Download presentation
Presentation is loading. Please wait.
Published byBaldwin Hill Modified over 9 years ago
1
4/19/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
The Extras… & Get my OneDrive Link
3
The Dark Web Rises: A journey through the Looking Glass
4/19/2017 DCIM-B351 The Dark Web Rises: A journey through the Looking Glass Andy Malone © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
4
Andy Malone (United Kingdom)
4/19/2017 Microsoft MVP (Enterprise Security) Microsoft Certified Trainer (18 years) Founder: Cybercrime Security Forum! International Event Speaker Winner: Microsoft Speaker Idol 2006 Andy Malone (United Kingdom) Follow me on © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5
This Session will Discuss
What is TOR and how does it keep me anonymous? Who uses TOR & Why? Understand what the Darkweb is & Learn about it’s dangers Learn about Potential Flaws in the Technology Forensics & Law Enforcement TOR Technology & My Business
6
TOR: A Tale of Two Sides Freedom from Censorship, No Restrictions,
Private Communication, Many US UK Agencies use similar private channels The Dark Web: Drugs, Guns, Malicious Software, Pedophiles. Slavery, Black Market
7
TOR: Providing a Voice for the Oppressed
8
Why use the Onion? Freedom from Potential Oppression
Freedom from having communications monitored Used by government embassies for sending of confidential s Useful in accessing blocked Internet Sites where restrictions are enforced I.e. The UK, Saudi Arabia, China etc
9
Current TOR Clients / Projects
Tails TOR Browser TOR Atlas Stem (Development Environment) Orbot (Android) ARM (Shell) Pluggable Transports TOR Cloud
10
Variants (Other Anonymizing Technologies)
Tor (anonymity network) Garlic Routing Anonymous P2P The Amnesic Incognito Live System Degree of anonymity Chaum mixes Bitblinder Java Anonymous Proxy
11
Where it all began TOR is an Open Source Non Profit Organization running out of an YWCA in Cambridge, Massachusetts 33 Full Time Employees TOR’s hosted by 1000s of Volunteers around the world Initially Sponsored by the US Office of Naval Research Laboratory In Was supported by the Electronic Frontier Foundation
12
TOR: Key Principle “There are no conspiracies. We don’t do things we don’t want to. No backdoors ever!” Jacob Appelbaum: TOR (2013)
13
Up & Running Over 60.000 Users Daily Approx. 3500 Routers and Growing
Currently 6 Million + users Worldwide Every web page, database etc that Google can’t index is considered as the Dark Web 9x% of web pages are in the Dark Web! Media wrong when they say that the only way to access the dark web is through TOR Question: Is it all bad?
14
Who uses this Technology?
Home Users can protect themselves when online Activists can anonymously report abuses from danger zones Whistleblowers can use Tor to safely report on corruption Journalists use Tor to protect their research and sources online Military and law enforcement can protect communications, investigations, and intelligence (No IP Trace)
15
The Technology
16
What is a Onion Router? An anonymous communication technique
Messages constantly encrypted and sent through several onion routers which creates a circuit of nodes using random domain names Each OR removes a layer of encryption with its symmetric key to reveal routing instructions, and sends the message to the next router where process is repeated Thus the analogy “onion router”. Prevents these intermediary nodes from knowing the origin, destination, and contents of the message
17
Onion Routing: How it Works
18
Onion Routing: How it Works
Port 9001 Port 9090 Port 443 Alice Each OR maintains a TLS / AES connection to every other OR Users run an onion proxy (OP) to fetch directories, establish circuits across the network Each OR maintains a long & short term onion identity key (10 mins) Used to sign TLS certificates which sign the OR’s router descriptor, summary of keys, address, bandwidth ,etc Unencrypted Encrypted TOR Node Bob Jane
19
Onion Routing: How it Works
Port 9001 Port 9030 Alice Unencrypted Step 1: Alice’s TOR Client obtains a list of TOR Clients from a directory server Encrypted TOR Node Bob Dave Jane
20
Onion Routing: How it Works
Unencrypted Encrypted TOR Node Port 443 Alice Step 2: Alice’s TOR Client picks a random path to a destination server. Green links are encrypted, red links are in the clear Port 80 Bob Jane Dave
21
Onion Routing: How it Works
Unencrypted Encrypted TOR Node Port 443 Alice Step 3: If at a later time Alice connects to a different resource then a different, random route is selected. Again Green links are encrypted, red links are in the clear Bob Port 80 Jane Dave
22
Onion Routing: Peeling back the Layers
Alice builds a two-hop circuit and begins fetching a web page.
