gAtO's thoughts: Anonymity serves different interests for different user groups. To a private citizen it’s privacy, to a business it’s a network security issue.
A business needs to protect trade secrets or have IPs (knowledge base data-centers) communicate with vendors securely, and we all know that business needs to keep an eye on their competition.
The competition can check your stats (http://www.alexa.com/siteinfo/uscyberlabs.com) and see on how your business is doing, what keywords you're using, demographics of users hitting your site, etc...
By the way in the Tor-.onion network, a web site/service cannot be monitored unless you want it to be…
How would a government use a ToR-network I’m asked all the time...
If I were an (agent/business/person) state actor doing business in China (and other countries too), well I would use a ToR-.onion connection to keep my business private from a government that is known to snoop a bit on travelers to their country.
The fact is governments need anonymity for their security - think about it: “What does the CIA Google for?” Maybe they use ToR??? But this is about Hidden services, right?
What is a hidden service in ToR-.onion network?
Simply put, it’s a web site/service, a place in the ToR network, were we have services like:
Search Engine
Directories
web / pop3 email
PM Private Messages
Drop Box’s
Re-mailers
Bulletin Boards BBS
Image Boards
Currency exchange
Blog
E-Commerce
Social Networks
Micro-Blogs
Now how do I keep my IP secret and let you use my services? On the normal web, if you’re at uscyberlabs.com you're on my site - my server - so you can do a WhoIs and get my IP and geolocation - then you can attack my website with DDoS and other IP attack vectors, you also get my location so you can physically find me - my server, my website – and maybe go dumpster diving in the trash and get my company secrets - mAyBe sI – nO.
Well, in the ToR-.onion network you the client ask the business website if you can use the website's services, then decide and start a handshake at a rendezvous POINT to meet - we meet at an OR (onion relay) - a rendezvous POINT not at my server/my IP — so you're never ever on the business site/server when you’re in OnionLand, and you can’t do a WhoIs and get my IP because we met at an OR, and you cannot find my geo-location…..
We have heard of Iranian and Syrian rebels being killed in the news. When an Iranian rebel is fighting for his and his family’s life if they (the government) find his IP or the IP of the website he visited they will hunt that person down and the Iranian police/government may kill the whole family. So keeping an IP from someone is not an evil act, it is an act of privacy for safety on both sides the of client and the business.
Now let’s focus on R2 OR the yellow key. That’s the spot where you (your company’s hidden website) and your client meet — I know it’s a sneaky way of doing business, but once again if they can’t get to your IP at least that is one attack vector that can’t be used to hack you or DDoS you. OK they can still hack you but it’s via software then.
How it’s all done – the magic - the technical thingy to this is below - this is just an outline of events of the client /hidden web/service protocol:
(click image to enlarge)
It goes something like this:
ESTABLISH RENDEZVOUS cell
INTRODUCE1
INTRODUCE2 cell
INTRODUCE ACK cell.
INTRODUCE2 cell
RENDEZVOUS1 cell
sends a RENDEZVOUS2 cell Chat
sends a RENDEZVOUS2 cell Blog
RENDEZVOUS ESTABLISHED cell
1. Jun 03 20:50:02.100 [notice] Tor 0.2.1.0-alpha-dev (r14739) opening new log file.
2. Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.
3. Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.
4. Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm
5. Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm
6. Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 (“Service descriptor stored”))
People ask me how can these hidden services can be attacked?
Its all the same as in the surface web - you find the software the hidden service is using (let’s say Wordpress or FlatPress) and if they use an old version with vulnerabilities then that site can be hacked by traditional attack vectors.
gAtO can’t wait till USCyberLabs.com will have a sandbox in the .onion were we can have a honeypot for people to hack and learn from (we need funding for these projects)
gAtO has not tried Backtrack 5 on ToR-.onion network – mAyBe sI -nO – uscyberlabs.com has been hacked a few times already and is consistently fighting bot’s and spammers, and so it goes everywhere...
Here are some technologies used in the ToR-.onion network:
TorStatusNet – http://lotjbov3gzzf23hc.onion/ is a microblogging service. It runs the StatusNet microblogging software, version 0.9.9, available under the GNU Affero General Public License.
FlatPress is a blogging engine like -Wordpress blog http://flatpress.org/home/ – http://utup22qsb6ebeejs.onion/ -
Snapp BBS works fine in OnionLand - http://4eiruntyxxbgfv7o.onion/ -
PHP BBS – http://65bgvta7yos3sce5.onion/
Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. – http://ay5kwknh6znfmcbb.onion/torbook/
Now a word to the wise - in the ToR-.onion network you have some very tech savvy people and some are very stupid, so be a critical cyber user alway.
gAtO oUt...
Cross-posted from US Cyber Labs
Copyright 2010 Respective Author at Infosec Island
No comments:
Post a Comment