Thursday, 4 December 2014

Tor: The Dark World

darknet

Operation Onymous appeared to strike a big blow against the Deep Web, but as you would probably expect in such matters, not everything is what it seems.

Tor, the anonymising web protocol that underpins the so-called 'Deep Web' has been on the radar of law enforcement on both sides of the Atlantic for a good while now. However, last year's arrest of Ross Albricht, the man allegedly behind the infamous Silk Road online marketplace and known online as 'Dread Pirate Roberts', appeared to mark an escalation in efforts to bring law to its wild west nature. While other sites popped up to replace Silk Road (most notably Silk Road 2.0 - SR2 from now on), many of them seemed to have been seized in a multinational police operation a few weeks ago, apparently highlighting just how far investigative tactics have come in a year. It may not have been as successful as was first trumpeted, though.

What does it all mean for Tor going forward? Is law enforcement circumventing its efforts to create an anonymous online service, and is its aim of creating an untrackable web network just a pipe dream? If so, what does it mean not only for criminals but for the dissidents, activists, whistleblowers and journalists that have also turned to this technology in the face of increasing surveillance?


The Takedowns


The 'facts' were these... It was a cross border operation dubbed Operation Onymous, said to have involved 17 countries, with the European aspect controlled by Europol's Joint Cybercrime Action Taskforce working out of the Hague. On the 5th and 6th November, law enforcement bodies in the US and Europe took possession of various deep web marketplaces (over 400 individual URLs spanning 27 sites, according to Gizmodo: tinyurl.com/pm9lluq) that allegedly deal in everything from drugs, to stolen credit cards, guns and fake passports/lD. These sites apparently accounted for the something in the region of 40% of all such trading on the Deep Web, the most high profile of them being SR2. The attack came a year-and-change after Silk Road fell to a similar operation. 17 suspects have been arrested worldwide, with six of those being in the UK and a further two in Dublin. The UK leg of the swoop was orchestrated by the National Crime Agency and went under the name Project Protein. Worldwide, it's said that Bitcoins totalling around $1 million, drugs, weapons, forged documents as well as cash and precious metals have also been seized. The big name among all those arrests was a San Franciscan named Blake Benthall, who was identified by the FBI as 'Defcon', one of the main players behind SR2.

The Fallout

So how did this come about, then? Well, it would seem that from the start of the SR2 project, police had an inside man working as an admin, and that rather than finding some sort of vulnerability in the Tor network itself (though efforts to do that are probably ongoing) the weakness came from sites that "failed to use adequate operational security", as a blog post by Tor Executive director Alan Lewman pointed out. However, through the same blog, which you can read at tinyurl.com/qazupdw, he does go on to outline several methods by which Tor sites could be compromised technically. These include SQL injections, a common hacking technique that can exploit weaknesses in badly coded sites; Bitcoin Deanonymisation, exploiting a flaw with the cryptocurrency recently outlined in a project you can read about at tinyurl.com/q5vu3rc; or attacks on the network itself, such as a recent attack suspected to have been instigated by researchers at Carnegie Mellon University in the US (tinyurl.com/lsjba2b) but later patched by Tor. At least for now, though, Lewman's assessment of what allowed police to bring down so many sites is "we still don't know", which taken in isolation should send a shiver down the back of anyone relying on the Deep Web.

Reality Bites


However, now the dust has settled, analysis of what actually went on and what was taken down seems to reinforce Lewman's initial assessment that it was human error that revealed the location of these Deep Web sites' servers and thus allowed the authorities to trace those involved. Australian blogger and Infosec consulant Nik Cubrilovic also recently posted that he believed that the police significantly exaggerated the success of Operation Onymous (www. nikcub.com/posts/onymous-part1), considering that the number of sites seized had been quietly amended down following the initial reports. From an intial 414, it was then changed to "upwards of 50", and then just 27.

The reason for this is that some of the seizures are in fact clones of the originals, designed as phishing scams to trick users into giving up logins and Bitcoin details. In fact, Cubrilovic's blog goes so far as to outline one case where a jihadi site's clone was pulled down while the original remained. His conclusion is that this rather "slapshot" nature of the sites targeted (and we'd suggest, the relatively small number of arrest compared to sites seized) suggests that police achieved what they did by taking action against a particular host (probably the one hosting SR2, information on which was given to them by the inside source) rather than exploiting a Tor weakness.

Other reports suggest that at least three of the biggest SR2-style marketplaces still remain active after the attack - and offer a much broader and violent range of things on sale, including weapons and those willing to use them on your behalf. It all serves to paint a picture, not only of a thriving marketplace that the police have no way of infiltrating, but of Onymous essentially being a case of the police getting lucky (or, more likely, its operators sloppy - apparently Blake Benthall was registered as owner of the SR2 server under his personal email address, for example) and choosing to try to make some good PR out of the bust, assuming people will see the headlines and not the creeping truth emerging on tech blogs later down the line.

What Next For The Deep Web?


There is little doubt that while services like SR2 continue to operate using its protocols, Tor is going to come under increasing pressure over the next few years. Whether or not the system remains robust enough to withstand such pressure - at least to the extent that it retains credibility among its user base - will be decided by people much cleverer than us, and there are forces massing on both sides of the fence. It's likely to be an ongoing war that will run and run.

What Silk Road and its ilk are doing, ultimately, is giving authorities around the world a stick to beat Tor with. It's hard to debate that there's little public benefit to shutting such services down: crime is crime. However, be under no illusion that drug dealing and the like is the only reason that governments would like to see Tor discredited and potential users walk away under the influence of the kind of inflated headlines Onymous elicited from the mainstream press. While there are many nefarious goings-on happening across such networks, the idea of an anonymous web that can't be controlled is frightening for many regimes, not least the UK and America it would seem.

Exactly how secure Tor is to monitoring from nationstate level incursions is pretty much guesswork at this point, really. However, at least on the surface, it would appear that the kind of heavy duty statistical analysis and resource-intensive techniques that appear the most effective methods of revealing the locations of Tor users are the kind of things that such organisations would potentially excel at. For law enforcement, the kind of information that intelligence organisations could come across on their fishing trips into the Deep Web would appear to be featuring on their menu of resources more and more (see boxout), which simultaneously means that more and more interesting stories about exactly how such evidence was come across will start to feature too.

For organisations such as the Silk Road and SR2, the inside man is always going to be this big risk, though - as it has always been for criminal organisations. The nature of the Deep Web may well mean that multiple markets will pop up again to fill the void, and those sites will take increasingly advanced steps to obfuscate their location and participants, but they will always be team efforts, and they will be emerging into an ever brighter spotlight. If such sites are compromised from day one, eventually they will all fall to the same fate.