This article is the last in my series that explores various parts of the Internet. When discussing the dark web, some might say that one will never find a more wretched hive of scum and villainy. But if that is true, why does it continue to exist? What is stopping law enforcement from shutting it down? To find the answer, it is imperative to understand how the dark web works—and what makes it so difficult to solve its crimes and detect its activity.
The dark web was created by the US federal government to produce an environment in which individuals could maintain their anonymity. The government has many managed attribution environments, some of which I helped develop. The dark web is one that has become quite popular due to its availability and peer-to-peer nature.
Websites on the dark web are hosted separately and distinctly from the open or deep webs. The dark web was founded on the Onion router (Tor). The collection of Tor routers is what provides anonymity within the infrastructure. Accessing the dark web typically requires the use of an entrance node and an exit node, although some sites can be accessed directly if their domain ends in .onion. These nodes are connected using the same communication infrastructure that the open and deep webs use. The entrance node knows where a user is coming from and the exit node knows where they are going. However, the two nodes recognize only each other and do not share points of origin or destination. In order to connect to an entrance node, one must use a certain browser. The first browser was Tor, named after the router on which the dark web is implemented. Today there are several browsers that can be used to access the dark web.
Once a connection to an entrance node has been established, one has entered a network that is layered in encryption tunnels and secure methods for establishing those tunnels. These tunnels serve as end-to-end encryption (i.e., vice link encryption) between the Tor browser and the dark website being accessed. It should be noted that for the most part, websites hosted on the dark web are not crawled or advertised by search engines. This means one must know where they are going if they wish to take advantage of the dark web; however, this does not mean there are not search engines on the dark web, but rather that they are not a complete representation of all hosted websites. This makes sense, as the reason many sites exist on the dark web is to conduct nefarious business activities such as weapon sales, human trafficking, drug sales, criminal operations, credit card sales and more. Unfortunately, there are also hostile sites that attempt to install hostile code onto one’s computer, which can then be used as a zombie or bot to act on malicious intentions.
However, not all uses of the dark web involve illegal activity. This network allows news reporters and people who experience Internet censorship to maintain anonymity while reaching out to the world.
Despite this encryption, tunneling and lack of traceability, it is possible to identify someone who has used the dark web. At one time, the US federal government was the largest owner of entrance nodes and exit nodes to the dark web. This means it is possible that the government could have possessed a tool that put together the point of origin (the Tor browser) and a user’s destination. It also means that the encryption key (i.e., root key) is owned by the US federal government, meaning that it can decrypt all traffic. Remember, this is the same organization that released certified encryption algorithms for public use that contained back doors that it could use to get to your data. The most popular way to overcome this vulnerability is to use a proxy or virtual private network (VPN). Many VPN service providers contend that they flush all their audit trails when one disconnects from their service and do not cooperate with law enforcement. However, most VPN service providers are required to obey the laws of the countries in which they operate, meaning that a subpoena or other legal action could result in one’s identity being revealed.
Traffic analysis is an effective technique for targeting users who are on the dark web to conduct criminal activity. During traffic analysis, an analyst builds networks, observing who is going where and who is talking to whom. The identity of any one individual is not the primary interest; instead, an analyst tries to identify communication patterns that may be susceptible to compromise. Remember, if I can compromise anyone in the network, I can find my way to you.
The next approach to compromising identity on the dark web is the crosspollination of identity from the analog world, to the open or deep web, to the dark web. I know this is almost laughable, but many times someone will compromise their anonymity by buying a product from a commercial website using their cover account and then providing their real name, address and telephone number. On the dark web, the use of an identifying name, tag or callsign that is traceable to the open or deep web is the beginning of success for criminal investigators. Now, based on the user’s activities, they become a person of interest and more resources are expended to discover their identity.
The reality is there is not enough space here to go into extensive technical or operational detail about the dark web, but this introduction should help one achieve a basic understanding of it. The dark web can be an excellent managed attribution system, however, if the wrong entrance and exit nodes are used without protection, one could become much more familiar to the system than they realized. Regardless of why one is using the dark web, they should ensure that all antivirus software on their device is up to date. But it is important to keep in mind that antivirus software protects against known viruses; by choosing to visit the dark web, one may become susceptible to the latest and greatest viruses. This means you may get a virus named after you. Good luck.
Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer ofTWM Associates Inc. In this capacity, he provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.
