Beware, Maltego Will Find You!

by Ciphas


A friend of mine recently introduced me to a program called Maltego, made by the South African security company Paterva – and if you use it, it may frighten you. It’s actually been around for a few years, but I only started using it this week.

If it sounds unfamiliar, Maltego is a data mining and pentesting tool that finds relationships between information found on different internet sources. Its “map” of data looks exactly like this:

[Image: Maltego graph, censored]

So yeah, I’m sort of telling you about the “real me” here. Each dot on that graph represents places online that Maltego connected to you in one way or another. This may be via your email address, IP address or via an “alias” that you used in more than one place. As an example, if you use the username “aisettagess” on more than one website or service, it will find that!

Interestingly, some of the data that it found out about me was via Have I been pwned?, which I mentioned in an earlier post. Likely what happened was that the pwned site scanned for data on numerous sites, and then kept some of that information, so it was available to Maltego. If you consider using that site, keep in mind that it will probably log some data about you, unless you request otherwise.

Just so that I don’t dox a real person, let’s create a fictitious online user with Fake Name Generator.

David A. Bass
879 Burning Memory Lane
Tullytown, PA 19007

Mother’s maiden name: Scott
SSN: 192-42-XXXX

Email address: ftjaqxpl@sharklasers.com (thanks, GuerrillaMail!)

You get the idea. So, using Mr. Bass’ info there, let’s have Maltego gather data on him. It figures out what web servers he’s using, what top level domains he uses, what email servers he sends messages from, etc.

After gathering all this data, it combines it all into a graph like the one above, to get a complete picture. It also has a command line tool, but for the purpose of this post, I’m using the GUI version.

If you click on the green dots on your graph, it will show you the information tied to your various online aliases. Let’s say Mr. Bass there uses the following usernames: PennMan988, AllAboutThatBass859, and DBass1. And let’s say he has these email addresses: ftjaqxpl@sharklasers.com (the one above), and dbass345@guerrillamail.com.

Maltego will find any social media profiles or sites on which David used those email addresses – made even easier if he filled out his real name on the site. The graph illustrates using this key:

[Image: Maltego graph key]

Plus, based on information available online, it may figure out your relatives, employment history, average annual income, phone numbers, and even location. By the way, if you want more technical information about Maltego, Concise Courses did a great writeup on it – I suggest you check this out.

So why is this useful? Well, as I’d said in some other recent posts, if any of this information isn’t the kind of thing that you want to be available online, then you can now do something about it.

If you want to delete your profiles (or at least certain information) from any of these websites, take the opportunity and do it.

And for the future, consider what kind of information you’re putting out there before you do so.

Think of that next time you consider posting a nude selfie on Tumblr.

Dear FCC – I Care About Net Neutrality

[Image: "What is net neutrality" video blocked]

It occurred to me that as a writer, particularly one who talks about controversial subjects, that “net neutrality” should matter to me. And it should matter to you too.

Without it, ISPs (the big guys like Comcast, AT&T, and Time Warner Cable) would have full ability to create so-called “Internet fast lanes” that give preference to certain websites over others. Is that what you want?

On July 12, 2017, net neutrality allies sent 1.6 million comments to the FCC, and many of them, in creative ways, demonstrated what would happen if net neutrality were abandoned and the reins handed over to such big-name ISPs. For a few examples, stop by Massive protest to save #NetNeutrality sweeps the internet.

[Image: Twitter #NetNeutrality post]

While the big day of protest is over, on the site Dear FCC, It’s Our Internet and We’ll Fight to Protect It, they give you a chance to write a letter to the FCC and explain why net neutrality is important to you.

I did so today, and you can too – I urge all of you who care about freedom on the internet, and the liberty to use and access what you want, to do the same!

It feels as though we’re going backwards in time, with a whole lot of pro-censorship laws being enacted right now, such as the anti-encryption bills in the US, Australia, and the UK.

We, the people, need to speak out. Join me in this fight.

And of course, if you have suggestions, feel free to add them here!

Can You Access .Onion Sites Without Tor Browser?

by Ciphas

(Note: Thanks to Ben Tasker’s Security Blog and traudt.xyz for being references.)

Can you access .onion sites without the Tor Browser? Short answer? Yes, you can – but I don’t recommend it…I cannot stress this enough.

I’ve mentioned Tor2web proxies in a few previous posts, but didn’t elaborate on them much.

[Image: onion.to]

In their own words, “Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser.” Tor2web and Web2Tor are reverse proxies which allow clearnet users (such as someone using Chrome, Firefox, etc.) to access Tor hidden services.

[Image: reverse proxy diagram]

The proxy listens on port 80 (or sometimes 443) on a clearnet server, and then proxies requests to the Tor hidden service.

If you’re unfamiliar with proxy servers, Indiana University gives a great definition of one: What is a proxy server?  (Psst…I talked about this a little in my earlier post ‘Anonymous’ Proxy List?)

The example used to illustrate this on Tor2web.org is that when you see an onion URL, for example http://pbfcec3cneb4c422.onion/, you can add “.to,” “.link,” “.cab,” etc. to the end of the URL (e.g. http://pbfcec3cneb4c422.onion.to), and that proxy will connect you to the onion service. Great, right?

Well, no – not great. In spite of its convenience, the problem with using these proxies is that whoever is operating the Tor2web proxy can spy on your web traffic. While this may not sound like a bad thing, if said proxy operator has malicious intent, then you (the user) are basically a sitting duck. Plus, if the point of Tor is being anonymous, and someone can see your web traffic, that defeats the whole purpose!

In fact, even onion.cab themselves – the proxy service, that is – warns users when they first try to access a site this way:

[Image: onion.cab warning page]

If this doesn’t sound bad, then it should be noted that not only can the operator see your web traffic, but they can also modify it and inject code if they so desire.

Ben Tasker’s Security Blog has an excellent post about this called Don’t Use Web2Tor/Tor2web (especially Onion.cab) – the example he gives is that some Web2Tor services “have some pretty bad habits, including playing fast and loose with your privacy.”

If you visit https://6zdgh5a5e6zpchdz.onion, but do so through onion.cab instead of through Tor, the proxy service injects Piwik analytics code into the page, which looks something like this:

[Image: injected Piwik tracking code]

So why should you care? Well, the proxy service that injected the code now knows that your IP address accessed said onion service at a specific time. In addition, it is executing code in your browser that the operator of the original site is unaware of.

Some of the information that this injected code can discover about you includes:

  • The title of the page you’re viewing
  • An ID for the site
  • The time that you made the request
  • The exact URL you were looking at
  • The page that sent you to that URL
  • Details of which plugins you have installed
  • Whether cookies are enabled
  • Your screen resolution
  • A unique ID for you

Alternatively, this third-party operator can inject code into the site that may track you across hidden services – that is, if you’re using the onion.cab proxy.
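One defensive way to see what a reverse proxy of this kind has done to a page is to compare the HTML the hidden service actually serves with the HTML you received through the proxy and list the script elements that exist only in the proxied copy. The following Python is an added example, not code from the original post and not onion.cab’s own snippet: both HTML documents are constructed for illustration, the proxy host name proxy.example is a placeholder, and the list of tracker markers is an assumption you would extend for your own environment.

```python
"""Detect scripts a Tor2web-style reverse proxy injected into a page.

Added example (not from the original post): compares the HTML a hidden
service serves with the HTML received through a reverse proxy and reports
any <script> elements that only appear in the proxied copy. Both HTML
samples below are constructed; the piwik-style snippet only imitates the
kind of analytics code the post describes.
"""
from html.parser import HTMLParser

# Markers that commonly identify analytics/tracking snippets.
# Assumption: a small hand-picked list; extend it for your own needs.
TRACKER_MARKERS = ("piwik", "_paq", "matomo", "analytics")


class ScriptCollector(HTMLParser):
    """Collects every <script> element as a (src, inline_body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as CDATA.
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body).strip()))
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(original_html, proxied_html):
    """Scripts present in the proxied page but absent from the original."""
    original = set(collect_scripts(original_html))
    return [s for s in collect_scripts(proxied_html) if s not in original]


def classify(script):
    """Label a script 'tracker' if its src or body carries a known marker."""
    src, body = script
    text = f"{src or ''} {body}".lower()
    return "tracker" if any(m in text for m in TRACKER_MARKERS) else "unknown"


def audit(original_html, proxied_html):
    """Return (classification, src, inline_body) for each injected script."""
    return [(classify(s), s[0], s[1])
            for s in injected_scripts(original_html, proxied_html)]


# Constructed sample: what the hidden service itself serves.
ORIGINAL = """<html><head><title>Example onion</title>
<script src="/static/site.js"></script></head>
<body><p>Hello</p></body></html>"""

# Constructed sample: the same page as returned by a hypothetical proxy,
# with a piwik-style snippet and a loader appended before </body>.
PROXIED = """<html><head><title>Example onion</title>
<script src="/static/site.js"></script></head>
<body><p>Hello</p>
<script>var _paq = _paq || []; _paq.push(['trackPageView']);</script>
<script src="https://proxy.example/piwik.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src, body in audit(ORIGINAL, PROXIED):
        print(f"[{kind}] src={src!r} inline={body[:60]!r}")
```

The comparison is deliberately structural (script by script) rather than a raw text diff, so cosmetic changes the proxy makes to whitespace or link rewriting do not drown out the one thing that matters here: code that will execute in your browser which the site operator never put there.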

You can even contract malware via some Tor2web proxies – read this article by Virus Bulletin – Vawtrak uses Tor2web to connect to Tor hidden C&C servers. Granted, this article is over two years old, but it can still give you an idea of what might happen if you rely on these proxies.

Thus, if your concern is privacy, it should be obvious why you don’t want to give this information away. The same goes for any proxy, really, but again, if you’re using Tor for anonymity, then accessing so-called “hidden services” via the clearnet is pointless.

I know that a lot of people who explore the “dark web” for fun just say, “Give me links!” But if you want to explore those links, do so in the right way – use the Tor Browser (from https://www.torproject.org/), and don’t try to do so via the clearnet.

There’s a reason it’s called the “dark web,” after all.


What’s the State of AlphaBay Market?

[Image: AlphaBay]

Update: AlphaBay has definitely exit scammed and is gone for good. Please don’t get your hopes up about it coming back.

If you’re interested in darknet markets and have seen the news lately, you probably know that AlphaBay, which up until now has been one of the most successful markets, is down (and has been since July 4th).

(NOTE: If you’re curious to see some sites you can use in place of it, check DNStats, or its Tor hidden service, http://dnstatstzgfcalax.onion.)

[Image: DNStats AlphaBay status]

Numerous media outlets have already covered this story, including the New York Times, The Verge, and Gizmodo. If you haven’t heard about this, here are a few links to catch you up:

AlphaBay, Biggest Online Drug Bazaar, Goes Dark – The New York Times

A Dark Web marketplace is down and users suspect foul play – The Verge

World’s largest online illegal drug marketplace goes dark – Axios

While many of these stories are written by mainstream media outlets and are geared toward the layperson, it’s interesting to think about it from the point-of-view of someone who spends a lot of time on the dark web (or someone who’s bought and/or sold goods on the market, for that matter).

The subreddit /r/DarkNetMarkets, which is your guide to all things darknet market-related, has a bit more inside info, although even those involved with the market aren’t necessarily sure what happened.

[Image: /r/DarkNetMarkets thread, censored]

Though he did not give proof, one of the vendors on this subreddit speculated that the market’s downtime might be due to a seizure of hardware from dark web site owners in Quebec: Vente dans le «Dark Web»: la police procède à deux perquisitions (As you can see, the article is in French, but you can loosely translate it.)

In English, the article says that “…the RCMP’s integrated technology crime group conducted two searches in connection with a global network of illicit drug sales in the Dark Web [sic].” At least that’s the Google translation – no, I don’t speak French.

This points to a couple of possibilities: either the FBI seized one of AlphaBay’s servers (and all the data that would be included, such as hashed passwords, vendor information, private messages, etc.); or that the admins of the site closed it down in anticipation of a raid. Even if it’s the former, I doubt they were able to confiscate everything.

Again, however, just like those in the conversation over on Reddit, I’m just hypothesizing, so don’t take what I’m saying here as gospel. I’m not a member of LE (I swear!), nor do I want to be. Even if the feds did seize evidence from AlphaBay, I hope that it will be up and running again.

If that’s not the case, then I suppose you’ll have to take your business elsewhere.

In the meantime, I’ll be keeping an eye on the developments.

Stay trippy, my friends!

A Few Pseudo-Random Onion Links


I’ve been told repeatedly that there is no such thing as “true” randomness, because everything has some kind of pattern to it.

That aside, I’ve constantly been trying to come up with onion links to share, and thought that perhaps I could do this by using the onion list at All Onion Services. What I’m going to do is hit the “Random” button a few times, and then list some of the links that come up.

Unfortunately, I can’t guarantee that there will be anything on these links, but it’s worth a shot. If there isn’t anything on the page, either it’s down, it’s unreachable, or no one has built a site at that particular address yet.

WARNING: Visit these at your own risk. I haven’t checked them all out personally.

http://n77rmxpuyhpr2g22.onion/

http://awhrkdwx3qsmgnot.onion/

http://22qbqzw6qcs2eku3.onion/

http://25sewxptlwhap3c2.onion/

http://wmrumtlwo3l37w22.onion/

http://nb2awtjoa4vpmwha.onion/

http://rscnq5uvtwj5x6od.onion/

http://cszmfevi6owywum6.onion/

http://xioqywsfdtsjr33d.onion/

http://li5w5cnmaeuqceou.onion/

http://5tepdchtxovcecp3.onion/

http://3y5d7pcjxpbukzxf.onion/

http://e6o5qjghi2umqech.onion/

http://pa3ldnwz2tyv7hcw.onion/

Tell me in the comments if you found anything interesting. If not, maybe I’ll try this again!

Discontinued Darknets??

Given that privacy and anonymity are such a hot topic these days, there are many projects that various people and organizations are developing for just that reason. Several of these I’ve already mentioned multiple times, including Tor, I2P, Freenet, and ZeroNet.

Nonetheless, I find the defunct ones to be just as interesting, partly because some of them used different methods for disguising one’s identity. A few that I’ve had a chance to check out are:

  1. Osiris Serverless Portal System
  2. anoNet: Cooperative Chaos
  3. Umbra (by the Shadow Project)
  4. StealthNet

Some of these, in spite of no longer being developed, are still available for download, so you can check them if you’re just curious.

I thought I would give a brief explanation of each of these, and then let you explore on your own, if you wanted to find out more.

Osiris SPS

[Image: Osiris]

Osiris is a program used to create web portals that are distributed via P2P networking and are not reliant on central servers (hence the name “serverless portal system”). Data on Osiris portals is shared between all participants. According to the Wikipedia article on Osiris, these are some of its key features:

  • The system is anonymous. It is not possible to make an association between a user and their IP address, hence one cannot trace the person who created a content.
  • Even with physical access to an Osiris installation it is impossible to trace the actual user without knowing his password.
  • 2048-bit digital keys guarantee the authenticity of content (digitally signed in order to prevent counterfeiting) and the confidentiality of private messages (encrypted between the sender and recipient).
  • To prevent the ISP from intercepting traffic, connections and data transfer to a portal (called alignment), Osiris uses random ports which are cloaked during handshake and encrypted point-to-point via 256-bit AES.
  • The P2P distribution allows content to be present in multiple copies as a guarantee of survival in case of hardware failure or nodes off-line.
  • As the portals are saved locally, one can read the contents even if one works off-line.

In some ways, Osiris is also like Freenet, in that it uses P2P distribution of content, has a reputation system, and uses cryptographic keys as identifiers.

Now, for those of you looking for creepy and disturbing stuff, I’ve never found any of that on Osiris. That wasn’t really my intention when I started using it. I was exploring other anonymity networks and software that I had yet to use.

The problem with Osiris is that it seems as though it’s no longer being developed, as I mentioned. Still, for the curious who just want to check it out, click the link above.

anoNet

[Image: anoNet]

anoNet was a Wide Area Network (WAN) created in 2005. Its creators were a few people who were tired of the surveillance and constant data collection that still takes place on the clearnet today.

As on Freenet or ZeroNet, they wanted it to have functions like social networking, messaging, email, and website publishing, but the ability to do all of these anonymously. The network used OpenVPN, tinc, Quagga, BIRD, and QuickTun. OpenVPN and QuickTun were used to quickly connect nodes to one another, while BIRD and Quagga were used to exchange routing information with others on the network, allowing all peers to connect to each other easily.

What I’m not entirely sure of is if you can still connect to the network at all, since various sources have listed it as defunct. It may be similar to Osiris, in that it isn’t actively being developed, but the software is still available.

Umbra

[Image: Umbra wallet overview]

Umbra, like Osiris, isn’t really defunct, but it isn’t being actively developed. It was a division of The Shadow Project, the creators of the ShadowCash cryptocurrency.

It could be used for anonymous chat, messaging, email, and hosting websites (much like Freenet or ZeroNet). I haven’t had the chance to use it yet myself, but I would enjoy just playing around with it, if for no other reason than learning…and fun!

StealthNet

[Image: StealthNet]

StealthNet was an anonymous P2P filesharing network, based on an earlier model, called RShare. Like many other P2P networks, traffic was routed through other nodes in the network, helping to keep users anonymous.

For better or worse, this project, too, has been discontinued. If you’re just curious about it, however, it looks as though you can download the software. It’s unlikely that there will be many (if any) peers to connect to, which kind of defeats the purpose of a P2P network!

Anyhow…

Despite the fact that these networks have been discontinued, I expect that others like them are being developed right now, or will be in the future.

As I always say, if you’re a budding developer, why don’t you create one? It could eventually be something big!

Fresh Onions: Best Tor Link List?

[Image: OnionScan transitive graph]

It doesn’t surprise me in the least that you dark web explorers are constantly looking for new links.

I used to often use Harry71’s Onion Spider as a go-to link list when I was looking for new and unusual onion sites. Unfortunately, he no longer updates the site (even though the URL is still active).

That being said, have you heard of the site Fresh Onions? It can be found at http://zlal32teyptf4tvi.onion/.

[Image: Fresh Onions]

Fresh Onions has its fair share of onion links, and like Harry71’s former site, it’s updated frequently. I was going to take a screenshot of the whole site, but on the device I’m currently using, that function was disabled.

Basically, the list of onions can be sorted by URL, title, how recently each was added, when it was last visited, or when it was last up (i.e. active). At the time of this writing, it lists 4470 onions, and growing.

So you may be wondering – what kinds of sites are on it?? Well, at first glance, I see a lot of tech sites, some markets, a few forums, and some scam sites. Just what I expected!

While I have yet to create my own onion crawler, here’s a short sampling of some of the sites that are listed on Fresh Onions (note – I make no claim as to the authenticity of any of these; if it sounds like a scam, it probably is.):

http://geekrakaz7kioics.onion – Dark Forum (an anonymous hacking forum)

http://answerstedhctbek.onion – Hidden Answers

http://atmskima36v2nqdc.onion – ATM Skimmer for Sale (likely a scam)

http://hbwc3pyawkeixqtk.onion – DeepHouse – Bienvenue sur DeepHouse!

http://sourcel3zg2kzu4k.onion – Sourcery

http://by5cptxw44znwsbn.onion – Index of /

http://onicoyceokzquk4i.onion – .onion searcher

http://kwf4zz4colvmzb42.onion – Ooga Booga

http://4pf5lakpitrmnpnp.onion – Dungeon Masters: Welcome to Pier!

http://tordox5bgdpmnong.onion – couldn’t connect to this one, but it sounds like a doxing site.

http://nsz6gzlqldxhrvex.onion – NEMESIS Ransomware

http://dark666b5l2e3lcu.onion – Dark Host – real TORland hosting with onion address

Anyhow, if you want to check out the full list, visit the Fresh Onions link above. Have fun, dark web explorers, and don’t get scammed (or kidnapped, for that matter)! I kid.
