DeepWeb and Darknet — Part 1
The Internet consists of IP addresses of real systems and of systems belonging to the Deepweb, also known as the invisible or hidden web. Normal search engines like Google or Yahoo have no access to those deep web addresses. As per the Science and Technology Innovation Program of the Wilson Center, a federally funded security initiative, the deep web with its non-indexed IP addresses is about 500 times larger than the surface web of indexed, searchable websites, and the data stored on the 60 largest websites alone is 40 times larger than all the known internet websites put together. The deep web is not the ‘Darknet’, because many law-abiding white hat hackers access these websites to get data that is otherwise unavailable.
These white hat hackers work as
· Detectives for federal agencies investigating money laundering, illegal betting, stock market crimes, etc.
· Journalists for media networks who probe corrupt political leaders, business entrepreneurs and other popular celebrities for various reasons
· Hacktivists who oppose socially unacceptable laws and who fight against human rights violations.
These people work on these IP addresses in order to keep their work quiet and under the radar of the known web services and search engines. Nonetheless, the Deepweb is not a haven for white hatters alone; it is also used for many illegal activities such as
· Drug and human trafficking
· Illegal firearms trade
· Distribution of child pornography
· White collar crimes such as identity theft
· Bribery (generally involving a public official, which refers to any government employee of any government department or agency, members of Congress, etc.)
· Counterfeit currency trading
· Insurance fraud, etc.
Such websites put together form the real ‘Darknet’. (Though colloquially many academics and professionals alike call the DeepWeb the ‘Darknet’ too, and often use the two words as synonyms, for the sake of this blog and my audience I have used ‘DeepWeb’ for the legal dark web and ‘Darknet’ for the illegal dark web.)
It is essential to understand the spread of such illegal activities and regulate them, in order to prevent innocent people from getting hurt by some brilliant but rogue minds working in crooked ways.
The idea of this series is to bring more awareness to what is happening in the Darknet and how those activities can be brought to light, in order to stop the tentacles of these dark activities from reaching and crushing the real do-gooders who use the internet for knowledge sharing and information exchange.
First of all, let me answer the question which many students and professionals alike have asked me: “If it is hidden and under the radar, how did we all come to know about it?”
Though many security and IT professionals often anonymously shared resources from the Deepweb from time to time with the rest of the internet’s users, until 2013 the ‘DeepWeb’ remained unknown to most normal internet users. But with the arrest of Ross William Ulbricht by the FBI, on the alleged crime of running a famous ‘Darknet’ marketplace called ‘Silk Road’, the ‘Deepweb’ and ‘Darknet’ came to be recognized by many as another treasure trove of data, knowledge and other ingenious activities. Ulbricht was convicted of plenty of white collar crimes in which he was involved through his marketplace, ‘Silk Road’, which was considered by many as the Darknet’s amazon.com. He is said to have laundered as much as 80 million US dollars through his activities; yet one thing that has been circulated by many about ‘Silk Road’ is that it was a place where fake passports and illegal work permits were sold, and that the drugs dealt there were regarded as ‘victimless contraband’.
The definition of victimless crime depends largely on the state of the law and the type of the country’s constitution. But in general, ‘victimless crime’ refers to crimes such as the use or possession of contraband drugs such as fentanyl laced with heroin, the illegal sale of drugs like marijuana, gambling, prostitution, public sex between two consenting adults, etc. In general, victimless crimes are crimes committed by two consenting adults, unlike rape, where one is a victim and the other a perpetrator. Also, contraband refers to drugs or any other items brought into the country illegally, without paying the import duty.
By the basic definition of victimless contraband, the transactions which happen in the darknet seem quite harmless to the general public, unlike terrorism or shootings, where innocent lives are lost. Nonetheless, the drugs and weapons bought illegally can be used to hurt many innocent people. Hence the concern.
The busting of ‘Silk Road’ marked the beginning of a totally new internet world for many academics and professionals, and the world came to know about the ‘Darknet’ and ‘Deepweb’ through legal sources. Since then, a few ‘Darknet’ marketplaces have sprung up with no such bounds as victimless contraband; on websites like Evolution, Agora, Greenberg and Verto, everything from fake IDs, untraceable weapons, hospital records and stolen or scammed credit cards to illegal narcotics is traded. Some dark websites like the ‘Tor carding forum’ even charge a $50 monthly subscription, for which any illegal drugs can be sold and bought. Nonetheless, there are some websites like ‘Cloud 9’ and ‘Majestic Garden’ where the rules are stricter than on ‘Silk Road’. Irrespective of the type of marketplace, ‘Darknet’ marketplaces are constantly increasing and more in use than ever after the fall of Silk Road, giving more trouble to the digital law enforcement authorities.
The data packets from the ‘Darknet’ traffic do not contain a payload, as they are not connected to any physical systems. Also, the ‘DeepWeb’ is not a continuous set of IP addresses stashed in one place on the internet, as many of you might have imagined, but is dispersed across various sets of IP addresses throughout the internet. It is the same with the ‘Darknet’ marketplaces and other websites inside the ‘DeepWeb’. The ‘Darknet’ is not a cluster of IP addresses representing servers with websites dealing in illegal activities; it is dispersed across various servers situated around the world and connected through an overlay.
Both the ‘DeepWeb’ and ‘Darknet’ websites are reachable through a network router such as The Onion Router (TOR). The reference to an onion, and the logo of the TOR browser, stand for the number of layers of encryption and protection given by the TOR browser, similar to the onion core being wrapped in different layers of onion skin.
TOR was developed by the US Navy in 2002. Nearly 60% of its funding came from the federal defense budget and the rest was paid by digital rights lobbyists. The TOR network is fully operated by volunteers who value their privacy and anonymity. The ‘Darknet’ and ‘Deepweb’ are hosted by a DNS root with .BIT domains which are not controlled or managed by the Internet Corporation for Assigned Names and Numbers (ICANN), and are hosted on limited-access virtual network infrastructure (also referred to as the ‘TOR’ network, using special software; think of this as a virtual machine created over a real machine). Clients need a TOR browser to access the websites hosted on this network and any data available through these websites. Any communication sent or received using the TOR browser is anonymous and completely impossible to trace, as the network and browser are coded to hide the IP address of the device accessing the website along with the identity of the person accessing it.
TOR websites are totally anonymous, decentralized and completely uncensored. The languages of websites in the ‘DeepWeb’ are well distributed, with the most dominant language being English (66.7%) and the least dominant being Portuguese with 1.2%.
The speed of the TOR network is slow compared to the 4G LTE or WiFi-enabled clear net, and hence downloads from the ‘DeepWeb’ databases are also slow. It is possible to slightly increase the speed by not overloading a single node in the virtual network, instead distributing the load over different nodes using a round robin scheduling algorithm as a TOR proxy. Each next node or relay is generally chosen randomly, in a way that optimizes the routing of the packet sent.
The idea of the ‘DeepWeb’ is to provide privacy to those who publish the websites and to those who access them, both from outside TOR traffic and also from the inside participants.
In most television series or movies, the FBI agent or the local cop is able to find the identity behind an illegal digital transaction using IP addresses only. Say, for example, an alleged drug smuggler transferred 100,000 US dollars to some ID ‘H1’ from his account. The police know who the players ‘H1’ and the ‘drug smuggler’ are, but they do not have any proof of what H1 did for the smuggler to acquire that kind of money, which might help them to issue a bail-proof arrest warrant for both. So the digital forensics agent comes into the picture. He will track the normal activities of ‘H1’, find his device’s IP addresses, and set up a software routine to follow those IP addresses and ping him back an alert when one hits a blacklisted site. But if ‘H1’ is conducting his cyber activities using a TOR browser, the IP address cannot be tracked, or the blacklisted website’s address might not be known. Thus the pings will die as soon as the IP address enters the protected network, making the character remark, “I lost him”.
Similar to TOR, there are other browsers and software overlays, for example I2P and Freenet; nonetheless, TOR is the most widely used Deepweb browser.
The anonymity and privacy are protected by the relays or nodes en route in the TOR network infrastructure. Every node or relay only unwraps enough information to know the previous node and the next node. None of the intermediate relays or nodes know the source or the destination IP address. In this way, only the first node after the source and the last node before the destination know the source and destination IP addresses respectively, making it utterly impossible to trace back the route from destination to source. The relays might be situated across cities, countries or continents, thus making the TOR browser slower than the usual Google Chrome or MS Edge browsers.
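As an added illustration of the hop-by-hop view just described (my own example, not code from the original post or from the Tor project), the following Python script builds a three-layer onion with a toy keystream cipher and lets each relay peel only its own layer. The relay names, the fixed-width next-hop field, the HMAC-based cipher and the random per-hop keys are all assumptions made for the demonstration; Tor's real ciphers, cells and key exchange are not reproduced here.

```python
"""Toy onion-routing walk-through.

Each relay shares a symmetric key with the client. The client wraps the
message in one encryption layer per relay, innermost layer first, and each
relay can strip only its own layer, which reveals just the next hop and an
opaque blob for the rest of the path. The cipher is a counter-mode keystream
built from HMAC-SHA256 so the script runs on the standard library alone; it
stands in for Tor's real ciphers and key exchange and is not Tor's protocol.
"""
import hashlib
import hmac
import os

HOP_FIELD = 16   # fixed-width next-hop name at the front of every layer (constructed format)
NONCE_LEN = 16   # fresh random nonce per layer so identical payloads never repeat


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudo-random bytes, counter-mode style."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_onion(path: list, hop_keys: dict, destination: str, message: bytes) -> bytes:
    """Wrap `message` so that path[0] strips the outer layer, path[1] the next, and so on."""
    blob = message
    next_name = destination
    for relay in reversed(path):          # innermost (exit) layer is built first
        name = next_name.encode()
        assert len(name) <= HOP_FIELD, "hop name too long for the fixed-width field"
        plain = name.ljust(HOP_FIELD, b"\0") + blob
        nonce = os.urandom(NONCE_LEN)
        blob = nonce + xor_crypt(hop_keys[relay], nonce, plain)
        next_name = relay
    return blob


def relay_process(key: bytes, onion: bytes):
    """What one relay does: peel exactly one layer with its own key."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    plain = xor_crypt(key, nonce, body)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plain[HOP_FIELD:]


def run_circuit(client: str, path: list, destination: str, message: bytes):
    """Send `message` along `path`; record what each relay learns (previous and next hop)."""
    # Constructed keys; in Tor each key would come from a key exchange with that relay.
    hop_keys = {relay: os.urandom(32) for relay in path}
    onion = build_onion(path, hop_keys, destination, message)
    views = {}
    prev = client
    for relay in path:
        next_hop, onion = relay_process(hop_keys[relay], onion)
        views[relay] = {"prev": prev, "next": next_hop}
        prev = relay
    return views, onion   # after the last relay, `onion` is the plaintext handed to the destination


def relays_knowing_both_ends(views: dict, client: str, destination: str) -> list:
    """Which relays saw the source AND the destination? With three hops, none do."""
    return [r for r, v in views.items() if v["prev"] == client and v["next"] == destination]


if __name__ == "__main__":
    views, delivered = run_circuit("client", ["guard", "middle", "exit"], "destination", b"GET / HTTP/1.1")
    for relay, view in views.items():
        print(f"{relay:7s} sees prev={view['prev']:8s} next={view['next']}")
    print("delivered to destination:", delivered)
    print("relays linking client to destination:", relays_knowing_both_ends(views, "client", "destination"))
```

Running it shows the guard learning only the client and the middle relay, the middle learning only the guard and the exit, and the exit learning only the middle and the destination, plus the message itself when the final connection is unencrypted. Running the same helper with a one-relay path reports that the single relay links both ends, which is the reason a circuit is built from several hops rather than one.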
TOR as a VPN:
DLP, or data leakage prevention, products protect privacy using encryption, passwords and P2P protocols; other, more advanced bypass techniques involve bridging and VPN dial-out. A VPN is an end-to-end encryption standard used to protect your online privacy. The data sent and received through the VPN travels through a set of routers belonging to a private network overlay created by software on top of a small region of the internet. Big organizations have their own VPN networks for the use of their employees across the world for conference calls and presentations. If a person uses a VPN, only the people who have logged into the network can see each other, and no one else knows the identity of the users. The VPN service can be provided by any ISP. A VPN provides layer 2 access and an IP address through DHCP. (A DHCP server is a network server which automatically allocates IP addresses and default gateways to all the client devices. This configuration process uses the Dynamic Host Configuration Protocol (DHCP), and it allows any device to reach DNS or NTP servers using the TCP or UDP protocol.)
The ISP of the VPN has full control over the network traffic and can listen to or modify any account.
TOR provides the same functionality as a VPN, and there is software available to create a full VPN over TOR or via TOR. TOR closely resembles an HTTP proxy and a SOCKS proxy. With an HTTP proxy, the hacker can do MiTM attacks on all connections including SSL, but with a SOCKS proxy, the hacker can do MiTM attacks only on unencrypted connections and not on secure connections such as HTTPS. Using TOR it is possible to do a MiTM attack from any system on any unencrypted connection.
It is essential to have a TOR VPN as the TOR gateway, to avoid the prying eyes and ears of your ISP, and it can be configured to be your main router or gateway. This ensures near 100% anonymity, as all traffic will be routed via the TOR VPN. The TOR VPN ensures two-way anonymity. Thus any trading, transaction or information exchange is 100% anonymous. There is also the possibility of one-way anonymity, where a person of known identity and IP address can access a ‘DeepWeb’ server without knowing its IP address, country or identity.
If you have read this far, then I think you will be interested in my ‘Deepweb and Darknet — Part 2’ as well, where I plan to discuss some interesting topics such as darknet forensics, cryptoanarchism, etc.