 214,920 searches yielded likely matches.”

Some of the impediments to accuracy include the low light conditions in which the images are captured, lower processing power or numerous simultaneous search requests, and slow search algorithms. The report also reveals that human involvement reduces the overall accuracy by more than 50 percent.

The report also touches on a very pertinent point: privacy. Police departments and other law enforcement agencies are increasingly deploying real-time facial recognition. Not only is this an invasion of privacy, but the vulnerable networks can also be tapped into by non-state actors. Facial recognition should be used only in cases of serious crimes; using it blatantly is an absolute no-no. It can be used in many ways for tracking people, even though they may not be criminals. Thus, it remains to be answered: who will watch the watchmen?

Vishal Ingole, November 2, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Need a Low Cost College Degree? Dark Web U Is for You

October 11, 2016

The lawless domain just got murkier. Apart from illegal firearms, passports, drugs and hitmen, you can now procure a verifiable college degree or diploma on the Dark Web.

The Next Web, in an article titled “Dark Web crooks are selling fake degrees and certifications for the price of a smartphone,” reports:

Cyber criminals have created a digital marketplace where unscrupulous students can purchase or gain information necessary to provide them with unfair and illegal academic credentials and advantages.

The certificates for these academic credentials are near perfect. But what makes this cybercrime more dangerous is the fact that hackers also manipulate the institution records to make the fake credential genuine.

The article adds:

A flourishing market for hackers who would target universities in order to change grades and remove academic admonishments

This means that under-performing and completely non-performing students undertaking an educational course need not worry about low grades or absenteeism. Just pay the hackers and you have a perfectly legal degree that you can show the world. And the cost of all this? Just $500-$1000.

What makes this particular aspect of the Dark Web horrifyingly interesting is the fact that anyone who procures such an illegitimate degree can enter the mainstream job market with perfect ease and no student debt.

Vishal Ingole, October 11, 2016

The Surprisingly Diverse Types of Cybercriminals Threatening Your Business

July 29, 2016

The article titled BAE Systems Unmasks Today’s Cybercriminals- Australia on BAE Systems digs into the research on the industrialization of cyber crime, which looks increasingly like other established and legal industries. While most cybercriminals are still spurred to action by financial gain, there are also those interested more in a long-term strategy of going after intellectual property and selling the data on the black market. The article states,

“Some cyber criminals are becoming even more professional, offering skills and services, such as “project management” to other criminal organisations. They are writing their own software that comes with service agreements and money-back guarantees if the code gets detected, with the promise of a replacement. This ‘industrialisation’ of cyber crime means it has never been more important for businesses to understand and protect themselves against the risks they face,” said Dr Rajiv Shah, regional general manager, BAE Systems Applied Intelligence.”

The article pinpoints six profiles including career criminals but also internal employees, activists, and what they call “The Getaway,” or underage criminals who won’t be sentenced like adults. Perhaps the most insidious of these is The Insider, who can be a disgruntled employee or a negligent employee with more access than is good for them or the company they work for.

Chelsea Kerwin, July 29, 2016


The Marketing Case for Value from Dark Web

April 19, 2016

For marketers crying for more user data, the Dark Web may present a challenge — or not. A longread article from Coin Desk, “Bitcoin Remains Most Popular Digital Currency on Dark Web,” reiterates that the landscape of the Dark Web is more nuanced than the headlines screaming cybercrime suggest. Despite the inability to know users’ locations, identities and interests, which may worry marketers, several points are raised asking marketers if there is a possibility of value in the Dark Web. Explaining more about the potential benefits to marketing and sales, cybersecurity reporter Brian Krebs is quoted,

“‘Plenty of would-be, legitimate consumers come from regions of the world where perhaps governments don’t want their consumers visiting certain places or buying certain items. And for those consumers, [the Dark Web] can be a boon, and potential positive for retailers and marketers,’ Krebs writes in an e-mail. Krebs goes on to say that much of the supposed danger posed by the Dark Web is nothing out of the ordinary when it comes to cybersecurity.”

This useful piece not only provides insights into how the marketing industry views Tor, but also serves as a handy layman’s guide to Dark Web (synonymous with darknet and dark net) terminology and a brief history. Additionally, the founder of Adland presents an interesting case for opening a .onion site to complement a site on the Surface Web, or the “regular” internet.

 

Megan Feil, April 19, 2016


Surfing Safely on the Dark Web

March 29, 2016

The folks at Alphr want us to be safe if we venture onto the Dark Web, so they offer guidance in their article, “Is the Dark Web Safe?” The short answer, of course, is “parts of it.” Writer Thomas McMullan notes that, while the very act of accessing hidden sites through Tor is completely legal, it is easy to wander into illegal territory. He writes:

“‘Safe’ is a bit of a vague term. There is much of worth to be found on the dark web, but by its nature it is not as safe as the surface-level internet. You can only access pages by having a direct link (normally with a .onion suffix) and while that makes it harder to accidentally stumble across illegal content, you’re only a click away from some pretty horrible stuff. What’s more, the government is cracking down on illegal material on the dark web. In November 2015, it was announced that GCHQ and the National Crime Agency (NCA) would be joining forces to tackle serious crimes and child pornography on the dark web. Director of GCHQ Robert Hannigan said that the new Joint Operations Cell (JOC) will be ‘committed to ensuring no part of the internet, including the dark web, can be used with impunity by criminals to conduct their illegal acts’.”

The article goes on to note that plugins which can present a false IP address, like Ghostery, exist. However, McMullan advises that it is best to stay away from anything that seems questionable. You have been warned.

