The Beginners Guide to The Internet Underground

Jeremy Martin Sr. Security Researcher

This doc covers the basics of anonymity, hactivism, & hidden parts of the Internet underground, along with some of the things you may find there.
Disclaimer: Do NOT break the law. This was written to explain what the Darknet / Tor hidden service) is and what kind of things you may find. It is not an invitation to break the law without recourse. Just like any network, this one has both good and bad guys. If you break the law, you will get caught. Bad guys have to be lucky EVERY time. The Good guys only have to be lucky once. Images within this document were taken directly off the Internet or from screenshots at the time of research. The content of these pages are subject to update, discussion and dispute, and comments are welcome.

Information Warfare Center, LLC www.informationwarfarecenter.com (719) 359-8248

7/ 1/ 2 0 1 3

If you know both yourself and your enemy, you can win a hundred battles without a single loss rough translation; Sun Tzus Art of War. "Trust but verify" - Ronald Reagan or the Russian proverb ", "

The Story Can there be true anonymity on the Internet? The Internet Underground: Tor Hidden Services - Tips Hacker Groups - The Hactavist - The Cyber Criminal - Cyber Espionage / Warfare - The Cyber Jihadists The Activist Group Anonymous - Messages from Anonymous: Information sharing - Security Research - Internet Piracy Digital Forensics and investigation - Disk forensics - Network forensics - Misc forensics - Anti-forensics example Resources About the Author

Creating your own Darknet home Other Internet hidden networks: I2P: Anonymizing network

Page 4 5 10 13 14 15 17 17 18 21 22 23 23 29 29 30 33 34 35 36 37 38 39

It's half past midnight. The glow of computer screens flicker off empty energy bottles strewn across the room. Moving images of Japanese anime irradiates from a monitor while the beat of progressive house music leaks out of speakers throughout the room. Pictures on the television show news bulletins filled with thoughts of terrorism, espionage, and a cyber-apocalypse. This fear mongering preceded an Executive Order to allow both companies and government agencies to monitor everything from emails to telephones without a search warrant. This has inflamed the hacker community along with a small portion of the population who consider themselves freedom fighters and patriots. One of the laptops sitting on a nearby desk (a customized Linux) starts to flash, catching a hacker's attention. A script designed to crawl government and military websites, found and defaced the 17th website tonight with cyber-patriot propaganda. Another laptop views a pastebin information leak where thousands of email accounts and millions of emails from those in the law enforcement, government, and intelligence agencies are listed with a note saying If you want to watch us, let the public watch you. The sites publishing the information are getting shut down quickly at first, but soon the data spreads like wildfire. Within a couple hours, the television across the room showcases the major networks as they are commenting on misdeeds of a few corrupt officials due to leaked cables. An IRC chat window starts to become active. Several hackers, known only by their handle, start to laugh (lolz). At first they were hacking for the lolz, but now it is different. They all feel invincible and are doing it for ideology. The chat turns more organized, and plans for future attacks start to solidify. It is now three in the morning and the sound of rain drowns out the scream of police sirens racing down the street. Tires screech as over a dozen vehicles swarm the suspects house. Within a minute, there are over twenty fully armed S.W.A.T. and federal agents moving towards the red door in the front of the house. 1, 2, 3 one of the officers motions This is the police! another yells as two cops swinging a door knocker, busts the weak wooden door off of the hinges. Black clothed bodies flood the portal. The Special Agent (SA) in charge of the operation walks through the shattered home immediately after being cleared by the shock troops. Once he gets to the back bedroom where the suspects are located, he finds an elderly couple terrified lying in their bed. Surrounded by weapons drawn, the SA simply asks if the couple had any knowledge of the cyber-attacks plaguing the country. In tear soaked speech, the wife mutters, No.", as the SA shakes his head in frustration. A couple of miles away from the flashing of police lights, the actual criminal gazes through his window laughing at how untouchable he thinks he is. The hacker perpetrated the attack by purchasing a high power wireless card with a directional antenna during his travels. Using cash, the transaction was practically untraceable. He used a Linux distribution called Reaver Pro to crack the elderly couples wireless WPS key. This only took a few hours and gave the hacker the WPA password, which happened to be their sons name. Now, even if they change the WPA key, the broken WPS key will instantly give him their new password unless they change the WPS key as well. He then proceeded to change or spoof his MAC address (hardware fingerprint) to that of the couples personal computer and then piggybacked off their service.

None of the exploits used or information leaked to the public was ever traced back to the original sources. The hacker and his associates continued the attacks believing they are invincible while fighting for a just cause. The fight on both sides escalated over the next year until the freedom fighters hacked a water treatment facility running SCADA or Industrial Control Systems (ICS). The facility's management made a poor descision and connected the secure network to the enterprise network without proper security. This gave our attackers access to some very sensitive systems. Now, the hackers come across a device that looks interesting. They simply listened to the network traffic for a couple of days. After they record the data between the control center and what ends up being a chemical injector, one of the hackers realizes which one is which. As a political statement, the hacker changes the amount of fluoride flowing into the drinking water. He plans to do this for only a few minutes. Almost immediately, lightning strikes a phone pedestal a mile down the road. The DSL line the hacker is using goes dark. Panic finds its way across the hackers face as he realizes he just murdered over a thousand people with fluoride poisoning.

Artwork by Jeremy Martin

The interesting thing is most of it can easily be true. Poor choices by management and improper implementation by staff is rampant. How many malware writers actually get caught let alone convicted? How many hackers actually get caught let alone convicted? Even the hactavists that do get arrested for attacks such as Denial of Service use the defense of activism, free speech, or a cyber sit-in. Most of the ones caught arent even the masterminds behind the attacks. The mentalities of hackers vary from a bored teen doing it because they can to actual state-sponsored espionage to an ideological electronic warfare. Anyone can be a hacker. Anyone can be an activist. Anyone can be a criminal How many cyber laws, just here in the U.S.A., have been passed in the last ten years in the name of antiterrorism? The recently failed and reintroduced CISPA was such a law that violats the 4th amendment and every revision of the wiretap laws ever passed. It is understandable why a government would want to do this. It is also understandable why the people would want to stand up against the illegal activities of its government. Warrantless wiretap Think of this; most cell phones and telephones cross over networks at some point. The voice becomes digital and therefore data, and falls under the monitoring statutes for Provider Protection. Why would this be considered absolutely inconceivable pre-911 and perfectly acceptable post-911? Questions need to be asked before trying to understand the why. Why would people want to be anonymous or exercise their right to privacy and free speech? Why would others want to monitor everyones communications in the name of security? Why would some be considered cyber-terrorists? Can on actually protect themselves from prying eyes? .

To some extent, the answer to the title is yes. However, there are many variables to consider. Just in the United States, there are many laws on the books (especially post-911) that have enabled Big Brother to potentially violate several of the rights granted to Americans by the Bill of Rights. Listed are just a few of the regulations or budget contracts that reference loosening the term reasonable search and seizure covered in the fourth Amendment and why there is such an internet outcry to Internet privacy. Currently, there are several Internet Service providers that may be illegally wiretapping all your traffic. Whether it is foreign or state sponsored activity or the ISP is watching what you are doing so they can censor, filter, or shape your bandwidth, your secrets may not be that secret. Look at the recent classified information leaked by Edward Snowden about the secret wiretapping programs PRISM and NUCLEON.
Just in the USA, there are several interesting federal laws Computer Fraud and Abuse Act (CFAA) USA Patriot Act, Title II (Enhanced Surveillance Procedures) ECPA (Electronic Communication Privacy Act) Title 18, U.S.C 1030 (Computer Fraud and Abuse Act) Title 18, U.S.C 2703 (Disclosure of customer communications) CISPA (Cyber Intelligence Sharing and Protection Act) shot down 2012& resurrected in 2013 NDAA 2011 (The National Defense Authorization Act) Digital Millennium Copyright Act (DMCA) Etc

Constitution of the United States Amendment I Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances. Amendment IV The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Six Strikes rule With this new wiretap, the parties agreed on a system through which copyright infringers are warned that they are breaking the law. After six warnings, ISPs may then take a variety of repressive measures, which include slowing down offenders connections and temporary disconnection. At the time of this research, some of the ISPs that have already subscribed to this are AT&T, Cablevision, Comcast, Time Warner Cable, and Verizon. This means these service providers are watching everything you do and may be giving that intelligence to t he government or other companies. I hope you like the thought of hundreds of people reading ALL of your emails and listening to your phone conversations.

