Analytics
9/16/2015
08:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Darknet Is Full Of Criminals & Governments Giving TOR A Bad Name

Human traffickers, crowd-sourcing murderers, child pornographers, and governments in the market for juicy zero-days are flooding the Dark Web -- making it hard for the good guys to defend it.

It can take 30 seconds to load just one webpage on the Darknet. There are only between 200,000 and 400,000 sites in it, but good luck finding the one you want when the only things that remotely resemble search engines are full of phony or out-of-date links. Who would use something so frustrating?

Researchers at Bat Blue Networks today released a report outlining the main actors and activities on the Darknet (or Dark Web) -- a subset of the Internet where the sites are unindexed and accessible only through the onion router (TOR) network.

First and foremost, they found a wide assortment of criminal marketplaces -- for human trafficking, child pornography, and murder.

Babak Pasdar, ethical hacker and CEO of Bat Blue, says that one of the most surprising findings in the research is "how innovative folks have gotten in gamifying certain acts, such as murder." He describes how some sites offer prizes for proof of kills.

From the report: "The Darknet is also a platform for new and innovative ways to commit crime. Empowered by the Darknet’s global reach and emboldened by the anonymity it offers, gamification and crowdfunding of crimes like murder and human trafficking represent an increasingly grim aspect of the Darknet."

As Gillian Ibach, Bat Blue lead cyber intelligence analyst explains, there is no honor among thieves. The lawlessness of the Darknet is so pervasive, that the criminals are scamming each other. She points to the example of human trafficking site Black Death requiring buyers to submit Bitcoin deposits in order to bid on "Nicole" -- an 18-year-old American girl whom the Bat Blue researchers believe didn't actually exist. The report cites other examples of sites that shut down suddenly, and made off with all the Bitcoins left in their customers' escrow accounts. 

In addition to the traditional crimes, of course, there were marketplaces for cybercrime -- and government agencies were among the buyers.

"What's most surprising is how engaged and involved governments are in supporting and growing the Darknet," says Pasdar. As he explains, although the FBI and other government agencies are often shutting these sites down, they're also keen to be a part of the marketplace where some of the juiciest zero-day exploits will be bought and sold. "They want to be first to have dibs on it."

Of course, the Darknet is not just a place where illicit goods are bought and sold.

"It's also a platform for people who are desperate," says Pasdar, explaining the necessity of the Darknet's anonymity for individuals who live in oppressive governments. "They need a means and a method to communicate."

As the report states: "The United States government has a complex relationship with the Darknet. ... the U.S. Naval Research Laboratory originally created and released TOR browser. The U.S. government continues to research ways to anonymously browse the Internet and release new technology. The United States also releases new technology to foreign populations to promote dissidence against authoritarian regimes. At the same time, intelligence agencies monitor activity and attempt to trace TOR users for their own strategic purposes."

Although the U.S. may actively release TOR technology to foreign populations, there was some mild unrest recently when an American library decided to host a TOR relay node, to allow its visitors to surf the web anonymously, and access the Darknet. After Ars Technica ran a story about the Kilton Public Library in Lebanon, N.H. becoming the first library on the TOR network, the U.S. Department of Homeland Security reached out to the library's local police department to notify them about the dangers related to child exploitation on the dark web. (According to a report released in June by Trend Micro's Forward-Looking Threat Research Team, a startling 26 percent of the sites on the Darknet are child exploitation sites.)

The library volunteered to take down the TOR node until the library trustees could vote on it. Tuesday, the library trustees voted to restore TOR service, citing its usefulness not only to people in oppressive government regimes, but also to those suffering from domestic abuse. As the Concord Monitor reported:

"With any freedom there is risk,' library board Chairman Francis Oscadal said. 'It came to me that I could vote in favor of the good . . . or I could vote against the bad.

“I’d rather vote for the good because there is value to this.”

Pasdar is suspicious of the DHS's motivations for alerting the local police about the library's TOR node. "My concern is that government has other motives for doing what they're doing," he says. As he explains, government agencies might publicly discourage others to use onion routing -- because it inhibits intelligence agencies' ability to conduct surveillance -- and yet they may be happy to use the Darknet themselves, to shop on the marketplace for cyberweaponry. "I don't think they're as kind-hearted as they seem."

See the full report at batblue.com/the-darknet.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dante1984
50%
50%
Dante1984,
User Rank: Apprentice
10/10/2015 | 11:50:18 PM
Re: Readable Image
It os offeed on the link. You need a business domain to obtain it.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/23/2015 | 9:42:34 PM
TOR vs. Darknet
Alas, government officials and other fearmongerers have taken to giving public statements that TOR users are all criminals, without demonstrating or appreciating the difference between a TOR user (for TOR can be used to anonymously browse the "regular" WWW) and illicit Darknet customers.

tl;dr: TOR and Darknet are not the same.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/17/2015 | 5:35:43 PM
Re: Readable Image
You can probably find it in the full report http://www.batblue.com/the-darknet/ but you will need to register to download it... 
george_cupp
50%
50%
george_cupp,
User Rank: Apprentice
9/17/2015 | 4:54:19 PM
Readable Image
Is there a link somewhere to the info graphic that is actually readable?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
8 Key Building Blocks for Enterprise Network Defense
Networks are changing rapidly -- and so are strategies for protecting them. This Tech Digest looks at the fundamentals for the next-gen environment.
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In this episode of Dark Reading Radio, veteran CISOs will share their experience and insight into how organizations can get the best bang for their security buck.