Last week, authorities in multiple countries served warrants to take down a Dark Web site generating a reported $600,000-$800,000 a day in sales of illegal drugs and other products. The clue that led authorities to the real-world admin behind the site was a personal email address used in the site’s early days. It provided a tangible link between the virtual world and the physical world. And, it underscored the many difficulties in truly masking one’s identity online.
Oddly, the operational security mistakes made by criminals running Dark Web marketplaces also make for great operational security advice for anyone attending a conference with a hostile network (WiFi and mobile) environment. Both Black Hat and DEF CON take place this week in Las Vegas, and even skilled InfoSec professionals have come away pwned by the fun and games that go on there. The lesson: never let your security guard down.
First, some definitions. If you think of the entirety of the internet as a giant iceberg, then the internet used every day is only the tip: the visible, or surface, web. It is indexed by search engines and reached by common names (such as synopsys.com) rather than by IP address (a string of numbers), with DNS doing the translation for you. Below the water line is the Deep Web, which is vast but mostly mundane: everything search engines don't index, such as content behind a password at the local library, webmail, or a company intranet. The Dark Web is a much smaller slice of that submerged part, hosted on overlay networks that add encryption and obfuscation, and it is the interesting slice. It isn't searchable in the ordinary sense and it doesn't use common names. A Tor hidden service is reached by (at the time of writing) a 16-character string of letters and digits followed by .onion, and that string is not a registered name but an encoding of a hash of the service's public key. There is no registry to look it up in, so you have to be told the address, and whoever holds the matching private key owns it. Nor is the Dark Web easy to access.
To access the Dark Web, one needs special client software. Tor, the Onion Router, grew out of onion-routing research begun in the mid-1990s at the U.S. Naval Research Laboratory, with DARPA among its funders. Its original purpose was to protect U.S. government communications and the identities of their users, including operatives overseas, from traffic analysis. The first public release came in 2003, and in 2004 the Navy released the code under a free software license (BSD-style, not MIT); within about a year the network had grown to roughly 100 volunteer-run relays.
The Tor Browser is a hardened build of Mozilla's Firefox bundled with the Tor client, and it allows browsing both the regular internet and Tor hidden services. I2P is not a browser but a separate overlay network with its own client software and its own hidden sites (eepsites); you reach them by pointing an ordinary browser at the local I2P proxy. A Tor connection to an ordinary website runs through a three-hop circuit. Your client connects to an entry (guard) relay, the guard forwards to a middle relay, and the middle relay forwards to an exit relay, which may be in another country. The traffic is wrapped in three layers of encryption, one per relay, so each relay learns only the hop before it and the hop after it: the guard knows your IP address but not your destination, the exit knows the destination but not your IP address, and the website sees only the exit relay's address. Two caveats. First, the exit relay sees whatever leaves the circuit, so anything not protected by TLS is readable there. Second, a hidden service works differently: there is no exit at all. The client and the service each build their own three-hop circuit to a rendezvous relay, so neither side ever learns the other's IP address. This might seem like a perfect playground for criminals. And it is. But it is not foolproof.
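To make the "each relay sees only its neighbors" claim concrete, here is a toy simulation of the three-hop circuit described above. It is an added example, not code from the original post or from the Tor Project: the relay names, the client IP (a documentation-range address), the destination and the request are all constructed, and the HMAC-based XOR keystream is a stand-in for Tor's real AES-CTR link encryption, used only so the example runs on the Python standard library. It models the clearnet (exit) case; a hidden-service circuit would replace the exit with a rendezvous relay.

```python
import hashlib
import hmac
import json
import os

# Constructed values for the demonstration (documentation IP range, example host).
CLIENT_IP = "198.51.100.23"
ROUTE = ["guard", "middle", "exit"]          # entry (guard), middle, exit relay
DESTINATION = "www.example.com"              # a clearnet site reached through the exit
REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Stand-in for Tor's AES-CTR so the example needs only the standard library.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(hop_keys: dict, route: list, destination: str, request: str) -> bytes:
    """Client side. The innermost layer (for the exit) carries the real destination
    and the plaintext request; every outer layer names only the next relay."""
    inner = json.dumps({"next": destination, "data": request}).encode()
    cell = keystream_xor(hop_keys[route[-1]], inner)
    for i in range(len(route) - 2, -1, -1):        # wrap outward: middle, then guard
        layer = {"next": route[i + 1], "data": cell.hex()}
        cell = keystream_xor(hop_keys[route[i]], json.dumps(layer).encode())
    return cell


def forward_through_circuit(hop_keys: dict, route: list, cell: bytes, client_ip: str) -> dict:
    """Network side. Each relay strips one layer with its own key and records the
    only two things it can see: who handed it the cell and where to send it next."""
    observed = {}
    prev_hop = client_ip
    for i, relay in enumerate(route):
        layer = json.loads(keystream_xor(hop_keys[relay], cell).decode())
        observed[relay] = {"from": prev_hop, "to": layer["next"]}
        if i < len(route) - 1:
            cell = bytes.fromhex(layer["data"])    # still encrypted for the next relay
        else:
            observed[relay]["plaintext"] = layer["data"]  # only the exit sees the request
        prev_hop = relay
    return observed


def demo() -> dict:
    """Build one circuit with fresh per-relay keys and return what each relay saw."""
    hop_keys = {relay: os.urandom(32) for relay in ROUTE}
    cell = build_onion(hop_keys, ROUTE, DESTINATION, REQUEST)
    return forward_through_circuit(hop_keys, ROUTE, cell, CLIENT_IP)


if __name__ == "__main__":
    for relay, view in demo().items():
        print(relay, view)
```

Running it shows the guard recording the client's IP and "middle" as the next hop, the middle relay recording only "guard" and "exit", and the exit recording "middle", the destination and the cleartext request. That last line is the practical point: if the request had been plain HTTP, the exit operator could read it, which is why Tor Browser pushes HTTPS and why the advice below pairs anonymity tools with a VPN or TLS.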
Here's where we get into the operational security aspect. In 2011, Ross Ulbricht launched Silk Road, an online drug emporium reachable only as a Tor hidden service. Along with it he maintained a separate identity, Dread Pirate Roberts, a name taken from The Princess Bride. Silk Road's server was hosted in Iceland, and over two years sales reached roughly $1.2 billion in bitcoin by the government's estimate. Ulbricht, as his trial revealed, was also paranoid. Rather than work only from his home network, he often ran the business over Tor from public WiFi, including a local public library.
Ulbricht made several mistakes that led to his arrest. At one point he ordered several fake driver's licenses; when customs intercepted the package, federal agents showed up at his San Francisco apartment to ask about it. A few months later, in October 2013, he was arrested in San Francisco's Glen Park branch library in the middle of a support chat while logged in as the site's administrator. He didn't realize it at the time, but the "staff member" he was chatting with was an undercover Homeland Security Investigations agent, who kept him talking so that he was at the keyboard with the admin panel open when the agents moved in.
How were law enforcement agents able to connect the physical Ulbricht with the virtual Dread Pirate Roberts? In Silk Road's first year, Ulbricht posted a question to Stack Overflow about connecting to a Tor hidden service from PHP code, from an account registered with his personal Gmail address and displaying his real name. Within a minute he changed the display name to a pseudonym, but the original stayed in the site's records. The same Gmail address had been posted by the forum account that first advertised Silk Road. The internet remembers, and now there was tangible evidence that Ulbricht was DPR.
A similar story unfolded in early July 2017 with AlphaBay, another online drug emporium. By then AlphaBay had roughly ten times the sales volume and traffic that Silk Road had in 2013. And, like Ulbricht, its administrator, Alexandre Cazes, was guilty of hacker hubris (which is a good thing for law enforcement).
Early on, Cazes's real Hotmail address appeared in the headers of the welcome and password-reset messages that AlphaBay sent automatically to new users. The same address was on his LinkedIn profile. On top of that, the persona he used to run AlphaBay was one he had previously used to run an illegal carding operation (the sale and use of stolen credit card data).
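The AlphaBay leak was a header set once in a mailer configuration and then repeated in every automated message. Below is an added example (not code from the original post or from any real marketplace) of the check a practitioner would run on an outgoing mail template: parse the headers and flag every address or hostname that falls outside the domain the mailer is supposed to expose. The sample message, the site domain example.onion and the addresses in it are constructed. It goes beyond the article's From: case to the other headers that leak the same way (Return-Path, Message-ID, Received, X-Mailer).

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical: the only domain the marketplace mailer should ever expose.
SITE_DOMAIN = "example.onion"

# Constructed welcome mail in the style the article describes: an automated message
# whose From: was set to the operator's personal webmail account.  Not a real message.
SAMPLE_WELCOME_MAIL = """\
Received: from mail.example.onion (localhost [127.0.0.1]) by mail.example.onion
Message-ID: <20141203011512.5a1f@ops-laptop.local>
From: "Support" <someone_personal@hotmail.com>
Reply-To: support@example.onion
Return-Path: <someone_personal@hotmail.com>
X-Mailer: PHPMailer 5.2
To: newuser@example.net
Subject: Welcome to the market

Your account is ready.
"""

ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "Errors-To")
FINGERPRINT_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP")


def _outside(host: str, site_domain: str) -> bool:
    """True when host is neither the site domain nor a subdomain of it."""
    host, site_domain = host.lower(), site_domain.lower()
    return bool(host) and host != site_domain and not host.endswith("." + site_domain)


def leaky_headers(raw_message: str, site_domain: str = SITE_DOMAIN) -> dict:
    """Return {header: value} for every header exposing an address or hostname
    outside site_domain, plus software fingerprints that narrow down the sender."""
    msg = message_from_string(raw_message)
    findings = {}
    # Sender-side address headers: the operator controls these, so a personal
    # address here is exactly the AlphaBay mistake.
    for header in ADDRESS_HEADERS:
        for _display, addr in getaddresses(msg.get_all(header, [])):
            if _outside(addr.rpartition("@")[2], site_domain):
                findings[header] = addr
    # The right-hand side of Message-ID is normally the generating host's name.
    mid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    if _outside(mid_host, site_domain):
        findings["Message-ID"] = mid_host
    # Every Received: line names a relay hop; hostnames there identify infrastructure.
    for received in msg.get_all("Received", []):
        for host in re.findall(r"(?:from|by)\s+([\w.-]+)", received):
            if _outside(host, site_domain):
                findings.setdefault("Received", []).append(host)
    # Software fingerprints don't name a person but shrink the suspect pool.
    for header in FINGERPRINT_HEADERS:
        if msg.get(header):
            findings[header] = msg[header]
    return findings


if __name__ == "__main__":
    for header, value in leaky_headers(SAMPLE_WELCOME_MAIL).items():
        print(f"{header}: {value}")
```

On the sample, From: and Return-Path: are flagged for the Hotmail address, Message-ID is flagged because its host part names the machine that generated the mail, and X-Mailer is reported as a fingerprint; Reply-To and Received pass because they stay inside the site's domain. Run the same check against a captured copy of what the mailer actually sends, not just the template, since the MTA adds Received and Message-ID after the fact.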
Like Ulbricht, Cazes was arrested while logged in to AlphaBay's administrative back end; his laptop was open and unencrypted. That let law enforcement tie the online persona to the real-world Cazes on the spot, and it gave them the credentials for the site's servers around the world as well as its cryptocurrency wallets. Shortly after his arrest, Cazes was found dead in a Thai jail cell, an apparent suicide.
What can security professionals learn from these criminals? First, remember that we're human. Then ask what your goal is in bringing electronic devices to a hostile security conference. If the goal is simply to stay in touch without infecting your personal phone with malware, a burner phone (a cheap, disposable one) is best; after the conference you can wipe it or throw it away. Alternatively, power off your personal phone and use it only away from the conference venue. The same goes for a burner laptop. If you need to get online, do not join the conference WiFi (or any network claiming to be the conference's). Bring your own WiFi hotspot instead (which will require a separate cellular plan), and once online use a VPN, which encrypts your traffic between your device and the VPN provider so the local network sees only an encrypted tunnel. Remember what a VPN doesn't do: it offers nothing against malware already on the device, and the provider itself can see your traffic, so pick one you actually trust.
If your goal is anonymity, you have more work to do. If you use your burner phone and then switch on your personal phone in the same place, anyone with access to the cell tower logs can correlate the two: both device IDs keep registering at the same towers at the same times, and that coincidence, repeated across several locations, is a strong hint that they belong to the same person. (At a conference like DEF CON there may also be rogue base stations, IMSI catchers, whose only purpose is to collect mobile subscriber IDs.) For anonymity, leave the personal phone at home and carry only the burner.
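The co-location inference described above is straightforward to automate, which is why it deserves to be taken seriously. The following is an added example (not from the original post) of how an analyst holding tower logs would do it: group sightings by tower, pair up device IDs seen at the same tower within a time window, and count how many distinct co-sightings each pair accumulates. The log format, tower IDs and IMSI labels are constructed for the demonstration; the same logic applies unchanged to WiFi probe-request or MAC address logs, which conference networks also collect.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tower log: timestamp, tower id, device id.  The device IDs stand in
# for the IMSI/IMEI a tower or IMSI catcher records.  Nothing here is real data.
SAMPLE_TOWER_LOG = """\
2017-07-26T08:55:10 TWR-LV-017 IMSI-BURNER
2017-07-26T09:02:41 TWR-LV-017 IMSI-PERSONAL
2017-07-26T09:10:03 TWR-LV-017 IMSI-STRANGER-A
2017-07-26T12:31:55 TWR-LV-042 IMSI-BURNER
2017-07-26T12:40:12 TWR-LV-042 IMSI-PERSONAL
2017-07-26T18:05:00 TWR-LV-003 IMSI-PERSONAL
2017-07-26T18:09:30 TWR-LV-003 IMSI-BURNER
2017-07-26T18:12:00 TWR-LV-003 IMSI-STRANGER-B
2017-07-27T08:58:22 TWR-LV-017 IMSI-STRANGER-A
2017-07-27T09:01:00 TWR-LV-017 IMSI-BURNER
"""


def parse_log(text: str) -> list:
    """Turn log lines into (datetime, tower, device) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tower, device = line.split()
        events.append((datetime.fromisoformat(ts), tower, device))
    return events


def co_located_pairs(events: list, window: timedelta = timedelta(minutes=30),
                     min_sightings: int = 3) -> dict:
    """For every pair of devices, count distinct occasions (tower, time of the earlier
    sighting) on which both were seen at the same tower within `window` of each other.
    Return {(device_a, device_b): count} for pairs at or above min_sightings."""
    by_tower = defaultdict(list)
    for ts, tower, device in events:
        by_tower[tower].append((ts, device))

    sightings = defaultdict(set)          # (dev_a, dev_b) -> {(tower, time), ...}
    for tower, visits in by_tower.items():
        visits.sort()                     # chronological, so we can stop early below
        for i, (t_i, dev_i) in enumerate(visits):
            for t_j, dev_j in visits[i + 1:]:
                if t_j - t_i > window:    # later visits are further away still
                    break
                if dev_i != dev_j:
                    pair = tuple(sorted((dev_i, dev_j)))
                    sightings[pair].add((tower, t_i))
    return {pair: len(s) for pair, s in sightings.items() if len(s) >= min_sightings}


if __name__ == "__main__":
    for pair, n in co_located_pairs(parse_log(SAMPLE_TOWER_LOG)).items():
        print(f"{pair[0]} and {pair[1]} co-located on {n} occasions")
```

With the default threshold of three co-sightings, only the burner and the personal phone are linked: they were seen together at three different towers on one day. Lowering the threshold to two also pulls in IMSI-STRANGER-A, who simply commutes past the same tower at the same time each morning, which is the false-positive rate an analyst has to tune against and the reason a single overlap isn't evidence while a repeated one is.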
You might also be tempted to use that burner phone and burner laptop at a cafe. Anonymous, right? Not really. Security cameras are watching you. If you really want to take advantage of the free WiFi, sit outside the cafe, away from the cameras, preferably in your car or in the store next door. Use a throwaway email address for the conference, too, and remember not to type your real Gmail credentials into anything, as Ulbricht and Cazes did.
It is a hassle to do all this; isn't that what non-security people always say? But going through the process is also a valuable learning exercise. Even if you don't feel you need these precautions (you don't think you'll pick up malware, you don't think you need to be anonymous), it's worth understanding the reasoning. As we have seen, lapses in the process have led to the capture of bad actors who at some point felt themselves untouchable. In different circumstances, good people can get hurt the same way.
What matters is internalizing security: the ability to look at any situation and analyze your own personal risk. Once you learn to see the world through that lens, the rest of InfoSec gets a lot easier. Of course, actual mileage may vary.