Security Watch : Don't get burned by viruses and hackers
Hacking anonymity
By Robert Vamosi 
Senior editor, CNET Reviews
October 20, 2006

Recently, Department of Homeland Security secretary Michael Chertoff said, "We now have [the] capability of someone to radicalize themselves over the Internet," according to news service Reuters. Chertoff, speaking of homegrown terrorists, not necessarily international terrorists, went on to say, "They can train themselves over the Internet. They never have to necessarily go to the training camp or speak with anybody else, and that diffusion…of hatred and technical skills in things like bomb-making is a dangerous combination." He concluded that we may not be able to detect these individuals using the Web.

Buzz regarding terrorists using the Web is nothing new. Back in 2001 there was considerable chatter about Osama bin Laden using steganography, the practice of embedding an image or text inside another image. The theory was that bin Laden's associates downloaded pornographic images from the Web with detailed terror plot instructions embedded within. The truth is, years later, there isn't any evidence to support this theory, and it has gone out of favor. But what Chertoff is talking about here is slightly different: he says that Web sites are hosting Web seminars on terror tactics, and community sites are networking terror-minded individuals. Although Chertoff didn't say this, it sounded to me that he was criticizing the use of anonymizing Web services in general.

Is there anonymity on the Internet?
A few weeks ago, I wrote about the myth of online anonymity, based on research by Dr. Neal Krawetz of Hacker Factor Solutions, which suggests that how you type can reveal a lot about you. Part of Krawetz's research involves resolving the user's true IP address. IP addresses are assigned whenever you access the Internet; either it's a static address that's previously been assigned to you or one that is assigned on the fly by your Internet Service Provider. While you surf, that IP address follows you, allowing Web sites to glean some information about the type of Internet service you have (geography, ISP service, connection speed). In some cases, law enforcement can also deduce who was using the Internet from a specific location.


But what if you could obscure your IP address? While there are commercial services, one free network exists. The Onion Router (TOR) network is basically a tunneling system that allows users to connect to the Internet without revealing their true IP address. TOR routes encrypted data through various nodes located around the world. The target Web site sees only the last node, or exit node, which may be thousands of miles away from the real user. Taking advantage of TOR requires some browser configuration. That's why Torpark, a browser based on the Mozilla Firefox 1.5 browser, was created. Torpark immediately connects to the TOR network and even allows you to change exit nodes every few minutes. When we tried Torpark, our default home page came up, variously, as Google France, Google Denmark, and even Google USA (but from a state other than our own).

Hacking TOR
TOR is endorsed by the Electronic Frontier Foundation (EFF) and is designed to let individuals circumvent Web censorship in countries such as China; however, the network could be used by criminals or even terrorists. Andrew Christensen, a Danish researcher at PacketStormSecurity.org, decided to see if he could determine who was using TOR by breaking the network's supposed anonymity. His theories about how he might do this appeared last spring in a paper entitled Peeling the Onion (coauthored with Dan Fearch of ScanNet). Now Christensen has published working code in a paper called Practical Onion Hacking (a PDF).

Christensen concluded that he could find no obvious flaws within the TOR network itself. Instead, he decided to exploit flaws in Web traffic, namely flaws within JavaScript and Shockwave/Flash. Christensen set up an exit node under his control, then injected TOR traffic with an iframe containing JavaScript and Flash components designed to phone home, allowing him to see who it was that used the network. Basically, Christensen needed to bypass TOR completely by injecting code that communicated directly with the user's real IP address.


So who is using TOR?
Christensen found that the users of his TOR exit node were mostly Chinese, although he admits that "we don't know if this [is] simply proportional to who is using TOR or is a result of popular browser types / settings in China." Previously, Christensen reported seeing traffic through his exit node from Germany and Eastern Europe as well.

So are criminals using anonymizing services to arrange crimes over the Internet? Yes, but security experts agree that criminals (and possibly terrorists) have their own methods of anonymizing their Web traffic. So far, the bad guys aren't really using the TOR network.

So will DHS protect us?
So where are the homegrown terrorists? Secretary Chertoff made his comments about online terrorism boot camps while announcing that DHS hopes to have up to 35 cyberinvestigators in place by next year. That's not good enough. DHS, which only recently found an undersecretary of cybersecurity after a vacancy of 18 months, has other technical problems as well. A report by the Office of the Inspector General for DHS found that computer systems within DHS still have not been certified, nor is there a contingency plan for emergencies. For example, DHS lacks its own procedures for contacting law enforcement in the case of data breaches. As researchers Dr. Krawetz and Christensen have shown, the means to discover clandestine operations on the Internet exist, but as Chertoff concludes, we just don't have the bodies to go and find them.

As for legitimate users who want to surf anonymously, Christensen says that turning off enhancements such as Flash, ActiveX, Java, and JavaScript will help make his detection methods fail. He also advises against using the TOR network to stream video (since his method uses media plug-ins to detect a user's true IP address). This will, of course, break sites like Google, Yahoo, and YouTube, but TOR networks aren't recommended for recreational use.
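The attack Christensen describes and the mitigation he recommends both come down to one pattern: a page fetched through an exit node arrives with active content (an iframe, script, or Flash object) that the site you asked for never served, loading from a host the site never referenced. The following scanner, an added example that is not code from the column or from Christensen's paper, flags that pattern in a page's HTML and then applies the column's advice (JavaScript and plug-ins switched off) to show which of the flagged elements a browser would still fetch. The page URL, the sample HTML, and the `phone-home.invalid` host are constructed for the example; `.invalid` is a reserved name and resolves nowhere.

```python
"""Detect active content injected into pages fetched over an anonymizing
proxy. Added example; not from the column or from Christensen's paper.

The column describes a hostile exit node adding an <iframe> (carrying
JavaScript and Flash) to ordinary pages so that the browser contacts the
attacker directly. Such content loads from a host the page never referenced,
so a scanner that compares each active element's origin with the page's own
origin surfaces it.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Elements that fetch or execute active content, and the attribute that
# names the remote resource for each.
ACTIVE_ELEMENTS = {
    "script": "src",
    "iframe": "src",
    "frame": "src",
    "object": "data",
    "embed": "src",
    "applet": "code",
}


class ActiveContentScanner(HTMLParser):
    """Collects (tag, absolute_url, same_origin) for every active element."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_ELEMENTS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if not attrs.get(attr_name):
            # Inline script or a sourceless object: active content with no
            # remote host to compare, so it is recorded as same-origin.
            self.findings.append((tag, None, True))
            return
        url = urljoin(self.page_url, attrs[attr_name])
        host = urlparse(url).netloc.lower()
        self.findings.append((tag, url, host == self.page_host))


def scan_page(html, page_url):
    """Return every active element in the page with its resolved URL."""
    scanner = ActiveContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def off_origin_active_content(html, page_url):
    """Return findings that load active content from a host other than the
    page's own: the signature of the exit-node injection in the column."""
    return [f for f in scan_page(html, page_url) if not f[2]]


def would_load(findings, scripts_enabled, plugins_enabled):
    """Apply the column's mitigation (JavaScript and plug-ins off) and report
    which flagged elements a browser under that policy would still fetch.
    An iframe is plain HTML and loads regardless; the two switches govern
    what can execute inside it."""
    plugin_tags = {"object", "embed", "applet"}
    kept = []
    for tag, url, same in findings:
        if tag == "script" and not scripts_enabled:
            continue
        if tag in plugin_tags and not plugins_enabled:
            continue
        kept.append((tag, url, same))
    return kept


# Constructed sample: what a user might receive through a hostile exit node.
# The first script is the site's own; the iframe and the Flash object point
# at a placeholder attacker host on the reserved .invalid domain.
SAMPLE_PAGE_URL = "http://www.example.com/news/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
</head><body>
<p>Ordinary page content.</p>
<iframe src="http://phone-home.invalid/track.html" width="1" height="1">
</iframe>
<object data="http://phone-home.invalid/beacon.swf"
        type="application/x-shockwave-flash"></object>
</body></html>
"""

if __name__ == "__main__":
    suspicious = off_origin_active_content(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for tag, url, _ in suspicious:
        print(f"off-origin <{tag}> loading {url}")
    still = would_load(suspicious, scripts_enabled=False, plugins_enabled=False)
    print("still fetched with scripts and plug-ins off:",
          [tag for tag, _, _ in still])
```

Two caveats worth keeping in mind when using a check like this. An exit node that can rewrite a plaintext response can also serve the injected resource under the site's own path, so an origin comparison catches the pattern the column describes but not every variant; the reliable defences remain the ones the column gives (no Flash, ActiveX, Java, or JavaScript while anonymized) together with end-to-end HTTPS, which the exit node cannot rewrite. And the `would_load` result shows why the advice is stricter than it first appears: with scripts and plug-ins off, the injected iframe is still fetched, but nothing inside it can run.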

Do you worry about criminals and terrorists using the Internet? Or is this just a product of the media and politicians? Talk back to me.

