Modern field guide to security and privacy

Opinion: The value of unmasking Tor's dark side

The identity shrouding Tor browser is a godsend for many people – including criminals – trying to avoid detection online. But using it doesn't erase everyone's digital footprints, giving researchers many clues for hunting down Tor's more nefarious users.


The anonymizing browser Tor is an ideal tool for political activists – especially those living in repressive countries – and journalists dealing with sensitive information or anyone who wants to navigate the Web with a strong layer of security and privacy.

Because of the secrecy it affords users, however, Tor has unfortunately also become the province of criminal hackers, online drug dealers, child pornographers, and merchants of malicious software. That's why being able to monitor what happens under the shelter of Tor – to the best of our abilities – is increasingly important for cybersecurity firms to determine where the bad guys are going, how they are operating, and what they are planning to do next.

While many might think this undermines the intent of Tor and threatens the integrity of the service, it's critical to identify illicit use of Tor to gain insight into hacker targets and techniques. That information is so valuable that numerous others have attempted to break the anonymity that Tor provides, but that's neither necessary nor warranted. Enough identifiers exist on the edges of Tor – at its entry and exit points – to track many people who use it to shroud their activities.

Regardless of anyone's reasons for using Tor, one thing to remember while using it is that it doesn't provide bulletproof security. 

In fact, my firm recently homed in on a specific hacker group that unsuccessfully used Tor to hide its activities. We identified their e-mails, passwords, connections, and the geographic regions where they operated. We know their hacker handles and where they like to trade their information on the open Web.

What often opens Tor users up to being compromised – and therefore tracked – is that the service is only as private as the actual websites users visit and the services they use while connected through Tor.

Even though Tor masks Internet traffic to keep users' identities hidden, it still works by connecting to the same Internet that we all use. This happens at Tor exit nodes – the gateways where Tor traffic leaves the network and reaches the open Internet. Because these addresses are publicly identifiable (an excellent service is available here), we are able to search for their usage elsewhere on the Web. They may show up in a piece of malware code, in a traffic log indicating a distributed denial of service (DDoS) attack, or in some more interesting places as well.

Our analysts identified all known Tor exit node Internet Protocol (IP) addresses and executed a massive, automated scan of the entire Web for any references to them.

The results were shocking. We were able to uncover multiple databases for illegal hacking and DDoS services, as well as references to hundreds of users who were likely using Tor in hopes of anonymity. However, we were able to tie these "anonymous" users to specific individuals by cross-referencing the information we found with other uniquely identifying data, such as hacker nicknames, personal e-mail addresses, and passwords, and then using that information to conduct link and network analysis.
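The defender's side of the same technique is to match a published exit-node list against one's own traffic logs, which is where those "references" come from in the first place. The following is an added example, not code from the article or from Recorded Future: it validates a constructed exit-node list (documentation-range IPs, not real Tor exits), parses constructed Apache-style access log lines, and summarises requests and failed logins per exit node.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed exit-node list: documentation-range IPs, one junk line to show validation.
EXIT_NODE_LIST = """\
# constructed list, not real Tor exits
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.45
"""

# Constructed Apache combined-format log lines (dates chosen to match the article's date).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jul/2015:10:01:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Jul/2015:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jul/2015:10:02:10 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/7.40"
192.0.2.10 - - [20/Jul/2015:10:02:11 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Jul/2015:10:03:00 +0000] "GET /forum/user/h4ndle HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def load_exit_nodes(lines):
    """Normalise an exit-node list, skipping comments, blanks and invalid addresses."""
    nodes = set()
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            nodes.add(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue  # junk line: ignore rather than abort the whole load
    return nodes


def find_tor_activity(log_text, exit_nodes):
    """Return {exit_ip: {requests, failed_logins, paths}} for traffic from known exits."""
    summary = defaultdict(lambda: {"requests": 0, "failed_logins": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ip") not in exit_nodes:
            continue  # unparseable or not from a Tor exit
        entry = summary[m.group("ip")]
        entry["requests"] += 1
        entry["paths"].add(m.group("path"))
        if m.group("path") == "/login" and int(m.group("status")) == 401:
            entry["failed_logins"] += 1
    return dict(summary)
```

Exit-node lists churn daily, so in practice the list is refreshed on a schedule and the match is done on the address as seen at the time of the request.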

In short, we were able to trace criminal hackers from the edges of Tor to the open Web social media sites, services, and hacker groups they connected with elsewhere on the Internet. As a result, we gained a fuller picture of their activities, habits, and the other illegal services – and practices – they're involved in.

"There are multiple lessons here. For one, Tor can't cloak all Internet activities. There are many solid references for how to cleverly use Tor data – find them and follow them."

Christopher Ahlberg is the cofounder and chief executive officer of the threat intelligence firm Recorded Future, which received funding from Google Ventures, IA Ventures, and the CIA-backed venture capital outfit In-Q-Tel.

https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0720/Opinion-The-value-of-unmasking-Tor-s-dark-side