5 March 2018


A writer who goes by the ‘handle’ Wagas, posted a February 23, 2018 article to the security/technology website, HackRead.com, about the ever-expanding Dark Web. As Wagas notes, “the Dark Web is a strange place, where one can conduct all sorts of illegal activities like: selling illegal drugs, weapons/firearms, social security numbers, documents, and stolen data. Recently,” Wagas noted, “the social engineering experts at the breach notification website, Hacked-DB, discovered a massive trove of data, containing log in credentials of millions of users on the Dark Web.”

“In total, Hacked-DB told HackRead they have discovered 3,000 databases, containing 200 million unique user accounts, including email addresses, potentially, personal identification information, potential financial accounts, unique IP addresses, unique account identifiers, and other highly sensitive information linked to organizations, and individuals across the globe,” Wagas wrote. 

“The vast majority of these compromised databases were not detected prior to this leak; and the overall size of the files leaked is 9GB,” Wagas noted. “The leak included databases from 2011, to today, 2018; and, the information includes personal accounts with cleartext, or hashed passwords that can easily be reversed [reverse engineered] to the password itself.”

Hacked-DB Chief Operation Officer, Mr. Yogev Mizrahi, told HackRead that: “This leak is extremely interesting from a hacker’s point of view, since it can give potential adversaries a fairly large ground of identifiers to work with – when it comes to identifying theft and such.”

Hacked-DB CEO Chen Heffer told Wagas that: “These leaks go mostly under the radar since they are not published to the public anywhere, and by no one. Our team of White Hat hackers in Hacked-DB work 24/7 in looking for this type of information in the dark web, to bring the value-add to our clients; and, help organizations protect their IP and identities.”

“What might be worrisome,” Wagas noted, “is the fact that the information is available for anyone to download on a file-sharing website; and, it is only a matter of time before malicious hackers get their hands on it.”

Some Random Thoughts/Takeaways

“The Man In The Iron Mask” is one of the most enduring mysteries in history. While many of the myths surrounding this event have been dispelled (the mask was not made of iron), the fact that there is still debate about who this individual was over four hundred years ago, is remarkable. But, the ability to hide one’s true identity is a tall task in the 21st century. DNA shedding, facial and iris recognition, body scans at airports and elsewhere, the shape of one’s ears and veins, and yes — one’s digital footprints — are all working against someone who is trying to stay hidden. No wonder there is a burgeoning off-the-grid movement; and a growing/expansive Dark Web.

And, thanks to upgrades/changes made in the past year by the Tor Project to the anonymity tools underlying the Dark Net, anyone who wants to can create their own dark corner of the Internet that’s anonymous, untraceable, and practically undiscoverable without an invite. I say practically, because with enough time, money, resources, and digital talent, I do not think anything digital is entirely untraceable. But, it is much more difficult and challenging to unmask someone on the Dark Web, who takes proactive measures to muddy their digital bread crumbs.

Last spring/2017, the non-profit Tor Project began to “upgrade the privacy and security of the so-called ‘onion services,’ or ‘hidden services,’ that enable the Dark Net’s anonymity,” Andy Greenberg wrote in a January 1, 2017 article posted to WIRED.com. “While the majority of people who run the Tor Project’s software use it to browse the web anonymously; and, circumvent censorship in countries like Iran and China, the group also maintains code that allows anyone to host an anonymous website or server — the basis for the Dark Net,” he added.

Tor co-founder Nick Mathewson told Andy Greenberg last year that “code is now getting a revamp, set to go live sometime later this year [2017], designed to both strengthen its encryption, and let administrators easily create fully secret darknet sites that can only be discovered by those who know a long string of unguessable characters. And, those software tweaks could not only allow tighter privacy on the Dark Net; but, also help serve as the basis for a new generation of encryption applications.” “Someone can create a hidden service just for you that only you would know about; and, the presence of that particular hidden service would be non-discoverable,” said Mr. Mathewson — who, Mr. Greenberg noted in a January 1, 2017 article on WIRED, “helped code some of the first versions of Tor in 2003.” “As a building block, that would provide a much stronger basis for relatively secure and private systems than we’ve had before,” Mathewson said at the time. Fast forward a year later in 2018 and it would seem these upgrades to anonymity have accelerated the growth and expanse of the Dark Web, as noted by HackRead.


“The next generation of hidden services [upgrades in 2017] will use a clever method to protect the secrecy of those addresses,” Mr. Greenberg wrote. “Instead of declaring their .onion address to hidden service directories, they’ll derive a unique cryptographic key from that address, and give that key to Tor’s hidden service directories. Any Tor user looking for a particular hidden service can perform that same derivation to check the key and route themselves to the correct Dark Net site. But, the hidden service directory can’t derive the .onion address from the key, preventing snoops from discovering any secret Dark Net address,” Mr. Greenberg wrote. “The Tor network isn’t going to give you any way to learn about an onion address you don’t already know,” said Mathewson.
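The derivation described above, sketched in code. This is an added example, not code from the article, WIRED, or the Tor Project; it assumes the key-blinding formula published in Tor's version 3 onion service specification (A' = h*A, with h a clamped SHA3-256 hash over the service's Ed25519 identity key and the time period), and the identity key and period numbers are constructed for the demonstration.

```python
import hashlib

# Ed25519 curve constants (RFC 8032).
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P
BASE = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
        46316835694926478169428394003475163141307993866256225615783033603165251855960)
BASE_STR = ("(%d, %d)" % BASE).encode()  # the basepoint is hashed as an ASCII string

def point_add(p1, p2):
    """Add two affine points on the twisted Edwards curve (complete formula)."""
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + k) % P, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - k) % P, P - 2, P) % P
    return (x3, y3)

def scalar_mult(k, pt):
    """Double-and-add. Not constant time; for illustration only."""
    acc = (0, 1)  # neutral element
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def compress(pt):
    """RFC 8032 encoding: little-endian y, sign of x in the top bit."""
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def blinded_key(identity_pt, period, period_len=1440, secret=b""):
    """Per-period public key A' = h*A that is published to the directories."""
    nonce = b"key-blinding" + period.to_bytes(8, "big") + period_len.to_bytes(8, "big")
    material = (b"Derive temporary signing key\x00" + compress(identity_pt)
                + secret + BASE_STR + nonce)
    h = bytearray(hashlib.sha3_256(material).digest())
    h[0] &= 248                    # Ed25519 clamping of the blinding factor
    h[31] = (h[31] & 63) | 64
    return compress(scalar_mult(int.from_bytes(h, "little"), identity_pt))

# Constructed identity key A = a*B (not a real service). The .onion address
# encodes A, so only someone who already has the address can compute h.
_a = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "little")
IDENTITY = scalar_mult(_a, BASE)

if __name__ == "__main__":
    print("identity key (known to clients):", compress(IDENTITY).hex())
    for n in (17600, 17601):       # constructed period numbers
        print("directory sees, period", n, ":", blinded_key(IDENTITY, n).hex())
```

A client that knows the address recomputes the same blinded key for the current period and asks the directory for it; the directory holds only A', which changes every period and cannot be turned back into A without h.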

“The result,” Mathewson says, “will be Dark Net sites with new, stealthier applications.” “A small group of collaborators could, for instance, host files on a computer known only to them,” Mr. Greenberg wrote. “No one else could ever find that machine, much less access it. You could host a hidden service on your own computer, creating a way to untraceably connect to it from anywhere in the world, while keeping its existence secret from snoops. Mathewson himself hosts a password protected family wiki and calendar on a Tor hidden service, and now says he’ll be able to do away with the site’s password protection without fear of anyone learning his family’s weekend plans. (Tor already offers a method to make hidden services inaccessible to all but certain Tor browsers, but it involves finicky changes to the browser’s configuration files. The new system, Mathewson says, makes that level of secrecy far more accessible to the average user),” Mr. Greenberg wrote.

“The next generation of hidden services will also switch from using 1024-bit RSA encryption keys to shorter, but tougher-to-crack ED-25519 elliptic curve keys. And, the hidden service directory changes mean that hidden service URLs will change too, from 16 characters to 50. But, Mathewson argues that change doesn’t affect the Dark Web’s addresses’ usability since they’re already too long to memorize,” Mr. Greenberg noted.

All is not lost if we see much more use of the Dark Net, with these new methods and techniques to disguise or hide one’s digital presence. But, these new means and methods of hiding on the World Wide Web will no doubt present significant challenges to our ability to surveil the darker angels of our nature. And, even if these same bad guys take all of the precautions as discussed earlier, there are still ways to overcome those obstacles — such as patterns of life research — but, this kind of research effort can be time consuming, complex, rigorous, and demanding. Yes, deep learning, artificial intelligence, and better algorithms will help cut down those timelines; but, my guess is that we still have a ways to go before those techniques mature to the point we need, if faced with an imminent, and potentially catastrophic threat.

Then of course, there is also a young, but robust …off-the-grid movement, which would render all of these techniques useless. 

The bottom line to all of this is: Even with enhanced encryption and other methods to disguise one’s digital presence, there is no ‘bullet-proof’ method — as of now, or in the near future — that would guarantee complete anonymity. But, these new means and methods do present a significant enough challenge — that if faced with a situation where the threat is imminent, we will need a little luck on our side to quickly identify a particularly malicious, dangerous individual who is employing all the anonymity tools that this upgraded Tor offers.

The debate between more privacy on the web, versus allowing enough visibility by law enforcement and intelligence agencies to monitor for the really bad guys, isn’t going away anytime soon. In the aftermath of the 9/11 terrorist attack, the Patriot Act was created; and, most Americans understood, or embraced the need to allow for more law enforcement and intelligence collection — because we feared another such attack. As we move further and further away from that catastrophic event, the pendulum has swung back in the direction of more privacy. That will change, if the circumstances change. But in the meantime, stronger border controls, ‘extreme’ vetting of those seeking refuge in the United States from the war zone, a greater emphasis on HUMINT collection in the communities and areas where we believe the threat is highest — is a must. 

Napoleon Bonaparte once said that “one well placed spy was worth two battalions.” Now, one well-placed spy may be worth an entire city, or a nation’s entire electrical grid.

We have our work cut out for us; but, the darker digital angels of our nature aren’t superhuman digital malcontents. They are human after all; and humans are flawed individuals, who eventually…..make mistakes. RCP, www.fortunascorner.com
