The Web as an Iceberg
The Deep Web, DarkNet, The Hidden Net, The Invisible Net: It has many different names.
Many experts believe that approximately 30% of the Internet is indexed by searched engines such as Google. If this is true then we can infer that 70% of the content available online is not searchable by Google or other search engines. This remaining content is commonly referred to as the Dark Web, Deep Web, or Invisible Web. This is the equivalent of an information iceberg, whereas a small percentage is visible and exists within the viewable or searchable Internet ecosphere. The Dark Web is what lurks out of sight or even beyond the reach of common Internet users. Like an iceberg, the majority of the Internet’s information mass hiding.
The Many Levels of the Deep Web
An iceberg is made of…well, ice. All the way down. Depending on the size of it, the iceberg can reach impressive depths. However, it is simply ice. Within the Deep Web there are layers of abstraction that are differentiated by content, secrecy and difficulty in connecting to them. I am aware of the following ones, so let’s explore them a little.
This is the common Internet or Web. We all know and understand it, and use it pretty much daily. We do searches on it, look at news and other items, and it is generally comprised of the ‘Open to the Public’ part of the Web.
This level is known as the Surface Web, It includes services such as Reddit, Digg, and temporary email services. It is essentially a communications platform, where you find chat boards and other social enabling content. It is not difficult to reach or obscured in any fashion.
This level is known as the Bergie Web. This actually includes other services besides WWW or Web services. It includes Internet newsgroups. FTP sites, honeypots (for trapping the unwary), Google locked results, and other sites such as 4Chan. Again, this level is relatively simple to reach if you know where you are going.
This level is known as the Charter Web or Deep Web. These Websites consist of hacker groups, banned media, activist communications, and other darker layers of the online society. This is basically what we refer to as Deep Web. Sites on this layer are simply not found using typical Web search engines. In order to be able to access these sites you have to be invited by an existing member.
This level is known as the DarkWeb, and yes, this is where things get a little creepy. These websites are not accessible thru the normal Internet. You will need to get on the TOR network, or some other private networks to access this level. On the TOR network, DarkWeb sites are also referred to as TOR Hidden Services, or .onion sites. There is a variety of legal and illegal content on these sites. They include illegal materials such as drugs, human trafficking, bounty hunters, rare animal trade, hacker exploits, and other black market items and topics. When we refer to DarkWeb, we normally are referring to the TOR network.
What is TOR?
TOR is short for The Onion Router. This refers both to the software that you install on your computer to run TOR, and the network of computers that manages TOR connections. To put it quite simply, TOR enables you to route web traffic through several other computers in the TOR network so the party on the other end of the connection can’t trace the traffic back to you. Since you are using other computers to route your connections and sessions, more TOR users means more protection for your information. As the name implies, it creates a number of layers that conceal your identity from the rest of the world.
Basic TOR Operation
Computers handling intermediary traffic are known as TOR relays, and there are three different kinds of them: middle relays, end relays and bridges. End relays, as the name implies, are the final hop in a chain of connections. Middle relays move traffic between the source and destination. Bridges are simply TOR relays that aren’t listed publicly, perhaps to shield them from IP blockers and other means of cutting the connection.
Anybody can sign up to be a middle router from the comfort of their home without fear of being implicated in illicit activity within the connection they are providing. Those who host end relays bear more of the legal burden, and they are the targets of police, copyright lawyers, and other watchdogs if illicit activity is detected.
It should be made clear that you don’t have to run a relay to use TOR, but it’s a nice thing to do. I know we are talking about the Dark Web, but in context of using TOR for good versus evil purposes, it is polite to share your resources since others are sharing theirs for you.
Please understand that the average TOR user, however, is probably legitimate. The software is used by everyone from journalists to political dissidents. For safety, they have protect their privacy and security because it is difficult to track someone who is using TOR. It is even used by a branch of the Navy for intelligence operations. In fact, it was originally built as part of a Navy project whose purpose was developing ways to protect U.S. government communications. Naturally, someone thought that if it works for the Navy, the rest of the world would benefit. However, be aware the NSA is now paying very close attention the TOR operations within the Internet.
TOR Hidden Services
TOR makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or providing an instant messaging service. Using TOR ‘rendezvous points’, other TOR users can connect to these hidden services, each without knowing the other’s network identity. I describe how this works below, but for a more direct how-to guide see our configuring hidden services page.
A hidden service needs to advertise its existence in the TOR network before clients will be able to contact it. Therefore, the service randomly picks some relays, builds circuits to them, and asks them to act as ‘introduction points’ by providing a public key.