A simple way to prevent from being tracked back (as in the story) is to use someone elses Internet. With the proliferation of wireless devices, finding someone elses internet is very easy. This is a method of blending in. The attacker assumes someone elses digital identity and piggybacks off their internet connection. At a minimum, this is theft of services, but this theft is far easier than most people believe. If you boot off a live Linux CD, you can see the WiFi traffic without even connecting to the targeted network. At the time of this research, Backtrack is one of the best security distributions. Once you have booted into the operating system, you can use a program called airmon-ng. This will allow you to turn your current wireless card into a monitoring device. After you see a wireless access point and decide who is a top talker on that device, use a program called macchanger to alter your network fingerprint to the top talkers MAC. Use ifconfig to turn the wireless card on. Then connect to the same remote access point. Even though you are spoofing the target MAC address, but you are usually going to be another Internet Protocol (IP) address A lot of analysts may miss this. If they have a service proxy, you may have to use programs like Burpe suite or Paros proxy to fake other connection information like browser or paid connection information. I have seen some providers associate the paid account with a specific access point which is just as easy to bypass as the other methods. The command line examples would look like (Cli = Command line interface :) Cli1: Cli1: Cli2: Cli2: Cli2: Cli2: Cli2: Cli2: Cli2: air0mon start wlan0 <enter> air0dump-ng <enter>: View the top talker macchanger wlan0 m top talker MAC address ifconfig wlan0 up iwconfig iwconfig wlan0 mode Managed iwconfig wlan0 essid target ssid iwconfig wlan0 key wireless password (if password is needed) dhclient wlan0 or dhcpcd wlan0 (to get a DHCP IP address)

At this point, they should be connected to the target network. If someone was trying to track back the source address; they would get the victims IP address. Further investigation may reveal that the victim was being hacked, but that is about all. If the hacker connected to a personal account or services such as email, Facebook, LinkedIn, or other targeted personal info, other evidence could be acquired from the ISP. If the suspect uses a long range card with long range antenna, chances of tracking them drastically decreases to almost nil. Again, piggybacking on someone elses internet without authorization is illegal. Do NOT break the law.

There are legitimate reasons why governments want to monitor and control the communications of the populace and/or foreign entities. Threats against Intelligence and National Security are valid concerns. However, many countries used those excuses and violated the basic trust they once had with their citizens. Tunisia, Egypt, and Syria are just some of the more recent countries that have fallen to the temptation to censor or monitor. The need for some to pass information without prying eyes has spawned many different methods of anonymous communication or covert channels. To understand how people are hiding what they are sending and where they are sending from, you need to know the basics of the communication mechanism they are using. I am going to focus on the Internet as the backbone medium. There is always a fingerprint on every packet that is sent. If all the systems or nodes on a network are monitored and logged, the origin can always be traced. The challenge with the Internet is that nobody controls everything (even though there is a current power struggle in this area). This means that if you cannot get the logs, you may not get the origin or the original fingerprint. There are several reasons you do nt get the logs. The two most common are political and the lack of storage. During the uprising in Tunisia, the government at the time tried to stop transmissions and effectively turned off the traditional paths to the Internet. Several groups then helped re-open the communication channels by sending dialup numbers, IRC channels, proxy addresses, and VPN servers. Soon after, the twitter feeds and videos started to stream out of the country again. On the other side of this coin, many people use these types of jump points to download movies, music, and pirated software or send out malicious attacks against targets. The MPAA allegedly hired people in India to attack thepiratebay.se in a massive DDoS attack. The hactavist group Anonymous then attacked back, effectively shutti ng down the MPAA websites. Anonymous has even taken to the Tor network for protection from cyber spying with the old site Anonops.org being moved to anonops532vcpz6z.onion. Many Internet Service Providers (ISPs) are working with the local government or copyright owners such as MPAA, RIAA, Microsoft, etc to monitor your entire Internet traffic looking for evidence for possible pirated Intellectual Property. To get around this, suspects can use methods to make their origins anonymous on the Internet. Encryption is still the best solution to keep your information private. For whatever reason you want to protect your identity and data on the Internet, there are several options. Proxy servers are one of the most common routes. There are free and commercial proxy servers all around the world that offer access without logging the connections. Some of these proxies offer SSH encryption or even AES 256 bit encryption tunnels such as the services from BTGaurd. Using network encryption makes network forensics virtually impossible. Finding the source is also difficult outside knowing that the IP address of the proxy and getting the answer from that system.

The TOR community or Onion network is another service that contains thousands of public proxies and thousands more that are not publically known. With this being said, blacklisting TOR network addresses does not work. The basic TOR client that comes with the TOR Browser Bundle (TBB) even allows you (the client) to be a proxy into the TOR network. TOR however does not support Bit torrent, but it does support browsing, chat, email, and other basic Internet services. However, once on the TOR network, others on the same network will know your original IP address. There are many secure live operating systems you can use to log into TOR. The first one I want to talk about is Tails. The Amnesic Incognito Live System is a live CD/USB distribution preconfigured so that everything is safely routed through Tor and leaves no trace on the local system. This can be found on thetorproject.org. The second one I would like to mention is Whonix (called TorBOX or aos in past) is an anonymous general purpose operating system based on Virtual Box, Debian GNU/Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Not even malware with root rights can find out the user's real IP/location. Both of these are pre-configured operating systems that will let you automatically connect to the TOR network with little to no work on your part. Whonix is based of two different virtual machines and does require more resources and a running OS. The Tail OS, if burned to a CD, doesnt leave a forensic trail on the local hard drive. Live Operating systems usually run in memory only. Some of the live Linux distributions will even prevent automatic mounting of drives and network cards after the OS boots up. If the drives are mounted, they can be mounted as read only. Programs like MacChanger will allow the user to spoof the hardware finger print to obfuscate the vendor/identification at the OSI layer 2 (datalink layer). This allows for plausible deniability, especially if connecting to unsecured wireless networks. Once the system is shut down, everything in memory is wiped out. A USB drive can be used to substitute the CD. The simple fact is, if people investigating do not have the original USB, the game is over. Coming from someone with a computer forensics background, I can attest that a suspect using live Linux makes the investigation a nightmare. Another Live Linux system that is very popular in the security community is BackTrack Linux (backtrack-linux.org).

The other method to completely hide all your traffic is the traditional VPN. A VPN server essentially hides your IP address because you are virtually connected to a completely separate network. Once you touch the Internet, it is going through their gateway. The downside is that there is a bandwidth bottleneck. You are also on a network with others trying to hide their identity. Once you are on the network, your source is known by the other people on the network. Now from the investigation standpoint; if the logs do not exist, there is no forensic footprint. If the evidence has been tampered with or does not exist, there is no case. If you are not on the same network as those using these services, especially the proxies, you may never find the origin or the suspect. If you are on the same network or inline between the suspect and the proxy, you may be able to see what is going through the wire if it is unencrypted. However, you need to be careful of wiretap laws. Not even the ISPs have the right to monitor your traffic without probable cause and more than likely a court order. However, there is legislation and activities that are pushing this into a very grey area ISPs are using the excuse that too many people are sharing illegal or protected IP content and should be able to protect themselves. Just be aware of your environment, the jurisdiction, and monitoring laws in your area. This is a major security threat for companies that want to control all of their traffic. If you blacklist, there will only be other covert channels popping up to bypass the blocking. It comes down to managing acceptable risk. Going back the beginning of this article, some laws are being pushed that wiretaps may be a normal part of everyday life and that National Security trumps right to privacy as it is in most other countries around the world. If you are not a member of a hacking group/hactavist community/state sponsored cyber army, you may not have the access to a private VPN or proxy. In this case, there are several resources you can choose from, but it all comes down to researching the product that is right for you. Here is a list of services that some people use to hide their origin.

