Anonymous searching

Workshop for VOGIN-IP-LEZING

20 March 2014, Amsterdam, The Netherlands

Arno H.P. Reuser Reuser’s Information Services

[email protected] Leiden, The Netherlands

+31 6 3812 7715

Monday 7th April, 2014

OSINT Research Techniques

All material in this document is copyright © Reuser’s Information Services, Leiden 2006-2013.

Print and typeset using LaTeX 2ε. Published by Reuser’s Information Services.

Edited March 2014. Print Monday 7th April, 2014.

For questions, please contact Arno H.P. Reuser ([email protected]).

Unless explicitly stated otherwise, all rights including those in copyright in the content of this document are owned by or controlled for these purposes by Reuser’s Information Services. Except as otherwise expressly permitted under copyright law or Reuser’s Information Services’ Terms of Use, the content of this document may not be copied, reproduced, republished, downloaded, posted, broadcast or transmitted in any way without first obtaining Reuser’s Information Services’ written permission or that of the copyright owner.

The intellectual property rights belong to

Reuser’s Information Services
De Wetstraat 16
2332 XT Leiden
The Netherlands

Reuser’s Information Services http://www.reuser.biz

© 2014 reuser’s information services page 1 Monday 7th April, 2014

Contents

1 Anonymity issues
1.1 Contents
1.2 Reasons to be anonymous
1.3 Simple measures
1.4 Proxies
1.5 Search engines
1.6 Tor protocol

2 The Onion Router (Tor)
2.1 Contents
2.2 Introduction
2.3 What it looks like
2.4 Alternative access
2.5 Anonymous browsing
2.6 The .onion pseudo domain

3 About
3.1 Disclaimer
3.2 Warning

List of Figures

1 (no caption)
2 Searching by proxy
3 Anonymous proxy Kproxy
4 TrackMeNot
5 Anonymous search engine Disconnect.me
6 Anonymous search engine DuckDuckGo
7 Anonymous search engine StartPage
8 Vidalia Tor interface
9 TOR network start
10 TOR browser
11 Tor2Web
12 Tor: IP address before starting the Tor network
13 Tor: IP address before starting the Tor network
14 Tor: identity after starting the Tor network
15 Tor: changing your identity while working
16 Tor: a new identity after asking for a new one
17 Tor: a Tor directory to buy credit cards, drugs, weapons and more.
18 Tor: black market
19 Tor: buy your money online

1 Anonymity issues

1.1 Contents

1.2 Reasons to be anonymous

Scott McNealy

Someone already has your medical records, someone has your dental records, someone has your financial records, VISA knows what you bought, someone knows just about everything about you. You have no privacy. Get over it! Scott McNealy. 1999

Consider the following

1. Protect your information position

(a) Protect yourself against economic espionage (’computer network exploitation’)

(b) Protect yourself against snooping competitors

(c) Prevent the target from knowing who is looking

Figure 1:

(See figure 1)

2. Prevent cyber bullying

3. Prevent cyber crime
“I have nothing to hide”
“There is nothing of interest on my machine”

4. Hide your geographical location
For journalists, activists, criminals

5. Protect your medical condition

6. Victims of violence

1.3 Simple measures

Providers

Use different internet providers in different countries

SMTP relay

Use anonymous SMTP relay services or anonymous email services.

1. SilentSender.com 1

2. Tor Mail 2. Free anonymous email service provider; offline since August 2013

3. Get a client remailer: QuickSilver 3, OmniMix

A remailer strips the sender’s address from the mail. The address to reply to is inside the encrypted message itself.

Email address

1. Use anonymized email addresses

(a) Not: [email protected]

(b) But: [email protected]

(c) Or: [email protected]

In addition, gmail also removes most mail ’received’ headers.

2. Use aliases

(a) Not: [email protected]

(b) But: [email protected]

(c) Or: [email protected]

And have your mail client forward all this mail to appropriate folders

3. Turn OFF your automatic signature

1 SilentSender.com: http://www.silentsender.com
2 Tor Mail: http://jhiwjjlqpyawmpjx.onion/
3 QuickSilver: http://www.quicksilvermail.net/

1.4 Proxies

What is a proxy?

Function to store popular webpages at the servers of the Internet provider to save bandwidth

Protection function to hide IP address or temporarily assign another one

Anonymous proxy clients

A proxy was originally intended to preserve Internet bandwidth by storing high-demand pages in a temporary cache. Today, an anonymous proxy offers the possibility to surf the Web in a more or less ’anonymous’ way.

Today, a proxy is also used to search in anonymity. There are many “anonymous proxies” out there, some for free, but these tend to be very slow.

1. Anonymizer TotalNetshield

Figure 2: Searching by proxy

(See figure 2)

2. Kproxy
Alternatively, try using a free anonymous proxy, like Kproxy 4. The drawbacks are, of course, the ads and annoying pop-up screens.

(See figure 3)

Activate private surfing mode

Modern browsers offer a possibility for private surfing. Check your history settings as well as your cookie settings. Some browsers offer an option to search ’anonymously’.

In Mozilla Firefox, start private browsing to prevent the browser from storing your private surfing behaviour (passwords, history, cookies, etc.). In MS Internet Explorer 8, use InPrivate Browsing and InPrivate Filtering. Private mode only limits what is kept on your own machine; it does not hide your IP address from the sites you visit.

4 Kproxy: http://www.kproxy.com

Figure 3: Anonymous proxy Kproxy

Firefox Add-ons

Annoy the search engines

Flood your favourite search engines with fake search queries by using a tool like TrackMeNot, so that your real query becomes more difficult to identify. TrackMeNot is a Firefox add-on.

Figure 4: TrackMeNot

(See figure 4)

1.5 Search engines

Alternative search engines

The search engines below are a few examples that more or less protect your identity when searching. Care is required, however: searching may be done via a proxy, but clicking a link may reveal your identity.

1. Scroogle. Is no more. Supposedly dealt with by Google...

2. Disconnect.me 5

(See figure 5)

3. DuckDuckGo 6

5 Disconnect.me: https://disconnect.me
6 DuckDuckGo: http://www.DuckDuckGo.com

Figure 5: Anonymous search engine Disconnect.me

Figure 6: Anonymous search engine DuckDuckGo

(See figure 6)

4. Startpage 7 (ixquick)

Figure 7: Anonymous search engine StartPage

(See figure 7)

1.6 Tor protocol

Introduction

Tor gives access to part of the deep web consisting of the top-level pseudo domain .onion, and Tor provides a protocol for anonymous searching.

Tor encrypts the message and sends it through multiple anonymous proxies, making identification very difficult.

Figure 8: Vidalia Tor interface

(See figure 8)

7 Startpage: https://startpage.com/

2 The Onion Router (Tor)

2.1 Contents

2.2 Introduction

The Onion Router

1. Tor = The Onion Router

2. Multiple layers of encryption around each packet, like an onion

3. Designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. Originally developed with the U.S. Navy

4. Development started in 1995 (!)

5. Second-generation Onion Router presented in 2004 8

6. Builds a circuit of encrypted nodes, a chain of anonymous proxies.

How it works

1. Encryption encrypts the data package, not the headers

2. Data packages take a random path on the internet through several relays to cover your tracks

3. Each relay on the path knows only which relay it got the package from, and which relay to give the data to

4. No relay knows the entire path. Each relay sees only one hop.

5. Each package has multiple layers of encryption

6. Each node decodes one layer of encryption to find the next recipient.
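
The layering described in the list above, as an added example that is not part of the original handout: a client wraps a message once per relay, and each relay removes one layer to learn only the next hop. The toy cipher built from Python's standard library, the pre-shared relay keys, the relay names and the destination are all assumptions made for illustration; Tor's real key negotiation and cell format are not shown.

```python
import hashlib, hmac, json, os

def _keys(key):
    # Separate encryption and MAC keys derived from one relay key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in, not Tor's cipher).
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Add one encryption layer: nonce + tag + ciphertext."""
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    return nonce + hmac.new(mac_key, nonce + body, hashlib.sha256).digest() + body

def peel(key, blob):
    """What one relay does: remove its layer, learn the next hop and the inner blob."""
    enc_key, mac_key = _keys(key)
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("layer was not encrypted for this relay")
    layer = json.loads(_xor_stream(enc_key, nonce, body))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(path, destination, payload):
    """Client side: wrap the payload once per relay, exit layer first, entry layer last."""
    next_hop, blob = destination, payload
    for name, key in reversed(path):
        blob = seal(key, json.dumps({"next": next_hop, "data": blob.hex()}).encode())
        next_hop = name
    return next_hop, blob          # first relay to contact, fully wrapped packet

def route(path, destination, payload):
    """Send the onion through the path; record what each relay could observe."""
    keys = dict(path)
    hop, blob = build_onion(path, destination, payload)
    came_from, seen = "client", []
    while hop in keys:
        nxt, blob = peel(keys[hop], blob)
        seen.append((hop, came_from, nxt))
        came_from, hop = hop, nxt
    return seen, hop, blob

# Constructed sample circuit: relay names, keys and destination are made up.
SAMPLE_PATH = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]

if __name__ == "__main__":
    seen, dest, data = route(SAMPLE_PATH, "example.org:80", b"search query")
    for relay, prev, nxt in seen:
        print(f"{relay}: got packet from {prev}, forwards to {nxt}")
    print("delivered to", dest, "->", data)
```

Only the entry relay sees the client and only the exit relay sees the destination; a relay that tries to open a layer meant for another relay gets a ValueError.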

Use

TOR is being used for

1. Anonymous browsing and anonymous working

2. Accessing the .onion pseudo domain network (deep web)

Target audience

1. Businesses

2. Journalists

3. Law enforcement, police, fraud investigators

4. Activists

5. Criminals, thieves

6. Terrorists

8 Dingledine 2004 – Tor: the second-generation Onion Router / Roger Dingledine, Nick Mathewson. - In: 13th USENIX Security Symposium, July 2004. - p.303-3320

What you need

1. Tor Browser bundle. Holds the Vidalia package and a dedicated Mozilla Firefox browser for anonymous browsing.

2. Tor project 9 with packages for Linux, Mac, Android, and Windows.

3. Tip: the Tor bundle does not install. Simply unpack by double clicking and run.

4. Do NOT unpack and run from c:files , but somewhere else

5. Alternatively, unpack and run from your flash drive.

2.3 What it looks like

Run Vidalia

Figure 9: TOR network start

(See figure 9)

9 Tor project: http://www.torproject.org

Mozilla Firefox will start

The Tor browser bundle comes with its own stripped-down version of Firefox, where only ’safe’ add-ons are loaded.

Figure 10: TOR browser

(See figure 10)

2.4 Alternative access

Access the .onion domain without the Tor Browser Bundle

Via a public gateway one can access the Tor domain from the ’normal’ web without using Vidalia or the Tor Browser Bundle.

1. Disadvantage: it is not anonymous

2. Advantage: no need for the Tor Browser Bundle

3. Address of websites: domain names ending in .onion.to

4. Gateway: Tor2Web 10

(See figure 11)

2.5 Anonymous browsing

Who are you?

(See figure 12)

(See figure 13)

After starting the Tor network (Vidalia)

10 Tor2Web: https://www.onion.to/

Figure 11: Tor2Web

Figure 12: Tor: IP address before starting the Tor network

Figure 13: Tor: IP address before starting the Tor network

Figure 14: Tor: identity after starting the Tor network

(See figure 14)

Changing your identity while working

Figure 15: Tor: changing your identity while working

(See figure 15)

Figure 16: Tor: a new identity after asking for a new one

(See figure 16)

2.6 The .onion pseudo domain

The .onion domain is not official

The top-level domain is not a regular domain as specified by ICANN and/or IANA, but a .onion pseudo domain. The origin of the domain websites is almost impossible to find.

(See figure 17)

An underground Internet

(See figure 18)

(See figure 19)

Figure 17: Tor: a Tor directory to buy credit cards, drugs, weapons and more.

Figure 18: Tor: black market

Figure 19: Tor: buy your money online

3 About

Contact information and biographical information on the owner of Reuser’s Information Services

Who:

• Arno H.P. Reuser ; OSINTian ; information professional ; librarian ; information freak ;

Work:

• CEO, owner and founder Reuser’s Information Services ;

• Senior policy advisor OSINT at NL ministry of Defence ;

Activities:

• Founder: Reuser’s Information Services ; Dutch Open Source Intelligence Branch ;

• Writer: OSINT in Inlichtingen- en Veiligheidsdiensten (Kluwer) ; co-editor Advances in Social Network Analysis and Mining (Springer) ; journal articles ; book reviews ;

• Interviews: in several magazines (GO magazine, IK Kapital) ; PODcast (International Spy Museum Washington D.C.) ;

• Teacher/speaker: Uni. Amsterdam, Uni. Utrecht, NLDA Breda, DIVI, GOBI The Hague, Uni. South Denmark, Uni. Kaohsiung Taiwan, Clingendael, United Nations IAEA, EU (EUlex, EUMM Georgia, Eurojust, Europol, Consilium), Interpol, Folke Bernadotte Academy Sando SE ;

• OSINT Trainer: training programmes, courses and workshops in Austria, Australia, Belgium, Denmark, France, Netherlands, Sweden, Switzerland, Ukraine, United Kingdom, United States ;

• Awards: Life time award OSS 2007 ; Golden Candle Award 2003 ; Nomination for Information Professional of 2010 ; Winner National Information Retrieval Contest ;

• Websites: Reuser’s New Repertorium (Internet Resource Discovery Toolkit) http://rr.reuser.biz ; home page http://www.opensourceintelligence.eu ; NEDBIB discussion list http://nedbib.reuser.biz ;

• Programming/research: ISOLDE building blocks search engine ; Delphi Search Engine Com-parison device ;

Contact:

• e-mail: [email protected]

• Skype (arnoreuser) ; Twitter (arnoreuser, OSINT) ; Facebook ; LinkedIn ; WhatsUp ; SMS ;

• Websites
Company home page: http://www.reuser.biz
Reuser’s New Repertorium: http://rr.reuser.biz
Isolde search engine: http://isolde.reuser.biz
New home page: http://www.opensourceintelligence.eu

• Phone: +31 6 3812 7715 (GMT+1)

• Address: De Wetstraat 16, 2332 XT Leiden, The Netherlands

3.1 Disclaimer

All statements made in this document, all the content in this document is based on the personal experience, study and knowledge of the writer and owner. No statement is endorsed by whatever official institute or government institute or government agency in The Netherlands or anywhere else. The writer, speaker and owner cannot be held liable for the use of the information or any damage whatsoever resulting from its use whether direct or indirect. Use at your own risk.

3.2 Warning

Techniques, procedures, tools and documents used and/or demonstrated may in your country or organisation be illegal, an offence, a misdemeanour, a felony or worse, punishable by law.

DO NOT TRY ANYTHING!

unless you are absolutely sure about the ethical and legal consequences. Try at your own risk.