Note that in the following figures the green links are circuits rather than standard packet-switched connections. Packet-switched networks move data in separate, small blocks (packets) and are based on the destination address in each packet. When received at that far end, the packets are reassembled in the proper sequence to make up the message. This is how the basic Web works. Circuit-switched networks require dedicated point-to-point connections during the session and move data in a more direct manner.
By using a full TOR circuit, it’s hard for anyone to associate an introduction point with the hidden server’s IP address. While the introduction points and others are told the hidden service’s identity (which is communicated via public key/private key encryption), we don’t want them to learn about the hidden server’s location (which is the IP address).
Using good old, generic Bob as our TOR user, we start with step 1. He looks at a few introduction points (see below).
The next step is the hidden service assembling a hidden service descriptor, containing its public key and a summary of each introduction point, and signs this descriptor with that private key. It uploads that descriptor to a distributed hash table in the database (DB). The descriptor will be found by clients requesting XYZ.onion where XYZ is a 16 character name derived from the service’s public key. After this step, the hidden service is established.
Establishing the Hidden Service
Although it might seem impractical to use an automatically generated service name, it actually serves an important purpose. Everyone…to include introduction points, the distributed hash table directory (database), and of course the clients…can verify they are talking to the correct hidden service.
Side note – see Zooko’s conjecture that out of Decentralized, Secure, and Human-Meaningful, you can achieve at most two. Perhaps one day somebody will implement a Petname design for hidden service names?
Setting the Rendezvous Point
The third step is setting up the rendezvous point. A client that wants to contact a hidden service needs to learn about its .onion address first. After that, the client can initiate establishing the connection by downloading the descriptor from the distributed hash table in the database. If there is a descriptor for XYZ.onion, the client now knows the set of introduction points and the right public key to use. During this time the client also creates a circuit to another randomly picked relay and asks it to act as the rendezvous point by telling it a one-time secret.
Note: if you are having a hard time connecting to the service, please remember that it be offline, abandoned, or there could be a typographical error in the onion address.
Step four is the introduction. When the descriptor is present and the rendezvous point is ready, the client assembles an introduce message (encrypted with the hidden service’s public key). It includes the address of the rendezvous point and the one-time secret. The client sends this message to one of the introduction points, requesting it be delivered to the hidden service. Again, communication takes place via an established TOR circuit. Since you cannot set the direct relationship between the introduce message and the client’s IP address, the client remains anonymous.
In step five, the hidden service decrypts the client’s introduce message, thus finding the address of the rendezvous point and the one-time secret in it. The service creates a circuit to the rendezvous point and sends the one-time secret to it in a rendezvous message.
At this point it is of special importance that the hidden service stays with the same set of entry guards when creating new circuits. Otherwise an attacker could run his own relay and force a hidden service to create an arbitrary number of circuits, hoping that the corrupt relay is picked as an entry node and he learns the hidden server’s IP address via timing analysis. This attack was described by Øverlier and Syverson in their paper titled Locating Hidden Servers.
In the sixth step, the rendezvous point notifies the client that the connection was successfully established. After this occurs, the client and hidden service can use their respective circuits to connect with the rendezvous point for communicating with each other. The rendezvous point simply relays messages using end-to-end encryption from client to service and vice versa.
One of the reasons for not using the introduction circuit for actual communication is that no single relay should appear to be responsible for a given hidden service. This is why the rendezvous point never learns about the hidden service’s identity.
In general, the complete connection between client and hidden service consists of 6 relays: 3 of them were picked by the client with the third being the rendezvous point, and the other 3 were picked by the hidden service.
I have kept this introduction at a fairly simple level. There are certainly more detailed descriptions about the hidden service protocol available to you. See the TOR design paper for an in-depth design description and the rendezvous specification for the message formats.
Is TOR Really Anonymous?
Many people believe TOR is anonymous. However, many criminals using TOR to carry out illegal activities have recently been apprehended by law enforcement agencies. There are also rumors that the US and other governments may have broken TOR, and have the ability to track users throughout the sessions. I simply do not know if that is true or not.
From my experience TOR could be anonymous. The problem is that many people do not use it correctly, resulting in leaked identities. Additionally there have been intentional and unintentional exploits in the past that have compromised identities of TOR users.
Many people believe a single organization controls the entry and exit nodes on the TOR network, enabling user identification. There have been concerns expressed in the past about a lack of diversity within the crowd of folks controlling TOR nodes. I’m sure there are an abundance of conspiracy theories surrounding TOR as well, but again…I simply do not know.
