Earlier in November, Europol, the FBI and the Department of Homeland Security coordinated a global sting against the “Dark Web” drug trade.
Codenamed “Operation Onymous,” the international legal effort arrested 17 people and shut down a number of drug and contraband Internet underground websites, including Topix, Cloud 9, Black Market and the infamous Silk Road 2.0.
In all, the operation seized more than 400 websites with the “.onion” domain, which belongs to the anonymity service Tor that grants users access to public networks without requiring the forfeiture of their privacy.
How the domains were found currently remains a mystery—a degree of uncertainty that has many Tor users worried about the security of the service’s anonymity shield.
To understand the full implications of this takedown, a little background on Tor is helpful.
An Onion Surfs the Web
Tor, otherwise known as “The Onion Routing” program, was a project originally designed by the U.S. Naval Research Laboratory. Its intention was to protect governmental communications by safeguarding interlocutors’ identity.
Today, Tor has expanded into the private sector. All kinds of users, from cyber drug lords to journalists and dissidents who wish to conceal their online activities from repressive governments, allegedly employ the anonymizing service.
Put simply, onion routing encrypts users’ data that is sent through the web in multiple layers, thereby mimicking the layers of an onion, and transmits user traffic through several different computers.
The service’s functionality depends on a unique infrastructure of middle relays, bridges and end relays. Any user can supply a middle router from the comfort of their own home and not fear retaliation from law enforcement. Bridges go a level deeper, acting as private relays that are protected from those who wish to block users’ IP addresses.
End relays, by contrast, are the final relays in a chain of connections and, as such, are often targeted by law enforcement and copyright holders.
Operation Onymous: The Dark Side of Tor
Many have celebrated Tor for its Browser Bundle package, which does not require users to download any software, and for its multi-language interface.
Additionally, human rights advocates approve of the service because of its roundabout accessibility in states that censor the web. If network firewalls block users from accessing Tor’s website, even in states like China and Iran, users can send a message to a particular email address, from which a reply message will be sent to them with installation instructions.
These benefits to users notwithstanding, Operation Onymous has revealed that Tor – once thought to be impenetrable – can successfully be infiltrated by government agencies.
To some, including Craig Young, a security researcher at Tripwire, this does not come as much of a surprise:
“The FBI has generally demonstrated in recent years that they can and will go after cybercriminals operating in the relative anonymity of the TOR network. Although the legality of some of the law enforcement tools has been called into question at times, there is no denying the effectiveness with which US law enforcement has been able to identify and shutdown illegal services provided over the dark web.”
Meanwhile, others, including those who help run the Tor Project, are still trying to figure out how law enforcement agencies located and took control of so many hidden services.
In a letter posted to users, the editors of the Tor blog propose a number of possible attack vectors that may have been used in the takedown, such as operational security shortcomings on the part of the affected websites, SQLi attack and Bitcoin deanonymization.
Regardless of the method of exploit, the fact that the international community broke into Tor is, in a larger sense, a testament to the dangers of the service’s growing popularity.
“Until recently, Tor was mainly utilized by the technically savvy and security communities,” said Valerie Thomas, Principal Consultant at Securicon. “Now that Tor is widely known, it has caught the attention of several organizations and federal agencies.”
The level of anonymity afforded by Tor, when exercised in a networked society, constitutes an unacceptable threat to those charged with defending national security. This explains why the NSA has a surveillance program called X-Keyscore that collects information on people who have used or been invited to install anonymizing services, such as Tor.
But many users are unaware of these risks to their anonymity and privacy, with most assuming that their use of Tor’s services is enough to protect them online.
According to Chris Czub, Security Research Engineer at Duo Security, that’s just not the case. “The major issue with Tor is that it can’t protect people from operational security or software error,” he explains. “This makes lay-users feel a sense of security and privacy that isn’t necessarily justified.”
The insecurities of Tor are perhaps best evident in our fluid understanding of the “Dark Web,” as John Walker, CTO of Cytelligence, suggests:
“When we use the tagline ‘Dark Web,’ we need to take care that we are not placing our subject in a box that limits its characterization to either this or that. . . .We can conceive of the Dark Web as anything from a closed environment that uses dynamic URL to share information system-to-system with the support of securely encapsulated lines, to a full blown space residing in a public cloud, to an environment of an unwitting company that has allowed unauthorised and illicit hosting to occur.”
These variable manifestations of the Dark Web mean that the same issues that plague the regular web are still issues for Tor. If attackers were to compromise a web app hosted on a Tor service, Czub explains, this could potentially lead to a breach in user data and perhaps even deanonymization.
With this in mind, Tor comes down to the issue of trust and whether users feel their privacy and anonymity are safe in the hands of others.
The Future of Onion Routing
Operation Onymous, in the words of Young, “is a great example of how 20th century law enforcement tactics and undercover operations are still viable in the 21st century.”
Undoubtedly, the international community’s seizure of 400 hidden websites has rocked Tor users and advocates of web anonymity.
Even so, that doesn’t mean Tor is out for the count. In fact, those who maintain the Tor Project can learn from this experience to make its networks stronger and more secure.
As the service is open-source, one recommendation is to periodically host bug bounty competitions. Lamar Bailey, Director of Security Research and Development for Tripwire, is a strong proponent of this idea:
“It’s obvious from the recent takedowns that TOR users are very aware they’re targets for law enforcement. Starting a bug bounty program is an interesting counter measure. If issues can be fixed before they are exploited by law enforcement, it will help keep their users’ privacy more secure.”
Another option is for Tor to continue to partner with popular websites, such as Facebook, to make it easier for users to access the sites they love. This could lead to more users installing Tor, which would translate into additional bridges and relays, thereby making the service more secure for all.
Ultimately, it is the role of Tor’s users and admins to learn from Operation Onymous. As noted by Claus Houmann Cramon, an information security curator and librarian, “There shouldn’t be any need to be an OPSEC expert to be able to have a reasonable expectation of security and privacy online. We as information security experts need to build our devices and software securely by default. Once we have, we need to enforce this to prevent future attacks.”
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image header courtesy of ShutterStock.com.