Services that may not log BTguard Private Internet Access TorrentPrivacy TorGuard ItsHidden Ipredator Faceless IPVanish AirVPN PRQ BlackVPN Privacy.io Okayfreedom Cryptocloud

Services that do not support anonymity (Log a lot) hidemyass Hotspot Shield VyprVPN SwissVPN StrongVPN

10

Some people think onion routing or the Tor network is for criminals and people with something to hide. Well, they are half right. The Tor network was designed to give a masked, semi -safe, passage to those that needed to get information out. Tor was originally designed, implemented, and deployed as a third generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others. - torproject.org With Tor, 3 Nodes from a pool of thousands will be chosen with the route changing often. The onion-like encrypting assures the anonymity and can be a way to bypass traffic filters or monitors. This medium has been recognized as a safer way to communicate over the Internet. What most people do not realize is that there is an entire underground out there called Darknet. Others just call the underground Internet Tor network hidden servers. These hidden servers usually have a .onion extension and can only be seen using a Tor proxy or TorVPN. The easiest way to get onto the Tor network is with the Tor Browser Bundle (TBB). It is free and very easy to install and then use. All you have to do is go to the torproject.org and download TBB and within minutes you will be connected. There are legitimate reasons to use Tor, especially for those that are trying to hide their identities from oppressive governmental regimes or reporters trying to minimize leaking the identity of informants. Some will even stay on the proxy network and use services like Tor mail, a web based email service. There are still some anonymity challenges. If you are on the same network, you may still leak the originating IP address and there is a risk of someone capturing your traffic. Some will even go as far as only using HTTPS (SSL encryption) or reverting back to the good old VPN. There are darker usages of the hidden servers. There are E-Black Markets all over this network that sell anything from Meth to Machine guns and services that range from assembling credit card data to assassinations (you give us a picture; we'll give you an autopsy report!). Most of the sites trade their goods with an e-currency called Bitcoins, an anonymous electronic commodity that can purchase almost anything. One of the most popular secret sites called The Silk Road or SR has almost anything you can think of. SR has evolved over the years and has recently dropped its weapon sales section. They have also banned assassination services to minimize attention from showing up on Law Enforcements radar. They still have plenty of drugs, counterfeit items, and stolen goods.

11

12

There are still plenty of other sites that focus on arms dealing or unfiltered auction site. Once you are on Tor, the next thing you would have to do to communication with some of these sites is to get an anonymous Tor based email. This is a web based email that you log into that acts just like a regular email except it only exists in the Tor world. Another popular communications mechanism is TorPM. Tor Communications Tor Mail http://jhiwjjlqpyawmpjx.onion E-Black Market sites The Silk Road: http://silkroadvb5piz3r.onion/index.php Black Market Reloaded: http://5onwnspjvuk7cwvk.onion/index.php Zanzibar's underground marketplace: http://okx5b2r76olbriil.onion/ TorBlackmarket: http://7v2i3bwsaj7cjs34.onion/ EU Weapons & Ammunition: http://4eiruntyxxbgfv7o.onion/snapbbs/2e76676/ CC4ALL (Credit Card site): http://qhkt6cqo2dfs2llt.onion/ CC Paradise: http://mxdcyv6gjs3tvt5u.onion/ C'thulhu (organized criminal group): http://iacgq6y2j2nfudy7.onion/ Assassination Board: http://4eiruntyxxbgfv7o.onion/ Another hitman: http://2v3o2fpukdlpk5nf.onion/ Swattingservice (fake bomb threats): http://jd2iqa4yt7vqvu5o.onion/ Onion-ID (fake ID): http://g6lfrbqd3krju3ek.onion/ Quality Counterfeits: http://i3rg5diydpbxkewu.onion/ Social Network mul.tiver.se: http://ofrmtr2fphxkqgz3.onion/ Informational LiberaTor (weaponry & training): http://p2uekn2yfvlvpzbu.onion/ The Hidden Wiki: http://kpvz7ki2v5agwt35.onion/wiki/ Search The Tor Hidden Service Search: http://www.ahmia.fi/ Torch: http://xmh57jrzrnw6insl.onion/ Torlinks: http://torlinkbgs6aabns.onion/ So lets take this step by step. 1.) Download Tor Browser Bundle from torproject.org. 2.) Double left click in Start Tor Browser. 3.) You should then see Vidalia connecting to Tor. 4.) The Tor Browser should automatically open. You are now on the Tor network. You can now access .onion domains. 5.) Create a TorMail account on jhiwjjlqpyawmpjx.onion. 6.) Create a TorPM account on 4eiruntyxxbgfv7o.onion/pm/ 7.) Enjoy a little more anonymity for research.

13

Tips:
The Tor network has been around for many years and there are many hidden servers out there with .onion extensions. There are many .onion sites that are benign, but there are many out there that contain contraband materials such as child pornography, illegal weapons, assassination services, drugs, stolen credit cards, and fake IDs. Investigating these sites can be problematic since the addresses are only available through the Tor system. If you are researching in this realm, be extremely careful. Be aware that there is more offensive material on that network per capita than on the normal Internet, surface web, or deepweb. I would document your research and report the CPKP sites to the proper authorities. This will help protect you from getting dinged for the possible illegal activity. If you fear that your connection is being monitored through deep packet inspection, the Tor network may not be visible. An extra step that can be taken to keep them from seeing your data is to also use a VPN service, bounce through a Socks5 proxy using an SSL tunnel, and then connect to the Tor network. Just remember, if the VPN or Proxy servers log the information, you are not truly anonymous. The more layers of security used, the more effort will be needed to peeled back to investigate. The need to be anonymous is not a representation of a guilty conscience. Just like a settlement in a lawsuit is not an admission of guilt. However, upstream providers, management, and law enforcement sometimes disagree. While trying to be faceless and hide your true identity, make sure you do not log into identifiable accounts. It is amazing how many people check their regular email, chat, or uses their nicknames and it makes investigations a lot easier. In the end, it all comes down to level of effort. The effort you want to put into being just another face in the crowd versus the effort of those that want monitor.

Here are some examples of levels on how someone can decrease the probability of them getting caught. Example 1 Connect directly This leaves a direct fingerprint to the source. This is never suggested and usually points to a novice or script kiddie. This changes the fingerprint of the hardware This will act as a proxy by adding them to a completely different network and having the VPN gateway as the originating address from the outside. This again adds a layer of obfuscation to the target by ripping off the source information and adding its own. This changes the fingerprint of the hardware This will act as a proxy by adding them to a completely different network and having the VPN gateway as the originating address from the outside This again adds a layer of obfuscation to the target by ripping off the source information and adding its own. This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.

Example 2

change their MAC address Connect to a VPN Connect to Tor

Example 3

change their MAC address Connect to a VPN Connect to a Proxy Connect to Tor

14

Anyone can setup a Darknet storefront. In many cases, knowledge of web development isnt needed. Using a program called PortableApps from www.portableapps.com can make this a trivial process. You can add the Tor Browser Bundle and xampp (a self-encapsulated webserver bundle). This means that someone could have a Darknet hidden service on a thumbdrive and run the server on any computer they are currently at.

As shown in the image above, xampp is running and apache is listening on port 80 and 443. If you were to open a web browser and visit http://127.0.0.1, you would see the welcome page. To customize the website, just copy a index.html file directly into the PortableApps\xampp-portable\htdocs folder. Once this is done, you should be rendering your personal custom website. Now to create an onion domain. Open the Tor Browser. Vidalia control panel should open. In this window, there is a settings button that gives you access to the proxy configuration. In here, there is a services area that allows pointing to your local web server. Choose either port 80 or 443 for standard HTTP and then add. It will generate a couple configuration files for you to use and keep with the webserver. Now, every time you run the Tor Browser, you will have a link back to your web server. This does take a few minutes to prorogate across the onion router network, but this is the easiest and most mobile method, allowing more Anonymity for hosting the service. Unfortunately, drug dealers, pedophiles, and terrorists already know this.

