TOR (The Onion Router) is a volunteer-based distributed overlay network that allows anonymous publishing of websites and other TCP services inside the Darknet. These location-hidden services (Hidden Services, HS) operate under the .onion TLD & can only be accessed through the TOR network, whilst maintaining the anonymity of the Visitors as well as of the HS Operators. Operators run HSs for a multitude of reasons. Some Operators want their HS to be public & advertise its existence in the Clearnet, whereas many want to keep the HS's existence private & hidden, even from regular TOR users.
The research questions that arise here are, "Are TOR Hidden Services really Hidden?" and "Is someone monitoring the HS Directories for private .onion addresses?". The main idea of this paper is to answer these questions by methodically running private, unannounced HSs (aka Onion Decoys) inside the TOR Network to detect whether any surveillance is being done on the HS Directories. The Onion Decoys were implemented as Docker containers acting as honeypots for this research. The paper details the observations made from the scanning activity observed on the Onion Decoys.
Keywords: TOR Hidden Services, Private Onion Decoys
This document discusses various types of fraud including identity theft, account takeover, loyalty fraud, triangulation fraud, card testing, policy abuse, chargeback fraud, and returns fraud. It also provides tips for mitigating fraud risks such as conducting internal risk assessments, quantifying risks, developing fraud response strategies, creating user awareness, and maintaining secure systems through patching, password best practices, and antivirus software.
The document discusses e-mail forensics. It begins by describing the architecture of e-mail systems, including mail user agents, message stores, mail submission and transfer agents, and mail delivery agents. It then discusses common e-mail client attacks like malware distribution, phishing, spam, and denial-of-service attacks. The document outlines techniques for e-mail forensic investigation such as header analysis and server investigation. It also presents tools that can be used for e-mail forensics and summarizes a research paper on detecting e-mail date and time spoofing through analysis of header fields.
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for root cause analysis. It is a branch of digital forensic science that applies techniques of computer investigation and analysis. The goal is the discovery, collection, and analysis of digital evidence found on computers and networks to identify the source of security attacks or crimes.
Presentation on investigating e-mails to determine whether they are spam-free. E-mails are used by some people to harm others or as a social engineering vector to fulfil wrong motives. Awareness of the forensics behind e-mail will give people an edge in protecting themselves from fraud.
This document discusses the history and techniques of phishing attacks. It notes that phishing originated in the 1990s as a way to steal AOL account passwords but has since evolved to target banks, PayPal, and other financial institutions to steal credit card numbers and bank account credentials. Modern phishing uses official-looking websites, email messages, links, and social engineering to trick users into providing sensitive information. The document recommends ways for individuals and businesses to protect themselves, including being wary of unsolicited messages requesting personal details, verifying website URLs, keeping software updated, and reporting suspicious activity.
Cloud Forensics... this presentation shows you the current state of progress and the challenges that stand today in the world of CLOUD FORENSICS. Based on lots of Google searches and white papers by Josiah Dykstra and Alan Sherman. The presentation builds right from the basics and compares the conflicting requirements between traditional and Cloud Forensics.
This document proposes a cyber security model for cloud computing environments. It discusses key cloud concepts like service and deployment models. It then covers cyber security threats in cloud computing, including those originating from the host, between the customer and datacenter, and from virtual machines. The document also presents a mean failure cost approach to measure security and quantify risks through stakeholder, dependency, and impact matrices. Finally, it argues the model can support cloud business decisions by pricing security upgrades and assessing enhancement cost effectiveness.
This document discusses various aspects of web security, including the need for security when transmitting data over the internet, common security measures like authentication, authorization, encryption, and accountability. It describes techniques for securing web applications such as SSL, firewalls, VPNs. It provides details on authentication methods like basic authentication and form-based authentication. It also explains concepts like SSL certificates, VPN types, and how firewalls and SSL work.
Cyber forensics deals with the investigation and analysis of computer systems involved in cyber crimes, while digital forensics involves any digital device for the purpose of a legal investigation. Cyber forensics is a branch of digital forensics that focuses specifically on computer systems and networks. Both fields involve the identification, collection, preservation, analysis and presentation of digital evidence from various devices in relation to crimes. Proper collection and preservation of digital evidence requires following protocols like photographing devices, noting identifying details, removing power sources safely if destructive devices are suspected, and securely storing devices to prevent damage prior to analysis.
Computer forensics involves the collection, analysis and presentation of digital evidence for use in legal cases. It combines elements of law, computer science and forensic science. The goal is to identify, collect and analyze digital data in a way that preserves its integrity so it can be used as admissible evidence. This involves understanding storage technologies, file systems, data recovery techniques and tools for acquisition, discovery and analysis of both volatile and persistent data. Computer forensics practitioners must be aware of ethical standards to maintain impartiality and integrity in their investigations.
Digital certificates certify the identity of individuals, institutions, or devices seeking access to information online. They are issued by a Certification Authority which verifies the identity of the certificate holder and embeds their public key and information into the certificate. Digital certificates allow for secure online transactions by providing identity verification, non-repudiation of transactions, encryption of communications, and single sign-on access to systems. They are commonly used in applications that require authentication and encryption like SSL, S/MIME, SET, and IPSec.
This document provides information about the CS8792 CRYPTOGRAPHY & NETWORK SECURITY course. It discusses cryptography, the course outcomes, syllabus, and key concepts in cryptography including symmetric encryption, asymmetric encryption, data integrity algorithms, and authentication protocols. It also covers essential network and computer security requirements, legal and ethical issues, security policies, OSI security architecture including security attacks, mechanisms, and services.
This document provides an introduction to cyber security. It defines cyber security as protecting online information through online services. It discusses the increasing security threats as more people go online. It then defines the term "cyber" and discusses major security problems like viruses, hackers, malware, Trojan horses, and password cracking. It provides examples of each threat and recommends solutions like installing security suites, using strong passwords, and being aware of international cyber crime statistics. The conclusion encourages spreading cyber security awareness.
This document summarizes different types of network scans that can be performed using Nmap, including TCP connect scans, SYN scans, FIN scans, Xmas scans, Null scans, and least traffic scans. It also discusses why vulnerability scanning is important and compares the features of the free Nessus Home Feed versus the paid Professional Feed for vulnerability scanning. The Professional Feed provides more frequent plugin updates, policy compliance checks, unlimited PCI audits, operating system audits, and technical support compared to the free Home Feed.
This document summarizes a project on cloud forensics. It discusses cloud computing models like SaaS, PaaS, and IaaS. It describes implementing a private Eucalyptus cloud and testing live forensics via virtual introspection and recovering ephemeral data from previous cloud tenants. It demonstrates recovering data from a physical disk but not from a new virtual instance due to sparse files. The document concludes ephemeral data is not accessible to new tenants in Eucalyptus clouds due to sparse files and zero-filling.
IP spoofing involves lying about the source IP address in network packets. This allows an attacker to conduct various types of attacks, such as session hijacking, denial of service attacks, and spoofing attacks. Notable examples include Kevin Mitnick's 1994 attack on Tsutomu Shimomura, where he determined the victim's TCP sequence number algorithm, and session hijacking attacks where the attacker can eavesdrop on or take over communications between two parties. Defenses against IP spoofing involve making it more difficult for attackers to guess sequence numbers or determine addressing patterns if they are blind on the network. However, IP spoofing continues to evolve as a threat as long as different layers of the internet architecture implicitly trust each other.
Network security involves protecting a network and its data through hardware and software that manages access and blocks threats. It combines multiple layers of defenses at the edge and within the network, implementing policies and controls to authorize access for users while blocking malicious actors. Network security protects proprietary information, reputation, and allows organizations to securely deliver digital services that customers and employees demand. It utilizes various technologies including access control, antivirus software, firewalls, intrusion prevention, and more.
This document discusses symmetric encryption, also known as conventional or single-key encryption. Symmetric encryption uses a single key that is known to both the sender and receiver to encrypt plaintext into ciphertext and decrypt ciphertext back to plaintext. The document defines basic terminology related to symmetric encryption like plaintext, ciphertext, cipher, key, encryption, and decryption. It also discusses the principles of cryptography used in symmetric encryption like substitution and transposition ciphers. The document outlines advantages of symmetric encryption like speed but also disadvantages related to securely distributing the shared secret key between communicating parties.
This document provides an overview of AirCrack-ng, a suite of tools for assessing WiFi network security. It discusses the tools in the AirCrack-ng suite like aircrack-ng for cracking WEP and WPA/WPA2 keys. It also describes commands used like airmon-ng to put interfaces in monitor mode and airodump-ng to capture handshakes. The document explains how to use captured handshakes and wordlists with aircrack-ng to crack network passwords if the password is in the wordlist. It also discusses how to perform WiFi deauthentication attacks to capture new handshakes by forcing clients to reconnect.
Botnets are networks of compromised computers that are used to conduct criminal online activities like spamming and phishing. They are controlled by botmasters through command and control servers. The document discusses how botnets utilize platforms like Windows and Unix machines, and spyware, adware, and malware to conduct spamming, phishing, denial of service attacks, and steal personal information. It also summarizes various network security measures that can help prevent the spread of botnets, including user education, firewalls, IPSec, SSL/TLS, RADIUS authentication, security tokens, and biometrics.
Computer forensics involves preserving, identifying, extracting, documenting, and interpreting computer data for legal evidence or root cause analysis. It is used by law enforcement, businesses, and individuals in cases involving theft, fraud, harassment, and other crimes. The process generally involves acquiring the digital device, identifying and recovering data using forensic tools, evaluating the evidence, and presenting findings in a clear manner for legal purposes. Specialized skills and software are needed to perform forensic analysis while addressing techniques used by suspects to hide or corrupt digital evidence.
This document discusses cyber forensics and investigating large scale data breaches. It begins by defining cyber forensics as an electronic discovery technique used to determine and reveal technical criminal evidence, often involving extracting electronic data for legal purposes. It then discusses challenges in investigating corporate networks due to the different operating systems, file systems, and administrative access used. When investigating large data breaches, security exploits and employee devices are common entry points, while the pace of growth and the lack of evidence erasure complicate progress. The Yahoo breach example turned the tide by providing data to investigators that aided geopolitical understanding. Immediate actions include response and isolation, while tools like COFEE, SIFT, and ProDiscover aid forensic analysis at different levels.
This document discusses computer security basics and malicious software. It covers the following key points:
- Types of malware include viruses, adware, spyware, and browser hijacking software. Viruses can self-replicate and spread to other programs/disks.
- Common security threats are malicious software, denial of service attacks, email spoofing, cyber stalking, spamming, and money laundering. Firewalls and passwords are important security measures.
- Good security practices involve locking computers when away, using boot passwords, and being cautious of unauthorized access to prevent data compromise. Understanding the risks of malware and different attack types is essential for computer security.
This document provides an overview of computer forensics. It defines computer forensics as identifying, preserving, analyzing and presenting digital evidence in a legally acceptable manner. The objective is to find evidence related to cyber crimes. Computer forensics has a history in investigating financial fraud, such as the Enron case. It describes the types of digital evidence, tools used, and steps involved in computer forensic investigations. Key points are avoiding altering metadata and overwriting unallocated space when collecting evidence.
Virtualization allows multiple operating systems to run on a single physical system by sharing hardware resources. It provides isolation between virtual machines using a virtual machine monitor. Virtualization provides benefits like server consolidation, running legacy applications, sandboxing, and business continuity. However, it also presents risks if not properly secured, such as increased attack channels, insecure communications between virtual machines, and virtual machine sprawl consuming excess resources. Security measures are needed at the hypervisor, host, virtual machine, and network layers to harden the virtualization environment against threats.
SET was developed by Visa and MasterCard to securely transmit credit and debit card information over the internet. It uses public key encryption and digital certificates to authenticate parties and encrypt transactions for confidentiality. All parties must have digital certificates and information is only shared when necessary to protect privacy. SET supports common transaction types and uses technologies like 3DES, RSA signatures, and SHA-1 hashing to provide security.
Network security involves implementing physical and software measures to protect a network from unauthorized access and enable authorized access. It aims to maintain confidentiality of data, integrity of data, availability of resources, and privacy of personal data. Key aspects of network security include encryption to scramble data, firewalls to control access to networks, and securing wireless networks through standards like WPA2. Common security processes also involve backing up data regularly, using access controls like passwords, and encrypting data during storage and transmission.
Internet of 'Hidden' Things: How to Build a Confidential IOT Network using TO... by Abhinav Biswas
TOR (The Onion Router) is a volunteer-based distributed overlay network that allows anonymous publishing of TCP services. These location Hidden Services (HS) operate under the .onion Top-Level Domain & can only be accessed through the TOR network, whilst maintaining anonymity of the Client as well as the Hidden Server. Docker on the other hand is a software containerization technology which provides an additional layer of abstraction & automation to OS-level virtualization, allowing a developer to package up an application with all of its libraries & dependencies into one container and ship it. Docker containers are lightweight by design and ideal for enabling accelerated development of microservices, which make it easy to compose, deploy and maintain complex cloud applications.
Now, with the advent of IOT, every electronic 'Thing' is getting Smart, which brings a plethora of digital threats into the physical world. Ubiquitous connectivity to the Internet is bringing up new Privacy & Anonymity challenges that are rising as never before. Our purchasing patterns, browsing patterns, driving habits, eating habits, health indicators, places we visit, social data, contacts and pretty much every piece of personally identifiable data is being collected by Smart devices and sent to huge Server Farms or the Cloud, which then knows all, remembers all, and happily shares and/or monetizes it all. There's a lack of transparency between the data being collected and what it is being used for. Hence, the contemporary situation demands a paradigm shift in the existing infrastructure of IOT Businesses, where Proprietary protocols, indigenous hardware & air-gapped networks are no longer enough for security & privacy in the era of Industry 4.0.
This workshop will sensitise the audience to how we can leverage the anonymity & containerisation benefits of TOR & Docker technologies to address the security & privacy challenges in IOT Businesses and stop Surveillance Capitalism. There will be several Live Demos on how to build an Internet of 'Hidden' Things by creating confidential, authenticated and anonymous IOT Applications using TOR Hidden Services amalgamated with Docker Containers. The demos will show that these 'Hidden' Things/Devices can even hide the fact that they exist at all if you don't know the necessary cookie. One can neither crawl nor probe your IOT device through the Internet while your device uses the Onion Authentication feature of TOR Hidden Services. The workshop will also cover the dark side of using the Internet of Hidden Things in the future.
IEW EFYCON 2018 Workshop
Presentation of "Anonymity in the web based on routing protocols" technical report developed for the Web Security course of the Master Degree in Engineering in Computer Science curriculum in Cyber Security at University of Rome "La Sapienza".
Link: https://www.slideshare.net/BiagioBotticelli/anonymity-in-the-web-based-on-routing-protocols
Network security involves implementing physical and software measures to protect a network from unauthorized access and enable authorized access. It aims to maintain confidentiality of data, integrity of data, availability of resources, and privacy of personal data. Key aspects of network security include encryption to scramble data, firewalls to control access to networks, and securing wireless networks through standards like WPA2. Common security processes also involve backing up data regularly, using access controls like passwords, and encrypting data during storage and transmission.
Internet of 'Hidden' Things: How to Build a Confidential IOT Network using TO... (Abhinav Biswas)
TOR (The Onion Router) is a volunteer-based distributed overlay network that allows anonymous publishing of TCP services. These location Hidden Services (HS) operate under the .onion Top-Level Domain & can only be accessed through the TOR network, whilst maintaining anonymity of the Client as well as the Hidden Server. Docker on the other hand is a software containerization technology which provides an additional layer of abstraction & automation to OS-level virtualization, allowing a developer to package up an application with all of its libraries & dependencies into one container and ship it. Docker containers are lightweight by design and ideal for enabling accelerated development of microservices, which make it easy to compose, deploy and maintain complex cloud applications.
Now, with the advent of IOT, every electronic 'Thing' is getting Smart, which brings a plethora of digital threats into the physical world. The ubiquitous connectivity to the Internet is bringing up new Privacy & Anonymity challenges, which are rising as never before. Our purchasing patterns, browsing patterns, driving habits, eating habits, health indicators, places we visit, social data, contacts and pretty much every piece of personally identifiable data is being collected by Smart devices and sent to huge Server Farms or the Cloud, which then knows all, remembers all, and happily shares and/or monetizes it all. There’s a lack of transparency between the data being collected and what it is being used for. Hence, the contemporary situation demands a paradigm shift in the existing infrastructure of IOT Businesses, where proprietary protocols, indigenous hardware & air-gapped networks are just not enough for security & privacy in the era of Industry 4.0.
This workshop will sensitise the audience about how we can leverage the anonymity & containerisation benefits of TOR & Docker technologies to address the security & privacy challenges in IOT Businesses and stop Surveillance Capitalism. There will be several Live Demos on how to build an Internet of 'Hidden' Things by creating confidential, authenticated and anonymous IOT Applications using TOR Hidden Services amalgamated with Docker Containers. The demos will show that these 'Hidden' Things/Devices can even hide the fact they exist at all, if you don’t know the necessary cookie. One can neither crawl nor probe your IOT device through the Internet while your device uses the Onion Authentication feature of TOR Hidden Services. The workshop would also cover the dark-side of using Internet of Hidden Things in future.
IEW EFYCON 2018 Workshop
Presentation of "Anonymity in the web based on routing protocols" technical report developed for the Web Security course of the Master Degree in Engineering in Computer Science curriculum in Cyber Security at University of Rome "La Sapienza".
Link: https://www.slideshare.net/BiagioBotticelli/anonymity-in-the-web-based-on-routing-protocols
Onion routing and tor: Fundamentals and Anonymity (anurag singh)
Onion Routing and Tor: Fundamentals and anonymity discusses anonymity on the internet and how Tor works to provide anonymity. It explains that traditional IP addresses and browser tracking can be linked to a user's identity. Tor creates circuits through multiple relay nodes to hide a user's location and communications. Key features of Tor include using volunteer-run relay nodes, protecting against traffic analysis, and enabling hidden services to host anonymous websites. While Tor enhances anonymity, it cannot prevent all timing attacks if the start and end of a user's traffic can be observed.
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer (Felipe Prado)
This document provides an overview and background of a wireless security researcher known as the WiFiCactus. It summarizes their interests and work analyzing wireless networks at DEFCON and other conferences over the years, including wardriving experiments and building tools to analyze large datasets captured from wireless monitoring. It also shares some findings from analyzing these datasets, such as visualizing the locations of detected devices and instances where APIs or software leaked private information over wireless networks.
This document discusses tools and techniques for investigating network traffic. It provides overviews of network protocols and layers of the OSI model. It describes types of network attacks investigators may encounter and reasons for examining network traffic, such as locating suspicious activity. Methods of gathering evidence are covered, including sniffing packets and acquiring traffic using DNS poisoning. Specific tools are outlined, such as Wireshark, Tcpdump and Windump, that can capture and analyze network packets.
IETE mid-term symposium on digital forensics and information security : 23 M... (anupriti)
While any one of us discusses cryptocurrency, we invariably hover around BITCOIN only, but as on date we have 2000+ cryptocurrencies in the world and the sad thing is CRYPTOCURRENCY CRIMES ARE RISING FAST undeterred. This presentation, given at the IETE mid term symposium on 23rd May 2020, brings a brief overview of how cryptocrimes work and what the challenges around them are.
This document discusses design aspects of the Internet of Things (IoT). It begins with an introduction that defines IoT as connecting devices over the internet to control things remotely and make life easier. Key points include IoT allowing any thing, place, and time connections. By 2020, it is estimated that 50 billion objects will be connected. The document then discusses technologies used in IoT like RFID, Bluetooth, and WiFi. It also addresses open challenges like interoperability, scalability, and security. The proposed architecture includes network, system, and device levels. Changes to the IPv6 protocol are suggested to address issues with addressing billions of devices. The document concludes by outlining how the proposed approach could benefit IoT applications
Task Force on IoT Security
About CISO Platform
Largest DDOS Attack Against DYN
How can we minimize the risk?
IoT Architectural Layers
Components of an IoT Node
Detecting and Confronting Flash Attacks from IoT Botnets (Farjad Noor)
This document discusses detecting and confronting flash attacks from IoT botnets. It begins by providing background on the Internet of Things and how IoT devices are increasingly being compromised to form botnets. It then describes the architecture of the Mirai malware, which uses a scanner to find vulnerable IoT devices and a command-and-control server to direct attacks. The document proposes using a sparse autoencoder neural network to detect IoT botnets by analyzing network traffic patterns. It also details methods to detect cryptojacking activities on infected devices by analyzing network protocols and abnormal resource usage. Finally, it discusses setting up a Mirai botnet on a virtual private server to further study flash attacks and confrontations.
WebRTC introduces new security considerations for real-time communications. The document discusses various VoIP attacks that could impact WebRTC like denial of service, fraud, and illegal interception. It also examines vulnerabilities from accessing devices, signaling sent in plain text, and cross protocol attacks. The presentation recommends using TLS for signaling, getting user permission for devices, DTLS-SRTP for media encryption, and identity management through providers. Integrating WebRTC with IMS can leverage the authentication of IMS subscriptions for web credentials.
- VoIP attacks Denial of service. Fraud. Illegal interception. Illegal control.
- Adhoc WebRTC attacks: malicious HTML code. Webservers. Forced DoS. Cam/mic control. Etc.
- Protection: Role of border elements (SBC, media gateways,...). WebRTC Portal and web servers. Browser mechanisms
- Identity Management: Anonymous calls. OpenID and third parties. Telco identity. Real implementations
Hacking Fundamentals - Jen Johnson, Miria Grunick (amiable_indian)
The document discusses the five phases of a hacking attack: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. It provides details on various reconnaissance techniques like searching publicly available information, whois databases, and DNS records to learn about a target organization. Scanning involves probing open ports using techniques like port scanning, war dialing, and tracerouting to map out a network.
The talk will start by explaining how the Tor project can help us in the research and development of tools for online anonymity and privacy of its users while surfing the Internet, by establishing virtual circuits between the different nodes that make up the Tor network. Later, we will review the main tools for discovering hidden services in the Tor network with OSINT tools. Finally, we will use Python for extracting information from the Tor network with specific modules like stem (https://stem.torproject.org/).
These could be the main points of the talk:
- Introduction to the Tor project and hidden services
- Discovering hidden services with OSINT tools
- Extracting information from the Tor network with Python
Layer 2 protocols like CDP, VTP, DTP, and HSRP are vulnerable to attacks if not properly secured. An attacker can use tools like Yersinia to perform reconnaissance on layer 2 protocols to gain information about devices, protocols, and network topology. Common attacks include denial of service attacks, traffic hijacking, and bypassing network restrictions. To prevent attacks, companies should secure switches, use secure trunking configurations, disable unused ports and protocols, and deploy security features like DHCP snooping.
This document discusses computer network security. It begins by defining security and explaining why security is needed, then discusses common security threats like firewalls, denial of service attacks, and TCP hijacking. The most vulnerable targets are listed as financial institutions, internet service providers, and government agencies. The document then explains specific security mechanisms and attacks in more detail, such as firewalls and intrusion detection systems, different types of denial of service attacks, and how TCP hijacking works. It stresses the importance of security updates and patching known vulnerabilities.
This document discusses how network monitoring can be used to detect and manage threats. It describes Cisco's Stealthwatch solution, which leverages NetFlow data to provide network visibility. Stealthwatch collects and analyzes NetFlow records to generate conversational flow records that provide context about network communications. This enriched flow data can be used to identify anomalies, track indicators of compromise, and monitor for potential insider threats or data exfiltration. The document also outlines how Stealthwatch features like host groups, reports, behavioral analysis and policy monitoring can aid in network security investigations.
Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is transmitted through a series of network nodes called onion routers, each of which "peels" away a single layer, uncovering the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes.
Onion routing was developed in the mid-1990s at the U.S. Naval Research Laboratory to protect U.S. intelligence communications online. It was further developed by the Defense Advanced Research Projects Agency (DARPA) and patented by the Navy in 1998. Onion Routing is implemented by The Onion Routing project, or TOR project.
Welcome to the world of 'network security' which is an unavoidable term in cyber security. This white paper of Network security encompasses the most significant and predominantly used networking security concepts which are highly important for maintaining your network environment secure.
Similar to Are TOR Hidden Services really hidden? Demystifying HS Directory surveillance by injecting Decoys inside TOR! (20)
Demystifying the Dark-Side of Internet of Things (IOT): A Journey through Sec... (Abhinav Biswas)
1. The document discusses the convergence of the physical and digital worlds through sensors, cloud computing, and machine-to-machine communication.
2. It notes security challenges like ransomware infecting smart devices and the need to design security into connected systems from the start.
3. The author advocates approaches like decentralization, trustworthy distribution, immutability, and public verification to build security and privacy into Internet of Things technologies from the early stages.
The document discusses various topics related to cybersecurity including the increasing digitization of physical devices, high-profile data breaches, privacy concerns over connected devices, and challenges posed by new technologies like virtualization and containers. It also covers security issues on the deep web/dark web and anonymity networks like Tor. The need for advanced defense techniques like behavior profiling and machine learning is discussed. The document promotes formal education, certifications, and industry experience to build a career in cybersecurity and stresses the importance of continual learning.
The document discusses concepts related to sensors, the cloud, machine-to-machine communication, and the convergence of the physical and digital worlds. It notes challenges like security, privacy, and resource constraints. Key ideas presented are that the physical is becoming digital, digital is becoming physical, and that we tend to overestimate short term impacts and underestimate long term impacts of new technologies.
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker (Abhinav Biswas)
With the advent of IOT, every 'Thing' is getting Smart, starting from the range of smartwatches, smart refrigerators, smart bulbs to smart cars, smart healthcare, smart agriculture, smart retail, smart cities and what not, even the smart planet. But why is every thing getting smart? People are trying to bridge the gap between the Digital World & the Physical World by means of ubiquitous connectivity to the Internet, and when digital things become physical, digital threats also become physical threats. Security & Privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop on the private communications in your bedroom? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be Anonymous over the Internet and don't want anybody to track you?
This talk will focus on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What we need to do': what new security challenges are coming up and how privacy & anonymity are taking the lead over security. The talk will also sensitise the audience about the paradigm shift that is happening in IOT DevOps with the help of Docker Containers, and how they can be anonymised using TOR.
Modern Cyber Threat Protection techniques for Enterprises (Abhinav Biswas)
Presentation delivered for Management Development Programme on "Information and Cyber Security" at Institute of Public Enterprise, Hyderabad on 12th September, 2015.
Insights Into Modern Day Threat Protection (Abhinav Biswas)
This document discusses cybersecurity threats and strategies for mitigation. It covers topics like advanced persistent threats, zero-day attacks, exploit kits, and common attack vectors involving social media, email, mobile apps, and the web. The document also summarizes traditional threats compared to more advanced threats, outlines a 7-stage threat model, and emphasizes the importance of prevention, detection, and rapid response for effective cybersecurity.
Ion Mobility Spectrometry (IMS) based Explosive Detector (Abhinav Biswas)
An IMS based Explosive detector can analyze explosive ions by computing the drift time of the ions based on the peak value of the collected ADC sample data and comparing it with the available library data. The IMS application was developed using Qt 4.5 which was ported to the ARM board running embedded Linux.
ABSTRACT The Virtual Trial Room (VTR) application software simulates an apparel dressing room by the implementation of a virtual mirror, portraying an augmented view of the user with virtual superimposed clothes. Traditional approaches to the design and implementation of virtual dressing rooms have widely used either normal webcams with Tag/Marker based tracking or expensive 3D depth & motion sensing cameras like Microsoft Kinect. The main idea of this paper is to methodologically devise a novel VTR solution deploying ubiquitous 2D webcams with tag-less tracking, in a real-time live video mode using open source tools and technologies. The solution model implements a tag-less or marker-less Augmented Reality (AR) technique with face detection technology and provides an intuitive motion-augmented User Interface (UI) to the VTR application, in the form of an interactive human-friendly Virtual Mirror using simple hand gestures. A qualitative performance analysis of the application is evaluated at the end of the paper to determine the fundamental susceptibility of the VTR system to varied illumination conditions.
https://github.com/Project-VTR
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
2. http://AbhinavBiswas.github.io | @Abhinav_BIswas
Electronics Corporation of India Limited
A Govt. of India (Dept. of Atomic Energy) Enterprise
Security Leader of the Year Award - 2016 by DSCI, NASSCOM
Playing with Dark-Side of IOT, NCSS Summit, 2017
IBM Blue Scholar, 2012
CISCO Certified CyberOps, EHCE by US-Council & more…
Cybernetic modeling of ICS, IEEE Journal, 2015
Top 100 InfoSec Maestros 2016, DynamicCISO Security Excellence Awards etc.
3. The Onion Router – Gateway to Anonymity
A volunteer-based distributed overlay network that simply makes you anonymous online.
Conceals its users’ identity and their online activity from surveillance and traffic analysis.
Used by Activists, Whistle Blowers, Journalists, Sensitive Businesses, Bloggers, Military
Illicit Uses: Buying/Selling Drugs & Weapons, Silk Route, Child Pornography
4. It’s all about Onion Routing
Layers of Encryption, peeled off at every subsequent node
Each relay node knows only which node gave it data & which node it is giving data to
Separate set of encryption keys for each node along the complete Circuit
No observer at any single point can tell where’s the original source & where’s the final destination
[Figure: a Data packet wrapped in successive layers of encryption]
5. Establishing The Circuit
[Figure: Client → Tor Cloud of Relays → Server. The Tor Circuit passes through 3 Random Relays: (1) Entry/Guard Node, (2) Middle Node, (3) Exit Node; the Data packet loses one encryption layer at each hop.]
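Slides 4 and 5 describe the mechanism in words; the following is an added illustration of it, not code from the slides or from the Tor project. It models one layer of encryption per relay and shows what each relay can observe. The per-hop cipher is a toy SHA-256 keystream with an HMAC tag (a stand-in for Tor's real cell crypto), and the relay names, keys and message are constructed for the example.

```python
"""Toy onion-routing walk-through: one encryption layer per relay, peeled hop by hop.

Added example, not code from the slides or from the Tor project. The per-hop
cipher is a toy SHA-256 keystream with an HMAC tag, standing in for Tor's real
cell crypto; relay names, keys and the message are constructed.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (NOT Tor's cipher suite)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; a wrong key or a tampered cell fails the integrity check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _frame(next_hop: str, payload: bytes) -> bytes:
    """Prefix a payload with the name of the ONLY hop the reader may learn."""
    hop = next_hop.encode()
    return len(hop).to_bytes(1, "big") + hop + payload


def _unframe(blob: bytes):
    n = blob[0]
    return blob[1:1 + n].decode(), blob[1 + n:]


def build_onion(circuit, keys, destination: str, message: bytes) -> bytes:
    """Client side: wrap innermost (exit) to outermost (guard) with a separate key per hop.

    Result: frame(guard, E_guard(frame(middle, E_middle(frame(exit,
    E_exit(frame(destination, message))))))).
    """
    onion = _frame(destination, message)
    for relay in reversed(circuit):
        onion = _frame(relay, encrypt_layer(keys[relay], onion))
    return onion


def relay_peel(key: bytes, blob: bytes):
    """Relay side: strip exactly one layer and learn only the next hop."""
    return _unframe(decrypt_layer(key, blob))


def run_circuit(circuit, keys, destination: str, message: bytes):
    """Push the onion through the circuit.

    Returns (final receiver, delivered bytes, observations), where observations is
    [(relay, previous hop, next hop, plaintext visible to this relay)] per relay.
    """
    observations = []
    first_hop, blob = _unframe(build_onion(circuit, keys, destination, message))
    prev, current = "client", first_hop
    while current in keys:                      # stop once the blob leaves the last relay
        next_hop, blob = relay_peel(keys[current], blob)
        observations.append((current, prev, next_hop, message in blob))
        prev, current = current, next_hop
    return current, blob, observations


if __name__ == "__main__":
    circuit = ["guard", "middle", "exit"]                  # constructed relay names
    keys = {name: os.urandom(32) for name in circuit}      # one key per hop
    receiver, delivered, seen = run_circuit(circuit, keys, "server.example", b"hello onion")
    print(receiver, delivered)
    for relay, came_from, goes_to, visible in seen:
        print(f"{relay:>6}: from {came_from:<6} to {goes_to:<14} plaintext visible: {visible}")
```

Running it shows the point of slide 4 directly: the guard sees the client and the middle relay, the middle sees only its two neighbours, and only the exit sees the plaintext and the real destination (as in Tor itself, unless the application layer adds its own encryption).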
6. Directory Authorities – The Gatekeepers of TOR
[Figure: Client, Tor Cloud of Relays, Tor Circuit and Server, with the 9 Directory Authorities (DA 1 … DA 9) shown alongside the network.]
8. Sneak peek into HS Features
Bidirectional Server & Client Anonymity
No need to buy a Domain Name
No need to have a public IP address
Smear-Resistance
NAT Punching
Self-Authentication of the Service
End-to-End Encryption
Perfect Forward Secrecy (PFS)
It takes hardly a minute to host a Tor HS
[Figure: two kinds of hidden service, PUBLIC HS and PRIVATE HS]
9. HS Rendezvous Protocol
By Routing all communication between Client & HS through a Rendezvous Point (RP)
The RP connects 2 Tor Circuits, one each from Client & HS
6 Relays in Total including RP
- 3 picked by Client (3rd being the RP)
- Other 3 are picked by HS
[Figure: Client — RP — HS]
10. HS Rendezvous Protocol
(Same text as slide 9.)
[Figure: Client and HS inside the Tor Cloud of Relays, each with a circuit meeting at the RP]
11. HS Rendezvous Protocol
[Figure: Client, HS, Tor Cloud of Relays and Tor Circuits. Legend: IP = Introduction Points (IP 1, IP 2, IP 3); HSDir = HS Directory Authorities (HSDir 1 … HSDir 6); RP = Rendezvous Point]
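Slides 9 to 11 give the shape of the rendezvous protocol and slide 8 lists self-authentication as an HS feature; the following added example, which is not code from the slides or from the Tor project, walks through both with a toy in-memory network. The cell names are Tor's (ESTABLISH_INTRO, INTRODUCE1/2, ESTABLISH_RENDEZVOUS, RENDEZVOUS1/2); the relay names, the opaque key blob and the SHA-256 based address derivation are constructed stand-ins (the v2 scheme the slides describe used base32 of the first 80 bits of SHA-1 over the RSA public key).

```python
"""Toy walk-through of the HS rendezvous protocol (slides 9-11) and of the
self-authenticating .onion name (slide 8).

Added example, not code from the slides or from the Tor project. Cell names
follow Tor's (ESTABLISH_INTRO, INTRODUCE1/2, ESTABLISH_RENDEZVOUS,
RENDEZVOUS1/2); relay names, the opaque key blob and the SHA-256 address
derivation are constructed stand-ins.
"""
import base64
import hashlib
import os


def onion_address(public_key: bytes) -> str:
    """Stand-in for the v2 scheme (base32 of the first 80 bits of SHA-1 over the RSA key).
    A client re-derives the name from a fetched descriptor to authenticate the service."""
    return base64.b32encode(hashlib.sha256(public_key).digest()[:10]).decode().lower() + ".onion"


class HSDir:
    """Relay acting as an HS directory; it necessarily sees every address uploaded to it."""
    def __init__(self):
        self.descriptors, self.seen_addresses = {}, []

    def publish(self, descriptor: dict) -> None:
        self.descriptors[descriptor["address"]] = descriptor
        self.seen_addresses.append(descriptor["address"])

    def fetch(self, address: str):
        return self.descriptors.get(address)


class RendezvousPoint:
    """The client's third hop; it splices two circuits that present the same cookie."""
    def __init__(self, name: str):
        self.name, self.waiting, self.joined = name, {}, []

    def establish(self, cookie: bytes, client_circuit: str) -> None:
        self.waiting[cookie] = client_circuit

    def rendezvous1(self, cookie: bytes, hs_circuit: str) -> None:
        if cookie not in self.waiting:
            raise ValueError("unknown rendezvous cookie")
        self.joined.append((self.waiting.pop(cookie), hs_circuit))


class HiddenService:
    def __init__(self, name: str, intro_points: list):
        self.name = name
        self.public_key = os.urandom(32)            # opaque stand-in for the HS key pair
        self.address = onion_address(self.public_key)
        self.intro_points = list(intro_points)      # the 3 relays picked by the HS

    def descriptor(self) -> dict:
        return {"address": self.address, "public_key": self.public_key,
                "intro_points": self.intro_points}

    def on_introduce2(self, rp: RendezvousPoint, cookie: bytes, transcript: list) -> None:
        # The HS reaches the RP over its own 3-hop circuit, so it never sees the client's IP.
        transcript.append(("RENDEZVOUS1", self.name, rp.name))
        rp.rendezvous1(cookie, self.name + "-circuit")

    def handle(self, request: bytes) -> bytes:
        return b"200 OK from " + self.name.encode()


class ToyTorNetwork:
    def __init__(self, relay_names: list):
        self.relays = list(relay_names)
        self.hsdir = HSDir()
        self.intro_circuits = {}        # intro point name -> HS holding a circuit to it
        self.transcript = []            # (cell, sender, receiver)

    def host(self, hs: HiddenService) -> None:
        for ip in hs.intro_points:
            self.intro_circuits[ip] = hs
            self.transcript.append(("ESTABLISH_INTRO", hs.name, ip))
        self.hsdir.publish(hs.descriptor())
        self.transcript.append(("PUBLISH_DESCRIPTOR", hs.name, "HSDir"))

    def connect(self, client: str, address: str, request: bytes) -> dict:
        desc = self.hsdir.fetch(address)
        if desc is None:
            raise LookupError("no descriptor for " + address)
        if onion_address(desc["public_key"]) != address:    # self-authentication check
            raise ValueError("descriptor key does not match the onion address")
        self.transcript.append(("FETCH_DESCRIPTOR", client, "HSDir"))
        client_hops = [r for r in self.relays if r not in desc["intro_points"]][:3]
        rp = RendezvousPoint(client_hops[2])                 # 3rd client hop is the RP
        cookie = os.urandom(20)
        rp.establish(cookie, client + "-circuit")
        self.transcript.append(("ESTABLISH_RENDEZVOUS", client, rp.name))
        ip = desc["intro_points"][0]
        self.transcript.append(("INTRODUCE1", client, ip))   # carries RP name + cookie
        hs = self.intro_circuits[ip]
        self.transcript.append(("INTRODUCE2", ip, hs.name))
        hs.on_introduce2(rp, cookie, self.transcript)
        self.transcript.append(("RENDEZVOUS2", rp.name, client))
        return {"rp": rp.name, "joined": len(rp.joined) == 1,
                "relays_in_path": len(client_hops) + 3,      # 3 client hops (incl. RP) + 3 HS hops
                "reply": hs.handle(request)}
```

The HSDir's `seen_addresses` list is the crux of slide 12: whoever runs the directory relay learns the address of every service that publishes to it, whether or not that address was ever announced anywhere else.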
12. Research Hypothesis
Interesting to Note:
Information about all existing HSs is distributed across many Tor relays (HSDirs)
Any regular Tor relay may work as HSDir
Anyone who deploys such HSDir nodes can also harvest onion addresses from it
The adversary may find addresses that have never been publicly shared
Is someone monitoring the HS Directories for private onion addresses?
How frequently does this happen & what sort of services are targeted?
13. Setting up the Onion Decoy Project
Run Private Unannounced HSs as Honeypots (aka Onion Decoys) inside the Tor Network
Implemented with Docker Containers
Composed with two popular open source honeypots:
- Glastopf for HTTP
- Cowrie for SSH & Telnet
Exposed three ports: Port 80 (HTTP), Port 22 (SSH), Port 23 (Telnet)
[Table: Experiment | Decoys | Days]
14. Lots of theory… Show me how it works.
1. Hosting Tor Hidden Service in seconds with Docker Containers
2. How to set up Honeypots (aka Onion Decoys) inside the TOR Network
3. Live probing of Onion Decoys to detect intrusions by attackers
15. Private Hidden Services are not really hidden…
Out of the 50 Onion Decoys, about 32 were revealed
No SSH or Telnet traffic was detected
The only port that received any traffic was port 80 (HTTP)
No SQL injection attempts were detected.
[Chart: Cumulative accesses of Onion Decoys as function of time. X axis: Days in experiment (0–60); Y axis: Fraction of Onion Decoys Visited (0.0–0.7); series: Any Access, Browser Access]
16. Private Hidden Services are not really hidden…
Majority of the traffic came after 40 days
[Chart: Daily Page loads of the Onion Decoys. X axis: Days in experiment (0–60); Y axis: Page loads per day (0–800)]
17. Private Hidden Services are not really hidden…
78% of all the http requests came from Mozilla browsers
About 27% of the visitors with normal browsers came to the site with referrer URL http://skunksworkedp2cg.onion
‘Peace! Harry’
Majority of the traffic came after 40 days
[Chart: User-Agent wise Daily Page loads of the Onion Decoys. X axis: Days in experiment (0–60); Y axis: User-Agent wise Page loads per day (0–800); series: Any Access, Tor Browser, Normal Browser]
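Slides 15 to 17 report the decoy statistics (fraction of decoys visited over time, daily page loads, browser share, referrer share, absence of SQL injection attempts). The following added example, not code from the slides or from the OnionDecoy project, shows how such figures are computed from a honeypot's access log. The tab-separated log format (decoy id, day of experiment, request path, User-Agent, Referer) and every line of `LOG` are constructed, and the Tor Browser heuristic is an assumption rather than a reliable fingerprint.

```python
"""Analysis of Onion Decoy access logs, in the spirit of slides 15-17.

Added example, not code from the slides or from the OnionDecoy project. The
log format (tab-separated: decoy id, day of experiment, request path,
User-Agent, Referer) and every line of LOG are constructed; the Tor Browser
heuristic is an assumption, not a reliable fingerprint.
"""
import re
from collections import Counter
from urllib.parse import unquote

FIREFOX_ESR = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
CHROME = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/60.0.3112.113 Safari/537.36")
REFERRER = "http://skunksworkedp2cg.onion/"       # referrer URL reported on slide 17

# Constructed sample log: 5 decoys in the experiment, 4 of them touched at some point.
LOG = "\n".join([
    "decoy03\t3\t/\tcurl/7.52.1\t-",
    "decoy03\t3\t/robots.txt\tcurl/7.52.1\t-",
    f"decoy07\t12\t/\t{FIREFOX_ESR}\t-",
    f"decoy11\t41\t/\t{FIREFOX_ESR}\t-",
    f"decoy11\t41\t/index.php?id=1\t{CHROME}\t{REFERRER}",
    "decoy11\t42\t/index.php?id=1%27%20OR%20%271%27%3D%271\tpython-requests/2.18.4\t-",
    f"decoy19\t44\t/\t{CHROME}\t{REFERRER}",
    f"decoy19\t45\t/login\t{FIREFOX_ESR}\t-",
])

# Classic injection fragments, checked against the URL-decoded path.
SQLI = re.compile(r"'\s*(or|and)\s*'|union\s+select|--|;\s*drop\b", re.IGNORECASE)


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        decoy, day, path, ua, ref = line.split("\t")
        records.append({"decoy": decoy, "day": int(day), "path": unquote(path),
                        "ua": ua, "referrer": None if ref == "-" else ref})
    return records


def is_browser(rec: dict) -> bool:
    """'Browser access' = a User-Agent a browser sends (Mozilla/...), not a tool."""
    return rec["ua"].startswith("Mozilla/")


def looks_like_tor_browser(rec: dict) -> bool:
    """Assumption: the uniform Firefox-ESR-on-Windows-7 UA Tor Browser presented then."""
    return "Windows NT 6.1" in rec["ua"] and "Firefox/" in rec["ua"]


def fraction_visited_by(records: list, total_decoys: int, day: int, browser_only: bool = False) -> float:
    """Cumulative fraction of decoys with at least one (browser) access on or before `day`."""
    seen = {r["decoy"] for r in records
            if r["day"] <= day and (is_browser(r) or not browser_only)}
    return len(seen) / total_decoys


def page_loads_per_day(records: list) -> dict:
    return dict(Counter(r["day"] for r in records))


def share_after_day(records: list, day: int) -> float:
    """Share of all page loads that arrived after `day` (slide 16: most came after day 40)."""
    return sum(1 for r in records if r["day"] > day) / len(records)


def referrer_share(records: list, referrer: str) -> float:
    """Among browser visits, the share that carried the given Referer."""
    browser = [r for r in records if is_browser(r)]
    return sum(1 for r in browser if r["referrer"] == referrer) / len(browser)


def sqli_attempts(records: list) -> list:
    """Requests whose decoded path contains a classic injection pattern."""
    return [(r["decoy"], r["path"]) for r in records if SQLI.search(r["path"])]


if __name__ == "__main__":
    recs = parse_log(LOG)
    for day in (10, 40, 60):
        print(f"day {day:>2}: any {fraction_visited_by(recs, 5, day):.2f}, "
              f"browser {fraction_visited_by(recs, 5, day, browser_only=True):.2f}")
    print("loads per day:", page_loads_per_day(recs))
    print("share after day 40:", share_after_day(recs, 40))
    print("referrer share:", referrer_share(recs, REFERRER))
    print("tor-browser-looking hits:", sum(looks_like_tor_browser(r) for r in recs))
    print("injection attempts:", sqli_attempts(recs))
```

The first-access-per-decoy set in `fraction_visited_by` is what the slide 15 curve plots; separating "any access" from "browser access" matters because automated probes (here `curl` and `python-requests`) reveal a decoy without any human ever opening it.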
18. Everything can be a Honeypot, if you don’t know it fully
HSDir Operators cannot be trusted
HSs would remain unnoticed only for a few days with high probability
The adversary is neither very systematic nor intrusive
‘Security by Obscurity’ – Not Applicable
• Little-known HS Authentication Feature
The more you hide, the more somebody wants to know why.
https://github.com/OnionDecoy
19. “It ain't what you don't know that gets you into trouble.
It's what you know for sure that just ain't so.”
AbhinavBiswas@ecil.gov.in
@Abhinav_BIswas
Editor's Notes
A very good morning to all of you Gentlemen.
It’s a great pleasure and delight to be here at C0C0N X.
First of all I would like to thank the C0C0N team for giving me this platform to share my research on Tor Hidden Services.
There’s a lot of energy, lot of vibrance and a lot of dynamism here.
So, tell me, how many of you here use TOR? Or at least know about TOR. Pretty much everybody it seems. Great
How many of you know about TOR Hidden Services? Good, I can see a few hands.
So, today I am here to talk about the hiddenness of TOR HS.
I will show how you can inject decoys or honeypots inside TOR network using docker containers to detect surveillance attacks.
So, Before I begin…
I am Abhinav Biswas, Currently, working in a Public Sector Enterprise, called the Electronics Corporation of India limited (ECIL), under Department of Atomic Energy (DAE), Government of India.
Talking about ECIL we make strategic electronic products for the Indian Defense & Nuclear establishments. We have our own indigenously made routers, mass encryptors, missile fuzes, the famous EVMs etc. Recently we celebrated our Golden Jubilee year.
I myself have been specialising in diverse security areas like private TOR networks, Security of Industrial Control Systems (ICS), Virtualization & Hardware security, Security in Internet of Things (IOT) etc.
I have been a recipient of the prestigious ‘Security Leader of the Year Award - 2016’ by Data Security Council of India (DSCI), and have won other national accolades like Top 100 InfoSec Maestros, Dynamic CISO Security Excellence Awards etc. I also possess a couple of Certifications. I can be reached on this Twitter handle.
So, without further ado, let's start with…
The Wikipedia page says,
It’s a volunteer-based distributed overlay network that simply makes you anonymous online.
It conceals your identity and online activities away from prying eyes of governments, advertisers, stalkers and even your boss.
It’s used by Activists, Whistle Blowers, Journalists and lots of other people who don’t want any surveillance.
Quite obviously, there’s a lot of illicit use cases of Tor too, like Buying/Selling Drugs & Weapons, the famous Silk Route, Child Pornography etc.
But I don’t want to focus on the dark side of TOR… Let's focus on the technology part of it.
So, how Tor works:
It uses layers of encryption called Onion Routing.
Before a data packet is sent, it is encrypted layer by layer and every relay node in the path will decrypt one layer and send it to the next node.
Such that, Each node in the path will only know its predecessor and successor, but no other nodes in the circuit.
So, No observer at any single point can tell where’s the original source & where’s the final destination.
One thing to note here is that a separate set of encryption keys is used for each node to complete the circuit.
Let's see graphically how this circuit is established.
So, Tor sends the encrypted packets through a series of intermediate computers, called relays.
These relays are located all across the world and run completely by volunteers willing to give up some bandwidth for the cause.
There are about 7000 relays across the world & in India about 50. Quite few indeed.
Tor client randomly chooses these 3 nodes.
Entry/Guard Relay - This is the entry point to the Tor network.
Middle Relay - which transports traffic from the predecessor relay to the successor relay.
Exit Relay - which sends traffic to the final destination.
Now, Since exit relays send traffic directly to the end destination, any illicit activity done through Tor appears to come from the exit relay.
Hence, there are special responsibilities to consider when running an exit node.
Because it leads to the rare possibility of Police raids, abuse notices, or more. If you meet an exit relay operator - thank them. They deserve it.
But how do clients know what relays are active? For this, a master list of all Tor Relays is maintained in a live document called the Consensus.
And this Consensus is maintained by the Directory Authorities.
DAs are the gatekeepers of the TOR network that choose what relays are valid and live.
DAs update the Consensus every hour by a voting mechanism.
There are currently 9 DAs whose information is hardcoded into Tor clients.
The Tor network has a very interesting feature called Hidden Services that allows anonymous publishing of websites and other TCP services.
These location-hidden services (HS) operate under the .onion TLD and can only be accessed through the Tor network.
The HSs are implemented in such a way that neither does the HS learn the actual IP address of the client, nor does the client learn the IP address of the HS.
In fact, because no public IP address is used, one can run a HS from behind a firewall. Clients know the HS only by its pseudonymous identifier.
For example, Facebook can be accessed over a Tor HS using this URL.
Now, Tor HSs provide a lot of features from the service provider's point of view.
No need to buy a domain name: rather, you can generate easy-to-remember domain names with a bit of computation using tools like Scallion.
Smear-resistance: nobody can create a bad website and damage your reputation by claiming it's yours.
NAT punching: clients who are behind NAT need not do any sort of port forwarding in the firewall.
Self-authentication: the onion name of a HS is actually a hash of the server's public key, so clients can authenticate the server themselves.
PFS: perfect forward secrecy is built into the encryption mechanism, so a compromise of long-term keys will not compromise past session keys.
But the best thing about Tor HSs is that it hardly takes a minute to host one. I will show this during the demo.
Now, HS operators run HSs for a multitude of reasons. Some want their HS to be public and may advertise its existence on the Internet, like Facebook does, whereas many want to keep the HS's existence private and hidden even from regular Tor users.
So there are two types of hidden services: public HSs and private HSs.
Now the questions that arise here are, "Are Tor Hidden Services really hidden?" and "Is someone monitoring the Tor network for private .onion addresses?"
To answer these, let's dig deeper to understand how a Tor HS works.
It works by routing all communication between the client and the HS through a Rendezvous Point (RP).
The RP joins two Tor circuits, one from the client and one from the HS.
This looks very simple, but it is actually quite complicated...
Let's go deeper.
So firstly, the HS chooses 3 random relays as Introduction Points and establishes Tor circuits to each of them.
The Introduction Points are listed in a record called the Service Descriptor. These are short, digitally signed messages created by the HS. The HS generates two Service Descriptors and uploads them to a set of 6 responsible HSDirs.
The choice of HSDirs is based on a formula and depends deterministically on the onion address and the current time.
The responsible HSDirs change every 24 hours to prevent them from becoming a good DoS (Denial of Service) target.
Now, a client who wants to communicate with the HS needs to know the list of Introduction Points.
To get these, the client first computes the list of responsible HSDirs from the onion address, builds a circuit to one of them and fetches the Descriptor from it.
Next, the client chooses a random Rendezvous Point and builds a circuit to it.
After that, the client builds a circuit to one of the Introduction Points and passes the RP details to the HS over the circuit the HS had already built to that Introduction Point, which allows the client to begin a Diffie-Hellman handshake.
Finally, the HS builds a circuit to the RP and completes the handshake.
Huh, this seems complicated now. But there are some interesting points to note here.
Information about all existing HSs is distributed across many Tor relays (HSDirs).
Any regular Tor relay may act as an HSDir.
Anyone who deploys such HSDir nodes can also harvest onion addresses from them,
and may find addresses that have never been publicly shared.
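To make that "formula" concrete, here is an added example (not the talk's own code, and not Tor's) implementing the v2 descriptor-id computation from Tor's rend-spec and the ring lookup that yields the 6 responsible HSDirs, which shows why the set is predictable from the address and the clock and rotates daily. The onion address and HSDir identity digests are constructed.

```python
# Added example, not code from the talk or from Tor itself: the v2 hidden-service
# descriptor-id formula from Tor's rend-spec, to show why the six responsible
# HSDirs are predictable from the onion address and the clock, and rotate daily.
# The onion address and HSDir identity digests below are constructed.
import base64
import bisect
import hashlib

DAY = 86400

def permanent_id(onion: str) -> bytes:
    # A v2 address is 16 base32 chars: the 80-bit truncated SHA-1 of the service key.
    return base64.b32decode(onion.removesuffix(".onion").upper())

def time_period(perm_id: bytes, now: int) -> int:
    # The first byte of the permanent id staggers rotation so that not every
    # service moves to new HSDirs at the same second each day.
    return (now + perm_id[0] * DAY // 256) // DAY

def descriptor_id(onion: str, now: int, replica: int, cookie: bytes = b"") -> bytes:
    # descriptor-id = H(permanent-id | H(time-period | descriptor-cookie | replica));
    # with HS authentication a secret descriptor-cookie is mixed in here as well.
    perm = permanent_id(onion)
    secret = hashlib.sha1(time_period(perm, now).to_bytes(4, "big") + cookie + bytes([replica])).digest()
    return hashlib.sha1(perm + secret).digest()

def responsible_hsdirs(onion: str, now: int, hsdirs: list[bytes], per_replica: int = 3) -> list[bytes]:
    """Each of the two replicas goes to the `per_replica` HSDirs whose identity
    digests follow its descriptor id on the ring (wrapping around), so up to
    six distinct directories hold the service's descriptors for this period."""
    ring = sorted(hsdirs)
    chosen = []
    for replica in (0, 1):
        start = bisect.bisect_right(ring, descriptor_id(onion, now, replica))
        for i in range(per_replica):
            fp = ring[(start + i) % len(ring)]
            if fp not in chosen:
                chosen.append(fp)
    return chosen

# Constructed ring of 20 HSDir identity digests (not real relays).
HSDIRS = [hashlib.sha1(f"demo-hsdir-{i}".encode()).digest() for i in range(20)]
DEMO_ONION = "aaaabbbbccccdddd.onion"  # constructed address, not a real service
```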
So, it's time to think:
Is someone monitoring the HS Directories for private onion addresses?
If yes, how frequently does this happen and what sort of services are targeted?
To answer these, I ran a project called Onion Decoy.
The idea was to run private, unannounced HSs as honeypots (aka Onion Decoys) inside the Tor network.
The honeypots, or Onion Decoys, were implemented with Docker containers.
The reason for choosing Docker is that it is good at process and filesystem isolation, which ultimately gives the ability to run more services on the same box instead of having to deal with resource-intensive virtual machines. Also, Docker containers can easily be made very clean, containing no identifying data, which makes it difficult to identify them from outside.
The containers were composed of two popular open-source honeypots.
So the honeypots were listening on 3 ports.
Each honeypot container was linked with a separate HS container; together they formed an Onion Decoy with a unique onion address.
The onion addresses were randomly generated and were not announced publicly anywhere.
In total 50 Onion Decoys were deployed for this experiment, and they ran for a period of 60 days.
The attack surface of the Onion Decoys was intentionally kept simple and low-interaction in nature, because the aim was to detect automated intrusion and surveillance rather than sophisticated targeted attacks on private unannounced HSs.
The results of the experiment were quite interesting.
But before I share the results, let's see a demo of all this:
How to host a Tor Hidden Service with Docker containers
How to set up Onion Decoys inside the Tor network
Finally, I will be probing the Onion Decoys using the ELK stack to detect deliberate intrusions
Now let's come back to the results of the Onion Decoy experiment.
The graph here shows the cumulative accesses to the Onion Decoys by the adversaries.
50 Onion Decoys were run for a period of 60 days. Out of the 50, about 32 were revealed.
The first access to the Onion Decoys (represented by the red line) was usually by an automated script, which was not trying to hide its nature but rather included the curl or Wget User-Agent in the HTTP headers. The green line shows the time when the first Tor Browser User-Agent accessed the Onion Decoys.
Now, on the regular Internet, or Clearnet, the most common attack vector targets SSH services. Pretty much every public server on the Internet makes a perfect target for botnets doing automated SSH brute-force attacks. But in this Darknet experiment, the only port of the Onion Decoys that received any traffic was port 80 (HTTP). SSH brute-forcing attacks, which are so common on the normal Internet, were not visible. Also, no SQL injection attempts were detected.
It is interesting to note that the first HTTP request came on the 13th day after the experiment was started. This means that the unannounced HS space is either not under constant scanning, or the scanning is done with very low resources. Also, the adversary would need to run quite a few malicious HSDirs to get all the onion addresses.
This graph shows the daily page loads of the Onion Decoys.
It clearly shows that the volume of traffic grew exponentially towards the end of the experiment.
If the experiment had continued for a longer period, the traffic might have stabilised at some value.
The observation here is that the majority of the traffic came after 40 days, and 600 page loads per day is not a joke but rather an indication that the Onion Decoys were under the serious eyes of the adversary.
And if you look at the daily page loads broken down by User-Agent,
the number of visitors surfing the Onion Decoys with normal browsers (represented in red) is surprisingly high.
In total, 78% of all HTTP requests came from a Mozilla browser User-Agent and not the Tor Browser. This clearly means that some of the adversary's crawlers were faking their User-Agents, because it is certain that normal users can't access a HS (i.e. the Onion Decoy) with normal browsers.
This also shows that adversaries who are after hidden services are also trying to disguise their identities.
One interesting thing I found was that about 27% of the visitors with normal browsers came to the site with the referrer URL http://skunksworkedp2cg.onion, which is a HS whose index page just says 'Peace! Harry'.
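Added example, not part of the talk: a small analyser for the kind of honeypot access logs behind these results, applying the same User-Agent split (curl/Wget scanners, Tor Browser, and "other Mozilla" agents that cannot be ordinary visitors) to constructed log lines and reporting first-access day, faked-browser share and referrers. The Tor Browser User-Agent signature, the decoy names and the start date are assumptions.

```python
# Added example, not part of the talk: an analyser for the kind of HTTP access
# logs the Onion Decoy honeypots produced, classifying requests by User-Agent the
# way the results above do. The log lines, decoy names and start date are
# constructed; the Tor Browser User-Agent signature is an assumption.
import re
from collections import Counter
from datetime import datetime, timezone

LOG_RE = re.compile(r'^(?P<decoy>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \d+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TOR_BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"  # assumed

def classify(ua: str) -> str:
    if ua.startswith(("curl/", "Wget/")):
        return "scanner"        # automated script not hiding its nature
    if ua == TOR_BROWSER_UA:
        return "tor-browser"
    if ua.startswith("Mozilla/"):
        return "faked-browser"  # a clearnet browser cannot reach a .onion at all
    return "other"

def summarise(lines, start: datetime) -> dict:
    """Per decoy: days until first scanner and first Tor Browser hit; overall faked share and referrers."""
    first, kinds, refs = {}, Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(m["ua"])
        kinds[kind] += 1
        if kind == "faked-browser" and m["ref"] != "-":
            refs[m["ref"]] += 1
        if kind in ("scanner", "tor-browser"):
            first.setdefault(m["decoy"], {}).setdefault(kind, (ts - start).days)
    total = sum(kinds.values())
    return {"first_access": first,
            "faked_share": round(100 * kinds["faked-browser"] / total) if total else 0,
            "top_referrers": refs.most_common(3)}

LOG = [  # constructed lines; a decoy name stands in for the client address, which a HS never sees
    'decoy07 - - [14/Oct/2016:04:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    'decoy07 - - [15/Oct/2016:18:03:44 +0000] "GET / HTTP/1.1" 200 512 "-" "' + TOR_BROWSER_UA + '"',
    'decoy07 - - [16/Oct/2016:09:30:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://skunksworkedp2cg.onion" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    'decoy12 - - [20/Oct/2016:22:41:17 +0000] "GET / HTTP/1.1" 200 512 "-" "Wget/1.17.1"',
    'decoy12 - - [21/Oct/2016:01:02:03 +0000] "GET / HTTP/1.1" 200 512 "http://skunksworkedp2cg.onion" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) Safari/601.7.7"',
]
START = datetime(2016, 10, 1, tzinfo=timezone.utc)  # constructed experiment start
```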
The conclusion is simple. The experiment clearly shows that HSDirs cannot be trusted, and that they do surveillance and spying on new onion addresses.
The HSDir surveillance operations by malicious relay operators are not very large-scale, but also not so negligible that they can be ignored. Based on the results, it can be said that short-lived HSs should remain unnoticed only for a few days.
Also, the adversary is neither very systematic nor intrusive.
This is actually a really complicated topic, because there are other ways available to adversaries for learning about onion addresses apart from HSDir surveillance, each of which has its own ethical questions around how invasive the adversary has to be. For example, the adversary can harvest them by being Verizon and spying on the root name servers, or by being Comcast and spying on DNS logs.
HS operators here should understand that private, unannounced Tor Hidden Services do not make much sense and should not be relied on as 'security by obscurity'.
There is a little-known feature in Tor known as HS Authentication [8] which allows setting up a HS in an extra-private mode, accessible only by trusted clients. When activated, no one (not even the HSDirs) can derive the onion address from the descriptors. But this process isn't very intuitive and requires sharing cookies with the authorized clients over an external out-of-band channel.
So finally I would say that 'Hidden Services' is actually a misnomer, and hence Tor volunteers are proposing a new name for them: onion services rather than hidden services.
With that I would like to conclude my presentation... Thank you all.
And if I'm not running out of time, I'll be happy to take some questions from the audience.