
The Beginner’s Guide to The Internet Underground

Jeremy Martin, Sr. Security Researcher

This doc covers the basics of anonymity, hacktivism, and the hidden parts of the Internet underground, along with some of the things you may find there.

Disclaimer: Do NOT break the law. This was written to explain what the Darknet (Tor hidden services) is and what kind of things you may find there. It is not an invitation to break the law without recourse. Just like any network, this one has both good and bad guys. If you break the law, you will get caught: bad guys have to be lucky EVERY time, the good guys only have to be lucky once. Images within this document were taken directly off the Internet or from screenshots at the time of research. The content of these pages is subject to update, discussion and dispute, and comments are welcome.

Information Warfare Center, LLC (719) 359-8248

7/1/2013

“If you know both yourself and your enemy, you can win a hundred battles without a single loss” – rough translation; Sun Tzu’s Art of War. "Trust but verify" - Ronald Reagan or the Russian proverb "Доверяй, но проверяй"


Contents

The Story    4
Can there be true anonymity on the Internet?    5
The Internet Underground: Tor Hidden Services    10
    Tips    13
    Creating your own Darknet home    14
    Other Internet hidden networks: I2P: Anonymizing network    15
Hacker Groups    17
    The Hacktivist    17
    The Cyber Criminal    18
    Cyber Espionage / Warfare    21
    The Cyber Jihadists    22
The Activist Group "Anonymous"    23
    Messages from Anonymous    23
Information sharing    29
    Security Research    29
    Internet Piracy    30
Digital Forensics and investigation    33
    Disk forensics    34
    Network forensics    35
    Misc forensics    36
    Anti-forensics example    37
Resources    38
About the Author    39



The Story

It's half past midnight. Moving images of Japanese anime irradiate from a monitor while the beat of progressive house music leaks out of speakers throughout the room. The glow of computer screens flickers off empty energy bottles strewn across the room. The television across the room showcases the major networks as they comment on the misdeeds of a few corrupt officials exposed by leaked cables. Pictures on the television show news bulletins filled with thoughts of terrorism, espionage, and a cyber-apocalypse. This fear mongering preceded an Executive Order to allow both companies and government agencies to monitor everything from emails to telephones without a search warrant. This has inflamed the hacker community, along with a small portion of the population who consider themselves freedom fighters and patriots.

One of the laptops sitting on a nearby desk (a customized Linux) starts to flash, catching a hacker's attention. A script designed to crawl government and military websites found and defaced the 17th website tonight with cyber-"patriot" propaganda. An IRC chat window starts to become active. Several hackers, known only by their handles, start to laugh (lolz). Another laptop views a pastebin information leak where thousands of email accounts and millions of emails from those in the law enforcement, government, and intelligence agencies are listed with a note saying "If you want to watch us, let the public watch you." The sites publishing the information are getting shut down quickly at first, but soon the data spreads like wildfire. The chat turns more organized, and plans for future attacks start to solidify. At first they were hacking for the lolz, but now it is different. They all feel invincible and are doing it for ideology.

… It is now three in the morning and the sound of rain drowns out the scream of police sirens racing down the street. Tires screech as over a dozen vehicles swarm the suspect's house. Within a minute, there are over twenty fully armed S.W.A.T. and federal agents moving towards the red door in the front of the house. One of the officers motions… "This is the police!" another yells as two cops swinging a "door knocker" bust the weak wooden door off of its hinges. Black clothed bodies flood the portal. The Special Agent (SA) in charge of the operation walks through the shattered home immediately after being cleared by the shock troops. Once he gets to the back bedroom where the suspects are located, he finds an elderly couple lying terrified in their bed, surrounded by weapons drawn. The SA simply asks if the couple had any knowledge of the cyber-attacks plaguing the country. "No," the wife mutters in tear soaked speech, as the SA shakes his head in frustration.

A couple of miles away from the flashing of police lights, the actual criminal gazes through his window laughing at how untouchable he thinks he is. The hacker perpetrated the attack by purchasing a high power wireless card with a directional antenna during his travels. Using cash, the transaction was practically untraceable. He used a Linux distribution called "Reaver Pro" to crack the elderly couple's wireless WPS key. This only took a few hours and gave the hacker the WPA password, which happened to be their son's name. He then proceeded to change or spoof his MAC address (hardware fingerprint) to that of the couple's personal computer and then piggybacked off their service. Now, even if they change the WPA key, the broken WPS key will instantly give him their new password unless they change the WPS key as well.

The hacker and his associates continued the attacks believing they are invincible while fighting for a "just" cause. The fight on both sides escalated over the next year until the freedom fighters hacked a water treatment facility running SCADA or Industrial Control Systems (ICS). The facility's management made a poor decision and connected the secure network to the enterprise network without proper security. This gave our attackers access to some very sensitive systems. Now, the hackers come across a device that looks "interesting". They simply listened to the network traffic for a couple of days. After they record the data between the control center and what ends up being a chemical injector, one of the hackers realizes which one is which. As a political statement, the hacker changes the amount of fluoride flowing into the drinking water. He plans to do this for only a few minutes. Almost immediately, lightning strikes a phone pedestal a mile down the road. The DSL line the hacker is using "goes dark". Panic finds its way across the hacker's face as he realizes he just murdered over a thousand people with fluoride poisoning. None of the exploits used or information leaked to the public was ever traced back to the original sources. Most of the ones caught aren't even the masterminds behind the attacks.

[Artwork by Jeremy Martin]

The interesting thing is most of it can easily be true. Poor choices by management and improper implementation by staff are rampant. (One detail in the story is kinder to the victims than reality: on most consumer routers the WPS PIN cannot be changed at all, so once Reaver has recovered it the only real fix is to disable WPS entirely.) The mentalities of hackers vary from a bored teen doing it because they can, to actual state-sponsored espionage, to ideological electronic warfare. How many malware writers actually get caught, let alone convicted? How many hackers actually get caught, let alone convicted? Even the hacktivists that do get arrested for attacks such as Denial of Service use the defense of activism, free speech, or a "cyber sit-in." Anyone can be a hacker. Anyone can be an activist. Anyone can be a criminal…

How many cyber laws, just here in the U.S.A., have been passed in the last ten years in the name of "antiterrorism"? The recently failed and reintroduced CISPA was such a law that violates the 4th Amendment and every revision of the wiretap laws ever passed. Warrantless wiretap… Think of this: most cell phones and telephones cross over networks at some point. The voice becomes digital and therefore data, and falls under the monitoring statutes for "Provider Protection". Why would this be considered absolutely inconceivable pre-911 and perfectly acceptable post-911? Questions need to be asked before trying to understand the why. Why would people want to be anonymous or exercise their right to privacy and free speech? Why would others want to monitor everyone's communications in the name of security? Why would some be considered cyber-terrorists? Can one actually protect themselves from prying eyes? It is understandable why a government would want to do this. It is also understandable why the people would want to stand up against the illegal activities of their government.

Can there be true anonymity on the Internet?

To some extent, the answer to the title is yes. However, there are many variables to consider. Just in the United States, there are many laws on the books (especially post-911) that have enabled "Big Brother" to potentially violate several of the rights granted to Americans by the Bill of Rights. Look at the recent classified information leaked by Edward Snowden about the secret wiretapping programs PRISM and NUCLEON. Listed below are just a few of the regulations or budget contracts that reference loosening the term "reasonable search and seizure" covered in the Fourth Amendment, and why there is such an Internet outcry over Internet privacy.

Just in the USA, there are several interesting federal laws:
- Computer Fraud and Abuse Act (CFAA)
- USA Patriot Act, Title II (Enhanced Surveillance Procedures)
- ECPA (Electronic Communications Privacy Act)
- Title 18, U.S.C. §1030 (Computer Fraud and Abuse Act)
- Title 18, U.S.C. §2703 (Disclosure of customer communications)
- CISPA (Cyber Intelligence Sharing and Protection Act): shot down in 2012 and resurrected in 2013
- NDAA 2011 (The National Defense Authorization Act)
- Digital Millennium Copyright Act (DMCA)
- Etc…

Constitution of the United States

Amendment I: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Amendment IV: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

"Six Strikes" rule: At the time of this research, some of the ISPs that have already subscribed to this are AT&T, Cablevision, Comcast, Time Warner Cable, and Verizon. Currently, the parties agreed on a system through which copyright infringers are warned that they are breaking the law. After six warnings, ISPs may then take a variety of repressive measures, which include slowing down offenders' connections and temporary disconnection.

With this new wiretap, there are several Internet Service Providers that may be illegally wiretapping all your traffic. This means these "service providers" are watching everything you do and may be giving that intelligence to the government or other companies. I hope you like the thought of hundreds of people reading ALL of your emails and listening to your phone conversations. Whether it is foreign or state-sponsored activity, or the ISP watching what you are doing so they can censor, filter, or shape your bandwidth, your secrets may not be that secret.

A simple way to prevent being tracked back (as in the story) is to use someone else's Internet. Again, this is theft of services, but this theft is far easier than most people believe. Piggybacking on someone else's Internet without authorization is illegal. Do NOT break the law. With the proliferation of wireless devices, finding someone else's Internet is very easy. The attacker assumes someone else's digital identity and piggybacks off their Internet connection.

If you boot off a live Linux CD (BackTrack is one of the best security distributions), you can use a program called "airmon-ng". This will allow you to turn your current wireless card into a monitoring device. Once you have booted into the operating system, use "ifconfig" to turn the wireless card on. At this point, you can see the WiFi traffic without even connecting to the targeted network. After you see a wireless access point and decide who is a "top talker" on that device, use a program called "macchanger" to alter your network fingerprint to the top talker's MAC. Then connect to the same remote access point. This is a method of blending in. The command line examples would look like this (Cli = Command line interface :)

Cli1: airmon-ng start wlan0 <enter>
Cli1: airodump-ng mon0 <enter>          (view the "top talker"; mon0 is the monitor interface airmon-ng creates)
Cli2: macchanger -m "top talker MAC address" wlan0     (the interface must be down for this to work)
Cli2: ifconfig wlan0 up
Cli2: iwconfig
Cli2: iwconfig wlan0 mode Managed
Cli2: iwconfig wlan0 essid "target ssid"
Cli2: iwconfig wlan0 key "wireless password"     (if a password is needed; iwconfig only handles WEP keys, a WPA/WPA2 network needs wpa_supplicant)
Cli2: dhclient wlan0   or   dhcpcd wlan0          (to get a DHCP IP address)

At this point, they should be connected to the target network. If the provider uses a service proxy, you may have to use programs like Burp Suite or Paros proxy to fake other connection information like the browser or paid connection information. At the time of this research, I have seen some providers associate the paid account with a specific access point, which is just as easy to bypass as the other methods. Even though you are spoofing the target "MAC address", you are usually going to be another Internet Protocol (IP) address… A lot of analysts may miss this. If someone was trying to track back the source address, they would get the victim's IP address, but that is about all. At a minimum, other evidence could be acquired from the ISP. Further investigation may reveal that the victim was being hacked, or whether the hacker connected to a personal account or services such as email, Facebook, LinkedIn, or other targeted personal info. If the suspect uses a long range card with a long range antenna, the chances of tracking them drastically decrease to almost nil.
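Picking the "top talker" by eye from the airodump-ng screen is error-prone; the tool can also write its tables to a CSV file (`airodump-ng -w <prefix> mon0` produces `<prefix>-01.csv`). The following is an added example, not part of the original document, that parses such a file (the sample below is constructed, with made-up MACs, times and counts) and reports, per access point, the associated station with the highest packet count, plus which stations have probed for a given network name. From the investigation side, the same parse is how an analyst spots a device that is not associated but keeps probing for the victim's SSID.

```python
"""Parse airodump-ng CSV output and rank stations per access point.

Added example; the CSV below is constructed for illustration. Column order follows
the file airodump-ng writes: an access-point table, a blank line, a station table.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-07-01 00:30:01, 2013-07-01 00:45:10,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, HomeNet,
66:77:88:99:AA:BB, 2013-07-01 00:30:02, 2013-07-01 00:45:10, 11,  54, WPA2, CCMP, PSK, -70,   95,  0,   0.  0.  0.  0,   9, CoffeeBar,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2013-07-01 00:30:05, 2013-07-01 00:45:09, -52,  4310, 00:11:22:33:44:55, HomeNet
AA:BB:CC:DD:EE:02, 2013-07-01 00:31:12, 2013-07-01 00:44:50, -60,   212, 00:11:22:33:44:55,
AA:BB:CC:DD:EE:03, 2013-07-01 00:33:40, 2013-07-01 00:45:01, -65,  1580, 66:77:88:99:AA:BB, CoffeeBar
AA:BB:CC:DD:EE:04, 2013-07-01 00:35:00, 2013-07-01 00:40:00, -80,    35, (not associated), HomeNet,Linksys
"""


def parse_airodump_csv(text):
    """Return ({bssid: ap_info}, [station dicts]) from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                        # blank separator line between the tables
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0]] = {"channel": int(row[3]), "privacy": row[5], "essid": row[13].strip()}
        elif section == "sta" and len(row) >= 6:
            # Probed ESSIDs are comma separated, so they spill into the remaining columns.
            stations.append({"mac": row[0], "packets": int(row[4]), "bssid": row[5].strip(),
                             "probes": [p.strip() for p in row[6:] if p.strip()]})
    return aps, stations


def top_talkers(aps, stations):
    """Per ESSID, the associated station that sent the most packets: (mac, packets)."""
    best = {}
    for s in stations:
        if s["bssid"] not in aps:           # "(not associated)" or an AP outside the capture
            continue
        if s["bssid"] not in best or s["packets"] > best[s["bssid"]]["packets"]:
            best[s["bssid"]] = s
    return {aps[b]["essid"]: (s["mac"], s["packets"]) for b, s in best.items()}


def probers_for(stations, essid):
    """MACs of every station that has probed for the given ESSID, associated or not."""
    return [s["mac"] for s in stations if essid in s["probes"]]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(top_talkers(aps, stations))
    print("probing for HomeNet:", probers_for(stations, "HomeNet"))
```

The MAC that `top_talkers` reports for a network is the one the text's `macchanger -m` step would copy; `probers_for` is the defender's view of the same data, since a station that probes for your SSID without ever associating is exactly the reconnaissance device the story describes.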

There are legitimate reasons why governments want to monitor and control the communications of the populace and/or foreign entities. Threats against intelligence and national security are valid concerns. However, many countries used those excuses and violated the basic trust they once had with their citizens. Egypt, Tunisia, and Syria are just some of the more recent countries that have fallen to the temptation to censor or monitor. During the uprising in Tunisia, the government at the time tried to stop transmissions and effectively turned off the traditional paths to the Internet. Several groups then helped re-open the communication channels by sending dialup numbers, proxy addresses, IRC channels, and VPN servers. Soon after, the Twitter feeds and videos started to stream out of the country again.

Many Internet Service Providers (ISPs) are working with the local government or copyright owners such as the MPAA, RIAA, Microsoft, etc., to monitor your entire Internet traffic looking for evidence of possible pirated intellectual property. The MPAA allegedly hired people in India to attack thepiratebay. The hacktivist group "Anonymous" then attacked back, effectively shutting down the MPAA websites. Anonymous has even taken to the Tor network for protection from cyber spying, with the old site Anonops.org being moved to anonops532vcpz6z.onion.

The need for some to pass information without prying eyes has spawned many different methods of "anonymous" communication or covert channels. For whatever reason you want to protect your identity and data on the Internet, there are several options. I am going to focus on the Internet as the backbone medium. To understand how people are hiding what they are sending and where they are sending from, you need to know the basics of the communication mechanism they are using. There is always a fingerprint on every packet that is sent. If all the systems or nodes on a network are monitored and logged, the origin can always be traced. The challenge with the Internet is that nobody controls everything (even though there is a current power struggle in this area). This means that if you cannot get the logs, you may not get the origin or the original fingerprint. There are several reasons you don't get the logs; the two most common are political and the lack of storage. To get around this, suspects can use methods to make their origins anonymous on the Internet.

Proxy servers are one of the most common routes. There are free and commercial proxy servers all around the world that offer access without logging the connections. Some of these proxies offer SSH encryption or even AES 256 bit encryption tunnels, such as the services from BTGuard. Finding the source is then difficult beyond knowing the IP address of the proxy and getting an answer from that system. On the other side of this coin, many people use these types of jump points to download music and pirated software, or to send out malicious attacks against targets in a massive DDoS attack. Encryption is still the best solution to keep your information private. Using network encryption makes network forensics on the content virtually impossible, although the endpoints, timing, and volume of the traffic remain visible to anyone on the path.

The TOR community or Onion network is another service that contains thousands of public proxies and thousands more that are not publicly known. The basic TOR client that comes with the TOR Browser Bundle (TBB) even allows you (the client) to be a proxy into the TOR network. With this being said, blacklisting TOR network addresses does not work. TOR is not meant for BitTorrent (torrent clients leak your real IP address through UDP trackers and the DHT regardless of the proxy setting), but it does support browsing, email, chat, and other basic Internet services.

There are many "secure" live operating systems you can use to log into TOR. The first one I want to talk about is Tails: "The Amnesic Incognito Live System is a live CD/USB distribution preconfigured so that everything is safely routed through Tor and leaves no trace on the local system." This can be found on torproject.org. The second one I would like to mention is Whonix, which "(called TorBOX or aos in past) is an anonymous general purpose operating system based on Virtual Box, Debian GNU/Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Not even malware with root rights can find out the user's real IP/location." Whonix is based on two different virtual machines and does require more resources and a running host OS. Both of these are pre-configured operating systems that will let you automatically connect to the TOR network with little to no work on your part. Another live Linux system that is very popular in the security community is BackTrack Linux (backtrack-linux.org).

Live operating systems usually run in memory only. Once the system is shut down, everything in memory is wiped out. Tails, if burned to a CD, doesn't leave a forensic trail on the local hard drive. A USB drive can be used to substitute the CD. Some of the live Linux distributions will even prevent automatic mounting of drives and network cards after the OS boots up. If the drives are mounted, they can be mounted read only. Coming from someone with a computer forensics background, I can attest that a suspect using live Linux makes the investigation a nightmare. The simple fact is, if the people investigating do not have the original USB, there is no forensic footprint. This allows for plausible deniability.

Programs like MacChanger will allow the user to spoof the hardware fingerprint to obfuscate the vendor/identification at OSI layer 2 (data link layer), especially if connecting to unsecured wireless networks. However, once on the TOR network, the first relay you connect to (the entry guard) still sees your original IP address, and your ISP can still see that you are talking to Tor.

The other method to completely hide all your traffic is the traditional VPN. A VPN server essentially hides your IP address because you are virtually connected to a completely separate network. Once you touch the Internet, it is going through their gateway. Once you are on the network, your source is known by the other people on the network. You are also on a network with others trying to hide their identity. Just be aware of your environment. If you are not a member of a hacking group, hacktivist community, or state-sponsored cyber army, you may not have access to a private VPN or proxy. However, there are several resources you can choose from. It comes down to managing acceptable risk, but it all comes down to researching the product that is right for you. The downside is that there is a bandwidth bottleneck. Here is a list of services that some people use to hide their origin. Note that "may not log" is only the provider's own claim, which nobody outside the provider can verify.

Services that may not log:
- BTguard
- Private Internet Access
- TorrentPrivacy
- TorGuard
- ItsHidden
- Ipredator
- Faceless
- IPVanish
- AirVPN
- PRQ
- BlackVPN
- Privacy
- Okayfreedom
- Cryptocloud
and many others.

Services that do not support anonymity (log a lot):
- hidemyass
- Hotspot Shield
- VyprVPN
- SwissVPN
- StrongVPN

Now from the investigation standpoint, if the logs do not exist, you may never find the origin or the suspect. In this case, there is no forensic footprint. If the evidence has been tampered with or does not exist, there is no case. If you are on the same network or inline between the suspect and the proxy, you may be able to see what is going through the wire if it is unencrypted. If you are not on the same network as those using these services, especially the proxies, you are left with whatever the provider chose to log. However, you need to be careful of wiretap laws, the jurisdiction, and the monitoring laws in your area. Not even the ISPs have the right to monitor your traffic without probable cause and, more than likely, a court order. However, there is legislation and there are activities that are pushing this into a very grey area… ISPs are using the excuse that too many people are sharing illegal or protected IP content and that they should be able to protect themselves. Going back to the beginning of this article, some laws are being pushed so that wiretaps may be a normal part of everyday life and National Security trumps the right to privacy, as it is in most other countries around the world. This is also a major security threat for companies that want to control all of their traffic. If you blacklist, there will only be other covert channels popping up to bypass the blocking.

The Internet Underground: Tor Hidden Services

Some people think onion routing or the Tor network is for criminals and people with something to hide. Well, they are half right. There are legitimate reasons to use Tor, especially for those that are trying to hide their identities from oppressive governmental regimes, or reporters trying to minimize leaking the identity of informants.

"Tor was originally designed, implemented, and deployed as a third generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others." - www.torproject.org

The Tor network was designed to give a passage to those that needed to get information out. The easiest way to get onto the Tor network is with the Tor Browser Bundle (TBB). It is free and very easy to install and then use. All you have to do is go to torproject.org and download TBB, and within minutes you will be connected. With Tor, 3 nodes from a pool of thousands will be chosen, with the route changing often (the first hop, the entry guard, is deliberately kept for a longer period so that an attacker running relays does not get a fresh chance at every new circuit). The onion-like encryption assures the anonymity and can be a way to bypass traffic filters or monitors. There are still some anonymity challenges. If you are on the same network, you may still leak the originating IP address, and there is a risk of someone capturing your traffic where it leaves the exit node. Some will even go as far as only using HTTPS (SSL encryption) or reverting back to the good old VPN. Some will even stay on the proxy network and use services like Tor Mail, a web based email service. This medium has been recognized as a "safer" (or at least "semi-safe") way to communicate over the Internet.

What most people do not realize is that there is an entire underground out there called the "Darknet". Others just call the underground Internet Tor network "hidden servers". These hidden servers usually have a ".onion" extension and can only be seen using a Tor proxy or TorVPN. There are darker usages of the hidden servers. There are E-Black Markets all over this network that sell anything from meth to machine guns, and services that range from assembling credit card data to assassinations ("you give us a picture, we'll give you an autopsy report!"). One of the most popular "secret" sites, called "The Silk Road" or SR, has almost anything you can think of. SR has evolved over the years and has recently dropped its weapon sales section. They have also banned assassination services to minimize attention from showing up on Law Enforcement's radar. They still have plenty of drugs, counterfeit items, and stolen goods. Most of the sites trade their goods with an e-currency called Bitcoin, an electronic commodity that can purchase almost anything on these markets. (Bitcoin is pseudonymous rather than anonymous: every transaction is recorded in a public ledger, so coins can be followed from wallet to wallet.)


So let's take this step by step:
1.) Download the "Tor Browser Bundle" from torproject.org
2.) Double left click on "Start Tor Browser".
3.) You should then see Vidalia connecting to Tor.
4.) The Tor Browser should automatically open. You are now on the "Tor network". You can now access ".onion" domains.
5.) Enjoy a little more anonymity for research.
6.) Create a TorMail account on jhiwjjlqpyawmpjx.onion
7.) Create a TorPM account on 4eiruntyxxbgfv7o.onion/pm/

Once you are on Tor, the next thing you would have to do to communicate with some of these sites is to get an anonymous Tor based email. This is a web based email that you log into that acts just like regular email, except it only exists in the Tor world. Another popular communications mechanism is TorPM.

Tor Communications
    Tor Mail: http://jhiwjjlqpyawmpjx.onion/
    TorPM: http://4eiruntyxxbgfv7o.onion/pm/

Informational
    The Hidden Wiki: http://kpvz7ki2v5agwt35.onion/wiki/
    Torlinks: http://torlinkbgs6aabns.onion/
    LiberaTor (weaponry & training): http://p2uekn2yfvlvpzbu.onion/
    Social Network: mul….onion/

Search
    The Tor Hidden Service Search (ahmia): http://www.ahmia.
    Torch: http://xmh57jrzrnw6insl.onion/

E-Black Market sites
    The Silk Road: http://silkroadvb5piz3r.onion/
    Black Market Reloaded: http://5onwnspjvuk7cwvk.onion/
    TorBlackmarket: http://7v2i3bwsaj7cjs34.onion/
    Zanzibar's underground marketplace: http://okx5b2r76olbriil.onion/
    CC Paradise: http://mxdcyv6gjs3tvt5u.onion/
    CC4ALL (Credit Card site): http://qhkt6cqo2dfs2llt.onion/
    Quality Counterfeits: http://i3rg5diydpbxkewu.onion/
    Onion-ID (fake ID): http://g6lfrbqd3krju3ek.onion/
    EU Weapons & Ammunition: http://4eiruntyxxbgfv7o.onion/
    Assassination Board: http://4eiruntyxxbgfv7o.onion/
    Another hitman: http://2v3o2fpukdlpk5nf.onion/
    Swattingservice (fake bomb threats): http://ofrmtr2fphxkqgz3.onion/
    C'thulhu ("organized criminal group"): http://iacgq6y2j2nfudy7.onion/

There are still plenty of other sites that focus on arms dealing or unfiltered auction sites. The sub-paths of several of these addresses were lost when the page was extracted, and all of them are 16-character (v2) onion addresses, which stopped resolving when Tor retired v2 onion services in 2021; they are listed here as a record of what existed at the time of research.

Tips

The Tor network has been around for many years and there are many hidden servers out there with ".onion" extensions. Investigating these sites can be problematic since the addresses are only available through the Tor system. There are many .onion sites that are benign, but there are many out there that contain contraband materials such as child pornography, drugs, stolen credit cards, illegal weapons, assassination services, and fake IDs. Be aware that there is more offensive material on that network per capita than on the normal Internet, surface web, or deep web. If you are researching in this realm, be extremely careful. I would document your research and report the child pornography sites to the proper authorities. This will help protect you from getting dinged for the possible illegal activity.

Just like a settlement in a lawsuit is not an admission of guilt, the need to be anonymous is not a representation of a guilty conscience. While trying to be faceless and hide your true identity, make sure you do not log into identifiable accounts. It is amazing how many people check their regular email or chat, or use their nicknames, and it makes investigations a lot easier. If you fear that your connection is being monitored through deep packet inspection, your Tor traffic may still be visible as Tor traffic (this is what Tor's bridges exist for). An extra step that can be taken to keep them from seeing your data is to also use a VPN service, bounce through a SOCKS5 proxy using an SSL tunnel, and then connect to the Tor network. (Keep in mind that entering Tor through a VPN hides your Tor use from your ISP but shows it to the VPN provider, who also knows who you are.) Here are some examples of levels on how someone can decrease the probability of getting caught. Just remember, if the VPN or proxy servers log the information, you are not truly anonymous. The more layers of security used, the more effort will be needed to peel them back to investigate. In the end, it all comes down to level of effort: the effort you want to put into being just another face in the crowd versus the effort of those that want to monitor. Management, upstream providers, and law enforcement sometimes disagree.

Example 1
    Connect directly: This leaves a direct fingerprint to the source. This is never suggested and usually points to a novice or script kiddie.

Example 2
    Change their MAC address: This changes the fingerprint of the hardware.
    Connect to a VPN: This will act as a proxy by adding them to a completely different network and having the VPN gateway as the "originating" address from the outside.
    Connect to Tor: This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.

Example 3
    Change their MAC address: This changes the fingerprint of the hardware.
    Connect to a VPN: This will act as a proxy by adding them to a completely different network and having the VPN gateway as the "originating" address from the outside.
    Connect to a Proxy: This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.
    Connect to Tor: This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.
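Examples 2 and 3 hinge on one property of every hop in the chain: the next party sees the hop's address rather than yours, but the hop itself still knows yours. The following added example (not from the original document) shows that with a real SOCKS5 CONNECT handshake (RFC 1928) run entirely on 127.0.0.1: a toy destination reports which address it saw, and the relay keeps exactly the log a subpoena would recover. All three parties are local, so they differ only by port; the request string is made up.

```python
"""What a proxy hides from the destination, and what it keeps for itself.

Added example: a minimal SOCKS5 relay, a toy destination server and a client on
localhost. The destination only ever sees the relay's address, which is the
obfuscation the layered examples rely on; the relay's own log still ties that
connection back to the client, which is why a logging proxy or VPN is not anonymity.
"""
import socket
import struct
import threading

socket.setdefaulttimeout(5)   # never hang if a handshake goes wrong
PROXY_LOG = []                # (client_addr, dest_addr): what a subpoena to the proxy yields


def _serve_destination(listener):
    """Toy destination: answers with the peer address it observed, then closes."""
    conn, peer = listener.accept()
    with conn:
        conn.recv(1024)                       # the request body is irrelevant here
        conn.sendall(f"{peer[0]}:{peer[1]}".encode())


def _serve_proxy(listener):
    """SOCKS5 relay: 'no authentication' method, CONNECT to an IPv4 address only."""
    conn, client = listener.accept()
    with conn:
        ver, nmethods = conn.recv(2)
        conn.recv(nmethods)                   # methods offered; we only ever pick 0x00
        if ver != 5:
            return
        conn.sendall(b"\x05\x00")             # version 5, method 0 = no auth
        ver, cmd, _rsv, atyp = conn.recv(4)
        if cmd != 1 or atyp != 1:             # only CONNECT + IPv4 in this toy
            conn.sendall(b"\x05\x07\x00\x01" + bytes(6))
            return
        dest = (socket.inet_ntoa(conn.recv(4)), struct.unpack("!H", conn.recv(2))[0])
        PROXY_LOG.append((client, dest))      # the log that undoes the anonymity
        with socket.create_connection(dest) as upstream:
            bnd = upstream.getsockname()      # the address the destination will see
            conn.sendall(b"\x05\x00\x00\x01" + socket.inet_aton(bnd[0]) + struct.pack("!H", bnd[1]))
            upstream.sendall(conn.recv(4096))
            conn.sendall(upstream.recv(4096))


def socks5_connect(proxy, dest, payload):
    """Client side of the handshake. Returns (destination's reply, client's own address)."""
    with socket.create_connection(proxy) as s:
        s.sendall(b"\x05\x01\x00")            # greeting: one method offered, no-auth
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("proxy refused no-auth")
        s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(dest[0]) + struct.pack("!H", dest[1]))
        if s.recv(10)[1] != 0:
            raise RuntimeError("CONNECT failed")
        s.sendall(payload)
        return s.recv(4096).decode(), s.getsockname()


def _listener():
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))                # ephemeral port
    lst.listen(1)
    return lst


def run_demo():
    """Run the three parties once and return what each side learned."""
    PROXY_LOG.clear()
    dest_l, proxy_l = _listener(), _listener()
    threads = [threading.Thread(target=_serve_destination, args=(dest_l,)),
               threading.Thread(target=_serve_proxy, args=(proxy_l,))]
    for t in threads:
        t.start()
    seen_by_dest, client_addr = socks5_connect(
        proxy_l.getsockname(), dest_l.getsockname(), b"GET / HTTP/1.0\r\n\r\n")
    for t in threads:
        t.join()
    dest_l.close()
    proxy_l.close()
    return {"client": client_addr, "seen_by_destination": seen_by_dest, "proxy_log": list(PROXY_LOG)}


if __name__ == "__main__":
    print(run_demo())
```

Every extra hop in Examples 2 and 3 repeats this pattern: the destination's view moves one step further away from the client, while each relay's `PROXY_LOG` (or a VPN provider's connection log) still holds the previous hop. An investigator following the chain backwards needs one of these logs per hop, which is exactly why the examples stack several.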

Creating your own Darknet home

Anyone can set up a "Darknet storefront". Unfortunately, drug dealers, pedophiles, and terrorists already know this. In many cases knowledge of web development isn't required; the bundled tools can make this a trivial process. Using a program called PortableApps from www.portableapps.com, you can add the Tor Browser Bundle and xampp (a self-encapsulated webserver bundle). This means that someone could have a Darknet hidden service on a thumbdrive and run the server on any computer they are currently at, allowing more anonymity for hosting the service. Now xampp is running and Apache is listening on ports 80 and 443. If you were to open a web browser and visit http://127.0.0.1, you would see the welcome page. To customize the website, just copy an index.html file directly into the PortableApps\xampp-portable\htdocs folder. Now you should be rendering your personal custom website.

Now to create an onion domain, open the Tor Browser. The Vidalia control panel should open. In this window, there is a settings button that gives you access to the proxy configuration. In here, there is a services area that allows pointing to your local web server. Choose either port 80 or 443 for standard HTTP and then add. It will generate a couple of configuration files for you to use and keep with the webserver. As shown in the image above, every time you run the Tor Browser, you will have a link back to your web server. This does take a few minutes to propagate across the onion router network. There are other ways to host a hidden service, but this is the easiest and most mobile method.
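The Vidalia "services" dialog described above only writes two directives into Tor's torrc; the same hidden service can be declared by hand, which is also the only way to do it in current Tor Browser releases, where Vidalia no longer exists. The fragment below is an added example, not from the original document; the directory path is an assumption for a PortableApps layout.

```text
# torrc (added example): publish the local xampp site as an onion service
HiddenServiceDir X:\PortableApps\Tor\hs_storefront
HiddenServicePort 80 127.0.0.1:80
```

After Tor restarts, the `hostname` file inside HiddenServiceDir contains the .onion name, and the key file next to it is the service's identity: anyone who copies it can impersonate the site, so it travels with the thumbdrive, not with the host. Two checks before going live: change xampp's `Listen 80` in httpd.conf to `Listen 127.0.0.1:80`, otherwise the same site is also reachable on the host's LAN or public address and the onion service is trivially tied to it; and make sure the pages do not embed the hostname, local paths or the xampp status page, which leak the host just as effectively.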

Other Internet hidden networks: I2P: Anonymizing network

"I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties."

"I2P is a project to build, deploy, and maintain a network supporting secure and anonymous communication. People using I2P are in control of the tradeoffs between anonymity, reliability, bandwidth usage, and latency."

"Unlike many other anonymizing networks, I2P doesn't try to provide anonymity by hiding the originator of some communication and not the recipient, or the other way around. I2P is designed to allow peers using I2P to communicate with each other anonymously — both sender and recipient are unidentifiable to each other as well as to third parties."

"The I2P/Tor outproxy functionality does have a few substantial weaknesses against certain attackers: once the communication leaves the mixnet, global passive adversaries can more easily mount traffic analysis. In addition, the outproxies have access to the cleartext of the data transferred in both directions, and outproxies are prone to abuse, along with all of the other security issues we've come to know and love with normal Internet traffic." - www.i2p2.de

Terminology of Tor vs. I2P

Tor                           I2P
Cell                          Message
Client                        Router or Client
Circuit                       Tunnel
Directory                     NetDb
Directory Server              Floodfill Router
Entry Guards                  Fast Peers
Entry Node                    Inproxy
Exit Node                     Outproxy
Hidden Service                Eepsite or Destination
Hidden Service Descriptor     LeaseSet
Introduction point            Inbound Gateway
Node                          Router
Onion Proxy                   I2PTunnel Client (more or less)
Relay                         Router
Rendezvous Point              somewhat like Inbound Gateway + Outbound Endpoint
Router Descriptor             RouterInfo
Server                        Router

Let’s take a step back and compare the two different networks, Tor and I2P. Tor, based off C, has been around for a longer period of time and has more nodes or proxies. With government and commercial funding, the Tor community has a solid base in research and development. However, this network uses a centralized directory based management. This also means that a lot of the exit nodes are known and blacklisted. Another big bonus is that Tor is hard to block, even at the state-level borders. This network also has the capability to use TLS and bridges. Tor acts as a Socks proxy so all traffic is forwarded as a relay, exit, or client node. Onion routing wraps your traffic or packets in multiple layers of encryption. Each router in the chain has its own key and can only decrypt the traffic at the layer that it encrypted. This distorts the view from prying eyes.

Unfortunately, I2P is based off Java which means that there is naturally a higher footprint. However, it is a fully distributed network which focuses on services instead of the entire TCP/IP stack, which makes the communications faster and more portable (port forwarding is now available). The encryption tunnels also have less of a life span. This makes crypto-analysis attacks more difficult. As mentioned before, there are many private proxies listed in the network that change frequently, or you can set up a relay.

Bouncing through multiple servers is nothing new. The average attacker usually goes through 2-3 hop points. The attacker can also bounce through multiple proxies, but the more connections you go through, the slower the connection will be. It is also not as easy to trace back as most of the movies seem to show. This is where you may have to get several court orders from multiple countries to trace back the source of the attack. However, if the server does not log, the job of the forensics analyst becomes a LOT more difficult if not impossible.

Reminder: When connecting to any proxy or using anonymizing methodology, NEVER use personal identifiable indicators. That means do not log into email, facebook, bank, or any other site you would normally connect to. Use a different browser and/or even a different system if you don’t want to spoof fingerprints. Do not cache or save bad data. It’s better not to even search for bad data or contraband.

Here is another example of how someone can decrease the probability of them getting caught.

Example 4
Change MAC address - This changes the fingerprint of the hardware.
Connect to WiFi Hotspot - Hide in plain sight but not on your network.
Connect to a VPN - This will act as a proxy by adding them to a completely different network and having the VPN gateway as the “originating” address from the outside.
Connect to a Proxy - This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.
Use an encrypted tunnel to Proxy - This distorts the view from prying eyes.
Connect to I2P - This again adds a layer of obfuscation to the target by ripping off the source information and adding its own.
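The sentence above about each router only being able to decrypt its own layer is the core of onion routing, and it is easiest to see with the wrapping and peeling written out. The following is an added example, not code from the guide or from the Tor project: a toy onion with three relays and constructed keys, where each relay peels exactly one layer and learns only its successor. The per-hop cipher is a throw-away HMAC-SHA256 keystream XOR so the block needs nothing beyond the standard library; real Tor uses AES-CTR inside TLS links and negotiates the keys with each hop. It also shows the point the I2P quote makes about outproxies: the last hop sees the plaintext.

```python
"""Toy onion routing: one key per relay, one layer per relay.
Added example with constructed keys and a placeholder destination."""

import hashlib
import hmac
import json

# Constructed demo keys, one per relay. In Tor each comes from the circuit
# handshake with that hop and is never shared with the other relays.
PATH = [
    ("guard", hashlib.sha256(b"demo-guard-key").digest()),
    ("middle", hashlib.sha256(b"demo-middle-key").digest()),
    ("exit", hashlib.sha256(b"demo-exit-key").digest()),
]
DESTINATION = "www.example.test:80"   # placeholder, not a real host
PAYLOAD = "GET / HTTP/1.0"


def keystream_xor(key, data):
    """Symmetric toy cipher: XOR data with an HMAC(key, counter) keystream.
    Encrypting and decrypting are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination, payload):
    """Wrap payload in one layer per relay, innermost for the exit.
    Layer i only says: forward what follows to hops[i + 1]."""
    hops = [name for name, _ in path] + [destination]
    inner = payload.encode()
    for i in range(len(path) - 1, -1, -1):
        _, key = path[i]
        envelope = json.dumps({"next": hops[i + 1], "data": inner.hex()}).encode()
        inner = keystream_xor(key, envelope)
    return inner


def relay_peel(key, onion):
    """What one relay does: strip its own layer, return (next_hop, rest)."""
    envelope = json.loads(keystream_xor(key, onion).decode())
    return envelope["next"], bytes.fromhex(envelope["data"])


def try_peel(key, onion):
    """A relay holding the wrong key gets noise rather than a readable envelope."""
    try:
        return relay_peel(key, onion)
    except (ValueError, KeyError, TypeError):
        return None


def simulate(path, destination, payload):
    """Push the onion through each relay in turn; return what every relay
    learned and the plaintext that finally leaves the exit."""
    onion = build_onion(path, destination, payload)
    views = []
    for name, key in path:
        next_hop, onion = relay_peel(key, onion)
        views.append((name, next_hop))
    return views, onion.decode()


if __name__ == "__main__":
    views, delivered = simulate(PATH, DESTINATION, PAYLOAD)
    for relay, nxt in views:
        print(f"{relay} learned only: forward to {nxt}")
    print("exit emits plaintext:", delivered)
```

The guard sees the client's address and the name of the middle relay, nothing else; the middle relay sees neither the client nor the destination; the exit sees the destination and the cleartext request, which is why a login over a plain HTTP exit is visible to whoever runs that exit.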

There are plenty of hacking groups. The range goes from hacktivists to bored fourteen year olds to organized crime to state sponsored actors. Many of the actors here have been recorded as threats to nation-states and have active arrest warrants out for top members of the groups. Iran Black Hats Team, Ashiyane Digital Security Team, china hacker, and Fatal Error are groups that seem to focus more on website defacements and recognition. Many of the defacements are either simple “fix your security” suggestions or complete political hactavist “change your ways” statements. Either way, it is still damaging to the victim. Team GhostShell is another hacking group that targets governments, companies, and universities. They have leaked millions of records from top universities and the Russian government onto the Internet. The methods of the website defacements range from simple SQL injection to advanced buffer overflows that allow the attacker to take complete control of the server.

There are many websites out there on the regular Internet that monitor or allow hackers to post their conquests. Zone-h is one of these sites. The nice thing about this site is, they keep tabs on what group attacks what sites and how many defacements each group has accomplished. These sites are a third party that manually validates each entry before the posts get listed into the archive. The interesting thing about most of these sites is that they will not post the event until after they […]. The simple fact still rings true… If your domain is published on the site, there is a problem. Your site has been […]. There are other sites out there such as hack-db.com that contains similar information and xssed.com that lists sites verified to be vulnerable to cross site scripting (XSS). Zone-h has been the target of hackers themselves over the years. There are hackers out there that no longer trust the site because of the vulnerabilities they have had in the past.

Zone-h disclaimer: “all the information contained in Zone-H's cybercrime archive were either collected online from public sources or directly notified anonymously to us. Zone-H is neither responsible for the reported computer crimes nor it is directly or indirectly involved with them. You might find some offensive contents in the mirrored defacements. ZoneH didn't produce them so we cannot be responsible for such contents.”

Some of the groups that post here claim to be politically motivated and others are just doing it because they can. Even on the Tor network, there are a few resources available such as HackBB: clsvtzwzdgzkjda7.onion & Rent-a-Hacker: ugh6gtz44ifx23e7.onion.

The cyber-criminal underworld has many facets, but the common thread most of them share is that each caveat or sub-group usually focuses on money. This is a completely different mindset from hactavists or people trying to find out how things work. It is about the money. Let’s dissect some of the sub-groups into basic “Cyber” sections.

- The “Carder” deals with stolen credit card numbers and card replication
- The “Counterfeiter” deals with creating reproductions or falsified documents
- The “Pirate” deals with copyright and intellectual property trade
- The “Bot herder” deals with botnets and Command & Control servers
- The “Extortionist” deals with stealing, hiding, or threatening to release data for a fee
- The “Spook” deals with industrial or state secrets for a fee

The “Carder”
The Carding industry is a multi-million dollar data trade. There are market places that allow people who steal databases or even skim or double swipe cards to sell the data. The more reliable the data, the higher the price the seller can demand. Many of the players in this space will even guarantee a minimum of $1,000 to $5,000 on the card for less than a tenth of the price.

The “Counterfeiter”
The Counterfeiting realm isn’t that prominent, but it is a staple of any black market. For a nominal fee, a person can get an entirely new identity to include a fully functional passport, driver’s license, credit card, proof of car insurance, and possibly even a social security card. This isn’t always for basic identity theft (financial reasons). Some people want a new identification to hide from something, frame someone, or start life “fresh” as a new person or “citizen”.

The “Pirate”
The Pirating community focuses on trading IP. Movies, music, software, and more fall under here.

The “Bot herder”
The Botnet world is an interesting one, but the basics are always the same. That is to compromise as many systems as they can. Most of the bots have a Command & Control server that the herder will connect to, and from there the bots or zombies can be told what to do. There are many uses for a bot net. These distributed systems are used to make money. They can be rented out for DDoS attacks, used for spam email to generate revenue, or for click fraud. Click fraud is when an individual registers for an affiliate click-through marketing program where the affiliate will pay for a certain amount of “clicks” or links followed. The click fraud comes into play when the software imitates the actions of a fake user and automates the click / link following action, thus generating revenue. Cell phones are the newest target of this ever growing threat.

The “Extortionist”
Cyber extortion is similar to the traditional form. Think of the good old mob shows. The criminal goes up to the store owner and “offers protection” for a price. Now from the cyber side… Someone from across the world breaks into your system, encrypts all of your data, and leaves a message on your screen that says “Pay $1,000 and we will give you the password to your data”. A more simple approach I have seen ran a program that stopped other programs from running, then popped up a picture that claimed it was the FBI that locked the computer out for downloading movies. Send $200 to an offshore account as a “fine” and the computer will be unlocked.

The “Spook”
The espionage isn’t just government to government. Sometimes the actors are corporations stealing trade secrets from one another. This is NOT the legal cousin OSINT or Competitive Intelligence (CI). This is a multi-billion dollar industry and can make or break companies or even countries. Much of the US threat from this involves China and Russia considering they are persistent collectors. Nortel Networks was a victim for almost 10 years. The Office of the National Counterintelligence Executive even published a report highlighting the dangers of cyber espionage.

"New York Times hacking: A sign of things to come?"
"Washington Post Joins List of News Media Hacked by the Chinese"
"Nortel hacked: Nortel faced corporate espionage from China-based hackers for more than a decade"
"Evidence of more China-led 'cyber-espionage' against US increases"
"Bank Hacking Was the Work of Iranians, Officials Say"
"BofA, JPMorgan, Citi Repeatedly Hacked by Iran"
"How Iran hacked super-secret CIA stealth drone"
"Defense Secretary Leon Panetta: Iranians hacked oil companies"
"Out in the Wild, Government-Created Stuxnet Virus Now Infecting Corporations"

These headlines are getting more and more common every day. It is a well known fact that countries and even businesses engage in the act of espionage. This activity has been going on for thousands of years and has even earned a chapter in Sun Tzu’s “Art of War”. It has been accepted that it occurs, but the theme from everyone is that no one knows truly how much damage is being caused by the theft of state and corporate secrets. What everyone does agree on is that there are common actors in this space and the damage is great. The shadows have always been throughout the internet. As for the military warriors, the active aggressors are just now starting to make their presence known. 'If you shut down our power grid, maybe we will put a missile down one of your smokestacks.' - unnamed official

The Foreign Economic Collection report released in October 2011 to Congress by the Office of the National Counterintelligence Executive (ONCIX) states:

“Pervasive Threat from Adversaries and Partners
Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.
- Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.
- Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
- Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.”

“Estimates from academic literature on the losses from economic espionage range so widely as to be meaningless—from $2 billion to $400 billion or more a year—reflecting the scarcity of data and the variety of methods used to calculate losses.”

These hackers are not state sponsored, hactavists, or cyber criminals. Unlike other hackers, those engaged in electronic jihad are united by a common strategy and ideology which are still in a process of formation. This is not state sponsored activity; it is an ideology, which makes it far more dangerous. There are several groups in the Middle East region trying to cultivate hackers for ideological reasons. The main targets of course would be Israel and western nations. For example, a Muslim Brotherhood leader was documented as promoting ‘Cyber Jihad’ and restoration of the Caliphate, calling out for people to commit electronic terrorism against the enemies of […], to “encourage young people to undertake electronic […]” “with expertise in this domain to target the websites and information systems of big companies and government agencies”.

“Electronic jihad is a phenomenon whereby mujahideen use the Internet to wage economic and ideological warfare against their enemies.” - jihadwatch

“Some of our youth are extremely clever. I hope that a group of hackers will get together, and will wage resistance over the Internet, targeting Israeli and Zionist sites and destroying them electronically.” - Tareq Al-Suwaidan

In August, 2012, a Saudi Oil firm was hit with malware and 30,000 systems were affected. October 12th, Defense Secretary Leon E. Panetta warned of a “cyber-Pearl Harbor”. The interesting thing about this statement is that we have always been facing such threats since the Internet became an international communication mechanism. If you are on the Net, you are being attacked on a daily basis. There has been an increase in cyber activity from motivated hackers focusing on financial and Industrial Control Systems (ICS). These attacks included website defacement, Denial of Service, and system exploitation.

The following are documents that give you an idea of what some believe:
- How can I Train Myself for Jihad - qx7j2selmom4ioxf.onion/jihad.txt
- The Al Qaeda Manual - qx7j2selmom4ioxf.onion/alquedatraining.html
- Al Qaeda recruitment video - http://bcove.[…]

No matter what side of the debate you are on, Anonymous has made a mark in cyberspace. Whether it is helping the people of Tunisia get word to the rest of the world of the atrocities occurring against the uprising populace or calling attention to cyber legislation (SOPA, PIPA, CISPA, etc…) that would destroy free speech as some see it, the hactavist phenomenon has caused change. Several of their “Operations” have caused websites from corporations like Sony to Federal government organizations like the CIA, FBI, and DOJ to go down. The group uses very simple methods for Distributed Denial of Service, primarily resource starvation, making thousands of legitimate connections for the attack to use up as much of the resource as they can. If you use more than the victim has, the victim then starts to fail.

Other operations have been focusing on the freedom of information, or literally freeing the information from the owners and giving it to the people. Project Mayhem-2012 calls for a program called Tyler (both named after the movie Fight-Club) to “leak it all!” They believe the operation will help fight political and corporate corruption, politics, and general freedom of speech. At this time, there have been over nine thousand (400+) releases.

“Imagine you purchase a USB drive. Imagine you take it to your work place. Imagine you collect evidence of illegality and […]. Imagine we leak it all. Imagine together we expose all lies.”

“Anonymous does not have a membership list, and you can't really 'join' it either. If you identify with or say you are Anonymous, you are Anonymous. No one has the authority to say whether you are Anonymous or not, except for yourself.” – anonnews

There are several groups that claim to be part of Anonymous, but as everyone has seen, each group has its own doctrine or political motives. Some of them are informational while others are very destructive. The messages from Anonymous follow the pattern of freedom from oppression/censorship and yet the actions range from targeting pedophiles to governments. The message of peace is often overshadowed by the actions of cyber violence. There have even been messages sent under the mask of Guy Fawkes with threats of violence and terrorism. Many of these messages have been shot down as fakes such as the original Westboro Baptist Church and the November 5th 2012 government bomb threat. This is beyond the normal actions of “cyber sit-ins” or hactivism. There has been actual retribution from Anonymous over the past year. The week of this update, the “group” hacked the Federal Reserve, compromising over 4000 customer accounts from Banks and defaced several government websites.

This is not a piece to state what side you should be on and does not advocate illegal activity without expectations of jail time. The only thing this section is trying to do is link to news and messages about or from Anonymous over the years. Below are examples of press releases associated with released videos. Both statements are below.
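The resource-starvation method described above, thousands of ordinary-looking connections from a limited set of sources, is also what makes it visible on the victim side: the per-source request rate is far outside anything a browser produces. The following is an added example (not code from the guide) that runs that detection over constructed Apache/nginx combined-format access log lines. The addresses, timestamps and threshold are the example's own; the output is the set of sources worth feeding to a rate limiter or firewall rule.

```python
"""Flag sources whose request rate inside a sliding window looks like a
connection flood. Added example; the log lines are constructed below."""

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_sample_log():
    """Constructed log: 30 hits in 5 s from one address, 5 normal hits spread
    over 48 s from another, and one malformed line the parser must skip."""
    base = datetime(2013, 1, 10, 3, 14, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 6)).strftime(TIME_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /index.php HTTP/1.1" 200 5120')
    for i in range(5):
        ts = (base + timedelta(seconds=12 * i)).strftime(TIME_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /about.html HTTP/1.1" 200 2048')
    lines.append("not a log line at all")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "ts": datetime.strptime(m.group(2), TIME_FMT),
            "request": m.group(3), "status": int(m.group(4))}


def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Map source IP -> peak number of requests seen inside any sliding
    `window`, for sources whose peak reaches `threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in flood_sources(make_sample_log()).items():
        print(f"{ip}: {peak} requests within 10 s")
```

On the constructed log only 203.0.113.7 is flagged, with a peak of 30 requests in the window; the legitimate visitor never exceeds one. A real deployment would tune the window and threshold to the site's normal traffic and would treat many distinct sources each just under the threshold as the distributed case.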

Dear brothers and sisters. Now is the time to open your eyes!

In a stunning move that has civil libertarians stuttering with disbelief, the U.S. Senate has just passed a bill that effectively ends the Bill of Rights in America. The National Defense Authorization Act is being called the most traitorous act ever witnessed in the Senate, and the language of the bill is cleverly designed to make you think it doesn't apply to Americans, but toward the end of the bill, it essentially says it can apply to Americans "if we want it to."

Bill Summary & Status, 112th Congress (2011 - 2012) | S.1867 | Latest Title: National Defense Authorization Act for […]

This bill, passed late last night in a 93-7 vote, declares the entire USA to be a "battleground" upon which U.S. military forces can operate with impunity, overriding Posse Comitatus and granting the military the unchecked power to arrest, detain, interrogate and even assassinate U.S. citizens with impunity. Even WIRED magazine was outraged at this bill, reporting: Senate Wants the Military to Lock You Up Without Trial ... the detention mandate to use indefinite military detention in terrorism cases isn't limited to foreigners. It's confusing, because two different sections of the bill seem to contradict each other, but in the judgment of the University of Texas' Robert Chesney — a nonpartisan authority on military detention — "U.S. citizens are included in the grant of detention authority."

The passage of this law is nothing less than an outright declaration of WAR against the American People by the military-connected power elite. If this is signed into law, it will shred the remaining tenets of the Bill of Rights and unleash upon America a total military dictatorship, complete with secret arrests, secret prisons, unlawful interrogations, indefinite detainment without ever being charged with a crime, the torture of Americans and even the "legitimate assassination" of U.S. citizens right here on American soil! If you have not yet woken up to the reality of the police state we've been warning you about, I hope you realize we are fast running out of time. Once this becomes law, you have no rights whatsoever in America — no due process, no First Amendment speech rights, no right to remain silent, nothing.

The US senate does not want us to speak. Why? Because while the truncheon may be used in lieu of conversation, words will always retain their power. Words offer the means to meaning and for those who will listen, the enunciation of truth. And the truth is, there is something terribly wrong with this country, isn't there? Cruelty and injustice, intolerance and oppression. And where once you had the freedom to object, to think and speak as you saw fit, you now have censors and systems of surveillance coercing your conformity and soliciting your submission. How did this happen? Who's to blame? Well certainly there are those who are more responsible than others, and they will be held accountable. But again, truth be told, if you're looking for the guilty, you need only look into a mirror. I know why you did it. I know you were afraid. Who wouldn't be? War. Terror. Disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense. Fear got the best of you and in your panic, you turned to the now President in command Barack Obama. He promised you order. He promised you peace. And all he demanded in return was your silent, obedient consent.

More than four hundred years ago, a great citizen wished to embed the fifth of November forever in our memory. His hope was to remind the world that fairness, Justice, and freedom are more than words. They are perspectives. So if you've seen nothing, if the crimes of this government remain unknown to you, then I would suggest that you allow the fifth of November to pass unmarked. But if you see what I see, if you feel as I feel, and if you would seek as I seek, then I ask you to stand beside one another, brothers and sisters, me, and all our neighbors and friends, one year from November 5th, outside the gates of every court house of every city DEMANDING our rights!! Together we stand against the injustice of our own Government.

AMERICAN FREEDOM ALERT - CODE RED. REAL REVOLUTION IS HERE. OCCUPATIONS ARE OVER. US SENATE, THE FORMER UNITED STATES GOVERNMENT SHALL BE DESTROYED. The Government has committed TREASON against you! Will you sit and watch while your freedoms are taken away? Or will you walk out your door and fight for your rights? THE CHOICE IS YOURS. THE LATTER IS BEST. Gather an army of people. Flood the streets. If police gives you violence, give them tenfold of that. United as ONE. Divided by zero. We are anonymous. We are Legion. We do not forgive Censorship. We do not forget Oppression. Expect us!!

Music by: Wolfgang Amadeus Mozart - Requiem

In his last official act of business in 2011, President Barack Obama signed the National Defense Authorization Act from his vacation rental in Kailua, Hawaii. In a statement, the president said he did so with reservations about key provisions in the law — including a controversial component that would allow the military to indefinitely detain terror suspects, including American citizens arrested in the United States, without charge. The president defended his action, writing that he signed the act, "chiefly because it authorizes funding for the defense of the United States and its interests abroad, crucial services for service members and their families, and vital national security programs that must be renewed."

Some citizens remain completely confused by the language of the bill, running around the Internet screaming that the law "does not apply to American citizens." This is, naturally, part of the side effect of having such a dumbed-down education system where people can't even parse the English language anymore. If you read the bill and understand what it says, it clearly offers absolutely no protections of U.S. citizens. In fact, it affirms that Americans are subjected to indefinite detainment under "existing authorities." The writers of the bill have managed to fool a lot of everyday people who seem unable to parse language and read plain English with any depth of understanding. That is as much a failure of America's public education system as anything else. I find it astonishing that today's citizens can't even read and understand the grammatical structure of sentences written in plain English. This alone is a highly disturbing subject that must be addressed another day. For now, it's enough just to realize that the NDAA really does apply to you.

While Obama himself probably won't engage in the mass murder of American citizens, have no illusions that a future President will try to use the powers enacted by Obama to carry out such crimes. In signing it, Obama has cemented his place in history as the enabler of government-sponsored mass murder of its own citizens. Hitler, Stalin, Mao and now "Obama the enabler." History does repeat itself after all...

Link to NDAA Bill: http://www.gpo.[…].pdf
Other Link News: http://www.thenewamerican.[…] http://www.naturalnews.[…] http://www.cbsnews.[…]

[…] engaged.

Operation Blackout

Sections Ten thirty one and ten thirty two of the national defense authorization act have been passed and ratified. The collective is calling upon the citizens of the United States to protest against the new sections in the national defense authorization act that were passed a short while ago. This law cannot be changed according to the Feinstein Act. It grants unlimited powers to the executive branch of the government to indefinitely detain suspects, even American citizens, without trial. All a person has to do is to commit a belligerent act.

What is a belligerent act? Is protesting a belligerent act? Is being Anonymous a belligerent act?

This is where we draw the line. The time has come for you to accept the truth and join us in overthrowing yet another corrupt military regime. While we cannot force the American people to protest, we must tell them that this law will strip away any rights they thought they had including, but not limited to, Free speech, Free press, Free access to information, and the right to assemble, and bear arms. The system was built for the 1% not for us. They live because of "we". This must change. This is when we leave our computers. This is when we take out our masks and defy the corrupt rule of law. This is when we revolt. Occupy everything, everywhere. Don't stop the fight, don't stop the protest. This is the beginning, this is the start. So, to the United States government, you should've expected us.

We are Anonymous. We are Legion. We do not Forgive. We do not Forget. We will […]

Since those messages, there have been many threats, many protests, and attacks from both sides of the coin. Anonymous has taken down government sites and members have been arrested. Most members evade arrest or harassment by using anonymity services on the Internet. Some of the ones that have been caught have made a mistake such as connecting to an IRC channel without bouncing through proxies and encryption. Some have been caught when using a VPN service that logs traffic and actively works with Law Enforcement (LE) such as HideMyAss. As we have already discussed, covering your tracks can be easy, but one mistake can make it to where everyone knows your name. A common LE saying is “You have to be lucky every time… I only have to be lucky once.”

“On November 5th 2012 WE THE PEOPLE will march on Washington DC peacefully and unarmed to arrest all members of congress, the president, and all supreme court justices where they will be held without bond until a full independent investigation and trial have been completed. We must re-elect our government within 90 days in order to stave off unrest.”

This did not have the effect some would have thought it would. The scheduled Tyler leaks have come and gone with no real data leaks. If information was captured or stolen, it has not been given to the masses. In fact, threats have been given to the Department of Justice after the suicide of Aaron Swartz. In the aftermath of his death, a petition was completed “calling for the dismissal of Heymann” (the prosecutor). The Whitehouse is now required to respond.

“… Aaron Swartz was persecuted, told that his motive for leaking cannot be taken into consideration, that the Government does not have room for conscience. Now Aaron Swartz is dead. Tonight, the President of the United States will appear before a joint session of Congress to deliver the State of the Union Address and tomorrow he plans to sign an executive order for cyber-security as the House Intelligence committee reintroduces the defeated CISPA act which turns private companies into government informants. He will not be covering the NDAA, an act of outright tyrannical legislation allowing for indefinite detention of citizens completely outside due process and the rule of law. In fact, lawyers for the government have point-blank refused to state whether or not journalists who cover stories or groups the Government disfavors would be subject to this detention. He will not be covering Bradley Manning, 1000 days in detention with no trial for revealing military murders. He will not be covering the secret interpretations of law that allow for warrant-less wiretapping and surveillance of any US citizen without probably [sic] cause of criminal acts, or the use of Catch-22 logic where no-one can complain about being snooped on because the state won’t tell you who they’re snooping on, and if you don’t know you’re being snooped on, you don’t have a right to complain. He will not be covering the extra-judicial and unregulated justifications for targeted killings of citizens by military drones within the borders of America, or the fact that Orwellian newspeak had to be used to make words like “imminent” mean their opposite. We reject the State of the Union. We reject the authority of the President to sign arbitrary orders and bring irresponsible and damaging controls to the Internet…”

The list of high valued targets has just increased for Anonymous and their ilk.


File sharing is perfectly legal. The challenge comes when people start sharing files that someone else owns the copyright to. In the United States, one of the biggest laws that gets used against people that share movies and reverse engineer software is the Digital Millennium Copyright Act (DMCA). Many security researchers have gotten around it by using exemptions for education use. There are exceptions to these exceptions. The U.S. Copyright Office published a document on Oct. 26 2012, specifying that “jailbreaking” a smartphone is deemed legal. The same rules do not apply to tablets or gaming consoles. This goes to show that intelligence does not dictate policies and law, money does. This will cause a little bit of difficulty with those in the digital forensics field. The DMCA is not the end point for security. This is even used several times every year at Defcon/Black hat when security researchers go to give a presentation and the IP owners go to court for a gag order. The other term you will hear over and over again is Intellectual Property (IP) ownership. Two cases previous to this had different ideas.

“Atari Games v. Nintendo: The author does not acquire exclusive rights to a literary work in its entirety. Under the Act, society is free to exploit facts, ideas, processes, or methods of operation in a copyrighted work. To protect processes or methods of operation, a creator must look to patent laws.”

“Sega v. Accolade: the intermediate copying of the object code of a copyrighted computer program as necessary to disassemble the program to view its expression was a fair use under Section 107 of the copyright laws.”

Many of the file sharing sites that you will come across will have access to pirated movies, music, software, and other IP. Most of the sites do not last long due to legal issues. There are several sites that even specialize in Viruses, Worms, Trojans, and other malicious logic. VX Heavens even has the good old “Error 451: Unavailable for legal reasons” displayed. “Viruses don't harm, ignorance does!” - VX Heavens.

Security Research
Some people will leak vulnerability findings from their research or even make fully functional Proof of Concept (also called exploits) and release the information to the public. Some of the sites that deal with information release under the “public disclosure” mentality would be Packet Storm Security and the Exploit Database. Whatever side you are on, these two locations have a plethora of information for both offensive and defensive usage, including source code for fully operational exploits. A lot of the PoC source code is functional and written for Metasploit. Metasploit is a penetration testing framework designed essentially as a point and click application to speed things up and also allow those that are script kiddies to exploit systems. Because of this, anyone that uses Metasploit can now exploit a vulnerability that the program supports.

The history of file sharing has been an ever evolving and bloody one. From BBS systems to news groups to IRC to P2P, the methods have changed, but the mentality has not. One of the more common mediums used at this point is called Bit Torrent. This allows several people to “seed” or share a file while others download bits and pieces of all that are hosting. A person can create a torrent from a file or folder. Once the file is created and hashed to verify integrity of the data, it is then posted to torrent trackers. Some of the sites even force you to make an account and upload the .torrent file manually. Many of the torrent trackers use UDP protocol while others use an HTTP connection. This minimizes the same data flooding the trackers. DO NOT TORRENT OVER TOR! Using P2P applications over Tor will DoS the network.

Violating copyright or IP law is a big deal because the owners of the material, including the MPAA, claim that: “The industries contribute over $15 billion in taxes annually. The U.S. economy loses an estimated $25.6 billion per year, and an estimated 375,000 jobs per year.” On 30 June 2010, US government officials seized several file sharing domains including tvshack.net, owned by Richard O'Dwyer, for "violations of Federal criminal copyright infringement laws". The US risks losing our extradition treaty because of TVShack and this order… In simple terms, do not share material without permission from the IP owner. That is theft and is illegal. Do NOT break the law.

This goes for the vendors and “victims” as well. The owners of the Intellectual Property that has been claimed to be damaged have also caused damages and break the law themselves. The MPAA & RIAA have been accused of breaking the law over the years in the name of anti-piracy. The MPAA allegedly paid an Indian software company to perform a DDoS against The Pirate Bay. The Sony BMG copy protection rootkit scandal is a prime example of illegal activity in the name of anti-piracy while stealing code owned by someone else. They claimed it was a self-defense mechanism to stop theft. Only recently have they felt backlash on another issue with being fined in the UK over their failed security policies which allowed Lulzsec to steal customer data. It is said in the dark corners of the Deepweb that other victims have also become the evil aggressors. Do not break the law…

The Pirate Bay (TPB)

TPB, “World’s most resilient tracking”, is a file sharing site that has lasted many court battles. The documentary “The Pirate Bay – Away From Keyboard” (TPB-AFK) was released at the beginning of February 2013 and can be found for free all over the Internet.* This includes the popular website for which it is named after. The site contains some content that is considered IP theft but some of the links are perfectly legitimate. The file links used to be torrent only, but have recently moved to magnet links to provide less accountability or “traceability” for hosting the .torrent files. TPB has two sites. The first one currently is at www.thepiratebay.se while the second has gone on to the Tor network and resides at jntlesnev5o7zysa.onion. When visiting the site, you can find almost anything you…

* The movie can be seen in the resource section of www.informationwarfarecenter.com
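The torrent and magnet mechanics described on the previous two pages, shown as an added example (this is not code from the guide or from any of the sites it names). It parses and writes bencoded .torrent data, derives the SHA-1 “info hash” that trackers and peers identify content by, and builds the equivalent magnet link; the tracker URL and file name are placeholders constructed for the demonstration.

```python
# Added example: .torrent file -> info hash -> magnet link.
# The torrent bytes below are constructed; tracker and file name are placeholders.
import hashlib
import urllib.parse


def bdecode(data, pos=0):
    """Decode one bencoded value starting at `pos`; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e (byte-string keys)
        d, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            d[key], pos = bdecode(data, pos)
        return d, pos + 1
    colon = data.index(b":", pos)                   # byte string: <length>:<bytes>
    length = int(data[pos:colon])
    start = colon + 1
    return data[start:start + length], start + length


def bencode(value):
    """Encode ints, bytes, lists and dicts; dict keys are sorted as the format requires."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(type(value))


def info_hash(torrent_bytes):
    """SHA-1 of the bencoded `info` dictionary: the content identifier peers and trackers use.
    It depends only on the file layout and piece hashes, not on the tracker URL."""
    meta, _ = bdecode(torrent_bytes)
    return hashlib.sha1(bencode(meta[b"info"])).hexdigest()


def magnet_link(torrent_bytes):
    """Magnet URI carrying the same identifier (xt = exact topic), so no .torrent file is needed."""
    meta, _ = bdecode(torrent_bytes)
    params = {"dn": meta[b"info"][b"name"].decode()}
    if b"announce" in meta:
        params["tr"] = meta[b"announce"].decode()
    return "magnet:?xt=urn:btih:%s&%s" % (info_hash(torrent_bytes), urllib.parse.urlencode(params))


# Constructed sample: a single-file torrent of two 16 KiB pieces with one placeholder tracker.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.invalid/announce",
    b"info": {
        b"name": b"example.iso",
        b"length": 2 * 16384,
        b"piece length": 16384,
        b"pieces": hashlib.sha1(b"piece0").digest() + hashlib.sha1(b"piece1").digest(),
    },
})

if __name__ == "__main__":
    print(info_hash(SAMPLE_TORRENT))
    print(magnet_link(SAMPLE_TORRENT))
```

Because the hash covers only the `info` dictionary, swapping or dropping the tracker leaves the identifier unchanged, which is exactly why a site can publish magnet links instead of hosting .torrent files.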

The EZTV website is another site that allows you to download files using a bit torrent client. The files they specialize in are TV shows only. Some people that use this site will argue that it is NOT IP theft if they already pay for the license to watch the content through their cable or satellite TV. That side of the fight claims it to be “fair use” and the same as using devices like Tivo to record your show for later viewing.

“Section 107 contains a list of the various purposes for which the reproduction of a particular work may be considered fair, such as criticism, comment, news reporting, teaching, scholarship, and research. Section 107 also sets out four factors to be considered in determining whether or not a particular use is fair:
1. The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes
2. The nature of the copyrighted work
3. The amount and substantiality of the portion used in relation to the copyrighted work as a whole
4. The effect of the use upon the potential market for, or value of, the copyrighted work” – FL-102, Reviewed June 2012

The Hactavist group Anonymous released a new evolution of Peer 2 Peer applications called Tyler for their own version of a 'WikiLeaks' project. The name of this program is called Tyler (after the movie Fight Club) and is part of Project Mayhem 2012: Dangerous Idea. “TYLER is a massively distributed and decentralized Wikipedia style p2p cipher-space structure impregnable to censorship” – anonnews. “It will not be deployed on a static server. TYLER will be P2P encrypted software, in which every function of a disclosure platform will be handled and shared by everyone who downloads and deploys the software. It would also obviously be thoroughly decentralized.” In theory, this makes it sort of like BitCoin or other P2P platforms in that there is virtually no way to attack it or shut it down. The funny part is file sharing groups are also taking to this medium for that exact mentality. Spread the wealth and allow everyone access to the data. The video released by Anonymous can be found on the anonnews site.*

* At the end of January 2013 there had been no big news releases about information leaked from it.

The potential issues of Tyler come down to what is leaked. If it is governmental classified information, lives could be lost. Imagine a list of covert operatives active in a foreign country being leaked out. This has happened in the past and many lives were lost. Robert Hanssen is a prime example of this. He was a spy for the USSR working in the FBI and because of the leak, he is now spending life at a Supermax federal prison in Florence, Colorado. If it is economic/industrial, the penalties are almost as severe. Data warehousing and cloud computing are high value targets for such activity. Sometimes the espionage isn’t as covert as some would think. In January 2010, the Chinese Chengdu J-20 stealth fighter jet was speculated by some as having been reverse engineered from the parts of a US F-117 Nighthawk stealth fighter shot down over Serbia in 1999.

Basic forensics

Forensics is the science (and art) of finding residual artifacts that prove or disprove an alleged event occurred. Digital forensics in a nutshell is the method of string searching a data container (forensic image) with a tool that parses that data in a humanly readable format. None of the tools seem to gather exactly the same information. EnCase vs. FTK, XRY vs. Cellebrite, or Wireshark vs. Microsoft Network Analyzer all come up with similar but different answers.

Before you can start a forensic investigation, you need probable cause or a red flag to tell you what to look for. If there is no red flag, you need to know what you are looking for before you start or you will be wasting valuable resources. To put a spin of reality into the mix, it comes down to money, need, time, and other resources. The more data captured means the more likely a false negative (a real threat) will slip by unless you hire more analysts. For as paranoid as I may sound, I know what is out there and how much data can be captured. I capture sensitive data all the time when I am working as a penetration tester or a forensic analyst.

In the United States, there are many laws on the books that protect the citizen against unreasonable search and seizure. Probable cause is needed for law enforcement to move forward with physical security, searches & seizures, and arrests. Then it comes down to what the definition of “is is” is… Or what exactly is deemed “reasonable”. This has changed for some since September 11th and the term “terrorism” has been used as “reasonable”. Many times, these have been proven to be unlawful wiretaps (EFF vs. FBI). This is where jurisdiction becomes a trickster.

An example of a legitimate investigation: an incident response team notices an alert that a system is downloading inappropriate material from the Internet. This is clearly a violation of the security policy that all employees signed and acknowledged (each employee went through training that explained the policy along with annual refresher training). After a quick investigation, it is found that there were tens of thousands of policy violations on the system. The security team, along with Human Resources, walks to the employee’s cubicle and removes the system for a forensic acquisition and analysis. During an interview, the employee admits to the activity and is released from employment. This real world scenario is a common one, but this is where it becomes a blurry line. If this does not occur in a “work at will” state, the employee still may have recourse if the policies were not perfect, not enforced uniformly across the entire organization, or training was not provided.

For example, a manager at a large company does not like one of the employees. There are no allegations of a crime or a policy violation. He asks the security team to investigate the individual’s personal laptop and corporate computer system. The manager then says “Just give the results to me for now”. As for the corporate system, there is scope. As for the personal laptop, the company would need consent of the employee to access it. If the employee does not give consent, any analyst that continues to hack the personal laptop is possibly breaking the law. They may have civil and criminal recourse if their personal system was touched. If their personal laptop was found to have been touched, they could then call law enforcement. Any way you look at it, there are possible harassment charges, hostile work environment complaints, and a stalking case that can be pursued by the victim against the manager, analyst, and company.

Post mortem disk forensics

This is related to after the fact, “the system is shut down” forensics. The probable cause has been tripped, you seize the computer, and make forensically sound copies of the hard drive for further analysis. The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. If you delete a file, there is a possibility of recovering it years later. Some of the information that can be found:
• Browser history
• Email / Webmail
• Documents (PDFs, Office files, spreadsheets, intellectual property, etc.)
• Graphics (pictures, videos, etc.)
• Physical locations (GPS)
• Programs (malware, hacker tools, pirated software, etc.)
• Basically anything to touch your hard drive.

META information is the data in a file just after the header (first few bytes) and before the meat of the file. For example, a lot of graphics have an extra section of META called EXIF. This is usually inserted into pictures taken from a phone or a camera and by some editing applications such as Photoshop. Midrange and higher cameras add serial numbers. Phones with location services can even add the GPS location when the picture was taken. This is prime intel for stalkers and undesirables. This is an example of why one should watch what they post online. Graphics, videos, and a lot of other files have this META data.

Live system forensics

This is related to incident response “live” forensics. The probable cause has been tripped, you go to the system to dump memory, look at processes, and current connections. Memory is extremely volatile; if the system powers down, it can be lost forever. There are a lot of variables in place here. It just depends on what you are looking for, but if a suspect is breaking policy or the law, there is a good chance there may be artifacts of that activity on the system (computer, phone, tablet, game console, etc…). If the person has encryption of data at rest or “disk encryption”, you may have to capture the memory before shutting down the computer or you will not be able to decrypt the hard drive. Almost all of the devices that would be investigated post mortem (computer, phone, tablet, game console, etc…) can also benefit from this as well. Some of the information that can be found:
• Passwords and keys (disk encryption keys, file passwords, etc.)
• Programs (hacker tools, pirated software, etc.)
• Malware (rootkits, trojans, worms, viruses, botnets, etc.)
• Secure browsing (web browsing, chat, email, etc.)
• Basically anything to touch your volatile memory.
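To make the EXIF point above concrete, here is an added example (not code from the guide) that parses the TIFF-structured EXIF block a camera or phone writes and pulls out exactly the fields the text warns about: make, model, body serial number and GPS position. The blob it reads is constructed in the same block with a small writer, and the camera name, serial and coordinates in it are fictitious; inside a real JPEG the same structure sits in the APP1 segment after the “Exif\0\0” marker.

```python
# Added example: minimal EXIF/TIFF reader (little-endian) plus a writer used
# only to build a constructed sample blob.  Camera, serial and position are made up.
import struct

ASCII, LONG, RATIONAL = 2, 4, 5                    # TIFF field types used here
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # bytes per element, by type
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TAG_EXIF_IFD, TAG_GPS_IFD = 0x8769, 0x8825           # pointers to sub-directories
TAG_BODY_SERIAL = 0xA431
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def read_ifd(tiff, offset):
    """Parse one image file directory into {tag: raw_value_bytes}."""
    count, = struct.unpack_from("<H", tiff, offset)
    entries = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from("<HHI", tiff, entry)
        size = TYPE_SIZE[typ] * n
        if size <= 4:                                  # small values live inside the entry
            raw = tiff[entry + 8:entry + 8 + size]
        else:                                          # larger ones are pointed to
            ptr, = struct.unpack_from("<I", tiff, entry + 8)
            raw = tiff[ptr:ptr + size]
        entries[tag] = raw
    return entries


def ascii_value(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def dms_to_decimal(raw, ref):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W reference -> signed decimal degrees."""
    v = struct.unpack("<6I", raw)
    value = v[0] / v[1] + (v[2] / v[3]) / 60 + (v[4] / v[5]) / 3600
    return -value if ref in ("S", "W") else value


def extract_exif(tiff):
    """Return the identifying fields present in an EXIF blob (TIFF header + IFDs)."""
    if tiff[:4] != b"II*\0":
        raise ValueError("only little-endian headers are handled in this example")
    ifd0 = read_ifd(tiff, struct.unpack_from("<I", tiff, 4)[0])
    found = {}
    if TAG_MAKE in ifd0:
        found["make"] = ascii_value(ifd0[TAG_MAKE])
    if TAG_MODEL in ifd0:
        found["model"] = ascii_value(ifd0[TAG_MODEL])
    if TAG_EXIF_IFD in ifd0:
        exif = read_ifd(tiff, struct.unpack("<I", ifd0[TAG_EXIF_IFD])[0])
        if TAG_BODY_SERIAL in exif:
            found["serial"] = ascii_value(exif[TAG_BODY_SERIAL])
    if TAG_GPS_IFD in ifd0:
        gps = read_ifd(tiff, struct.unpack("<I", ifd0[TAG_GPS_IFD])[0])
        if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            found["latitude"] = dms_to_decimal(gps[GPS_LAT], ascii_value(gps[GPS_LAT_REF]))
            found["longitude"] = dms_to_decimal(gps[GPS_LON], ascii_value(gps[GPS_LON_REF]))
    return found


# --- writer side, used only to construct the sample blob ---
def build_ifd(entries, ifd_offset):
    """entries: [(tag, type, count, payload)]; payloads over 4 bytes are stored after the directory."""
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    directory, tail = struct.pack("<H", len(entries)), b""
    for tag, typ, n, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack("<I", data_offset + len(tail))
            tail += payload
        directory += struct.pack("<HHI", tag, typ, n) + field
    return directory + struct.pack("<I", 0) + tail          # next-IFD pointer: none


def rational(num, den):
    return struct.pack("<II", num, den)


def build_sample_exif():
    """Constructed sample: fictitious camera, serial, and 40°26'46.14"N 79°58'56.04"W."""
    make, model, serial = b"ExampleCam\0", b"Model X-1\0", b"SN-0001234\0"
    lat = rational(40, 1) + rational(26, 1) + rational(4614, 100)
    lon = rational(79, 1) + rational(58, 1) + rational(5604, 100)

    def ifd0(exif_off, gps_off):
        return build_ifd([(TAG_MAKE, ASCII, len(make), make),
                          (TAG_MODEL, ASCII, len(model), model),
                          (TAG_EXIF_IFD, LONG, 1, struct.pack("<I", exif_off)),
                          (TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_off))], 8)

    exif_off = 8 + len(ifd0(0, 0))          # IFD0 size does not depend on the pointer values
    exif_ifd = build_ifd([(TAG_BODY_SERIAL, ASCII, len(serial), serial)], exif_off)
    gps_off = exif_off + len(exif_ifd)
    gps_ifd = build_ifd([(GPS_LAT_REF, ASCII, 2, b"N\0"), (GPS_LAT, RATIONAL, 3, lat),
                         (GPS_LON_REF, ASCII, 2, b"W\0"), (GPS_LON, RATIONAL, 3, lon)], gps_off)
    return b"II*\0" + struct.pack("<I", 8) + ifd0(exif_off, gps_off) + exif_ifd + gps_ifd


if __name__ == "__main__":
    print(extract_exif(build_sample_exif()))
```

Running it on the constructed blob recovers the make, model, serial and a decimal latitude/longitude; the same reader applied to a photo before it is posted shows what a stranger would learn from it.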

Network forensics

To break it down, data is data… If a suspect downloads illegal pictures or movies, that data is broken up into smaller pieces and transferred to the system. It is then rebuilt for the user to access. If you were to record the network traffic, every file transferred would be able to be rebuilt on any other system. If you are lucky enough to have full packet capture on your network, you can rebuild everything. It is very expensive. Imagine a network of twenty systems each downloading ten gigs in one day. The normal noise of the network along with the download sessions would be well over two hundred gigs. That would then have to be stored for analysis, which is where the cost comes in. That is why most people usually do not log everything. They only log the red flag events, as mentioned before, known bad IP addresses, etc… The simple reality is, most organizations do not want to spend the resources.

Let’s use an example. John Doe downloaded a .PDF file containing classified information to his personal laptop at a hotel. He had the need to know, but forgot to use an encrypted connection or VPN. The traffic was being monitored through “deep packet inspection” or “packet sniffing” and saved to a file. Later the person that captured the transmission ran a simple program called “Networkminer” and carved out the .PDF with very little effort. Later the classified document was leaked to the press and John Doe gets blamed for the leak since there was a unique identifier in the META section of the file that connected to his user id. This scenario above is very realistic and happens all the time.

Most public services offer unencrypted and unsecured wireless access. This means that any fourteen year old can read your email as you are downloading it if you are not using encryption. Even if you are using encryption like SSL, programs such as “Dsniff” and “Cain” can start a man-in-the-middle attack and spoof the SSL certificate. This would cause the average user to assume that they are safe when in fact, every SSL packet they send is going through an attacker’s system and is unencrypted before being forwarded on. If you EVER get an SSL certificate error when going to a website, call and report it to security, especially if you are using a smart card. There are ONLY two things that cause this… The first is a bad guy is hacking your connection. The second is the system administrators are not doing their job and need to fix their mistake (It is usually the second)…

Network forensics also covers viewing logs from network devices such as routers, firewalls, intrusion detection systems, systems, etc… Each computer has a hardware fingerprint (MAC address) and an Internet fingerprint (IP address). These can be traced back in several ways to the owner. The website arin.net, or the American Registry for Internet Numbers, is a good place to start. Some of the information that can be found:
• Passwords and keys (email, bank accounts, etc.)
• Files downloaded (hacker tools, pirated software, etc.)
• Internet activity (web browsing, chat, email, etc.)
• Cyber-attacks (denial of services, SQL injections, buffer overflows, etc.)
• Malware (rootkits, trojans, worms, viruses, botnets, etc.)
• Basically anything to touch your network.
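The John Doe scenario, rebuilt in code as an added example (this is not the guide’s code and not NetworkMiner’s): captured TCP segments are put back in order into a byte stream, the PDF is carved out of it by its start and end markers, and the document’s own metadata is read from the carved copy. The “capture” is constructed inline, with the segments deliberately out of order and one of them retransmitted, as they would be in a real trace; the document, user name and producer string are made up.

```python
# Added example: rebuild a transferred file from captured packets.
# CAPTURE, RESPONSE and DOC are constructed for this demonstration.
import re


def reassemble(segments):
    """Order (seq, payload) segments and concatenate contiguous bytes.
    Retransmitted or overlapping data is dropped; a gap stops reassembly."""
    stream, expected = b"", None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq + len(payload) <= expected:    # already have every byte of this segment
            continue
        if seq > expected:                    # missing segment: return what is contiguous
            break
        payload = payload[expected - seq:]    # trim any overlap with data already kept
        stream += payload
        expected += len(payload)
    return stream


PDF_START, PDF_END = b"%PDF-", b"%%EOF"


def carve_pdfs(stream):
    """Return every %PDF- ... %%EOF blob in the reassembled stream, in order."""
    found, pos = [], 0
    while True:
        start = stream.find(PDF_START, pos)
        if start < 0:
            break
        end = stream.find(PDF_END, start)
        if end < 0:
            break
        end += len(PDF_END)
        found.append(stream[start:end])
        pos = end
    return found


def pdf_info(blob):
    """Read /Author and /Producer strings from a carved document's Info dictionary."""
    info = {}
    for key in (b"Author", b"Producer"):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", blob)
        if m:
            info[key.decode()] = m.group(1).decode("latin-1")
    return info


# Constructed HTTP response carrying a tiny PDF whose metadata names its author.
DOC = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
       b"2 0 obj << /Author (jdoe) /Producer (ExampleWriter 1.0) >> endobj\n"
       b"trailer << /Info 2 0 R >>\n%%EOF")
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n" + DOC


def segment(data, size, first_seq):
    """Split a byte string into (seq, payload) pieces the way TCP would carry it."""
    return [(first_seq + i, data[i:i + size]) for i in range(0, len(data), size)]


CAPTURE = segment(RESPONSE, 40, 1000)
CAPTURE = CAPTURE[::-1] + [CAPTURE[2]]        # arrived out of order, one piece retransmitted


def recover(capture=CAPTURE):
    """Stream -> carved documents -> (size, metadata) for each."""
    return [(len(doc), pdf_info(doc)) for doc in carve_pdfs(reassemble(capture))]


if __name__ == "__main__":
    for size, info in recover():
        print(size, info)
```

The carved bytes are identical to the file the user received, so anything embedded in it, here the /Author field, travels with it; an encrypted connection or VPN, as the text says, is what keeps the stream from being readable in the first place.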

Intellectual Property forensics

Sometimes the easiest way to find out who is sharing your data is to download your data from them and look at the remote MAC and IP addresses. Find out who owns it, then get a court order for the owner of the IP address to give the information for the user associated with it at that time frame. This is where jurisdiction issues become a nightmare. Be careful of trying to attack the attackers because most of your targets will probably be victims. This is also why the bad guys are using someone else’s Internet access or using proxy and VPN services. Methods used in the past by Intellectual Property owners that have been illegal themselves include the rootkit that Sony distributed and loose keyword searches used to automatically trigger lawsuit threats used by the music industry.

Hidden service forensics

We are going to take a look at the Internet underground from the other side of the coin. As you have read throughout this document, everything is encrypted in layers through the Tor network. You will not be able to see the raw traffic unless you control the layers. If your organization has enough resources, you can set up a large amount of Tor onion routers to act as both “exit relays” and “non-exit relays”. What this means is that some of the routers can be set up as the original entry/exit points to the Tor network. The others will be encryption/decryption pass through gateways inside the Tor network. After the routers are set up, it will take time and a lot of data analysis. The entry points can glean the origination or source of the person using the client or hidden service. From the non-exit relays, the biggest challenge is getting the traffic to go through your systems so you can capture the data. This is where the numbers game comes in along with a boatload of patience.

Anti-Forensics

In the end, anti-forensics is nothing more than trying to make it harder for the analyst. Some will make it almost impossible for evidence to be found. In networking, everything leaves a footprint or a digital fingerprint, even when the information goes through networks like Tor. There are many anti-forensic methods. Methods used individually or in combination to hide or destroy evidence:
• Editing timestamps
• Editing logs
• Overwriting data or drive wiping
• Encryption of data, disk, or network traffic
• Spoofing physical MAC address
• Internet theft (using someone else’s Internet)
• Bouncing through anonymizers (NAT, proxy, SSL, or VPN servers)
• Using live Linux CDs
• Air Gap (bouncing protocols or communication mediums)
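The first item in the list above, edited timestamps, from the analyst’s side, as an added example (not from the guide). On NTFS every file carries two sets of timestamps: the $STANDARD_INFORMATION set that directory listings show, and the $FILE_NAME set the file system writes itself. Tools that rewrite the visible set usually leave the second one alone and tend to write whole-second values, so the checks below flag a creation time that predates the $FILE_NAME creation time, and $STANDARD_INFORMATION stamps with no sub-second part while $FILE_NAME still has one. The MFT records, paths and times are constructed; the rules are indicators for a closer look, not proof.

```python
# Added example: flag NTFS records whose timestamps look rewritten.
# SAMPLE_RECORDS is constructed; no real system or case data is used.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    path: str
    si_created: datetime      # $STANDARD_INFORMATION: what users and most tools see
    si_modified: datetime
    fn_created: datetime      # $FILE_NAME: set by the file system on create/rename
    fn_modified: datetime


def timestomp_indicators(rec):
    """Return the reasons a record looks tampered with (empty list = nothing unusual)."""
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation time predates $FN creation time")
    si_whole_seconds = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_has_fraction = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_whole_seconds and fn_has_fraction:
        reasons.append("$SI stamps are whole seconds while $FN keeps sub-second precision")
    return reasons


def suspicious_records(records):
    """Map path -> indicator list for every record that triggers at least one check."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


T = datetime.fromisoformat

SAMPLE_RECORDS = [
    # ordinary file: both attribute sets agree
    MftRecord(r"C:\Users\jdoe\report.docx",
              T("2013-06-01T09:00:00.123456"), T("2013-06-01T09:05:00.654321"),
              T("2013-06-01T09:00:00.123456"), T("2013-06-01T09:05:00.654321")),
    # file copied onto the box: old modified time is kept, creation times still agree
    MftRecord(r"C:\Users\jdoe\old-notes.txt",
              T("2013-06-10T12:00:00.111111"), T("2012-03-03T08:00:00.222222"),
              T("2013-06-10T12:00:00.111111"), T("2013-06-10T12:00:00.111111")),
    # backdated tool: visible stamps pushed to 2010 on the second, $FN shows the real creation
    MftRecord(r"C:\Windows\Temp\svc.exe",
              T("2010-01-01T00:00:00"), T("2010-01-01T00:00:00"),
              T("2013-06-20T22:41:07.900012"), T("2013-06-20T22:41:07.900012")),
]

if __name__ == "__main__":
    for path, reasons in suspicious_records(SAMPLE_RECORDS).items():
        print(path, reasons)
```

The copied file is the deliberate non-case: its modified time is older than its creation time, which looks odd but is normal for a copy, and neither rule fires on it.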

Now we will tie many of our previous examples together and add a small twist. We are going to apply this to the Internet underground while making it almost impossible for anyone monitoring you to conduct a proper investigation. An easy way to communicate covertly with someone you already know is to set up an email account. Then share the account with the others in the group. There are of course several factors to consider, the biggest being how to connect to the Internet (wireless, cell, phone line, etc…). Your connection speed is only as fast as your bottleneck (slowest segment). The more hops or connections you go through, the slower your connection will be.

Steps to follow
• Use a live custom Linux CD
• Change the MAC address
• Connect to the Internet
• Connect to a VPN service
• Route through a proxy with an AES 256 bit tunneling client
• Connect to Tor
• Set up a TorMail account
• Share the username and password with those you want to correspond with
• Only use the email account to write messages and then save them as a draft
• Only use the live Linux session to use the email

The steps above can be automated through the use of scripts so anyone can use it. For example, if your organization was a news agency that had journalists on the ground in a hostile region, most of the reporters will not have advanced computer knowledge, but could carry around a business card CD or thumb drive. You could have someone customize a Linux distribution to spoof the MAC address, connect through all of the encryption tunnels, and start a browser in a “safe browsing” session. All they would have to do is insert what they have in a computer and boot it up.

This document has covered several aspects of the Internet Underground including the Who, What, When, Where, How, and Why. Knowing the basics of the Internet (Surfaceweb, Deepweb, and Darknet) gives a solid baseline for securing your position. It helps with investigations against such communications if crimes have been involved and it also gives you the framework to use these same methods yourself for secured communications. Using encryption is not illegal yet and it is ALWAYS a good idea when used in moderation. You never know who is watching. It could be your employer, your government, or your government’s enemies. “Big Brother” may just be a bored fourteen year old running the newest version of Backtrack.

Resources

Resource Name (Location, where it survives in this copy)
• 4Chan (4chan.org)
• Anonymous News (anonnews.org)
• Anonymous Operations
• I2P Project
• Information Warfare Center (informationwarfarecenter.com)
• Infosec Instructor
• Infragard
• ISSA (issa.org)
• Packet Storm Security
• Silk Road (.onion)
• The Library of Congress (.gov)
• The Pirate Bay
• The Tor Project (torproject.org)
• Torrent Freak
• Black Market Reloaded (.onion)
• Copyright Office
• Cornell Law
• Exploit Database
• EzTV
• Hack-DB
• U.S. Copyright Office
• Xssed (xssed.com)
• Zone-h

About the Author

Jeremy Martin is a Senior Security Researcher that has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and Federal Government agencies. He has received numerous awards for service. As a published author he has spoken at security conferences around the world. He has been teaching Advanced Ethical Hacking, Computer Forensics, Data Recovery, SCADA/ICS security, Security Management, and more since 2003. Current research projects include SCADA security, vulnerability analysis, threat profiling, exploit automation, anti-forensics, and reverse engineering malware. In a past life, he was also a freelance artist.

Credentials: CISSP-ISSAP/ISSMP, CISM, CEI, CHFI/CEH/CNDA/ECSA/LPT, CPT/CEPT/CCFE/CDRP/CASS/CSSA/CREA, NSA-IAM/IEM, A+/Net+/Security+/Linux+, Novell CLA, LPIC-I, CDCS, ACSA, etc…
Board of Directors for Infragard, Denver Chapter (2006-2009)
CHS officer of American College of Forensic Examiners Int’l (2005-2008)
Advisory Board for the Business Espionage Controls and Countermeasures Association
Published work used in post graduate courseware. Also contributing editor for Blacklisted 411, EthicalHacker.net, Hackin9, IQ Magazine, Successful Dealer, Engine Builder, and The Business Espionage Report (TBER).

Editors: Amy Martin, Todd Adams, Andy Alford

Copyright © 2013 Information Warfare Center, LLC. All rights reserved.