23
Onion Routing: Cells Control cells: interpreted by the nodes that receive them Relay cells: which carry end-to-end stream data. Has an additional header on front of the payload containing streamID Integrity checksum Length of payload and relay command. TLS Encrypted Header circuit identifier or circutID Instruction Payload Command Payload Data TOR Node Fixed-sized cells 512 bytes with a header and a payload
24
Onion Routing: Cell Commands
Current Relay Commands Relay data: data flowing down stream Relay begin: to open a stream Relay end: to close a stream cleanly Relay teardown: to close a broken stream Relay connected: to notify successful relay begin Relay extend/extended: to extend the circuit by a hop Relay send me: congestion control Relay drop: implements long-range dummies
25
Using the Onion Router Requires a Client
Many sites require pre- registration Ensure you have an anonymous Address .onion-URLs are used to identify hidden services Addresses 16-character alpha-semi-numeric hashes which are automatically generated based on a public key when the hidden service is configured These 16-character hashes can be made up of any letter in the alphabet, and decimal digits beginning with 2 and ending with 7, thus representing an 80-bit number in base32
26
Demo Exploring the TOR Project
27
A Journey Inside the Darknet
28
The Deep Dark Web Anonymous and unindexed area of the internet used for serious criminal activity including Copyright infringement Credit Card fraud and identity theft Rumored to contain more than 500 times the size of the traditional web Currently around ½ a Million deep web sites worldwide and approx. 20,000 sites in Russia alone Used by Military & Law Enforcement Agencies
29
The Deep Dark Web Controlled substance marketplaces
Armories selling all kinds of weapons Child pornography Unauthorized leaks of sensitive information Money laundering Copyright infringement Credit Card Fraud
30
Content Classifications
Dynamic Unlinked Private Site Contextual Varied access pages with differing ranges of client IP addresses Limited Access Limited technically (e.g. using Robots Exclusions, CAPTCHAs. Or no-cache Pragma HTTP headers, which prohibit browsing & caching Scripted Accessible through links produced by JavaScript Content dynamically downloaded via Flash or Ajax Non HTML/Text
31
Finding Content Search Engines not the best option
Wikis Provide entry points Beware of Malicious links! Use of TOR may lead to Prosecution by law enforcement agencies Law Enforcement can use BigPlanet Deep Web Intelligence tools
32
Demo Exploring the Darkweb
38
Potential Flaws in the Onion
39
Potential Flaws in the Onion!
Multi Hopping = Slower Connections Confusion between unlinkability with anonymity While using Tor leaks can occur via Flash plug-in’s & other media add-ons Darknet Heavily Monitored by Law Enforcement Agencies NSA & GCHQ Installing hundreds of OR’s in order to capture & analyze traffic Many Honeypot Sites Exist in order to catch criminals
40
Potential Flaws in the Onion!