Getting on the DarkWeb TOR Network
The easiest way to get on the TOR network is to download the TOR Browser bundle. However, more expert users will use the TAILS operating system. TAILS is an operating system designed to be used from a CD or bootable USB. The advantage of TAILS is that all activity occurs in memory, and the memory is readily erased. You could use TAILS on a virtual machine as well, but be aware that some hypervisor platforms have been known to save active memory contents in files when the machine is suspended even shut down.
Once you are on the TOR network, how do find .onion underground sites?
The TOR hidden Wiki is a popular place to start. You can find by running a simple search for it – apparently it isn’t THAT hidden. Other resources could be found using Reddit or Pastebin.
The TOR hidden Wiki contains the most popular sites, but be aware that many of the sites are fake, scams, or just there to attract attention. True DarkWeb sites usually require you to find the addresses using other methods. Sometimes this means looking and reading thru forums, hanging out on Internet Relay Chat (IRC) sites, or having a referral from an existing member of a site.
Google search for the TOR Hidden Wiki shall reveal all
Darkode was a popular hacker forum that was shut down by US law enforcement agencies on July 15th2015. In order to gain access, you were required to submit a resume, a referral, and proof that you were involved in illegal activity.
Although we will are talking about TOR when we discuss the DarkWeb, there are other peer-to-peer projects used specifically for anonymous communications. One such project is Freenet, which is extremely popular.
Freenet is a peer-to-peer platform for resisting censored communications. It uses a decentralized distributed data store to keep and deliver information, and has a suite of free software for publishing and communicating on the Web without fear of censorship. Both Freenet and some of its associated tools were originally designed by Ian Clarke, whose goal was to provide freedom of speech on the Internet with strong protection of identity.
Another popular anonymous network is Java Anon Proxy, also known as JONDONYM. It is a proxy system designed to allow browsing the Web with a revocable pseudonymity (false name). It was originally developed as a partial project out of the Technische Universität Dresden and Universität Regensburg, by the Privacy Commissioner of Schleswig-Holstein. The client software is written in the Java programming language.
Cross-platform, free to use, and open source, it sends requests through a cascade of systems and mixes the data streams of multiple users in order to further obfuscate data to outsiders. JONDONYM is available for all platforms that support Java, including Android phones.
Let’s look at some of the other types of sites and activities that can be found on the DarkNet.
Ghost markets are simply black markets. The reason it is called a ghost market is because the site’s address can change. The site may also frequently change physical locations, or may be unavailable at times. Silk Roads is a well-known ghost market that was recently shutdown. Today, a popular ghost market is Agora.
According to Business Insider, Agora launched in September 2013 as a marketplace for illicit goods accessible via the anonymous browser, TOR. See http://www.businessinsider.com/silk-road-wasnt-even-close-to-the-biggest-drug-market-on-the-internet-2015-6 for the whole story.
Agora has thrived ever since, and was unaffected by Operation Onymous — a November, 2014 crackdown that led to the demise of several other high profile ghost markets including Silk Road, Cloud 9, and Hydra.
Between January 29, 2014, and August 22, 2014, Agora’s drug listings increased from from 7,400 to 12,053. This is according to a Digital Citizens Alliance report cited by the International Business Times. The site’s total listings, including weapons and services, grew from 9,158 to 16,137 over the same period.
As of March of this year, Digital Citizens Alliance reports Agora’s drug listings at 16,751 and total listings at 21,951.
The next screen shot is an example taken from a site that shows the sale of 100 credit cards for approximately $150 USD. The transaction currency is listed in Bitcoin, so prices vary somewhat. The latest research indicates the price for credit card numbers can be much less expensive on well-established DarkNet sites. Those sites require invitation and verification of your identity.
Credit card prices depend on a few factors. The least expensive ones simply provide card numbers. Prices go up as you add security codes and billing zip codes. Magnetic stripe information, the card owner’s full identification information, and the billing address fetch the highest prices
DarkNet users also buy and sell PayPal accounts. PayPal accounts have proved popular because attackers use them to buy services that may be more difficult to purchase and retain using stolen credit cards numbers or Bitcoins. When attackers want to distribute malware or create download sites, using a hosted Web service provides site reliability.
Many hosting providers will accept credit cards or PayPal accounts. PayPal accounts may provide slightly better anonymity for attackers. However, the real value is that fraud may take longer to detect, resulting in a longer use of the service. Due to this aspect of PayPal, thieves feel they can use stolen PayPal accounts longer than credit cards.
