The Deep Dark Web
What is the Dark Web used for; how does it work; how can it be countered? 5-minute analysis.
Beneath the surface of the web, technology is being used to do harm.
The Dark Web contains content, market-places and services that enable anti-social behaviour, threats to national security, and extreme depravity.
It directly and indirectly affects us all.
There is a 1 in 3 chance that you have been DOXed – ie your personal details have been stolen and are stored in the Dark Web(1).
Cybercrime is a $1.5 Trillion a year industry(2).
What is the Dark Web?
The ‘Surface Web’ is where public content is made visible for everyone.
Anything on the web that is not public or visible is considered “Deep Web”.
The Dark Web is a small but significant part of the Deep Web.
Hyperion Gray, a research company, counted, mapped and clustered 6,608 dark web sites in January 2018(3),(4).
What is the Dark Web used for?
- Selling drugs.
- Credit card fraud.
- Feeding hatred with conspiracy theories, doctored imagery and dis-information.
- Weapons.
- Assassination.
- 80% of Dark Web traffic is to child abuse sites(5).
“Black Market” traders can earn $500k a day.
The goal for many Dark Web criminals is to own an “Exit Node”.
Exit Nodes host the services that enable buyers and sellers to exchange money.
How does the Dark Web work?
Most of the Dark Web requires access through ‘Tor’ — free software for enabling anonymous communication.
Tor is used to disguise a real IP address.
Tor is legally used by journalists, sources, bloggers, and dissidents to ensure privacy and safety.
But Tor is exploited extensively by criminals and states.
Tor – “The Onion Router” – uses multiple routers to connect a client browser with an Exit Node.
Instead of sending a packet directly to the destination Exit Node, Tor chooses an indirect route.
The first node only sees who is sending the packet, and sends it to the second node.
The second node only sees that the packet came from the first, and sends it to the third node.
The third node sees it came from the second node and sends it to the Exit Node.
Tor is slow, and there are other technologies emerging such as I2P and Freenet.
Other widely used technologies on the Dark Web include Blockchain for Bitcoin transactions.
What can be done about it?
Traffic analysis can help trace activities.
If a node is creating a lot of traffic made of same sized packets (512 bytes), it’s probably Tor(1).
Networks can be protected by AI & Bio-based systems like Dark Trace.
Detection is often about understanding motivation, and then finding patterns of behaviour that fit. The arrest of “Dread Pirate Roberts”, founder of Silk Road makes a very interesting case study.
What can you do?
If you have responsibility for a network –
- Block TCP/8333
- Block self generated SSL certificates
- Block multihopping
- Block ports (e.g. 443)
- Use http://badips.com to find, report and block bad IPs
As a web citizen –
- Stay well away from the Dark Web
- Use anti-virus
- Report crime anonymously https://crimestoppers-uk.org/give-information
References
1Professor Claudio Chille, BSC presentation, 10th January 2019
2https://www.experian.com/blogs/ask-experian/cybercrime-the-1-5-trillion-problem/
3https://www.forbes.com/sites/thomasbrewster/2018/03/13/dark-web-map-6000-webpages/#72426ca218e7
4https://www.hyperiongray.com/dark-web-map/
5https://www.theguardian.com/technology/2014/dec/31/dark-web-traffic-child-abuse-sites
Useful sources
Infosec Institute
https://resources.infosecinstitute.com/
http://www.bbc.co.uk/guides/z9j6nbk
https://www.blackhat.com/docs/eu-15/materials/eu-15-Balduzzi-Cybercrmine-In-The-Deep-Web.pdf (warning – contains disturbing content and dangerous links)