Timing Attack Entry Monitoring Intersection Attack Ddos Attack Predecessor Attack (Replay) Exit node Sniffing
41
Timing analysis Adversary could determine whether a node is transmitting by correlating when messages are sent by a server and received by a node Tor, and any other low latency network, is vulnerable to such an attack Counter Measure: A Node can defeat this attack by sending dummy messages whenever it is not sending or receiving real messages (Not currently part of the Tor threat model)
42
Entry Node Sniffing Unencrypted Encrypted TOR Node
Criminal posts anonymous content out to Compromised Server Compromised Node Police Law Enforcement Monitor suspects client machine (Entry Point) Bob
43
Exit Node Sniffing Unencrypted Encrypted TOR Node Criminal posts anonymous content onto Server Compromised Node Police An exit node has complete access to the content being transmitted from the sender to the recipient If the message is encrypted by SSL, the exit node cannot read the information, just as any encrypted link over the regular internet Law Enforcement Monitors Target client machine (Exit Point) Infected with malicious code Target
44
Intersection Attacks Unencrypted Encrypted TOR Node
Criminal posts anonymous content out to Compromised Server Compromised Node Offline Node Network Analysis Nodes periodically fail of the network; any chain that remains functioning cannot have been routed through either the nodes that left or the nodes that recently joined the network, increasing the chances of a successful traffic analysis Police Bob
45
Predecessor attacks (Replay)
Compromised Nodes can retain session information as it occurs over multiple chain reformations Chains are periodically torn down and rebuilt If the same session is observed over the course of enough reformations The compromised node connects with the particular sender more frequently than any other node Increasing the chances of a successful traffic analysis
46
Ddos Attack DoS and Tor Tor deals with these attacks with
Tor is vulnerable to DoS attacks because users can consume more network resources than allowed or render the network unusable for other users. Tor deals with these attacks with Puzzle solving: At beginning of TLS handshake or accepting create cells, this limits the attack multiplier. Limiting rates: Limits rates of accepting of create cell and TLS connections so the computational work of processing them doesn’t disrupt the symmetric cryptography operations that allow cells to flow.
47
Fighting Internet Crime
Agency IP Address Hidden from Site owner Unencrypted Encrypted TOR Node Security Agencies TOR is a key technology in the fight against organized crime on the internet Illegal Site
48
Forensically Speaking
TOR Forensically Speaking
49
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (version , 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications: C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf C:\Windows\Prefetch\TBB-FIREFOX.EXE C5.pf C:\Windows\Prefetch\TOR-BROWSER \_EN-US.EX-1354A499.pf C:\Windows\Prefetch\TOR.EXE-D7159D93.pf C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle: C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x db C:\Windows\AppCompat\Programs\RecentFileCache.bcf
50
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows Thumbnail Cache contains the Onion Logo icon. Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle: C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon.
51
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the Windows paging file, C:\pagefile.sys, contains the filename for the Tor Browser Bundle executable
52
TOR: Forensically Speaking
A forensic analysis of the Tor Browser Bundle (64-bit) on Windows 7 showed that the registry contains the path to the Tor Browser Bundle executable HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user's settings are stored in files called NTUSER.DAT and UsrClass.dat. The path to the Tor Browser Bundle executable is listed in the following two files: C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Result: No trace of the Tor Browser Bundle in any of the NTUSER.DAT files
53
TOR: Forensically Speaking
Looks like regular HTTPS Traffic on port 443…
54
TOR: Forensically Speaking
The Truth is revealed
55
Blocking TOR Traffic Obtain list of TOR Servers
56
Blocking TOR Traffic Obtain list of TOR Servers
Then create an AI Engine rule using a Log Observed rule block to detect network traffic with an origin or destination IP address on the list
57
Blocking TOR Traffic (Automated Script)
# Gets List of the Torproject Exit Points that would access your ipaddress # # This URL gets the new list: # URL=’ YOUR IP ADDRESS HERE>‘ TORIPLIST=.toriplistGETTORLIST() { /usr/bin/wget –no-check-certificate –output-document=${TORIPLIST} ${URL} } # End of GETTORLIST BLOCKADDRESSES() { # Create a chain named TORBLOCK. /sbin/iptables -N TORBLOCK # Flush the TORBLOCK chain. /sbin/iptables -F TORBLOCK # Return to parent chain if the source is not in the TORBLOCK chain. /sbin/iptables -I TORBLOCK -j RETURN # Then do this for each address to block: # /sbin/iptables -I TORBLOCK -s IPADDRESS -j DROP # We are doing the above in the loop below: for node in `/bin/grep -v -e ^# ${TORIPLIST}` do /sbin/iptables -I TORBLOCK -s $node -j DROP done } # End of BLOCKADDRESSES GETTORLIST BLOCKADDRESSES rm -f ${TORIPLIST} Add output to IP Address tables * Additional links on slides
58
