Several recent cybercriminal busts have brought The Onion Router (TOR) network, and the “dark Internet” that it protects, out of the shadows and into the spotlight. Tor, which gets its name from the multilayered way in which it processes traffic to disguise user identity, is essentially an anonymity service for privacy-minded Web users. For now, its scope is limited. In mid-August 2013, it had approximately 500,000 users, prior to its takeover by a botnet that temporarily spiked the number to almost 3 million.
That infection, although subsequently resolved, revealed how Tor could be used for ill purposes with ramifications that extend far beyond its core user base. The malware’s architects specifically targeted Tor because of the network’s ability to disguise Web traffic and make it difficult for cybersecurity professionals to identify threats.
Moreover, Tor has evolved from a fringe privacy tool into a powerful asset for would-be attackers. The recent FBI raid on Silk Road, a furtive Tor-protected online marketplace for assassins and controlled substances, stands as the most prominent example of Tor’s power to cause headaches for both the cybersecurity and traditional law enforcement communities.
Amid this criminal activity that uses Tor for cover, it may be necessary for security professionals to devote more resources to monitoring the dark Internet. Agencies like the FBI may have already rooted out some of the parties associated with Silk Road.
However, any attempt to clamp down on anonymous cybercrime must be carefully executed, so as to avoid infringement upon the privacy of individuals using Tor for legitimate purposes. This is the key challenge of addressing crime on the dark Internet, and it will require new thinking about what technologies and tactics are ethical in unusual contexts like Tor.
How Tor keeps users – and cybercrime – anonymous
Thanks to its technologically savvy clientele and contributors, Tor is a sophisticated service that effectively makes its users invisible online. The Tor Project’s official page explained that development began in the U.S. Naval Research Laboratory and was intended to create an elaborate mechanism for securing government communications.
Since that time, it has gained popularity among civil liberties activists and political dissidents seeking anonymity, not to mention businesses wanting security from eavesdroppers and location-based attacks. When someone uses Tor, the service relays computer messages through a long series of encrypted virtual tunnels.
By creating a complex traffic path, Tor makes it difficult if not impossible for anyone to pinpoint a user’s location. Unlike normal Web traffic, Tor traffic does not feature a direct path between the user’s computer and a specific server, and no single Tor point knows the complete path that any message took.
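The layering the two paragraphs above describe can be shown in a few lines. The following is an added illustration, not code from the Tor Project: a client wraps a message in one encryption layer per relay, and each relay strips only its own layer, learning the next hop and an opaque blob but never the whole path. The per-relay keys are constructed here and shared up front; real Tor negotiates them hop by hop with Diffie-Hellman over TLS and encrypts with AES, which this sketch replaces with a SHA-256 counter-mode keystream so it runs on the standard library alone.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Toy model of onion routing (added illustration, not Tor's code). Each relay
# holds a symmetric key shared with the client. The nonce is fixed per circuit;
# since every hop uses a different key, the keystreams never repeat.
NONCE = b"circuit-0001"  # constructed value

# Constructed circuit: a guard, a middle relay and an exit, each with its own key.
CIRCUIT = [
    ("guard", hashlib.sha256(b"constructed-key-guard").digest()),
    ("middle", hashlib.sha256(b"constructed-key-middle").digest()),
    ("exit", hashlib.sha256(b"constructed-key-exit").digest()),
]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (encrypt == decrypt)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(message: bytes, circuit: List[Tuple[str, bytes]], destination: str) -> bytes:
    """Wrap the message in one layer per relay, innermost layer for the exit.

    Each layer is a JSON header {"next": <hop>, "payload": <hex>} encrypted
    under that relay's key, so a relay can read only its own header.
    """
    next_hop, blob = destination, message
    for relay_name, key in reversed(circuit):  # exit first, guard last
        header = json.dumps({"next": next_hop, "payload": blob.hex()}).encode()
        blob = keystream_xor(key, NONCE, header)
        next_hop = relay_name
    return blob  # the client hands this to the guard


def peel(blob: bytes, key: bytes) -> Tuple[str, bytes]:
    """What a relay does: strip its own layer and return (next hop, remainder)."""
    header = json.loads(keystream_xor(key, NONCE, blob))
    return header["next"], bytes.fromhex(header["payload"])


def relay_can_read(blob: bytes, key: bytes) -> bool:
    """True only if this key strips the outermost layer of the blob."""
    try:
        peel(blob, key)
        return True
    except (ValueError, KeyError, TypeError):  # wrong key yields garbage, not JSON
        return False


def run_circuit(message: bytes, circuit, destination: str) -> Tuple[bytes, List[Dict[str, str]]]:
    """Drive the onion through the circuit, recording what each relay learned."""
    blob = build_onion(message, circuit, destination)
    seen = []
    for relay_name, key in circuit:
        next_hop, blob = peel(blob, key)
        seen.append({"relay": relay_name, "next": next_hop})
    # after the exit strips the last layer, blob is the plaintext for the destination
    return blob, seen


if __name__ == "__main__":
    delivered, trace = run_circuit(b"GET / HTTP/1.1", CIRCUIT, "example.org")
    for hop in trace:
        print(f"{hop['relay']:6s} learned next hop = {hop['next']}")
    print("destination received:", delivered)
    onion = build_onion(b"x", CIRCUIT, "example.org")
    print("middle relay can open the outer layer?", relay_can_read(onion, CIRCUIT[1][1]))
```

Running it prints one line per relay showing that the guard learns only "middle", the middle only "exit", and the exit only the destination, which is the property the article means when it says no single Tor point knows the complete path. The last line shows the middle relay's key failing on the guard's layer: without the guard's key the outer blob is indistinguishable from noise.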
Mevade malware used TOR to mask activity
Unsurprisingly, cybercriminals have shown interest in Tor’s byzantine structure. Dark Reading’s Kelly Jackson Higgins recently commented on the Mevade botnet that used Tor to disguise its command-and-control servers. Mevade first appeared in 2009 and rapidly grew in size, infecting up to 5 million machines, including a number of seemingly secure enterprise endpoints.
Ironically, Mevade’s shift to Tor exposed it to cybersecurity professionals. It moved from SSH to Tor via Port 443, attracting attention that only increased once Tor’s user numbers went through the roof. Threatpost’s Dennis Fisher reported that the number of Tor clients was nearly 3 million following the August 2013 Mevade infection and that Tor officials affirmed that such growth could not have been organic.
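The signal that gave Mevade away was a growth curve nobody could explain. A defender watching their own telemetry (daily count of endpoints reaching Tor relays, or Tor's own client estimates) can catch the same pattern with a robust baseline check. The code below is an added example, not from the article or from Tor's metrics team; the daily series is constructed to resemble the jump the article describes, from roughly 500,000 clients to nearly 3 million.

```python
import statistics
from typing import List, Tuple

# Constructed daily client counts (not real Tor metrics): ten quiet days near
# 500,000, then a four-day surge to almost 3 million.
DAILY_CLIENTS = [
    498_000, 505_000, 501_000, 497_000, 510_000, 503_000, 499_000,
    506_000, 502_000, 508_000,
    900_000, 1_600_000, 2_400_000, 2_950_000, 2_980_000,
]


def robust_z(value: float, history: List[int]) -> float:
    """Distance from the median of history, in units of scaled MAD.

    Median and MAD are used instead of mean and standard deviation so that a
    spike already inside the window does not inflate the baseline and hide
    the following days.
    """
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else 1.0  # 1.4826 makes MAD comparable to sigma
    return (value - med) / scale


def flag_spikes(series: List[int], window: int = 7, threshold: float = 8.0) -> List[Tuple[int, int, float]]:
    """Return (day index, count, z) for days far above the trailing window.

    The first days of a sustained jump are all flagged; once the window is
    mostly made of surge days the new level becomes the baseline, which is
    why an alert should also be compared against a frozen reference period.
    """
    flagged = []
    for i in range(window, len(series)):
        z = robust_z(series[i], series[i - window:i])
        if z > threshold:
            flagged.append((i, series[i], round(z, 1)))
    return flagged


def peak_ratio(series: List[int], baseline_days: int = 7) -> float:
    """Peak count divided by the median of a frozen reference period."""
    baseline = statistics.median(series[:baseline_days])
    return max(series) / baseline


if __name__ == "__main__":
    for day, count, z in flag_spikes(DAILY_CLIENTS):
        print(f"day {day:2d}: {count:>9,} clients, robust z = {z}")
    print(f"peak is {peak_ratio(DAILY_CLIENTS):.1f}x the first-week median")
```

Days 10 through 13 are flagged with z-scores in the tens or hundreds, while the quiet days score near zero. Day 14 is not flagged by the trailing window because the surge now dominates it, which is the reason the block also reports the peak against a frozen first-week median: a sixfold jump relative to that reference is the kind of figure the article says Tor officials could not attribute to organic adoption.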
However, security researchers may need to avoid getting too complacent about safety in light of the mistakes that Mevade’s architects made.
“In the security arms race, sometimes the bad guys screw up too,” Damballa researcher Mark Gilbert told Dark Reading. “But you can be sure they have taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward.”
FBI actions involving Silk Road, Freedom Hosting demonstrate potency of Tor
Almost on cue from Gilbert’s remark, several separate, more elaborate Tor-related threats came to the fore.
Reporting for Forbes, Andy Greenberg analyzed the FBI’s takedown of the secretive Silk Road online marketplace that had been a locus of drug trading and professional killer contracting. It remains unclear what exact methods the FBI used to pinpoint the site amid Tor’s tangled web, although details about its proprietor’s time zone, email address and IP address may have been factors. As was the case with Mevade, minor oversights proved to be Silk Road’s undoing.
“This is supposed to be some invisible black market bazaar. We made it visible,” an FBI spokesperson told Forbes. “No one is beyond the reach of the FBI. We will find you.”
Silk Road’s owners had tried to keep transactions out of sight by allowing visitors to use the crypto-currency bitcoin. Its secretive server network, now being analyzed by the FBI, DEA and IRS, ran through countries including Iceland, Latvia and Romania.
After the Silk Road discovery, Tor’s leadership affirmed that the illegal operation was exposed because of the FBI’s diligent detective network rather than any actual flaw within Tor’s architecture. Tor recommends that individuals on the network use the official Tor Browser, visit only HTTPS websites and avoid risky behaviors like downloading suspicious plugins.
“[W]hile we’ve seen no evidence that this case involved breaking into the webserver behind the hidden service, we should take this opportunity to emphasize that Tor’s hidden service feature (a way to publish and access content anonymously) won’t keep someone anonymous when paired with unsafe software or unsafe behavior,” stated a Tor blog post.
Tor’s advice on best practices may provide guidance on how the network can be used for legitimate purposes. At the same time, the FBI’s careful dissection of Silk Road illustrates how law enforcement can take targeted action against anonymous cybercrime, without compromising the integrity of Tor as a whole.
The FBI pursued a similar tack in July 2013 when it temporarily took control of the Freedom Hosting servers that support Tor. In that case, it created a vulnerability in the Mozilla Firefox browser that allowed the organization to identify Tor users and track down criminals trafficking in child pornography. As Tor continues to grow in popularity, cybersecurity professionals will need to be mindful of how to address cybercrime that uses it for cover, and how they can work with law enforcement to make Web users safer while respecting concerns about privacy and anonymity.