15

"I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties." I2P is a project to build, deploy, and maintain a network supporting secure and anonymous communication. People using I2P are in control of the tradeoffs between anonymity, reliability, bandwidth usage, and latency. Unlike many other anonymizing networks, I2P doesn't try to provide anonymity by hiding the originator of some communication and not the recipient, or the other way around. I2P is designed to allow peers using I2P to communicate with each other anonymously both sender and recipient are unidentifiable to each other as well as to third parties "The I2P/Tor outproxy functionality does have a few substantial weaknesses against certain attackers once the communication leaves the mixnet, global passive adversaries can more easily mount traffic analysis. In addition, the outproxies have access to the cleartext of the data transferred in both directions, and outproxies are prone to abuse, along with all of the other security issues we've come to know and love with normal Internet traffic." - www.i2p2.de Terminology of Tor Vs. I2P

Tor
Cell Client Circuit Directory Directory Server Entry Guards Entry Node Exit Node Hidden Service Hidden Service Descriptor Introduction point Node Onion Proxy Relay Rendezvous Point Router Descriptor Server

I2P
Message Router or Client Tunnel NetDb Floodfill Router Fast Peers Inproxy Outproxy Eepsite or Destination LeaseSet Inbound Gateway Router I2PTunnel Client (more or less) Router somewhat like Inbound Gateway + Outbound Endpoint RouterInfo Router

16

Lets take a step back and compare the two different networks Tor and I2P. Onion routing wraps your traffic or packets in multiple layers of encryption. Each router in the chain has its own key and can only decrypt the traffic at the layer that it encrypted. Tor, based off C, has been around for a longer period of time and has more nodes or proxies. This network also has the capability to use TLS and bridges. Tor acts as a Socks proxy so all traffic is forwarded as a relay, exit, or client node. With government and commercial funding, the Tor community has a solid base in research and development. This also means that a lot of the exit nodes are known and blacklisted. However, there are many private proxies listed in the network that change frequently or you can set up a relay. Another big bonus is that Tor is hard to block, even at the state-level borders. Unfortunately, this network uses a centralized directory based management. I2P is based off Java which means that there is naturally a higher footprint. However, it is a fully distributed network which focuses on services instead of the entire TCP/IP stack which makes the communications faster and more portable (port forwarding is now available). The encryption tunnels also have less of a life span. This makes crypto-analysis attacks more difficult. Here is another example of how someone can decrease the probability of them getting caught. Example 4 Change MAC address Connect to WiFi Hotspot Connect to a VPN Connect to a Proxy Use an encrypted tunnel to Proxy Connect to IP2 This changes the fingerprint of the hardware Hide in plain sight but not on your network This will act as a proxy by adding them to a completely different network and having the VPN gateway as the originating address from the outside. This again adds a layer of obfuscation to the target by ripping of the source information and adding its own. This distorts the view from prying eyes This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.

The attacker can also bounce through multiple proxies, but the more connections you go through, the slower the connection will be. Bouncing through multiple servers is nothing new. The average attacker usually goes through 2-3 hop points. It is also not as easy to trace back as most of the movies seem to show. As mentioned before, if the server does not log, the job of the forensics analyst becomes a LOT more difficult if not impossible. This is where you may have to get several court orders from multiple countries to trace back the source of the attack. Reminder: When connecting to any proxy or using anonymizing methodology, NEVER use personal identifiable indicators. That means do not log into email, facebook, bank, or any other site you would normally connect to. Use a different browser and or even a different system if you dont want to spoof fingerprints. Do not cache or save bad data. Its better not to even search for bad data or contraband.

17

There are plenty of hacking groups. The range goes from hacktivists to bored fourteen year olds to organized crime to state sponsored actors. There are many websites out there on the regular Internet that monitors or allows hackers to post their conquests. Zone-h.org is one of these sites. Zone-h disclaimer: all the information contained in Zone-H's cybercrime archive were either collected online from public sources or directly notified anonymously to us. Zone-H is neither responsible for the reported computer crimes nor it is directly or indirectly involved with them. You might find some offensive contents in the mirrored defacements. ZoneH didn't produce them so we cannot be responsible for such contents. Some of the groups that post here claim to be politically motivated and others are just doing it because they can. Either way, it is still damaging to the victim. The methods of the website defacements range from simple SQL injection to advanced buffer overflows that allow the attacker to take complete control of the server. The nice thing about this site is, they keep tabs on what group attacks what sites and how many defacements each group has accomplished. Zone-h has been the target of hackers themselves over the years. There are hackers out there that no longer trust the site because of the vulnerabilities they have had in the past. The simple fact still rings true If your domain is published on the site, there is a problem. Your site has been defaced. Many of the actors here have been recorded as threats to nation-states and have active arrest warrants out for top members of the groups. There are other sites out there such as hack-db.com that contains similar information and xssed.org that lists sites verified to be vulnerable to cross site scripting (XSS). Even on the Tor network, there are a few resources available such as HackBB: clsvtzwzdgzkjda7.onion & Rent-a-Hacker: ugh6gtz44ifx23e7.onion. The interesting thing about most of these sites is that they will not post the event until after they verify. These sites are a third party that manually validates each entry before the posts get listed into the archive. Team GhostShell is another hacking group that targets governments, companies, and universities. They have leaked millions of records from top universities and the Russian government onto the Internet. Ashiyane Digital Security Team, china hacker, Iran Black Hats Team, and Fatal Error are groups that seem to focus more on website defacements and recognition. Many of the defacements are either simple fix your security suggestions or complete political hactavist change your ways statements.

18

The cyber-criminal underworld has many faucets, but the common thread most of them share is that each caveat or sub-group usually focuses on money. This is a completely different mindset from hactavists or people trying to find out how things work. It is about the money. Lets dissect some of the sub-groups into basic Cyber sections. The Carder deals with stolen credit card numbers and card replication The Counterfeiter deals with creating reproductions or falsified documents The Pirate deals with copyright and intellectual property trade The Bot herder deals with botnets and Comma nd & Control servers The Extortionist deals with stealing, hiding, or threatening to release data for a fee The Spook deals with industrial or state secrets for a fee

The Carder
The Carding industry is a multi-million dollar data trade. There are market places that allow people who steal databases or even skim or double swipe cards. The more reliable the data, the higher the price seller can demand. Many of the players in this space will even guarantee a minimum of $1,000 to $5,000 on the card for less than a tenth of the price.

The Counterfeiter
The Counterfeiting realm isnt that prominent, but it is a staple of any black market. For a nominal fee, a person can get an entirely new identity to include a fully functional passport, drivers license, proof of car insurance, credit card, and possibly even a social security card. This isnt always for basic identity theft (financial reasons). Some people want a new identification to hide from something, frame someone, or start life fresh as a new person or citizen.

The Pirate
The Pirating community focuses on trading IP. Movies, music, software, and more fall under here.

19

The Bot herder

The Botnet world is an interesting one. There are many uses for a bot net, but the basics are always the same. That is to compromise as many systems as they can. Most of the bots have a Command & Control server that the herder will connect to and from there, the bots or zombies can be told what to do. These distributed systems are used to make money. They can be rented out for DDoS attacks, used for spam email to generate revenue, or for click fraud. Click fraud is when an individual registers for an affiliate click through marketing program where the affiliate will pay for a certain amount of clicks or links followed. The click fraud comes into play when the software imitates the actions of a fake user and automates the click / link following action, thus generating revenue. Cell phones are the newest target to this ever growing threat.

The Extortionist
The cyber extortion is similar to the traditional form. Think of the good old mob shows. The criminal goes up to the store owner and offers protection for a price. Now from the cyber side Someone from across the world breaks into your system, encrypts all of your data, and leaves a message on your screen that says Pay $1,000 and we will give you the password to your data. A more simple approach I have seen ran a program that stopped other programs from running, then popped up a picture that claimed it was the FBI that locked the computer out for downloading movies. Send $200 to an offshore account as a fine and the computer will be unlocked.

The Spook The espionage isnt just government to government. Sometimes the actors are corporations stealing trade secrets from one another. This is a multi-billion dollar industry and can make or break companies or even countries. Much of the US threat from this involves China and Russia considering they are persistent collectors. Nortel Networks was a victim for almost 10 years. The Office of the National Counterintelligence Executive even published a report highlighting the dangers of cyber espionage. This is NOT the legal cousin OSINT or Competitive Intelligence (CI).

20

"New York Times hacking: A sign of things to come?" "Washington Post Joins List of News Media Hacked by the Chinese" "Nortel hacked: Nortel faced corporate espionage from China-based hackers for more than a decade" "Evidence of more China-led 'cyber-espionage' against US increases" "Bank Hacking Was the Work of Iranians, Officials Say" "BofA, JPMorgan, Citi Repeatedly Hacked by Iran" "How Iran hacked super-secret CIA stealth drone" "Defense Secretary Leon Panetta: Iranians hacked oil companies" "Out in the Wild, Government-Created Stuxnet Virus Now Infecting Corporations" These headlines are getting more and more common every day. It is a will known fact that countries and even businesses engage in the act of espionage. This activity has been going on for thousands of years and has even earned a chapter in Sun Tzus Art of War. The Foreign Econimic Collection report released in October, 2011 to Congress by the Office of the National Counterintelligence Executive (ONCIX) states: Pervasive Threat from Adversaries and Partners Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries. Chinese actors are the worlds most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible. Russias intelligence services are conducting a range of activities to collect economic information and technology from US targets. Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities. Estimates from academic literature on the losses from economic espionage range so widely as to be meaninglessfrom $2 billion to $400 billion or more a yearreflecting the scarcity of data and the variety of methods used to calculate losses. It has been accepted that it occures, but the theme from everyone is that know one knows truly how much damage is being caused by the theft of state and corporate secrets. What everyone does agree on is that there are common actors in this space and the damage is great. The shadows have always been throughout the internet. As for the military warriors, the active aggressors, are just now starting to make their presence know. 'If you shut down our power grid, maybe we will put a missile down one of your smokestacks,' unnamed official