Web Browser Fingerprinting
Relatively New Concept A technique researched by Electronic Frontier Foundation, of anonymously identifying a web browser with up to 94% accuracy rates Even in Privacy Mode or with Cookies Disabled. Browsers can still be tracked Browser version, language, OS, Installed Fonts, Browser Add in’s, time zone etc
59
Web Browser Fingerprinting
Browser information Collected includes but not limited to: Browser supported items Plugin information Geographical information Device related information Operating system information This collection of information is combined into a SHA256 hash which gives you a unique fingerprint for any given web browser
60
Are you really Unique? Regular I.E 11 Browser
61
Are you really Unique? Privacy IE 11 Browser
62
Are you really Unique? Older TOR
63
Are you really Unique? Updated TOR
64
Demo Web Browser Fingerprints
65
You may want to take a look at
Other Privacy Solutions You may want to take a look at
66
Staying Anonymous: Proxy Servers
Most common method to hide your IP address Allows users to make indirect network connections to the Internet Activity goes to proxy first, which sends on for information, data, files, , etc In each case, your actual IP address is hidden. Then serves up requests by connecting directly to the source or by serving it from a cache Proxy servers (or simply "proxies") come in a few varieties.
67
Staying Anonymous: Proxy Servers
This type of proxy server identifies itself as a proxy server. It is detectable (as a proxy), but provides reasonable anonymity for most users. Distorting Proxy This type of proxy server identifies itself as a proxy server, but creates an "incorrect" originating IP address available through the "http" headers. High-Anonymity Proxy This type of proxy server does not identify itself as a proxy server and does not make available the original IP address.
68
Web Based: Proxy Servers
Simply enter the URL of a website that you wish to visit anonymously When you submit the form, the website proxy server makes a request for the page that you want to visit The proxy usually does not identify itself as a proxy server and does not pass along your IP address in the request for the page The features of these sites vary (ad blocking, JavaScript blocking, etc.), as does their price.
69
Demo Proxy Heaven
75
Safeplug: Anonymity in a Box
76
Code Talker Tunnel Previously SkypeMorph
Alice: TOR traffic disguised via OpenWRT compatible modem Bob: TOR traffic disguised via OpenWRT compatible modem Alice Bob Unencrypted Encrypted Eavesdropper: Skype Video Traffic
77
Code Talker Tunnel Previously SkypeMorph
Protocol camouflaging tool Designed to reshape traffic output of any censorship circumvention tool to look like Skype video calls Can be used as a SOCKS proxy and therefore it is extremely easy to use it with different anonymity and censorship resistance tools Hard to block and identify protocol obfuscation High-bandwidth channel Home-router-ready version supporting OpenWRT firmware's Check it out at: git://git-crysp.uwaterloo.ca/codetalkertunnel
78
TOR: Top Tips Don’t use Browser widgets Don’t Torrent Over Tor Use The Tor Browser (Most up to date) Always use HTTPS Versions of Sites Never open documents downloaded through Tor while online Use bridges and/or find company
79
Session Review What is TOR and how does it keep me anonymous?
Who uses TOR & Why? Understand what the Darkweb is & Learn about it’s dangers Learn about Potential Flaws in the Technology Forensics & Law Enforcement TOR Technology & My Business
80
The Extras… & Get my OneDrive Link
81
Come Visit Us in the Microsoft Solutions Experience!
For More Information Windows Server 2012 R2 Windows Server System Center System Center 2012 R2 Azure Pack cloud/products/windows-azure-pack Microsoft Azure Come Visit Us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management TechExpo Level 1 Hall CD
82
Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd
4/19/2017 Resources Sessions on Demand Learning Microsoft Certification & Training Resources TechNet Resources for IT Professionals msdn Resources for Developers © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
83
Complete an evaluation and enter to win!
4/19/2017 Complete an evaluation and enter to win! © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
84
Evaluate this session Scan this QR code to evaluate this session.
4/19/2017 Evaluate this session Scan this QR code to evaluate this session. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
85
4/19/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.