Cash that will pass black market and UV tests
Rent-a-Hacker is a famous TOR site. Many people believe the site is fake or a scam. It is possible, but there are probably some real hacker services sites that are most likely harder to find, or are not listed on TOR hidden services. The openness and in your face attitude of Rent-a-Hacker makes me believe this is a simply a scam.
However, we do hear of individuals being caught while attempting to hire hackers. Seehttp://www.csoonline.com/article/2134319/malware-cybercrime/suspected-email-hackers-for-hire-charged-in-four-countries.html. It is difficult to estimate how many people hire hackers for criminal intent, since we rarely hear about it in the news.
We have to face the reality that some awful things exist on the DarkWeb. These are things I do not want to talk about within this article. They go well beyond organized crime and rare animal trade. Many people claim the majority of the DarkWeb is made up of those types of sites. Approaching the DarkWeb, even for research purposes, requires common sense and extreme caution.
The good news is that if you are dumb enough to go looking for those types of sites you will probably be:
Possibly all three before you actually get in contact with anyone.
Doxbin is a website that encourages Doxing. Doxing is the act of publically posting information about someone to encourage harassment and hacking. The owner of the site recently stated he had avoided law enforcement for years and was going to shut down his site before his luck run out. However, there are other similar sites still around today. Many of these sites contain the names and addresses of people the site wants harassed.
One of the scariest services on the DarkNet are sites claiming to sell real videos of deaths (such as snuff films), pictures of dead animals, or chats with individuals wearing masks for fetish fantasies. From what I have heard (I have never seen this first hand), these sites are extremely difficult to find and you must actively seek them out.
Casting Light on the Dark
Some of these stories sound unbelievable or even false. This type of activity does occur on the DarkNet, but Hollywood and news sources have exaggerated their scant information to make it seem like a popular reality. In my opinion, it is not. However….if these types of sites really do exit, why aren’t law enforcement authorities actively seeking them?
Most likely they are. We know terrorist organizations use DarkWeb for communications and possibly recruiting efforts. We have also seen a number of DarkWeb sites seized by authorities. Silk Roads was a ghost market that was shut down by the US Government. After it was closed the site resurfaced a few times, but each time it was discovered and shut down again.
The US Government is working on a tool called Memex. There is a little we know about the tool. The things you aren’t supposed to be able to do on the DarkNet include tracking, indexing, and following people. Memex supposedly can do it all. Most likely it is a search engine for the DarkWeb to help with law enforcement investigations.
Credit card and identity theft monitoring companies browse marketplaces and forums to search for compromised IDs for their users. Security companies monitor the DarkNet for computer system exploits to ensure they and their customers are protected against them.
How can threats on the DarkNet be stopped for enterprise organizations? The TOR protocol is a well-known protocol and can be stopped or blocked. This infers that simply by using the protocol, you could subject yourself to additional monitoring from your organization.
Additionally, new firewall technologies incorporate man-in-the-middle type detection capabilities, advanced Data Loss Prevention measures, and advanced application security controls. These layered security measures have advanced the ability to detect anomalous patterns, to include TOR network traffic. This could help enterprises protect themselves from problems or determine if employees are using TOR.
The TOR Project publishes a list of known exit nodes at https://check.TORproject.org/exit-addresses. Many corporations do not want employees using TOR to access public Internet sites. They use these types of lists to block incoming Internet traffic from those exit nodes. I am not a huge fan of this technique, because it limits how people access the Internet. To me it represents forced ideals. I do understand why, I simply do not feel comfortable about it. When I see websites using this method, I usually stop using their services.
First off, I recommend using a VPN service before using the TOR protocol. If you need commercial VPN services, the Private Internet Service and TOR Guard have had excellent reviews regarding the protection of user privacy.
The Deep Web, Hidden Web, or Invisible Web is the non-indexed part of the Internet. It includes Internet Web sites, chat channels, forums, and FTP sites.
The DarkWeb or DarkNet is part of the DeepWeb. It requires specialized software to access it. There are different DarkNets including the TOR network, JONDONYM, and Freenet. It may also include private bulletin board systems and other private networks. Not all content is nefarious or illegal on the DarkNet or Dark Web, it is just hidden and private.
A number of sites have illegal content and support criminal activities within the DarkNet. They pose a very real threat, and it is the dark, hidden world of the Internet.
Please be careful with it.
Written by Aamir Lakhani