Leaky Web Pages a Call To Criminals
February 6, 2016
The Dark Web relies on the Tor network’s layered encryption to hide both the addresses of hidden services and the origin of the traffic that reaches them. As we learned in “Basic Error Can Reveal Hidden Dark Web Sites”, however, not all hidden services are actually hidden. Apache, the most widely used Web server software, ships a module, mod_status, that could make it easy for criminals to watch what Dark Web users are doing. Alec Muffett, an engineer at Facebook, points out that Apache’s out-of-the-box configuration, which is meant to restrict the server-status page to the local machine, can inadvertently let outsiders follow users as they meander through the Deep Web.
In 2012, “Popular Web Sites Were Leaking System Status Information, Private Data and Passwords” confirmed what many had long suspected. Then, in 2015, a researcher discovered that a Dark Web search engine’s exposed status page showed what people were searching for. This raises the question:
What if a malicious actor had found that page instead of Muffett? They could have used it to assemble a trove of search data and, as we learned from the 2006 AOL search data leak, that can be enough Big Data to start unmasking people. And it gets worse. Exposed server-status pages are a threat to users, but under some circumstances they can completely unravel the protection that Tor provides to hidden websites: the page lists every request in flight together with its virtual host and client address, so a hidden service that shares an Apache instance with a clearnet site can reveal that site’s hostname, and with it the machine behind the .onion address.
In a perfect world, only localhost would have access to the mod_status page, and that is exactly what Apache’s default “Require local” rule enforces. But the Tor daemon also runs on localhost: it accepts the hidden-service connection and forwards it to Apache from 127.0.0.1, so every visitor to the .onion address looks like a local user. All an attacker has to do is request /server-status through the hidden service, and anyone can see what people are looking at in the Deep Web.
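The two Apache configuration fragments below are added here as an illustration; they are not taken from Muffett’s write-up or from the Apache project. The first is the weak out-of-the-box pattern, the second a hardened replacement. The port number (8080), the .onion name, the DocumentRoot and the admin address 10.0.0.5 are assumed placeholders, and the torrc line in the comments is assumed as well.

```apache
# ---- Weak: the pattern shipped in the default status.conf ----
# "Require local" admits loopback (127.0.0.1, ::1) and the server's own
# address.  Tor hands every hidden-service connection to Apache from
# 127.0.0.1, so an anonymous visitor to http://<onion>/server-status
# passes this check and sees the scoreboard, requests and client IPs.
<IfModule mod_status.c>
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
</IfModule>

# ---- Hardened: replace the block above with the following ----
# 1. Give the hidden service its own listener and VirtualHost, separate
#    from any clearnet site on the box.  Assumed torrc line:
#        HiddenServicePort 80 127.0.0.1:8080
Listen 127.0.0.1:8080

<VirtualHost 127.0.0.1:8080>
    # Placeholder onion name.  Using it as ServerName keeps the clearnet
    # hostname out of anything Apache prints about this vhost.
    ServerName exampleonionaddress.onion
    DocumentRoot /var/www/onion

    # 2. Deny the status and info handlers on this vhost explicitly.
    #    A server-level <Location> applies to every VirtualHost, and with
    #    the default AuthMerging Off the Require directives here replace
    #    the server-level ones for the same path.
    <Location "/server-status">
        Require all denied
    </Location>
    <Location "/server-info">
        Require all denied
    </Location>
</VirtualHost>

# 3. Server-wide: allow the status page only from an address Tor never
#    uses (placeholder admin host), not from loopback.  Tor-forwarded
#    requests arrive from 127.0.0.1 and are refused.  If nobody reads
#    the page at all, disable the module instead (a2dismod status).
<IfModule mod_status.c>
    ExtendedStatus Off
    <Location "/server-status">
        SetHandler server-status
        Require ip 10.0.0.5
    </Location>
</IfModule>
```

After reloading Apache, check the fix from the Tor side rather than from the server: fetch http://<onion>/server-status through the Tor SOCKS proxy (for example with torsocks and curl) and confirm a 403, then fetch it from the admin address and confirm the page still loads. Keep ExtendedStatus off unless the per-request columns are actually needed; it is those columns (client, vhost, request) that do the most damage when the page leaks.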
Locard’s Exchange Principle tells us that criminals not only bring something of themselves to a crime scene; they leave something behind, too. These clues, no matter how small, may help analysts and investigators shine a light on Dark Web criminals.
Martin A. Matisoff, MSc, February 6, 2016.
Sponsored by ArnoldIT.com, publishers of the CyberSINT monograph.