21

These hackers are not state sponsored, hactavists, or cyber criminals. There are several groups in the Middle East region trying to cultivate hackers for ideological reasons. For example, a Muslim Brotherhood leader was documented as promoting Cyber Jihad and restoration of the Caliphate; calling out for people to commit electronic terrorism against the enemies of Islam. The main targets of course would be Israel and western nations. encourage young people to undertake electronic jihad. Some of our youth are extremely clever. I hope that a group of hackers will get together, and will wage resistance over the Internet, targeting Israeli and Zionist sites and destroying them electronically. - Tareq Al-Suwaidan with expertise in this domain to target the websites and information systems of big companies and government agencies - Al Qaeda recruitment video http://bcove.me/dtsnmixe

"Electronic jihad is a phenomenon whereby mujahideen use the Internet to wage economic and ideological warfare against their enemies. Unlike other hackers, those engaged in electronic jihad are united by a common strategy and ideology which are still in a process of formation." - jihadwatch.org The following are documents that give you an idea of what some believe. How can I Train Myself for Jihad - qx7j2selmom4ioxf.onion/jihad.html The Al Qaeda Manual - qx7j2selmom4ioxf.onion/alquedatraining.txt

This is not state sponsored activity, is an ideology which makes it far more dangerous. There has been an increase in cyber activity from motivated hackers focusing on financial and Industrial Control Systems (ICS). These attacks included website defacement, Denial of Service, and system exploitation. In August, 2012, a Saudi Oil firm was hit with malware and 30,000 systems were affected. October 12th, Defense Secretary Leon E. Panetta warned of a cyber-Pearl Harbor. The interesting thing about this statement is that we have always been facing such threats since the Internet became an international communication mechanism. If you are on the Net, you are being attacked on a daily basis.

22

No matter what side of the debate you are on, Anonymous has made a mark in cyberspace, politics, and general freedom of speech. Whether it is helping the people of Tunisia get word to the rest of the world of the atrocities occurring against the uprising populace or calling attention to cyber legislation (SOPA, PIPA, CISPA, etc) that would destroy free speech as some see it, the hactavist phenomenon have caused change. Anonymous does not have a membership list, and you can't really 'join' it either. If you identify with or say you are Anonymous, you are Anonymous. No one has the authority to say whether you are Anonymous or not, except for yourself. anonnews.org There are several groups that claim to be part of Anonymous, but as everyone has seen, each group has its own doctrine or political motives. Some of them are informational while others are very destructive. There have even been messages sent under the mask of Guy Fawkes with threats of violence and terrorism. Many of these messages have been shot down as fakes such as the original Westboro Baptist Church and the November 5th 2012 government bomb threat. There has been actual retribution from Anonymous over the past year. Several of their Operations have caused websites from corporations like Sony to Federal government organizations like the CIA, FBI, and DOJ to go down. The group uses very simple methods for Distributed Denial of Service, primarily resource starvation; making thousands of legitimate connections for the attack to use up as much of the resource as they can. If you use more than the victim has, the victim then starts to fail. Other operations have been focusing on the freedom of information, or literally freeing the information from the owners and giving it to the people. Project Mayhem-2012 calls for a program called Tyler (both named after the movie Fight-Club) to leak it all! They believe the operation will help fight political and corporate corruption. Imagine you purchase a USB drive. Imagine you take it to your work place. Imagine you collect evidence of illegality and corruption. Imagine together we expose all lies. Imagine we leak it all. The only thing this section is trying to do is link to news and messages about or from Anonymous over the year years. This is not a piece to state what side you should be on and does not advocate illegal activity without expectations of jail time. Both statements are below. The messages from Anonymous follow the pattern of freedom from oppression/censorship and yet the actions range from targeting pedophiles to governments. The week of this u pdate, the group hacked the Federal Reserve, compromising over 4000 customer accounts from Banks and defaced several government websites. This is beyond the normal actions of cyber sit-ins or hactivism. The message of peace is often overshadowed by the actions of cyber violence. Below are examples of press releases associated with released videos. At this time, there have been over nine thousand (400+) releases.

23

Dear brothers and sisters. Now is the time to open your eyes! In a stunning move that has civil libertarians stuttering with disbelief, the U.S. Senate has just passed a bill that effectively ends the Bill of Rights in America. The National Defense Authorization Act is being called the most traitorous act ever witnessed in the Senate, and the language of the bill is cleverly designed to make you think it doesn't apply to Americans, but toward the end of the bill, it essentially says it can apply to Americans "if we want it to. Bill Summary & Status, 112th Congress (2011 -- 2012) | S.1867 | Latest Title: National Defense Authorization Act for. This bill, passed late last night in a 93-7 vote, declares the entire USA to be a "battleground" upon which U.S. military forces can operate with impunity, overriding Posse Comitatus and granting the military the unchecked power to arrest, detain, interrogate and even assassinate U.S. citizens with impunity. Even WIRED magazine was outraged at this bill, reporting: Senate Wants the Military to Lock You Up Without Trial ...the detention mandate to use indefinite military detention in terrorism cases isn't limited to foreigners. It's confusing, because two different sections of the bill seem to contradict each other, but in the judgment of the University of Texas' Robert Chesney a nonpartisan authority on military detention "U.S. citizens are included in the grant of detention authority." The passage of this law is nothing less than an outright declaration of WAR against the American People by the military-connected power elite. If this is signed into law, it will shred the remaining tenants of the Bill of Rights and unleash upon America a total military dictatorship, complete with secret arrests, secret prisons, unlawful interrogations, indefinite detainment without ever being charged with a crime, the torture of Americans and even the "legitimate assassination" of U.S. citizens right here on American soil! If you have not yet woken up to the reality of the police state we've been warning you about, I hope you realize we are fast running out of time. Once this becomes law, you have no rights whatsoever in America. no due process, no First Amendment speech rights, no right to remain silent, nothing. The US senate does not want us to speak. I suspect even now orders are being shouted into telephones and men with guns will soon be on their way. Why? Because while the truncheon may be used in lieu of conversation, words will always retain their power. Words offer the means to meaning and for those who will listen, the enunciation of truth. And the truth is, there is something terribly wrong with this country, isn't there? Cruelty and injustice...intolerance and oppression. And where once you had the freedom to object, to think and speak as you saw fit, you now have censors and systems of surveillance, coercing your conformity and soliciting your submission. How did this happen? Who's to blame? Well certainly there are those who are more responsible than others, and they will be held accountable. But again, truth be told...if you're looking for the guilty, you need only look into a mirror. I know why you did it. I know you were afraid. Who wouldn't be? War. Terror. Disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense. Fear got the best of you and in your panic, you turned to the now President in command Barack Obama. He promised you order. He promised you peace. And all he demanded in return was your silent, obedient consent.

24

More than four hundred years ago, a great citizen wished to embed the fifth of November forever in our memory. His hope was to remind the world that fairness. Justice, and freedom are more than words - they are perspectives. So if you've seen nothing, if the crimes of this government remain unknown to you, then I would suggest that you allow the fifth of November to pass unmarked. But if you see what I see, if you feel as I feel, and if you would seek as I seek...then I ask you to stand beside one another, one year from November 5th, 2011, outside the gates of every court house of every city DEMANDING our rights!! Together we stand against the injustice of our own Government. We are anonymous. We are Legion. United as ONE. Divided by zero. We do not forgive Censorship. We do not forget Oppression. US SENATE... Expect us!! Music by: Wolfgang Amadeus Mozart - Requiem AMERICAN FREEDOM ALERT - CODE RED. The Government has committed TREASON against you! Will you sit and watch while your freedoms are taken away? Or will you walk out your door and fight for your rights? THE CHOICE IS YOURS. THE LATTER IS BEST. Gather an army of people. Flood the streets. If police gives you violence, give them tenfold of that. OCCUPATIONS ARE OVER. REAL REVOLUTION IS HERE. THE FORMER UNITED STATES GOVERNMENT SHALL BE DESTROYED. In his last official act of business in 2011, President Barack Obama signed the National Defense Authorization Act from his vacation rental in Kailua, Hawaii. In a statement, the president said he did so with reservations about key provisions in the law including a controversial component that would allow the military to indefinitely detain terror suspects, including American citizens arrested in the United States, without charge. The president defended his action, writing that he signed the act, "chiefly because it authorizes funding for the defense of the United States and its interests abroad, crucial services for service members and their families, and vital national security programs that must be renewed." Some citizens remain completely confused by the language of the bill, running around the Internet screaming that the law "does not apply to American citizens." This is, naturally, part of the side effect of having such a dumbed-down education system where people can't even parse the English language anymore. If you read the bill and understand what it says, it clearly offers absolutely no protections of U.S. citizens. In fact, it affirms that Americans are subjected to indefinite detainment under "existing authorities."

