TRANSCRIPT
Dark Web Threats with Chuck Easttom www.ChuckEasttom.com
Dark Web Markets
HOW TO ADDRESS THE DARK WEB THREATS
About the Speaker
23 books (2 more in progress)
Over 40 industry certifications
2 Masters degrees
D.Sc. in Cybersecurity in progress
13 Computer science related patents
Over 25 years experience, over 15 years teaching/training
Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8
Created ECES, created OSFCE
Frequent consultant/expert witness
Frequent speaker/presenter including: Defcon, Hakon India, Hakon Africa,
SecureWorld, ISC2 Security Congress, AAFS, IAFSL, etc.
Conducts security related training internationally
www.chuckeasttom.com
Tor Networks
TOR, https://www.torproject.org/, is an anonymous
network of proxy servers. One can use the TOR network to
send any sort of network traffic, including emails. This
makes tracing the traffic back to its source extremely
difficult.
Accessing a website via TOR
[Diagram: User's machine → Proxy #1 → Proxy #2 → Proxy #3 → Proxy #4 → Target server (onion site, IP address ???)]
Each proxy just sends the packet on and only knows the last and next hop.
The path can change each route.
The target server only knows the last hop the packet came from.
The user only knows the first proxy in the chain.
What does this mean
Searching from my home in Texas, it appears I am
in Romania
How they work
Search the dark web
https://hss3uro2hsxfogfq.onion.to/ is a good
general dark web search engine
Torch
http://xmh57jrzrnw6insl.onion/
What’s for sale?
U.S. Bank Account Information Sold on Dark Web Market Place
https://verafin.com/2016/08/u-s-bank-account-information-sold-dark-web-marketplace/
April 6, 2017 Tax information for sale on the Dark Web
https://www.bloomberg.com/news/articles/2017-04-06/your-tax-refund-is-selling-cheap-on-the-dark-web
April 24 2017 Health Care Records for sale on the Dark Web
http://www.csoonline.com/article/3189869/data-breach/healthcare-records-for-sale-on-dark-web.html
Search the dark web
http://msydqstlz2kzerdg.onion/ is a good general dark web search engine
Dream Market Search for Chase Bank
Accounts for sale 9/18/2017
Tor Site #3
Tor Site #3 – some
products as of 10 Feb 2017
Traderroute (9/17/2017)
Traderroute (9/17/2017)
WallStreet (9/18/2017)
WallStreet (9/18/2017)
EuroGuns (9/18/2017)
Valhalla (Finnish) (9/12/2017)
The Blue Moon Group
Some sites have been
removed
Dark Web Realities
February 7, 2017, the Derry Journal reports 6 people hospitalized in the last 10 days from drugs purchased on the dark web.
February 3, 2017, a man in Seattle admits to selling heroin over the dark web.
February 4, 2017, reports emerge that some dark web markets are paying bug bounties.
January 31, 2017, reports emerge of dark web markets paying employees for insider information on their organizations.
February 7, 2017, ISIS is recruiting via the dark web.
February 8, 2017, Boko Haram is fund raising via the dark web.
Law Enforcement Techniques
Watering Holes
Deanonymizing
Fake Reviews
Monitoring
Watering Holes
Basically a site to attract the targets of choice.
Watering Holes were used in the Playpen case. The FBI agents monitored a bulletin board hidden service launched in August 2014, named Playpen. Playpen was a hidden service used in the dark web for “the advertisement and distribution of child pornography”; it reached over 200,000 users in just one year, with over 117,000 total posts mainly containing child pornography content. The FBI agents were able to discover nearly 1300 IP addresses belonging to the visitors.
Servers with contraband images were used to spread a tool for deanonymizing Tor users.
NIT
Network Investigative Technique used to deanonymize suspects using TOR.
“The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.” NIT was used in the Playpen case.
IP address through the TCP connection, operating system, CPU architecture and session identification. The researchers were able to determine that if a TOR browser accessing the FBI controlled website had proper up-to-date controls configured the NIT would not be able to reveal the true IP address of the users.
Fake Reviews
Panos Makopoulos and Dmietri Xefteris from the University of Cyprus and Chrysanthos Dellarocas of Boston University wrote a paper advocating law enforcement using fake reviews of Dark Web drug markets to lower traffic.
http://www.fox.temple.edu/conferences/cist/papers/Sesson%201A/CIST_2015_1A_2.pdf
Monitoring
Jason Koebler of Motherboard recommended Law Enforcement and Intel consider the following:
Mapping the hidden services directory
Looking at web connections to non standard domains.
Social Media monitoring
Snapshot hidden services
Marketplace profiling
http://motherboard.vice.com/read/six-ways-law-enforcement-monitors-the-dark-web
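The "web connections to non standard domains" item above, shown from the network defender's side as an added example that is not part of the original slides: flagging .onion names and onion-gateway hostnames in DNS or proxy logs. The log layout (timestamp, client IP, queried name), the function names and the sample records are constructed assumptions.

```python
import re
from collections import Counter

# Base32 onion labels: 16 chars (v2, the form shown in these slides) or 56 (v3).
ONION_LABEL = r"(?:[a-z2-7]{16}|[a-z2-7]{56})"
# RFC 7686 reserves .onion, so a direct lookup reaching an ordinary resolver
# means a client is leaking Tor hostnames outside the Tor network.
DIRECT = re.compile(rf"^(?:[a-z0-9-]+\.)*{ONION_LABEL}\.onion\.?$")
# Clearnet gateways carry the onion label in front of a normal domain,
# like the "<label>.onion.to" form quoted earlier in the slides.
GATEWAY = re.compile(rf"^(?:[a-z0-9-]+\.)*{ONION_LABEL}\.onion\.[a-z0-9.-]+$")

def classify(hostname):
    """Return 'onion-leak', 'onion-gateway' or None for a queried name."""
    host = hostname.strip().lower()
    if DIRECT.match(host):
        return "onion-leak"
    if GATEWAY.match(host):
        return "onion-gateway"
    return None

def scan(lines):
    """Each line: 'timestamp client_ip queried_name' (assumed layout)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than guess at fields
        ts, client, name = parts
        kind = classify(name)
        if kind:
            hits.append({"ts": ts, "client": client, "name": name, "kind": kind})
    return hits

def per_client(hits):
    """Count flagged lookups per internal client for triage."""
    return Counter(h["client"] for h in hits)

# Constructed sample records; the onion label is a made-up placeholder.
SAMPLE = [
    "2017-09-18T10:02:11Z 10.0.0.15 abcdefghij234567.onion",
    "2017-09-18T10:02:12Z 10.0.0.15 abcdefghij234567.onion.to",
    "2017-09-18T10:03:40Z 10.0.0.22 www.example.com",
    "2017-09-18T10:04:05Z 10.0.0.31 onion.example.org",
    "truncated record",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
    print(per_client(scan(SAMPLE)))
```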
Scanning Dark Web Sites
http://ichidanv34wrx7m7.onion/search?query=SSH
Other Tor Link Lists
linkzbg4nwodgic.onion just basic link lists
jdpskjmg5kk4urv.onion Dark Web Links
Note: some of these reference each other.
The following are search engines for the Dark Web
anon4jmy3fozlv6.onion
xmh57jzmw6insl.onion The Torch Search Engine
OnionDir
OnionDir - http://dirnxxdraygbifgc.onion
Other Tor Link Lists
The Hub - http://thehub7dnl5nmcz5.onion
Bugged Planet - http://6sgjmi53igmg7fm7.onion
Doxbin - http://npieqpvpjhrmdchg.onion
Torchan - http://zw3crggtadila2sg.onion
Grams - http://grams7enufi7jmdl.onion
Tor Search - http://kbhpodhnfxl3clb4.onion
Tor Find - http://ndj6p3asftxboa7j.onion
Setup a TOR identity
Setup a TOR based email
http://365u4txyqfy72nul.onion/ - Anonymous E-mail service
http://torbox3uiot6wchz.onion/ - [TorBox] The Tor Mail Box
http://notestjxctkwbk6z.onion/ - NoteBin - Create encrypted self-destructing notes
Post in some forums
http://2gxxzwnj52jutais.onion/phpbb/index.php - Onion Forum 2.0 renewed
http://npdaaf3s3f2xrmlo.onion/ - Twitter clone
http://hbjw7wjeoltskhol.onion – social network: File sharing, messaging and much more. Use a fake email to register
Dark Web Search Map
Setup parameters
Create identity
Locate and profile 6 to 12 markets you like
Search engines
At least 2 you have identified you prefer
Search markets
At least 4 or 5
Identify specific items
Verify/profile the seller
Dark Web General Guidelines
Safe Searching
Build your identity
Profile Markets – keep dossier
Profile Sellers – keep dossier
Building the perfect identity – Basic Identity
Get Email
Post in Forums
Interact
Building the perfect identity – Intermediate Steps
Build your own website - make it a collection of links to articles, search engines, etc.
Buy a few low end items. Accounts from your client, innocuous documents, etc.
Give reviews to sellers, positive reviews
Building the perfect identity – Advanced Steps
Have a second identity (or multiple identities), sell a few items to yourself. Give yourself good reviews (but not too good).
The perfect identity has
Forum posts
Responds to emails
Makes appropriate commentaries
Has bought and/or sold
Further Reading
Global law enforcement strikes deep into 'Dark Web'
http://www.alternet.org/progressive-wire/global-law-enforcement-strikes-deep-dark-web-0
The Ultimate Guide To The Dark Web for Law Enforcement Professionals
http://blog.mcafeeinstitute.com/the-ultimate-guide-to-the-deep-web-for-law-enforcement-professionals/
Operation Onymous
https://www.swansea.ac.uk/media/GDPO%20SA%20Onymous.pdf
Dark Web News
https://darkwebnews.com
The rise and challenge of the Dark Web markets
https://www.swansea.ac.uk/media/The%20Rise%20and%20Challenge%20of%20Dark%20Net%20Drug%20Markets.pdf
Dark Web - The Smart Persons Guide
http://www.techrepublic.com/article/dark-web-the-smart-persons-guide/
Further Reading
Evans and Grothoff of the University presented "Deanonymizing Tor" at Defcon 16.
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf
Motherboard published an article in 2015, Tor Attack Could Unmask New Hidden Sites in Under Two Weeks
https://motherboard.vice.com/en_us/article/tor-attack-could-unmask-new-hidden-sites-in-under-two-weeks
The Inside Story of Tor, the Best Internet Anonymity Tool the Government Ever Built
https://www.bloomberg.com/news/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency