When the administrator of Silk Road 2.0 was busted last week, the agent who penned his indictment was tight-lipped about how, exactly, the FBI got its hands on the supposedly hidden server the dark net market was using. The document says only that the Bureau “identified the server located in a foreign country” and that law enforcement in that country imaged it on or about 30 May 2014:
In or about May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time (the “Silk Road 2.0 Server”). On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it. Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, I know that once the Silk Road 2.0 server was taken offline for imaging, the Silk Road 2.0 website went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website.
That’s it. That’s all that law enforcement was willing to share about how it managed to slice through the layers of Tor, the anonymity network that masks users’ identity by routing their traffic through a chain of volunteer-run relays around the world, peeling off one layer of encryption at each hop so that no single relay sees both who is talking and whom they are talking to.
Now, the keepers of Tor – the nonprofit group The Tor Project – are trying to puzzle out how identities were laid bare in the far-flung, multi-nation bust, dubbed Operation Onymous, that snared 410+ supposedly hidden services running 27 markets, including Silk Road 2.0.
The Tor user base doesn’t just include bad guys – the drug lords, drug buyers, illicit arms traffickers, money launderers and child-abuse image swappers.
It also includes activists and others for whom it’s crucial to protect privacy so as to ensure safety from persecution, be it from oppressive regimes or dangerous stalkers.
The Tor Project doesn’t know how the anonymizing service was foiled, but on Sunday it shared what it does have that might be relevant.
As Tor Project executive director Andrew Lewman wrote, in the previous few days the project had received reports that several Tor relays had been seized by government officials (the project doesn’t know how or why). Specifically, three Torservers.net systems used to run Tor exit nodes had blinked out of existence. One caveat: traffic to a hidden service never leaves Tor through an exit node, so seized exit relays on their own would not explain how the servers were located.
As for the “how” of the onion slicing, there are a few possible avenues of inquiry.
The first lays the blame on the unmasked operators themselves, for inadequate operational security.
This is “the first and most obvious explanation”, Lewman writes:
The project has received reports about websites being infiltrated by undercover agents, while [Benthall's indictment] states various operational security errors.
Other possibilities Lewman suggested:
- SQL injection. Lewman notes that many of the sites taken down in Operation Onymous were likely “quickly-coded e-shops with a big attack surface” that could well have been vulnerable to SQL injection, which lets an attacker read or alter the site’s database and, depending on how the database is configured, reach the underlying host and learn its real address.
- Bitcoin de-anonymization. Recent research from the University of Luxembourg (the paper is hosted on Cornell’s arXiv server) describes a way to link Bitcoin users’ pseudonyms to the IP addresses from which their transactions originate, even when they use Tor: by abusing Bitcoin’s built-in anti-DoS protection, an attacker can get Bitcoin peers to ban Tor exit nodes, forcing clients off Tor and onto connections the attacker controls or can observe.
- Attacks on the Tor network. Given the number of takedowns and the seizure of Tor relays, the network itself may have been attacked to reveal the location of the hidden services. Lewman lists a number of attacks on Tor discovered over the past few years, any of which could have de-anonymized previously hidden services.
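To make the SQL injection point concrete, here is an added example (written for this page, not code from the article, from Lewman, or from any real market) of the kind of hastily coded shop Lewman describes, beside the parameterized fix. The table names, column names, function names and sample rows are all constructed for illustration; only the Python standard library is used, so it runs offline.

```python
"""Added example: SQL injection in a "quickly-coded e-shop", and the fix.

Not code from the article or from any real site. The schema, the sample
rows and the function names are constructed for illustration.
"""
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory shop database: a vendor table and a product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (name TEXT, password TEXT, contact TEXT)")
    conn.execute("CREATE TABLE products (name TEXT, price_btc REAL)")
    # Plaintext password storage is itself a flaw; kept simple to focus on injection.
    conn.execute(
        "INSERT INTO vendors VALUES ('vendor1', 'hunter2', 'ops@example.onion')")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", 0.01), ("gadget", 0.02)])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str,
                     password: str) -> Optional[str]:
    """Builds the statement by string formatting, so user text becomes SQL.

    A name of  vendor1' --  turns the rest of the WHERE clause into a
    comment and logs in without knowing the password.
    """
    query = (f"SELECT name FROM vendors WHERE name = '{name}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str,
               password: str) -> Optional[str]:
    """Parameterised statement: values travel separately from the SQL text,
    so a quote or comment marker in the input is just data."""
    row = conn.execute(
        "SELECT name FROM vendors WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Product search with the same flaw. A UNION payload reads any other
    table, e.g.  x%' UNION SELECT contact FROM vendors --  returns the
    vendors' contact data, the kind of server-side detail that can point
    back at an operator."""
    query = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [r[0] for r in conn.execute(query)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Parameterised search. The wildcards are added to the bound value,
    not to the SQL text; '%' or '_' typed by the user still act as LIKE
    wildcards, which is a nuisance but cannot change the statement."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    payload = "vendor1' --"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "wrong"))
    print("safe login with payload:      ", login_safe(db, payload, "wrong"))
    dump = "x%' UNION SELECT contact FROM vendors --"
    print("vulnerable search dumps:", search_vulnerable(db, dump))
    print("safe search returns:    ", search_safe(db, dump))
```

The fix is the same in every language and database driver: never concatenate untrusted input into SQL text, bind it as a parameter instead. Parameterization does not by itself protect against the other things a hurried shop tends to get wrong (plaintext passwords, verbose error pages, running the database as an administrative user), so it is a necessary check rather than a sufficient one.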
In fact, a Black Hat 2014 talk by two Carnegie Mellon researchers about how easy they had found it to break Tor was pulled from the conference.
The researchers claimed that it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and promised to discuss examples of their own work identifying “suspected child pornographers and drug dealers.”
From the original description, before Carnegie Mellon’s lawyers had the talk yanked from the lineup:
There is nothing to prevent you from using your resources to de-anonymize the network's users ... by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so.
Looking for the IP address of a Tor user? No problem. Trying to uncover the location of a hidden service? Done. We know because we tested it, in the wild...
At the time, The Tor Project confirmed that somebody had indeed been picking the network apart: in July 2014 it found and removed a group of relays that had been running a traffic confirmation attack since late January, and said the attack may have unmasked those who run or visit Tor hidden services.
In the meantime, Lewman is asking relay operators to get in touch if their server was recently compromised or they have lost control of it.
The following is just uninformed speculation, but I imagine if you were able to obtain a list of sites accessed from a Tor exit node, the sites with the largest amount of traffic would either contain illegal content, or information that repressive countries don’t want their citizens knowing about. You wouldn’t have to know who is accessing those servers (which is what Tor protects) in order to take them down.
LOL.
Online criminal community in a spin.
They can have some fun trying to work it out.
Last I heard they were pinning their hopes on ‘disclosure’ at trial.
(At a trial, in many countries, the prosecution has to disclose all the facts behind how they got their evidence or else they may not be allowed to present that evidence in court).
Of course, if the defendant pleads guilty as part of a deal, it may not come to a trial. Or if the prosecution choose not to use certain evidence, then they don’t have to explain how they obtained it. Or they may say they got a tip-off from a foreign intelligence agency, they don’t know how that agency got the name/address, but this is what we found on his computer when we did the raid/search, etc. etc.
Man, you just can’t catch a break when you are just trying to sell a few guns, drugs or child rape videos.
omg, need vpn now
Six times in this article, Ms. Vaas misspells the name of the Tor Project’s Executive Director, Andrew Lewman, whose name should be familiar to any reporter covering this beat.
For the record, it’s “Lewman,” not “Lawman.”
OK, I fixed it. Thanks for letting us know. Let’s all stand down from Red Alert now, eh?
(I am sure you can imagine how that particular lapsus calami might have occurred…law, law enforcement, lawman. At least the error was consistent. I reckon “six times wrong” is a better result than, say, four or three times wrong, wouldn’t you say?)
missed one….
Where? I can’t find it…but maybe I am having a wood-for-trees moment.
TOR isn’t the problem – it’s the people that use TOR. It’s gotten a bad reputation because of the anonymity associated with it. No-one likes dragnet surveillance and government snooping but at the same time no-one likes child molesters / drug traffickers / human traffickers / weapon dealers. Ironically, because of TOR’s reputation, it has attracted more scrutiny than you would have attracted just using normal internet access. I’m not really surprised that they have found a way to break it. If anything TOR is its own worst enemy.
If TOR operated by purely accessing sites that could be accessed in any normal browser then it would go a long way to cleaning up its image. The only reason these sites are hidden to the rest of the internet is because they engage in criminal activity.
That said, there is a real demand for anonymity and encrypted communication between tablets / phones and internet access. Firesheep is a real world example of how people abuse the system and harm those that are unaware of using public wifi without proper security. TOR will help in these situations and it is perfectly legitimate to do so.
It’s for these reasons that I tend to opt for a half way house by using DNSCrypt which prevents dragnet surveillance (or makes it more difficult) by stopping automated website monitoring, but I do not encrypt the traffic unless the site is using TLS. That way anyone can see the communications are lawful but it has to be a person rather than an automated machine. At the end of the day we have no idea how the information that is gathered today will be used in the future, and it could be against us. The “It’s just metadata” argument just doesn’t stand up in the real world with the right to privacy. An easy example of this is your political views online today could prevent your job prospects in the future, and we shouldn’t fear our rights to free speech.
In terms of cracking it, I would take a guess that they are not targeting the exit nodes, but rather making an assumption that it doesn’t matter how you get from A to B but whether B is running services that respond to TOR services. In other words start at IP address 0.0.0.0 and go through to 255.255.255.255 and check to see if any of the ports respond to TOR services. TOR websites still have to have a physical internet presence. If the scanning was randomised sufficiently then eventually you would build up a map of likely TOR candidates. In turn you could use many of the “undocumented features” to exploit security and gain access.
As for VPNs – what makes you think that you are any less likely to be spied on by sending all your data to a relatively unknown company rather than your own ISP? The only advantage of a VPN is to encrypt traffic while you are using public wifi to prevent the script kiddies from hacking you.
If I were developing TOR I would seriously consider cleaning up my act by removing the ability to create hidden websites and consider concentrating on free speech, which I am sure no-one would deny is a good thing (unless you are running an oppressive regime / pseudo democracy).