25

The writers of the bill have managed to fool a lot of everyday people who seem unable to parse language and read plain English with any depth of understanding. That is as much a failure of America's public education system as anything else. I find it astonishing that today's citizens can't even read and understand the grammatical structure of sentences written in plain English. This alone is a highly disturbing subject that must be addressed another day. For now, it's enough just to realize that the NDAA really does apply to you, me, and all our neighbors and friends. In signing it, Obama has cemented his place in history as the enabler of government-sponsored mass murder of its own citizens. History does repeat itself after all. Hitler, Stalin, Mao and now "Obama the enabler." While Obama himself probably won't engage in the mass murder of American citizens, have no illusions that a future President will try to use the powers enacted by Obama to carry out such crimes. The system was built for the 1% not for us. They live because of "we". This must change. Don't stop the fight, don't stop the protest. We will win. Occupy everything, everywhere. This is the beginning, this is the start. So, brothers and sisters. The collective is calling upon the citizens of the United States to protest against the new sections in the national defense authorization act that were passed a short while ago. While we cannot force the American people to protest, we must tell them that this law will strip away any rights they thought they had including, but not limited to, Free speech, Free press, Free access to information, and the right to protest, assemble, and bear arms. This law cannot be changed according to the Feinstein Act.Sections Ten thirty one and ten thirty two of the national defense authorization act have been passed and ratified. It grants unlimited powers to the executive branch of the government to indefinitely detain suspects, even American citizens, without trial. All a person has to do is to commit a belligerent act. What is a belligerent act? Is protesting a belligerent act? Is being Anonymous a belligerent act? This is where we draw the line. This is when we leave our computers. This is when we take out our masks and defy the corrupt rule of law. This is when we revolt.The time has come for you to accept the truth and join us in overthrowing yet another corrupt military regime. Operation Blackout, engaged. We are Anonymous. We are Legion. We do not Forgive. We do not Forget. To the United States government, you should've expected us. Link to NDAA Bill http://www.gpo.gov/fdsys/pkg/BILLS-112hr1540enr/pdf/BILLS-112hr1540enr.pdf Other Link News http://www.naturalnews.com/034538_NDAA_American_citizens_indefinite_detainmen... http://www.cbsnews.com/8301-250_162-57350607/obama-signs-defense-bill-with-re... http://www.thenewamerican.com/usnews/constitution/10396-president-obama-signs...

26

Since those messages, there have been many threats, many protests, and attacks from both sides of the coin. Anonymous has taken down government sites and members have been arrested. Most members evade arrest or harassment by using anonymity services on the Internet. Some of the ones that have been caught have made a mistake such as connecting to an IRC channel without bouncing through proxies and encryption. Some have been caught when using a VPN service that logs traffic and actively works with Law Enforcement (LE) such as HideMyAss. A common LE saying is You have to be lucky every time I only have to be lucky once... As we have already discussed, covering your tracks can be easy, but one mistake can make it to where everyone knows your name. On November 5th 2012 WE THE PEOPLE will march on Washington DC peacefully and unarmed to arrest all members of congress, the president, and all supreme court justices where they will be held without bond until a full independent investigation and trial have been completed. We must re-elect our government within 90 days in order to stave of unrest. This did not have the effect some would have thought it would. The scheduled Tyler leaks have come and gone with no real data leaks. If information was captured or stolen, it has not been given to the masses. However, threats have been given to the Department of Justice after the suicide of Aaron Swartz. In the aftermath of his death, a petition was completed calling for the dismissal of Heymann (the prosecutor). The Whitehouse is now required to respond. Aaron Swartz was persecuted. Now Aaron Swartz is dead. Tonight, the President of the United States will appear before a joint session of Congress to deliver the State of the Union Address and tomorrow he plans to sign an executive order for cyber-security as the House Intelligence committee reintroduces the defeated CISPA act which turns private companies into government informants. He will not be covering the NDAA, an act of outright tyrannical legislation allowing for indefinite detention of citizens completely outside due process and the rule of law. In fact, lawyers for the government have point-blank refused to state whether or not journalists who cover stories or groups the Government disfavors would be subject to this detention. He will not be covering the extra-judicial and unregulated justifications for targeted killings of citizens by military drones within the borders of America, or the fact that Orwellian newspeak had to be used to make words like imminent mean their opposite. He will not be covering Bradley Manning, 1000 days in detention with no trial for revealing military murders, told that his motive for leaking cannot be taken into consideration, that the Government does not have room for conscience. He will not be covering the secret interpretations of law that allow for warrant-less wiretapping and surveillance of any US citizen without probably [sic] cause of criminal acts, or the use of Catch-22 logic where no-one can complain about being snooped on because the state wont tell you who theyre snooping on, and if you dont know youre being snooped on, you dont have a right to complain. We reject the State of the Union. We reject the authority of the President to sign arbitrary orders and bring irresponsible and damaging controls to the Internet The list of high valued targets has just increased for Anonymous and their ilk.

27

28

File sharing is perfectly legal. The challenge comes when people start sharing files that someone else owns the copyright to. The other term you will hear over and over again is Intellectual Property (IP) ownership. Many of the file sharing sites that you will come across will have access to pirated movies, music, software, and other IP. In the United States, one of the biggest laws that gets used against people that share movies and reverse engineer software is the Digital Millennium Copyright Act (DMCA). This is even used several times every year at Defcon/Black hat when security researchers go to give a presentation and the IP owners go to court for a gag order.

Security Research
Some people will leak vulnerability findings from their research or even make fully functional Proof of Concept (also called exploits) and release the information to the public. Some of the sites that deal with information release under the public disclosure mentality would be Packet Storm Security and the Exploit Database. Whatever side you are on, these two locations have a plethora of information for both offensive and defensive usage, including source code for fully operational exploits. A lot of the PoC source code is functional and written for Metasploit. Metasploit is a penetration testing framework designed essentially as a point and click application to speed things up and also allow those that are script kiddies to exploit systems. Because of this, anyone that uses Metasploit can now exploit a vulnerability that the program supports. The DMCA is not the end point for security. Many security researchers have gotten around it by using exemptions for education use. There are exceptions to these exceptions. The U.S. Copyright Office published a document on Oct. 26 2012, specifying that jailbreaking a smartphone is deemed legal. The same rules do not apply to tablets or gaming consoles. This goes to show that intelligence does not dictate policies and law, money does. This will cause a little bit of difficulty with those in the digital forensics field. Two cases previous to this had different ideas. Atari Games v. Nintendo: The author does not acquire exclusive rights to a literary work in its entirety. Under the Act, society is free to exploit facts, ideas, processes, or methods of operation in a copyrighted work. To protect processes or methods of operation, a creator must look to patent laws. Sega v. Accolade: the intermediate copying of the object code of a copyrighted computer program as necessary to disassemble the program to view its expression was a fair use under Section 107 of the copyright laws. Viruses don't harm, ignorance does! - VX Heavens. There are several sites that even specialize in Viruses, Worms, Trojans, and other malicious logic. Most of the sites do not last long doe to legal issues. VX Heavens even has the good old Error 451: Unavailable for legal reasons displayed.

29

The history of file sharing has been an ever evolving and bloody one. From BBS systems to news groups to IRC to P2P, the methods have changed, but the mentality has not. One of the more common mediums used at this point is called Bit Torrent. This allows several people to seed or share a file while others download bits and pieces of all that are hosting. A person can create a torrent from a file or folder. Once the file is created and hashed to verify integrity of the data, it is then posted to torrent trackers. Many of the torrent trackers use UDP protocol while others use an HTTP connection. Some of the sites even force you to make an account and upload the .torrent file manually. This minimizes the same data flooding the trackers. DO NOT TORRENT OVER TOR! Using P2P applications over Tor will DoS the network.

