9/16/2015
08:00 PM

Darknet Is Full Of Criminals & Governments Giving TOR A Bad Name

Human traffickers, crowd-sourcing murderers, child pornographers, and governments in the market for juicy zero-days are flooding the Dark Web -- making it hard for the good guys to defend it.

It can take 30 seconds to load just one webpage on the Darknet. There are only between 200,000 and 400,000 sites in it, but good luck finding the one you want when the only things that remotely resemble search engines are full of phony or out-of-date links. Who would use something so frustrating?

Researchers at Bat Blue Networks today released a report outlining the main actors and activities on the Darknet (or Dark Web) -- a subset of the Internet where the sites are unindexed and accessible only through the onion router (TOR) network.

First and foremost, they found a wide assortment of criminal marketplaces -- for human trafficking, child pornography, and murder.

Babak Pasdar, ethical hacker and CEO of Bat Blue, says that one of the most surprising findings in the research is "how innovative folks have gotten in gamifying certain acts, such as murder." He describes how some sites offer prizes for proof of kills.

From the report: "The Darknet is also a platform for new and innovative ways to commit crime. Empowered by the Darknet’s global reach and emboldened by the anonymity it offers, gamification and crowdfunding of crimes like murder and human trafficking represent an increasingly grim aspect of the Darknet."

As Gillian Ibach, Bat Blue lead cyber intelligence analyst, explains, there is no honor among thieves. The lawlessness of the Darknet is so pervasive that the criminals are scamming each other. She points to the example of human trafficking site Black Death requiring buyers to submit Bitcoin deposits in order to bid on "Nicole" -- an 18-year-old American girl whom the Bat Blue researchers believe didn't actually exist. The report cites other examples of sites that shut down suddenly and made off with all the Bitcoins left in their customers' escrow accounts.

In addition to the traditional crimes, of course, there were marketplaces for cybercrime -- and government agencies were among the buyers.

"What's most surprising is how engaged and involved governments are in supporting and growing the Darknet," says Pasdar. As he explains, although the FBI and other government agencies are often shutting these sites down, they're also keen to be a part of the marketplace where some of the juiciest zero-day exploits will be bought and sold. "They want to be first to have dibs on it."

Of course, the Darknet is not just a place where illicit goods are bought and sold.

"It's also a platform for people who are desperate," says Pasdar, explaining the necessity of the Darknet's anonymity for individuals who live in oppressive governments. "They need a means and a method to communicate."

As the report states: "The United States government has a complex relationship with the Darknet. ... the U.S. Naval Research Laboratory originally created and released TOR browser. The U.S. government continues to research ways to anonymously browse the Internet and release new technology. The United States also releases new technology to foreign populations to promote dissidence against authoritarian regimes. At the same time, intelligence agencies monitor activity and attempt to trace TOR users for their own strategic purposes."

Although the U.S. may actively release TOR technology to foreign populations, there was some mild unrest recently when an American library decided to host a TOR relay node, to allow its visitors to surf the web anonymously, and access the Darknet. After Ars Technica ran a story about the Kilton Public Library in Lebanon, N.H. becoming the first library on the TOR network, the U.S. Department of Homeland Security reached out to the library's local police department to notify them about the dangers related to child exploitation on the dark web. (According to a report released in June by Trend Micro's Forward-Looking Threat Research Team, a startling 26 percent of the sites on the Darknet are child exploitation sites.)

The library volunteered to take down the TOR node until the library trustees could vote on it. Tuesday, the library trustees voted to restore TOR service, citing its usefulness not only to people in oppressive government regimes, but also to those suffering from domestic abuse. As the Concord Monitor reported:

"With any freedom there is risk," library board Chairman Francis Oscadal said. "It came to me that I could vote in favor of the good . . . or I could vote against the bad.

"I'd rather vote for the good because there is value to this."

Pasdar is suspicious of the DHS's motivations for alerting the local police about the library's TOR node. "My concern is that government has other motives for doing what they're doing," he says. As he explains, government agencies might publicly discourage others from using onion routing -- because it inhibits intelligence agencies' ability to conduct surveillance -- and yet they may be happy to use the Darknet themselves, to shop on the marketplace for cyberweaponry. "I don't think they're as kind-hearted as they seem."

See the full report at batblue.com/the-darknet.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dante1984,
User Rank: Apprentice
10/10/2015 | 11:50:18 PM
Re: Readable Image
It is offered on the link. You need a business domain to obtain it.
Joe Stanganelli,
User Rank: Ninja
9/23/2015 | 9:42:34 PM
TOR vs. Darknet
Alas, government officials and other fearmongers have taken to giving public statements that TOR users are all criminals, without demonstrating or appreciating the difference between a TOR user (for TOR can be used to anonymously browse the "regular" WWW) and illicit Darknet customers.

tl;dr: TOR and Darknet are not the same.
Marilyn Cohodas,
User Rank: Strategist
9/17/2015 | 5:35:43 PM
Re: Readable Image
You can probably find it in the full report http://www.batblue.com/the-darknet/ but you will need to register to download it... 
george_cupp,
User Rank: Apprentice
9/17/2015 | 4:54:19 PM
Readable Image
Is there a link somewhere to the info graphic that is actually readable?