 

Cynthia Murrell, March 29, 2016


Reputable News Site Now on the Dark Web

March 28, 2016

Does the presence of a major news site lend an air of legitimacy to the Dark Web? Wired announces, “ProPublica Launches the Dark Web’s First Major News Site.” Reporter Andy Greenberg tells us that ProPublica recently introduced a version of their site running on the Tor network. To understand why anyone would need such a high level of privacy just to read the news, imagine living under a censorship-happy government; ProPublica was inspired to launch the site while working on a report about Chinese online censorship.

Why not just navigate to ProPublica’s site through Tor? Greenberg explains the danger of malicious exit nodes:

“Of course, any privacy-conscious user can achieve a very similar level of anonymity by simply visiting ProPublica’s regular site through their Tor Browser. But as Tigas points out, that approach does leave the reader open to the risk of a malicious ‘exit node,’ the computer in Tor’s network of volunteer proxies that makes the final connection to the destination site. If the anonymous user connects to a part of ProPublica that isn’t SSL-encrypted—most of the site runs SSL, but not yet every page—then the malicious relay could read what the user is viewing. Or even on SSL-encrypted pages, the exit node could simply see that the user was visiting ProPublica. When a Tor user visits ProPublica’s Tor hidden service, by contrast—and the hidden service can only be accessed when the visitor runs Tor—the traffic stays under the cloak of Tor’s anonymity all the way to ProPublica’s server.”

The article does acknowledge that Deep Dot Web has been serving up news on the Dark Web for some time now. However, some believe this move from a reputable publisher is a game changer. ProPublica developer Mike Tigas stated:

“Personally I hope other people see that there are uses for hidden services that aren’t just hosting illegal sites. Having good examples of sites like ProPublica and Securedrop using hidden services shows that these things aren’t just for criminals.”

Will law-abiding, but privacy-loving, citizens soon flood the shadowy landscape of the Dark Web?

Cynthia Murrell, March 28, 2016


A Place to Express Yourself on the Dark Web

March 7, 2016

For evidence that the dark web is not all about drugs and cybercrime, check out this article at Motherboard: “The Dark Web Now Has a Literary Journal.” As it turns out, anonymity is also good for people who wish to freely explore their creativity and private thoughts.

The new journal, the Torist, was just launched by a professor at the University of Utah, Robert W. Gehl, and a person known simply as GMH. Inspired by the free discussions on their dark-web-based social network, Galaxy, they have seized their chance to create something unexpected. The journal’s preface asks:

“If a magazine publishes itself via a Tor hidden service, what does the creative output look like? How might it contrast itself with its clearweb counterparts? Who indeed will gravitate towards a dark web literary magazine?”

So, why is one of the Torist’s creators anonymous while the other is putting himself out there? Writer Joseph Cox tells us:

Gehl, after being pitched the idea of The Torist by GMH, decided to strip away his pseudonym, and work on the project under his own name. “I thought about that for a while,” Gehl said. “I thought that because GMH is anonymous/pseudonymous, and he’s running the servers, I could be a sort of ‘clear’ liaison.”

So while Gehl used his name, and added legitimacy to the project in that way, GMH could continue to work with the freedom the anonymity awards. “I guess it’s easier to explore ideas and not worry as much how it turns out,” said GMH, who described himself as someone with a past studying the humanities, and playing with technology in his spare time.

Gehl and GMH say part of their reasoning behind the journal is to show people that anonymity and encryption can be forces for good. Privacy furthers discussion of controversial, personal, and difficult topics and, according to GMH, should be the default setting for all communications, especially online.

Submissions are currently being accepted, so go ahead and submit that poem or essay if you have something to get off your chest, anonymously. If you dare to venture into the dark web, that is.

 

Cynthia Murrell, March 7, 2016


Dark Web Crime Has Its Limits

February 12, 2016

The Dark Web is an intriguing and mysterious phenomenon, but rumors about what can be found there are exaggerated. Infomania examines what is and what is not readily available in that murky realm in, “Murder-for-Hire on the Dark Web? It Can’t Be True!”

Anonymity is the key factor in whether certain types of criminals hang out their shingles on the TOR network. Crimes that can be more easily committed without risking identification include drug trafficking, fraud, and information leaks.  On the other hand, contract assassins, torture-as-entertainment, and human trafficking are not actually to be found, despite reports to the contrary. See the article for details on each of these, and more. The article cites independent researcher Chris Monteiro as it summarizes:

The dark web is rife with cyber crime. But it’s more rampant with sensationalized myths about assassination and torture schemes — which, as Chris can attest, simply aren’t true. “What’s interesting is so much of the coverage of these scam sites is taken at face value. Like, ‘There is a website. Therefore its contents must be true.’ Even when mainstream media picks it up, very few pick it up skeptically,” he says.

Take the Assassination Market, for example. When news outlets got wind of its alleged existence in 2013, they ran with the idea of “Murder-for-hire!!” on the Internet underground. Although Chris has finally demonstrated that these sites are not real, their legend lives on in Internet folklore. “Talking about the facts — this is how cybercrime works, this is how Tor and Bitcoin work — is a lot less sexy than saying, ‘If you click on the wrong link, you’ll be kidnapped, and you’ll end up in a room where you’ll be livestreamed, murdered, and you’re all over the internet!’” Chris says. “All I can do is point out what’s proven and what isn’t.”

So, next time someone spins a scary tale about killers-for-hire who are easily found online, you can point them to this article. Yes, drug trafficking, stolen data, and other infractions are big problems associated with the Dark Web, but let us not jump at shadows.

 

Cynthia Murrell, February 12, 2016