On 30 June 2010, US government officials seized several file sharing domains including tvshack.net owned by Richard O'Dwyer for "violations of Federal criminal copyright infringement laws". Violating copyright or IP law is big deal because the owners of the material, including the MPAA claim that: The industries contribute over $15 billion in taxes annually. The U.S. economy loses an estimated $25.6 billion per year, and an estimated 375,000 jobs per year, to criminal copyright infringement. The US risks losing our extradition treaty because of TVShack and this order In simple terms, do not share material without permission from the IP owner. That is theft and is illegal. Do NOT break the law. This goes for the vendors and victims as well. Do not break the law The owners of the Intellectual Property that has been claimed to be damaged have also caused damages and break the law themselves. The Sony BGM copy protection rootkit scandal is a prime example of illegal activity in the name of anti-piracy while stealing code themselves. They claimed it was a selfdefense mechanism to stop theft. Only recently have they felt backlash on another issue with being fined in the UK over their failed security policies which allowed Lulzsec to steal customer data. It is said in the dark corners of the Deepweb that other victims have also become the evil aggressors. The MPAA & RIAA have been accused of breaking the law over the years in the name of anti-piracy. The MPAA allegedly paid an Indian software company to perform a DDoS against The Pirate Bay.

30

The Pirate Bay (TPB)

TPB Worlds most resilient tracking is file sharing site that has lasted many court battles. When visiting the site, you can find almost anything you want. The site contains some content that is considered IP theft but some of the links are perfectly legitimate. TPB has two sites. The first one currently is at www.thepiratebay.se while the second has gone on to the Tor network and resides at jntlesnev5o7zysa.onion. The file links used to be torrent only, but has recently moved to magnet links to provide less accountability or traceability for hosting the .torrent files. The documentary The Pirate Bay Away From Keyboard (TPB-AFK) was release at the beginning of February 2013 and can be found for free all over the Internet. This includes the popular website for which it is named after.

* The movie can be seen in the resource section of www.informationwarfarecenter.com.

31

The website www.EZTV.it is another site that allows you to download files using a bit torrent client. The files they specialize in are TV show only. Some people that use this site will argue that it is NOT IP theft if they already pay for the license to watch the content through their cable or satellite TV. That side of the fight claims it to be fair use and the same as using devices like Tivo to record your show for later viewing. Section 107 contains a list of the various purposes for which the reproduction of a particular work may be considered fair, such as criticism, comment, news reporting, teaching, scholarship, and research. Section 107 also sets out four factors to be considered in determining whether or not a particular use is fair. 1. The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes 2. The nature of the copyrighted work 3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole 4. The effect of the use upon the potential market for, or value of, the copyrighted work - copyright.gov : FL-102, Reviewed June 2012 The Hactavist group Anonymous released a new evolution of Peer 2 Peer applications called Tyler for their own version of its own 'WikiLeaks' project. It will not be deployed on a static server. TYLER will be P2P encrypted software, in which every function of a disclosure platform will be handled and shared by everyone who downloads and deploys the software. In theory, this makes it sort of like BitCoin or other P2P platforms in that there is virtually no way to attack it or shut it down. It would also obviously be thoroughly decentralized. TYLER is a massively distributed and decentralized Wiki pedia style p2p cipher-space structure impregnable to censorship anonnews.org. The name of this program is called Tyler (after the movie Fight club) and is part of Project Mayhem 2012: Dangerous Idea #1. The video released by Anonymous can be found at http://anonnews.org/press/item/1783. The potential issues of Tyler come down to what is leaked. If it is governmental classified information, lives could be lost. Imagine a list of covert operatives active in a foreign country being leaked out. This has happened in the past and many lives were lost. Robert Hanssen is a prime example of this. He was a spy for the USSR working in the FBI and because of the leak; he is now spending life at a Supermax federal prison in Florence, Colorado. If it is economic/industrial espionage, the penalties are almost as severe. Sometimes the espionage isnt as covert as some would think. In January 2010, the Chinese Chengdu J-20 stealth fighter jet was speculated by some as having been reverse engineered from the parts of a US F-117 Nighthawk stealth fighter shot down over Serbia in 1999. * At the end of January, 2013 there have been no big news releases about information leaked from Tyler. Data warehousing and cloud computing are high value targets for such activity. The funny part is file sharing groups are also taking to this medium for that exact mentality. Spread the wealth and allow everyone access to the data.

32

Basic forensics
Forensics is the science (and art) of finding residual artifacts that prove or disprove an alleged event occurred. Digital forensics in a nut shell, it is the method of string searching a data container (forensic image) with a tool that parses that data in a humanly readable format. None of the tools seem to gather exactly the same information. FTK vs. EnCase, XRY vs. Cellibrite, or Wireshark vs. Microsoft Network Analyzer all come up with similar but different answers. Before you can start a forensic investigation, you need probable cause or a red flag to tell you what to look for. If there is no red flag, there is scope. For example; a manager at a large company does not like one of the employees. He asks the security team to investigate the individuals personal laptop and corporate computer system. The manager then says Just give the results to me for now. There are no allegations of a crime or a policy violation. At this point, any analyst that continues to hack the personal laptop is possibly breaking the law. As for the corporate system, there are possible harassment charges, hostile work environment complaints, and a stalking case that can be pursued by the victim against the manager, analyst, and company. An example of a legitimate investigation; an incident response team notices an alert that a system is downloading inappropriate material from the Internet. This is clearly a violation to the security policy that all employees signed and acknowledged (each employee went through training that that explained the policy along with annual refresher training). Physical security, along with Human Resources, walks to the employees cubicle and remove the system for a forensic acquisition and analysis. After a quick investigation, it is found that there were tens of thousands of policy violations on the system. During an interview, the employee admits to the activity and is released from employment. This real world scenario is a common one. If their personal laptop was found, the company would need consent of the employee to access it. They could then call law enforcement, but this is where it becomes a blurry line. If the employee does not give consent, probable cause is needed for law enforcement to move forward. If this does not occur in a work at will state, the employee still may have recourse if the policies were not perfect, enforced uniformly across the entire organization, and training was not provided. They may have civil and criminal recourse if their personal system was touched. This is where jurisdiction becomes a trickster. In the United States, there are many laws on the books that protect the citizen against unreasonable search and seizure. Then it comes down to what the definition if is is Or what exactly is deemed reasonable. This has changed for some since September 11 th and the term terrorism has been used as reasonable. Many times, these have been proven to be unlawful wiretaps, searches & seizures, and arrests. (EFF Vs. FBI). For as paranoid as I may sound, I know what is out there and how much data can be captured. I capture sensitive data all the time when I am working as a penetration tester or a forensic analyst. To put a spin of reality into the mix comes down to money, time, need, and other resources. The more data captured means the more likely a false negative (a real threat) will slip by unless you hire more analysts. Any way you look at it, you need to know what you are looking for before you start or you will be wasting valuable resources.

33

Post mortem disk forensics

This is related to after the fact; the system is shut down forensics. The probable cause has been tripped; you seize the computer, and make forensically sound copies of the hard drive for further analysis. The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. If you delete a file, there is a possibility of recovering it years later. There are a lot of variables in place here, but if a suspect is breaking policy or the law, there is a good chance there may be artifacts of that activity on the system (computer, tablet, phone, game console, etc) . META information is the data in a file just after the header (first few bytes) and the meat of the file. Graphics, Office files, and a lot of other files have this META data. For example, a lot of graphics have an extra section of META called EXIF. This is usually inserted into pictures taken from a phone or a camera and some editing applications such as Photoshop. Midrange and higher cameras add serial numbers. Phones with location services can even add the GPS location when the picture was taken. This is prime intel for stalkers and undesirables. This is an example of why one should watch what they post online. Some of the information that can be found: Browser history Email / Webmail Documents (PDFs, spreadsheets, videos, pictures, intellectual property, etc.) Physical locations (GPS) Programs (malware, hacker tools, pirated software, etc.) Basically anything to touch your hard drive.

Live system forensics

This is related to incident response live forensics. The probable cause has been tripped; you go to the system to dump memory, look at processes, and current connections. Memory is extremely volatile, if the system powers down, and can be lost forever. The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. Almost all of the devices that would be investigated post mortem (computer, tablet, phone, game console, etc) can also benefit from this as well. It just depends on what you are looking for. If the person has encryption of data at rest or disk encryption, you may have to capture the memory before shutting down the computer or you will not be able to decrypt the hard drive. Some of the information that can be found: Passwords and keys (disk encryption keys, file passwords, etc.) Secure browsing (web browsing, email, chat, etc.) Programs (hacker tools, pirated software, etc.) Malware (rootkits, trojans, worms, viruses, botnets, etc.) Basically anything to touch your volatile memory.

