OnionScan Checks for Falsely Advertised Anonymous Sites on Dark Web

July 6, 2016

Dark Web sites are not exempt from false advertising about their anonymity. A recently published article from Vice’s Motherboard, “A Tool to Check If Your Dark Web Site Is Really Anonymous,” describes a program called OnionScan, which identifies issues on sites that may unmask servers or reveal their owners. One example is metadata, such as photo location information, hidden in images on the site. Sarah Jamie Lewis, an independent security researcher who developed OnionScan, told Motherboard:

The first version of OnionScan will be released this weekend, Lewis said. “While doing some research earlier this year I kept coming across the same issues in hidden services—exposed Apache status pages, images not stripped of exif data, pages revealing information about the tools used to build it with, etc. The goal is [to] provide an easy way of testing these things to drive up the security bar,” Lewis added. It works “pretty much the same as any web security scanner, just tailored for deanonymization vectors,” she continued.

It is interesting that it appears this tool has been designed to protect users from the mistakes made by website administrators who do not set up their sites properly. We suppose it’s only a matter of time before we start seeing researchers publish the number of truly secure and anonymous Dark Web sites versus those with outstanding issues.
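A site operator can test for the image-metadata issue Lewis mentions before publishing a file. The following Python is an added example, not OnionScan's code and not part of the original post: it reports whether a JPEG still carries an Exif segment and a GPS directory pointer, and removes the segment. The function names and the sample file are constructed for illustration.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def jpeg_segments(data):  # yields (marker, start, end) for header segments
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:  # SOS: compressed image data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or corrupt segment")
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def is_exif(data, marker, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_MAGIC

def has_gps_ifd(tiff):  # True if IFD0 of the Exif TIFF block has a GPS pointer
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]
    return any(struct.unpack(order + "H", entries[i:i + 2])[0] == GPS_IFD_TAG
               for i in range(0, len(entries) - 11, 12))

def audit_jpeg(data):  # does the file still carry Exif, and a GPS directory?
    report = {"exif": False, "gps": False}
    for marker, start, end in jpeg_segments(data):
        if is_exif(data, marker, start):
            report["exif"] = True
            report["gps"] |= has_gps_ifd(data[start + 10:end])
    return report

def strip_exif(data):  # returns the JPEG with every Exif APP1 segment removed
    out, keep_from = bytearray(), 0
    for marker, start, end in jpeg_segments(data):
        if is_exif(data, marker, start):
            out += data[keep_from:start]
            keep_from = end
    return bytes(out) + data[keep_from:]

def sample_jpeg():  # constructed file: SOI, Exif APP1 with GPS pointer, SOS, EOI
    tiff = b"MM" + struct.pack(">HI", 42, 8)  # big-endian TIFF header
    # IFD0 with one entry (GPS pointer to offset 26), then an empty GPS IFD
    tiff += struct.pack(">HHHIIIHI", 1, GPS_IFD_TAG, 4, 1, 26, 0, 0, 0)
    body = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Only the Exif APP1 segment is handled here; other containers such as XMP or PNG text chunks need their own checks.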

 

 

Megan Feil, July 6, 2016

Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

 

Wait, the Dark Web Is Legal?

July 5, 2016

For research purposes, I surf the Dark Web on a regular basis.  It is like skulking around the back alleys of a major city and witnessing all types of crime, but keeping to yourself.  I have seen a few Web sites that could be deemed as legal, but most of the content I peruse is illegal: child pornography, selling prescription drugs, and even a hitman service.  I have begun to think that everything on the Dark Web is illegal, except Help Net Security tells me that “Dark Web Mapping Reveals That Half Of The Content Is Legal.”

The Centre for International Governance Innovation (CIGI) conducted a global survey and discovered that seven in ten (71%) of those surveyed believe the Dark Web needs to be shut down.  There is speculation about whether the participants even had the right definition of what the Dark Web is, or might have confused the terms “Dark Web” and “Dark Net”.

Darksum, however, mapped the Tor end of the Dark Web and discovered some interesting facts:

  • “Of the 29,532 .onion identified during the sampling period – two weeks in February 2016 – only 46% percent could actually be accessed. The rest were likely short-lived C&C servers used to manage malware, chat clients, or file-sharing applications.
  • Of those that have been accessed and analyzed with the companies’ “machine-learning” classification method, less than half (48%) can be classified as illegal under UK and US law. A separate manual classification of 1,000 sites found about 68% of the content to be illegal under those same laws.”

Darksum’s goal is to clear up misconceptions about the Dark Web and to better understand what is actually on the hidden sector of the Internet.  The biggest hope is to demonstrate the Dark Web’s benefits.

 

Whitney Grace,  July 5, 2016

DuckDuckGo Sees Apparent Exponential Growth

July 1, 2016

The Tor-enabled search engine DuckDuckGo has received attention recently for being a search engine that does not track users. We found their activity report, which shows a one-year average of their direct queries per day. DuckDuckGo launched in 2008 and offers an array of options to prevent “search leakage”. Their website defines this term as the sharing of personal information, such as the search terms queried. Explaining a few of DuckDuckGo’s more secure search options, their website states:

“Another way to prevent search leakage is by using something called a POST request, which has the effect of not showing your search in your browser, and, as a consequence, does not send it to other sites. You can turn on POST requests on our settings page, but it has its own issues. POST requests usually break browser back buttons, and they make it impossible for you to easily share your search by copying and pasting it out of your Web browser’s address bar.

Finally, if you want to prevent sites from knowing you visited them at all, you can use a proxy like Tor. DuckDuckGo actually operates a Tor exit enclave, which means you can get end to end anonymous and encrypted searching using Tor & DDG together.”

Cybersecurity and privacy have become hot topics since Edward Snowden made headlines in 2013, which is notably when DuckDuckGo’s exponential growth begins to take shape. Recognition of Tor also became more mainstream around that time, 2013, which is when the Silk Road shutdown occurred, placing the Dark Web in the news. It appears that starting a search engine focused on anonymity in 2008 was not such a bad idea.

 

Megan Feil, July 1, 2016


Dark Web Hacking Site Changes Hands

June 29, 2016

Navigating the Dark Web can be a hassle, because many of the Web sites are shut down before you have the chance to learn what nefarious content, services, or goods are available.  Some of these sites go down on their own, but law enforcement has had a part in dismantling them as well.  Some Dark Web sites are too big and encrypted to be taken down, and sometimes they change hands, such as Silk Road and now Hell.  Motherboard explains that “Dark Web Hacking Forum ‘Hell’ Appears To Have New Owners.”

The Real Deal, a computer exploit market, claimed to take ownership of Hell, the hacking forum known for spreading large data dumps and stolen data.  Real Deal said of their acquisition:

“ ‘We will be removing the invite-only system for at least a week, and leave the “vetting” forum for new users,’ one of The Real Deal admins, who also used the handle The Real Deal, told Motherboard in an encrypted chat.  ‘It’s always nice to have a professional community that meets our market’s original niche, hopefully it will bring some more talent both to the market and to the forums,’ the admin continued. ‘And it’s no secret that we as admins would enjoy the benefit of ‘first dibs’ on buying fresh data, resources, tools, etc.’”

The only part of Hell that has new administrators is the forum, because the old head had personal reasons that required more attention.  Hell is one of the “steadier” Dark Web sites and it played a role in the Adult FriendFinder hack, was the trading place for Mate1 passwords, and hosted breaches from a car breathalyzer maker.

Standard news for the Dark Web, until the next shutdown and relaunch.

 

Whitney Grace, June 29, 2016

The Paradox of Marketing and Anonymity

June 22, 2016

While Dark Web users understand the perks of anonymity, especially for those involved with illicit activity, consistency in maintaining that anonymity appears to be challenging. Geek.com published an article that showcases how one drug dealer revealed his identity while trying to promote his brand: “Drug dealer busted after trying to trademark his dark web username.” David Ryan Burchard of Merced, California reportedly made $1.25 million by selling marijuana and cocaine on the Dark Web before he trademarked the username he used to sell drugs, “caliconnect”. The article summarizes,

“He started out on Silk Road and moved on to other shady marketplaces in the wake of its highly-publicized shutdown. Burchard wound up on Homeland Security’s list of top sellers, though they were having trouble establishing a rock-solid connection between him and his online persona. They knew that Burchard was accumulating a large Bitcoin stash and that there didn’t appear to be a legitimate source. Then, finally, investigators got the break they were looking for. It seems that Burchard decided that his personal brand was worth protecting, and he filed paperwork to trademark “caliconnect.””

Whether this points to the proclivity of human nature to self-promote or the egoism of one person in a specific situation, it seems that all covering the story are drawing attention to this foiling move as a preventable mistake on Burchard’s part. Look no farther than the title of a recent Motherboard article: Pro-Tip: If You’re a Suspected Dark Web Drug Dealer, Don’t Trademark Your #Brand. The nature of promotions and marketing on the Dark Web will be an interesting area to see unfold.

 

Megan Feil, June 22, 2016


Public Opinion of Dark Web May Match Media Coverage

June 17, 2016

A new survey about the Dark Web was released recently. Wired published an article centered around the research, called Dark Web’s Got a Bad Rep: 7 in 10 People Want It Shut Down, Study Shows. Canada’s Center for International Governance Innovation surveyed 24,000 people in 24 countries about their opinion of the Dark Web. The majority of respondents, 71 percent across all countries and 72 percent of Americans, said they believed the “dark net” should be shut down. The article states,

“CIGI’s Jardine argues that recent media coverage, focusing on law enforcement takedowns of child porn sites and bitcoin drug markets like the Silk Road, haven’t improved public perception of the dark web. But he also points out that an immediate aversion to crimes like child abuse overrides mentions of how the dark web’s anonymity also has human rights applications. ‘There’s a knee-jerk reaction. You hear things about crime and its being used for that purpose, and you say, ‘let’s get rid of it,’’ Jardine says.”

We certainly can attest to the media coverage zoning in on the criminal connections with the Dark Web. We cast a wide net tracking what has been published in regards to the darknet, but many stories, especially those in mainstream sources, emphasize cybercrime. Don’t journalists have something to gain from also publishing features revealing the aspects of the Dark Web that benefit investigation and circumvent censorship?

 

Megan Feil, June 17, 2016


Dark Web Drug Sales Go on Despite One Marketplace Down

June 16, 2016

Another Dark Web drug marketplace has gone offline, at least for now. Vice’s Motherboard published an article that reports on this incident and offers insight into its larger implications in their piece, Dark Web Market Disappears, Users Migrate in Panic, Circle of Life Continues. Nucleus market mostly sold illegal drugs such as cocaine and cannabis. Now, the site is unresponsive and has made no announcements regarding downtime or a return. The article hypothesizes about why Nucleus is down,

“At the moment, it’s not totally clear why Nucleus’s website is unresponsive. It could be an exit scam—a scam where site administrators stop allowing users to withdraw their funds and then disappear with the stockpile of bitcoins. This is what happened with Evolution, one of the most successful marketplaces, in March 2015. Other examples include Sheep Marketplace, from 2013, and more recently BlackBank Market. Perhaps the site was hacked by a third party. Indeed, Nucleus claimed to be the target of a financially motivated attack last year. Or maybe the administrators were arrested, or the site is just suffering some downtime.”

The Dark Web poses an interesting case study around the concept of a business lifecycle. As the article suggests, this graph reveals the brief, and staggered, lifetimes of dark web marketplaces. Users know they will be able to find their favorite vendors selling through other channels. It appears the show, and the sales, must go on.

 
Megan Feil, June 16, 2016


Banks as New Dark Web Educators

June 15, 2016

The Dark Web and deep web can often get misidentified and confused by readers. To take a step back, Trans Union’s blog offers a brief read called, The Dark Web & Your Data: Facts to Know, that helpfully addresses some basic information on these topics. First, a definition of the Dark Web: sites accessible only when a physical computer’s unique IP address is hidden on multiple levels. Specific software is needed to access the Dark Web because that software is needed to encrypt the machine’s IP address. The article continues,

“Certain software programs allow the IP address to be hidden, which provides anonymity as to where, or by whom, the site is hosted. The anonymous nature of the dark web makes it a haven for online criminals selling illegal products and services, as well as a marketplace for stolen data. The dark web is often confused with the “deep web,” the latter of which makes up about 90 percent of the Internet. The deep web consists of sites not reachable by standard search engines, including encrypted networks or password-protected sites like email accounts. The dark web also exists within this space and accounts for approximately less than 1 percent of web content.”

For those not reading news about the Dark Web every day, this seems like a fine piece to help brush up on cybersecurity concerns relevant at the individual user level. Trans Union is on the pulse in educating their clients as banks are an evergreen target for cybercrime and security breaches. It seems the message from this posting to clients can be interpreted as one of the “good luck” variety.

 

Megan Feil, June 15, 2016


The Job Duties of a Security Analyst

June 15, 2016

The Dark Web is a mysterious void that the average user will never venture into, much less understand beyond the nefarious reputation the media crafts for it.  For certain individuals, however, not only do they make a livelihood by surfing the Dark Web, but they also monitor potential threats to our personal safety.  The New York Times had the luck to interview one Dark Web security analyst and shared some insights into her job with the article, “Scouring The Dark Web To Keep Tabs On Terrorists.”

Flashpoint security analyst Alex Kassirer was interviewed and she described that she spent her days tracking jihadists, terrorist group propaganda, and specific individuals.  Kassirer said that terrorists are engaging more in cybercrimes and hacking in lieu of, or in addition to, their usual physical aggressions.  Her educational background is very impressive with a bachelor’s from George Washington University with a focus on conflict and security, a minor in religious studies, and she also learned some Arabic.  She earned her master’s in global affairs at New York University and interned at Interpol, the Afghan Embassy, and Flashpoint.

She handles a lot of information, but she provides:

“I supply information about threats as they develop, new tactics terrorists are planning and targets they’re discussing. We’ve also uncovered people’s personal information that terrorists may have stolen. If I believe that the information might mean that someone is in physical danger, we notify the client. If the information points to financial fraud, I work with the cybercrime unit here.”

While Kassirer does experience anxiety over the information she collects, she knows that she is equipped with the tools and works with a team of people who are capable of disrupting terroristic plots.

 

Whitney Grace, June 15, 2016

Ransomware as a Service Deals in Bitcoins of Course

June 14, 2016

Countless “as-a-service” models exist online. A piece from SCMagazine, “Dark web forums found offering Cerber ‘ransomware as a service’,” reveals more information about one such service called ransomware-as-a-service (RaaS), which we’ve heard about now for quite some time. Ransomware is malware that encrypts the user’s files, which remain inaccessible until the victim pays for a key. Apparently, an Eastern European ransomware, Cerber, has been offering RaaS on Russian Dark Web forums. According to the cyber intelligence firm Sensecy, this ransomware was set up to include “blacklisted” countries so the malware does not execute on computers in certain locations. The article shares,

“Malwarebytes Labs senior security researcher Jerome Segura said the blacklisted geographies – most of which are Eastern European countries – provide “an indication of where the malware originated.” However, he said Malwarebytes Labs has not seen an indication that the ransomware is connected to the famed APT28 group, which is widely believed to be tied to the Russian government. The recent attacks demonstrate a proliferation of ransomware attacks targeting institutions in the U.S. and Western nations, as recent reports have warned. Last week, the Institute for Critical Infrastructure Technology (ICIT) released a study that predicted previously exploited vulnerabilities will soon be utilized to extract ransom.”

Another interesting bit of information to note from this piece is the going ransom is one bitcoin. Segura mentions the value ransomers ask for may be changing as he has seen some cases where the ransomer works to identify whether the user may be able to pay more. Regardless of the location of a RaaS provider, these technological feats are nothing new. The interesting piece is the supposedly untraceable ransom medium supplanting cash.

 

Megan Feil, June 14, 2016