34

Network forensics
To break it down, data is data If a suspect downloads illegal pictures or movies, that data is broken up into smaller pieces and transferred to the system. It is then rebuilt for the user to access. If you were to record the network traffic, every file transferred would be able to be rebuilt on any other system. Lets use an example; John Doe downloaded a .PDF file containing classified information to his personal laptop at a hotel. He had the need to know, but forgot to use an encrypted connection or VPN. The traffic was being monitored through deep packet inspection or packet sniffing and saved to a file. Later the person that captured the transmission ran a s imple program called Networkminer and carved out the .PDF with very little effort. Later the classified document was leaked to the press and John Doe gets blamed for the leak since there was a unique identifier in the META section of the file that connected to his user id. This scenario above is very realistic and happens all the time. Most public services offer unencrypted and unsecured wireless access. This means that any fourteen year old can read your email as you are downloading it if you are not using encryption. Even if you are using encryption like SSL, programs such as Dsniff and Cain can start a man-in-the-middle attack and spoof the SSL certificate. This would cause the average user to assume that they are safe when in fact; every SSL packet they send is going through an attackers system and unencrypted before being forwarded on. If you EVER get an SSL certificate error when going to a website, call and report it to security. There are ONLY two things that cause this The first is a bad guy is hacking your connection. The second is the system administrators are not doing their job and need to fix their mistake, especially if you are using a smart card (It is usually the second) If you are lucky enough to have full packet capture on your network, as mentioned before, you can rebuild everything. The simple reality is, most organizations do not want to spend the resources. It is very expensive. Imagine a network of twenty systems each downloading ten gigs in one day. The normal noise of the network along with the download sessions would be well over two hundred gigs. That would then have to be stored for analysis which is where the cost comes in. That is why a most people usually do not log everything. They only log the red flag events. Network forensics also covers viewing logs from network devices such as routers, intrusion detection systems, firewall, systems, etc Each computer has a hardware fingerprint (MAC address) and an Internet fingerprint (IP address). These can be traced back in several ways to the owner. The website arin.net or the American Registry for Internet Numbers is a good place to start. Some of the information that can be found: Passwords and keys (email, bank accounts, etc.) Internet activity (web browsing, email, chat, etc.) Files downloaded (hacker tools, pirated software, etc.) Malware (rootkits, trojans, worms, viruses, botnets, etc.) Cyber-attacks (denial of services, buffer overflows, SQL injections, known bad ip addresses, etc.) Basically anything to touch your network.

35

Intellectual Property forensics

Sometimes the easiest way to find out who is sharing your data is to download your data from them and look at the remote MAC and IP addresses. Find out who owns it; get a court order for the owner of the IP address to give the information for the user associated with it at that time frame. This is where jurisdiction issues become a nightmare. This is also why the bad guys are using someone elses Internet access or using proxy and VPN services. Methods used in the past by Intellectual Property owners that have been illegal themselves include the rootkit that Sony distributed and loose keyword searches used to automatically trigger lawsuit threats used by the music industry. Be careful of trying to attack the attackers because most of your targets will probably be victims.

Hidden service forensics

We are going to take a look at the Internet underground from the other side of the coin. In networking, everything leaves a footprint or a digital fingerprint, even when the information goes through networks like Tor. If your organization has enough resources, you can set up a large amount of Tor onion routers to act as both exit relays and non-exit relays. What this means is that some of the routers can be set up as the original entry/exit points to the Tor network. The others will be encryption/decryption pass through gateways inside the Tor network. After the routers are set up, it will take time and a lot of data analysis. The biggest challenge is getting the traffic to go through your systems so you can capture the data. This is where the numbers game comes in along with a boatload of patience. The entry points can gleam the origination or source of the person using the client or hidden service. From the non-exit relays, everything is encrypted in layers through the Tor network; you will not be able to see the raw traffic unless you control the layers.

Anti-Forensics
In the end, anti-forensics is nothing more than trying to make it harder for the analyst. As you have read throughout this document, there are many anti-forensic methods. Some will make it almost impossible for evidence to be found. Methods used individually or in combination to hide or destroy evidence Editing timestamps Editing logs Overwriting data or drive wiping Encryption of data, disk, or network traffic Spoofing physical MAC address Internet theft (using someone elses Internet) Bouncing through anonymizers (NAT, proxy, SSL, or VPN servers) Using live Linux CDs Air Gap (bouncing protocols or communication mediums)

36

Now we will tie many of our previous examples together and ad a small twist. An easy way to communicate covertly with someone you already know is to set up am email account. Then share the account with the others in the group. Now we are going to apply this to the internet underground while making it almost impossible for anyone monitoring you to conduct a proper investigation. Steps to follow Use a live custom Linux CD Change the MAC address Connect to the Internet Connect to a VPN service Route through a proxy with an AES 256 bit tunneling client Connect to Tor Set up a TorMail account Share the username and password with those you want to correspond with Only use the email account to write messages and then save them as a draft Only use the live Linux session to use the email The steps above can be automated through the use of scripts so anyone can use it. For example, if your organization was a news agency that had journalists on the ground in a hostile region. Most of the reporters will not have advanced computer knowledge, but could carry around a business card cd or thumb drive. All they would have to do is insert what they have in a computer and boot it up. You could have someone customize a Linux distribution to spoof the MAC address, connect through all of the encryption tunnels, and start a browser in a safe browsing session. There are of course several factors to consider, the biggest being how to connect to the Internet (wireless, cell, phone line, etc ). P.S. Your connection speed is only as fast as your bottleneck (slowest segment). The more hops or connections you go through, the slower your connection will be.

37

This document has covered several aspects of the Internet Underground including the Who, What, When, Where, How, and Why. Knowing the basics of the Internet (Surfaceweb, Deepweb, and Darknet) gives a solid baseline for securing your position. It helps with investigations against such communications if crimes have been involved and it also gives you the framework to use these same methods yourself for secured communications. Using encryption is not illegal yet and it is ALWAYS a good idea when used in moderation. You never know who is watching. It could be your employer, your government, or your governments enemies. Big Brother may just be a bored fourteen year old running the newest version of Backtrack.

38

Resource Name
4Chan Anonymous News Anonymous Operations Archives.org Black Market Reloaded Copyright Office Cornell Law Exploit Database EzTV Hack-DB House.gov I2P Project Information Warfare Center Infosec Instructor Infragard ISSA Packet Storm Security Silk Road The Library of Congress The Pirate Bay The Tor Project Torrent Freak U.S. Copyright Office Xssed Zone-h

Location
4chan.org anonnews.org anonops.org archives.gov 5onwnspjvuk7cwvk.onion copyright.gov law.cornell.edu exploit-db.com eztv.it hack-db.com

rules.house.gov
i2p2.de informationwarfarecenter.com infosecinstructor.com infragard.org issa.org packetstormsecurity.org silkroadvb5piz3r.onion loc.gov thepiratebay.se torproject.org torrentfreak.com copyright.gov xssed.com zone-h.org

39

Jeremy Martin is a Senior Security Researcher that has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and Federal Government agencies. He has received numerous awards for service. He has been teaching Advanced Ethical Hacking, Computer Forensics, Data Recovery, SCADA/ICS security, Security Management, and more since 2003. As a published author he has spoken at security conferences around the world. Current research projects include SCADA security, vulnerability analysis, threat profiling, exploit automation, anti-forensics, and reverse engineering malware. In a past life, he was also a freelance artist Credentials: CISSP-ISSAP/ISSMP, CISM, NSA-IAM/IEM, CHS-III, CEICHFI/CEH/CNDA/ECSA/LPT, A+/Net+/Security+/Linux+, LPIC-I, CPT/CEPT/CCFE/CDRP/CASS/CSSA/CREA, ACSA, Novell CLA, CDCS, etc Board of Directors for Infragard, Denver Chapter (2006-2009) CHS officer of American College of Forensic Examiners Intl (2005 -2008) Advisory Board for the Business Espionage Controls and Countermeasures Association Published work used in post graduate courseware. Also contributing editor for Blacklisted 411, Engine Builder, EthicalHacker.net, Hackin9, IQ Magazine, Successful Dealer, and The Business Espionage Report (TBER)

Editors:

Amy Martin Todd Adams Andy Alford

Copyright 2013 Information Warfare Center, LLC All rights reserved. www.informationwarfarecenter.com

40

41