Cryptomining Malware – How criminals use your devices to get wealthy!

Has your computer ever been slow without you being able to tell why? Nowadays, illicit cryptomining can be the cause of such performance problems. It dethroned ransomware as the top cybersecurity threat in 2018 (Webroot Threat Report 2018). A simple website visit can start the mining process, either as JavaScript running in the background of the browser or through malware accidentally installed on your computer. These two modes of illicit cryptomining are called browser-based cryptojacking and binary-based cryptomining. In both cases the combined hash rates can reach those of medium-sized mining farms. This blog article gives an overview of binary-based cryptomining malware, where the mining process is embedded in the payload of a malware. Criminals hide it as well as possible, which makes it hard to detect and lets them earn a massive income. All the tools they need to start a malicious cryptomining business are easy to get in underground markets; malware, for example, can be purchased for a few dollars (the average cost of an encrypted miner for Monero (XMR) is 35 $). We will also take a quick look at how companies legally use cryptomining to monetize web content as an alternative business model.

Source: “A First Look at the Crypto-Mining Malware
Ecosystem: A Decade of Unrestricted Wealth”
by S.Pastrana and G.Suarez-Tangil

Basics

This part covers the basics required for the rest of this article.

Mining Pools

Since more and more computational power is required to mine cryptocurrencies, mining pools have become popular. A mining pool is a collection of miners who pool their resources to mine a cryptocurrency and share the rewards for every calculated block. Mining pools have advantages and disadvantages. One main advantage is a more stable income, due to better chances of solving the cryptographic puzzle for the next block. On the other hand, miners have to share their rewards, which can be seen as a disadvantage, but without enough resources the outcome of mining alone is potentially lower. (Mining Pools and How They Work 2019)

Cryptocurrency Wallets

Cryptocurrency wallets are not exactly like the wallets we know from daily life. Users can monitor their balance, send money or execute other operations. A virtual wallet contains a private and a public key to perform these operations; the keys are used to access the public blockchain address and to confirm a transaction. The private key is used to authorize the wallet owner's transactions, and the public key is similar to an International Bank Account Number. For example, if someone wants to transfer money to your wallet, this person needs your public key, but you don't receive actual money on an account: the transfer exists only as a transaction record on the blockchain and a balance change in your cryptocurrency wallet. It is important to know that the private key is totally unique and, if it is lost, the wallet is no longer accessible to its owner. (What is a wallet 2019)

Binary-based Mining

Binary-based mining is the common way to mine cryptocurrency: users install a program or application on a device to mine. That is the legitimate case, where the user receives the rewards for the computing performance provided. It becomes illicit when a malicious actor gains access to the user's computing power through malware and mines for their own benefit. The mining software is installed on the computer and drains the CPU performance of the victim, while the reward payments go to the wallet of the attacker.

Browser-based Mining

In addition to binary-based mining, we will have a brief look at browser-based cryptojacking, the second type of illicit cryptomining. Illicit browser-based mining has been rising continually in the past years. As mentioned in the introduction, it is really easy to run into: as long as a user navigates on a website and uses its services, the mining process is running, because the victim's browser executes the scripts that perform the mining. It is only illicit if the user is not aware of it. Some websites use this method to generate money legally for maintenance, as a form of donation or as a substitute for advertising. For example, UNICEF Australia used this method to collect donations. (UNICEF Donation 2019)

Source: thehopepage.org

UNICEF notifies users about the procedure and starts the mining operation on their devices only after they agree to the terms, which makes the activity legitimate.

Key Enablers of Illicit Cryptomining

The key enablers that allow malicious actors to conduct illicit cryptomining were analyzed by the Cyber Threat Alliance in 2018 (The Illicit Cryptocurrency Mining Threat 2018). Let's have a look at these factors:

  • It is more profitable because of the increased value of cryptocurrencies.
  • Cryptocurrencies with anonymous transactions, such as Monero and Ethereum, can be mined with personal computers or IoT devices, which creates a potential attack surface.
  • Malware and browser-based exploits are easy to use and easily available.
  • The number of mining pools is increasing, facilitating the pooling of resources and providing a scalable method for mining.
  • Enterprises and individuals with inadequate security measures are targets for malicious actors and are unaware of the potential impact on their infrastructure and operations.

Most popular Cryptocurrency

Since the popularity of Bitcoin for illicit cryptomining dropped over time, because of the increased amount of time it takes to calculate a single coin, underground economies focus on other cryptocurrencies like Monero (XMR). Monero is the most popular cryptocurrency for illicit cryptomining because of its use of innovative ring structures and decoys to keep transactions completely untraceable. (Webroot Threat Report 2019) Researchers found that 4.32% of the circulating XMR was mined with cryptomining malware, with an estimated revenue of nearly 57 million USD. (First Look 2019)

Damage caused by Cryptomining

Cryptomining can cause serious damage in different ways. It drains the CPU, which could be noticed easily while using an infected computer, but criminals use distinct methods to evade detection of the mining process; these methods are explained later in the article. Another main damage is the increased power consumption of the CPU or GPU, which causes high electricity bills. Through the excessive load on the computer components during the process, the hardware deteriorates rapidly.

How Criminals spread the Malware

The common approach to spread the malware is to host it on public cloud storage sites such as Amazon Web Services (AWS), Dropbox, Google Drive, GitHub and so on. Criminals often hide the malware inside stock mining software such as xmrig or xmr-stak. Another approach is the use of botnets, which are offered as pay-per-install (PPI) services on deep web markets. (First Look 2019)

Source: “A First Look at the Crypto-Mining Malware
Ecosystem: A Decade of Unrestricted Wealth”
by S.Pastrana and G.Suarez-Tangil

A further, and probably the oldest, approach to deliver these executables to a user is malicious spam or exploit kits sent by email. The malware infects the computer once the attachment is opened. Once the machine has installed the malicious mining software, it starts to mine cryptocurrency. In some cases the malware also scans the network for further accessible devices and tries to infiltrate them with an exploit.

Mechanisms to evade Detection

As mentioned earlier, most cryptomining malware makes use of stealth techniques: the harder it is to detect, the longer the malware can use the computing power. Idle mining starts the mining process only when the computer has been idle for a certain time and no operations are running. If you leave your computer on without using it for a longer period, the mining process starts and runs as long as there is no interaction with the computer; after an interaction the process shuts down and the performance is available to the user again. The programmers of the malware take care in many ways to evade detection. Some cryptomining malware has different modes for desktops and laptops to get the best computing power out of the infected device; on a laptop, for instance, it takes only as much performance as possible while keeping the fans quiet. Another technique is execution stalling code, which makes the process almost invisible while the Task Manager is running: as soon as the Task Manager opens, the miner reduces its CPU utilization. This execution stalling can be bypassed by using other process monitoring applications. Furthermore, cryptomining campaigns use domain aliases (e.g. CNAME records) to prevent blacklisting of mining pools.

Source: coindesk.com [Accessed 4. September 2019]

The image above shows how the execution stalling of the malicious miner called Norman works. Norman is an XMRig-based cryptominer that avoids detection: when the Task Manager opens, the malware stops operating, and it re-injects itself as soon as the Task Manager is closed.

Source: “THE ILLICIT CRYPTOCURRENCY MINING THREAT” by the Cyber Threat Alliance

The figure above shows another stealth technique, described by Palo Alto Networks: this cryptomining malware uses only 20 percent of the machine's CPU. The benefit of this method is that the malware persists longer on the infected machine and avoids detection, at the cost of lower mining performance than would be possible.
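The three behaviours described above (idle mining, execution stalling while a process monitor is open, and a fixed throttle around 20 percent) each leave a characteristic shape in CPU telemetry, which is what a defender can key on. The following script is an added example written for this article, not code from the cited reports or from any product: it runs three simple heuristics over constructed samples of (CPU load, user idle, process monitor open). The thresholds and the sample captures are assumptions chosen for illustration; on a real endpoint the samples would come from the operating system's performance counters.

```python
"""Heuristics for the CPU-load signatures of stealthy miners (constructed data)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    t: int              # seconds since the start of the capture
    cpu_pct: float      # total CPU utilisation in percent (0-100)
    user_idle: bool     # True when there has been no keyboard/mouse input for a while
    monitor_open: bool  # True while Task Manager or another process monitor is running


def _mean_cpu(samples, predicate):
    vals = [s.cpu_pct for s in samples if predicate(s)]
    return mean(vals) if vals else None


def detect_idle_mining(samples, margin=40.0):
    """Idle mining: load is high only while the user is away and drops as soon as
    they come back. Monitor-open samples are excluded so the heuristics stay separate."""
    idle = _mean_cpu(samples, lambda s: s.user_idle and not s.monitor_open)
    active = _mean_cpu(samples, lambda s: not s.user_idle and not s.monitor_open)
    if idle is None or active is None:
        return False
    return idle - active >= margin


def detect_monitor_stalling(samples, margin=40.0):
    """Execution stalling (the Norman pattern): load collapses exactly while a
    process monitor is open and resumes once it is closed."""
    closed = _mean_cpu(samples, lambda s: not s.monitor_open)
    opened = _mean_cpu(samples, lambda s: s.monitor_open)
    if closed is None or opened is None:
        return False
    return closed - opened >= margin


def detect_throttled_plateau(samples, floor=15.0, ceiling=50.0, max_stdev=5.0):
    """Throttled miner: a modest but steady load floor that never drops and does
    not react to user activity (the article describes a miner capped at 20%).
    A legitimately busy host can look similar, so treat a hit as a lead to be
    confirmed against the process list, not as a verdict."""
    vals = [s.cpu_pct for s in samples if not s.monitor_open]
    if len(vals) < 2:
        return False
    return floor <= min(vals) and max(vals) <= ceiling and pstdev(vals) <= max_stdev


def classify(samples):
    """Return the list of stealth patterns the capture matches (empty if none)."""
    flags = []
    if detect_idle_mining(samples):
        flags.append("idle-mining")
    if detect_monitor_stalling(samples):
        flags.append("monitor-stalling")
    if detect_throttled_plateau(samples):
        flags.append("throttled-plateau")
    return flags


def _series(spec):
    """Build a capture from (cpu_pct, user_idle, monitor_open) tuples, one every 10 s."""
    return [Sample(10 * i, cpu, idle, mon) for i, (cpu, idle, mon) in enumerate(spec)]


# Constructed captures for the demonstration; none of these is real telemetry.
CLEAN = _series([(3, True, False)] * 6 + [(40, False, False)] * 6 + [(42, False, True)] * 3)
IDLE_MINER = _series([(92, True, False)] * 6 + [(10, False, False)] * 6)
STALLING_MINER = _series([(95, False, False)] * 6 + [(4, False, True)] * 3 + [(95, False, False)] * 6)
THROTTLED_MINER = _series([(20, True, False), (22, False, False), (21, False, False), (20, True, False)] * 4)

if __name__ == "__main__":
    captures = [("clean", CLEAN), ("idle miner", IDLE_MINER),
                ("stalling miner", STALLING_MINER), ("throttled miner", THROTTLED_MINER)]
    for name, capture in captures:
        print(f"{name:16s} -> {classify(capture) or ['no stealth pattern']}")
```

The stalling heuristic is the cheapest to operate because the defender controls the trigger: opening and closing a process monitor while recording load from a second, independent source (a remote agent or a performance-counter log) turns the evasion itself into the signal.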

Campaigns

Source: “A First Look at the Crypto-Mining Malware
Ecosystem: A Decade of Unrestricted Wealth”
by S.Pastrana and G.Suarez-Tangil

Looking at the illicit cryptomining campaigns, we see a small number of actors monopolizing the cryptomining malware ecosystem. It is common for campaigns to mine in various pools; the most popular are crypto-pool, dwarfpool and minexmr, and there are successful campaigns that have been running for over 5 years without being detected. In the next part we will look at the most profitable campaigns that were still active in 2018 and were analysed by Sergio Pastrana of the Carlos III University of Madrid and Guillermo Suarez-Tangil of King's College London, whose paper this article is based on.

The Freebuf Campaign

The Freebuf campaign has been active since 2016 and is probably still active; it has mined over 163K XMR (approx. 18 million USD). It is named "Freebuf" after its main domain xt.freebuf.info. Statistics of two banned wallets show that they were connected to from 5,352 and 8,009 different IPs and had mined 362.6 and 1,283.7 XMR. The campaign used 7 wallets, which are connected to the mining pools minexmr and crypto-pool through domain aliases. After the ban of the two wallets the operator switched to another mining pool.

Source: “A First Look at the Crypto-Mining Malware
Ecosystem: A Decade of Unrestricted Wealth”
by S.Pastrana and G.Suarez-Tangil

The figure above shows the structure of the Freebuf campaign. The green nodes are malware miners and are connected to wallets, shown as blue nodes. Gray and pink nodes represent the infrastructure of the campaign: the gray nodes represent the contacted domain servers and the pink node the malware hosts. The red and orange nodes symbolize additional malware. As mentioned earlier, the campaign uses 7 wallets, which we can see in this graph. All the malware miners are connected to one of the wallets and linked to one mining pool, which is hidden behind a CNAME alias domain. We can see three different domain servers in this graph: xt.freebuf.info, x.alibuf.com and xmr.honker.info. All of them have been aliases of commonly used mining pools: xt.freebuf.info and xmr.honker.info are aliases for minexmr and x.alibuf.com for crypto-pool.

The USA-138 Campaign

The USA-138 campaign has mined at least 6,709 XMR (approx. 651K USD) using 5 wallets. An interesting point about this campaign is that it also mined the cryptocurrency Electroneum (ETN), earning 314.18 ETN in late 2018. This was worth less than 5 USD at the time, but can be seen as a speculative bet on the future.

Source: “A First Look at the Crypto-Mining Malware
Ecosystem: A Decade of Unrestricted Wealth”
by S.Pastrana and G.Suarez-Tangil

The figure above shows the structure of the USA-138 campaign. The meaning of the nodes is the same as described in the Freebuf campaign chapter.

Countermeasures

The simplest method to prevent cryptomining malware is to keep the antivirus updated and to avoid downloading tools from suspicious websites. Furthermore, the operating system should stay updated to close vulnerabilities and prevent injections. Another possibility is to track network data transfers and web proxy logs to detect attacks. If you suspect that the computer is slower than normal and illicit cryptomining might be draining the CPU/GPU, it is useful to monitor the activities and analyse whether any suspicious services are running. (Cryptominer Protection 2019)
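The CNAME aliasing used by the Freebuf campaign (xt.freebuf.info and xmr.honker.info fronting minexmr, x.alibuf.com fronting crypto-pool) and the countermeasure of tracking network transfers through web proxies meet in one check: resolve every contacted host to its canonical name and compare that against a list of known pool domains, so that an alias cannot hide the pool from a blocklist. The script below is an added example and not code from the paper or from any product. The DNS answers, the proxy log lines and the pool domain list are constructed for the demonstration; a real deployment would query a resolver and maintain its own list.

```python
"""Follow CNAME chains from proxy logs to unmask aliased mining pools (constructed data)."""
import re

# Constructed pool list; a real deployment maintains its own.
KNOWN_POOL_DOMAINS = {"minexmr.com", "crypto-pool.fr", "dwarfpool.com"}

# Constructed DNS view standing in for resolver answers: name -> (record type, target).
# The alias targets are assumptions; the article only states which pool each alias fronts.
DNS = {
    "xt.freebuf.info": ("CNAME", "pool.minexmr.com"),
    "xmr.honker.info": ("CNAME", "pool.minexmr.com"),
    "x.alibuf.com": ("CNAME", "xmr.crypto-pool.fr"),
    "pool.minexmr.com": ("A", "192.0.2.10"),
    "xmr.crypto-pool.fr": ("A", "192.0.2.20"),
    "cdn.example.net": ("CNAME", "edge.example.net"),
    "edge.example.net": ("A", "192.0.2.30"),
    "loop-a.example.net": ("CNAME", "loop-b.example.net"),
    "loop-b.example.net": ("CNAME", "loop-a.example.net"),
}


def canonical_name(name, dns=DNS, max_hops=8):
    """Return (canonical_name, chain). Stops at an A record, a dangling name,
    a CNAME loop or the hop cap, so hostile DNS data cannot hang the check."""
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        record = dns.get(current)
        if record is None or record[0] != "CNAME":
            return current, chain
        target = record[1]
        chain.append(target)
        if target in seen:
            return current, chain  # loop: keep the last unique name as canonical
        seen.add(target)
        current = target
    return current, chain


def is_known_pool(name, pools=KNOWN_POOL_DOMAINS):
    """Suffix match so sub.pool.example counts when pool.example is listed."""
    labels = name.lower().split(".")
    return any(".".join(labels[i:]) in pools for i in range(len(labels)))


def matches_pool(host, dns=DNS, pools=KNOWN_POOL_DOMAINS):
    canon, chain = canonical_name(host, dns)
    return is_known_pool(canon, pools), chain


# Constructed proxy log format: "<date> <time> <client> CONNECT <host>:<port>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+)")


def flag_proxy_log(lines, dns=DNS, pools=KNOWN_POOL_DOMAINS):
    """Return (client, host, resolution chain) for every connection that lands on a pool."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the sweep
        flagged, chain = matches_pool(m["host"], dns, pools)
        if flagged:
            hits.append((m["client"], m["host"], " -> ".join(chain)))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2019-09-04 10:00:01 10.0.0.5 CONNECT xt.freebuf.info:3333",
    "2019-09-04 10:00:02 10.0.0.5 CONNECT cdn.example.net:443",
    "2019-09-04 10:00:03 10.0.0.9 CONNECT x.alibuf.com:5555",
    "malformed line that the parser must tolerate",
    "2019-09-04 10:00:04 10.0.0.7 CONNECT loop-a.example.net:443",
]

if __name__ == "__main__":
    for client, host, chain in flag_proxy_log(SAMPLE_LOG):
        print(f"{client} contacted pool alias {host} ({chain})")
```

Blocking by canonical name rather than by the host literally seen in the log is the point: the alias domains change cheaply, the pool behind them much less so.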

The most successful measure against illicit cryptomining was the change of the Monero PoW (Proof-of-Work) algorithm in 2018, which stopped approximately 73% to 90% of the campaigns because their malware could not adjust to the change.

Conclusion

The fact is that cyberattacks with cryptomining malware are constantly rising, and enterprises and individuals are most of the time not aware of the situation. It causes enormous performance problems and hardware deterioration. The attackers are getting more and more creative with the use of stealth techniques, which makes the malware hard to detect. Cryptocurrency and cryptomining give them an almost anonymous platform to generate money on their victims' devices. That is what sets it apart from ransomware, where the victim is aware of the situation and can deal with it: cryptomining attacks are most of the time silent, and without awareness of this problem they will go on. As a common user you can only monitor your CPU/GPU performance for suspicious drops. Keep your antivirus software and operating system updated.


How does Tor work?

Written by Tim Tenckhoff – tt031 | Computer Science and Media

1. Introduction

The mysterious dark part of the internet, hidden in the depths of the world wide web, is well known as a lawless space for shady online drug deals or other criminal activities. But in times of continuous tracking on the Internet, personalized advertising and digital censorship by governments, the (almost) invisible part of the web also promises to bring back lost anonymity and privacy. This blog post aims to shed light into the dark corners of the deep web and primarily deals with the explanation of how Tor works.

Reference: Giphy, If Google was a person: Deep Web
  1. Introduction
  2. The Deep Web
    2.1 What is the Tor Browser?
  3. The Tor-Network
    3.1 Content
    3.2 Accessing the Network
    3.3 Onion Routing – How Does Tor Work?
  4. Conclusion – Weaknesses
  5. References

2. The Deep Web

So, what exactly is the deep web? To explain this, it makes sense to cast a glance at the overall picture. The internet as most people know it forms only a minimal proportion of the overall 7.9 Zettabyte (1 ZB = 1000^7 bytes = 10^21 bytes = 1,000,000,000,000,000,000,000 bytes = 1 trillion Gigabytes) of data available online (Hidden Internet 2018). This huge amount of data can be separated into three parts:

Separation of the worldwide web, Reference: (Search Engines 2019)

As seen in the picture above, we are accessing only the 4% available on search engines like Google or Bing. The remaining 96% (90% + 4%) are protected by passwords, hidden behind paywalls or accessible only via special tools (Hidden Internet 2018). But what separates the hidden parts into Deep Web and Dark Web by definition?

The Deep Web fundamentally refers to data that is not indexed by any standard search engine such as Google or Yahoo. This includes all web pages that search engines cannot find, such as user databases, registration-required web forums, webmail pages and pages behind paywalls. Thus, the Deep Web can, of course, contain content that is totally legal (e.g. governmental records). The Dark Web is a small part of the Deep Web and refers to web pages that cannot be found by common search engines. The collection of websites that belongs to this Dark Web only exists on an encrypted network that cannot be reached by regular browsers (such as Chrome, Firefox, Internet Explorer, etc.). Consequently, this area is a well-suited scene for cybercrime. Accessing these Dark Websites requires the use of the Tor Browser.

…hidden crime bazaars that can only be accessed through special software that obscures one’s true location online.

– Brian Krebs, Reference: (Krebs On Security 2016)

2.1 What is the Tor Browser?

The pre-alpha version of the Tor Browser was released in September 2002 (Onion Pre Alpha 2002), and the Tor Project, the organization maintaining Tor, was started in 2006. The name Tor consists of three subterms and is the abbreviation of The onion router. The underlying Onion Routing Protocol was initially developed by the US Navy in the mid-1990s at the U.S. Naval Research Laboratory (Anonymous Connections 1990). The protocol basically describes a technique for anonymous communication over a public network: each message is encapsulated in several layers of encryption, and Internet traffic is redirected through a free, worldwide overlay network. It is called onion routing because the layers in this network resemble the layers of an onion. Developed as free and open-source software for enabling anonymous communication, the Tor Browser still follows its intended use today: protecting personal privacy and communication by shielding Internet activities from being monitored.

With the Tor Browser, almost anyone can get access to The Onion Router (Tor) network simply by downloading and running the software. The browser does not need to be installed on the system and can be unpacked and carried as portable software on a USB stick (Tor Browser 2019). Once started, the browser connects to the Tor network, a network of many servers, the Tor nodes. While surfing, the traffic is encrypted by each of these Tor nodes. Only at the last server in the chain of nodes, the so-called exit node, is the data stream decrypted again and routed normally via the Internet to the target server whose address is in the address bar of the Tor browser. In concrete terms, the Tor browser first downloads a list of all available Tor servers and then defines a random route from server to server for the data traffic, which is called Onion Routing as said before. These routes consist of a total of three Tor nodes, with the last server being the Tor exit node (Tor Browser 2019).

Connection of a Web-Client to Server via Tor Nodes, Reference: (Hidden Internet 2018)

Because traffic to the onion service runs across multiple servers from the Tor Project, the traces that users usually leave while surfing with a normal Internet browser or exchanging data such as email and messenger messages become blurred. Even though the payload of normal Internet traffic is encrypted, e.g. via HTTPS, the header containing routing source, destination, size, timing etc. can simply be spied on by attackers or Internet providers. Onion routing, in contrast, also obscures the IP address of Tor users and keeps their computer's location anonymous. To continuously disguise the data route, a new route through the Tor network is chosen every ten minutes (Tor Browser 2019). The exact functionality of the underlying encryption is described later in section 3.3 Onion Routing – How Does Tor Work?.

3. The Tor-Network

For those concerned about the privacy of their digital communications in times of large-scale surveillance, the Tor network provides the optimal obfuscation. The following section explains which content can be found on websites hidden in the dark web, how the multi-layered encryption works in detail, and what kind of anonymity it actually offers.

3.1 Content

Reference: Giphy: SILK ROAD GIF BY ANTHONY ANTONELLIS

Most of the content in relation to the darknet involves nefarious or illegal activity. With the provided possibility of anonymity, there are many criminals trying to take advantage of it. This results in a large volume of darknet sites revolving around drugs, darknet markets (sites for the purchase and sale of services and goods), and fraud. Some examples found within minutes using the Tor browser are listed in the following:

  • Drug or other illegal substance dealers: Darknet markets (black markets) allow the anonymous purchase and sale of medicines and other illegal or controlled substances such as pharmaceuticals. Almost everything can be found here, quite simply in exchange for bitcoins.
  • Hackers: Individuals or groups looking for ways to bypass and exploit security measures for their personal benefit or out of anger at a company or action (Krebs On Security 2016) communicate and collaborate with other hackers in forums, share security attacks (using a bug or vulnerability to gain access to software, hardware, data, etc.) and brag about attacks. Some hackers offer their individual services in exchange for bitcoins.
  • Terrorist organizations use the network for anonymous Internet access, recruitment, information exchange and organisation (What is the darknet?).
  • Counterfeiters: Offer document forgeries and currency imitations via the darknet.
  • Merchants of stolen information: Offer e.g. credit card numbers and other personally identifiable information, which can be accessed and ordered for theft and fraud activities.
  • Weapon dealers: Some dark markets allow the anonymous, illegal purchase and sale of weapons.
  • Gamblers play or connect in the darknet to bypass their local gambling laws.
  • Murderers/assassins: Despite ongoing discussions about whether these services are real or legitimate, created by law enforcement or just fictitious websites, some dark websites exist that offer murder for hire.
  • Providers of illegal explicit material, e.g. child pornography: We will not go into detail here.

Screenshot of the infamous Silk Road (platform for selling illegal drugs, shut down by the FBI in October 2013), Reference: (Meet Darknet 2013)

But the same anonymity also has a bright side: freedom of expression. It offers the ability to speak freely without fear of persecution in countries where this is not a fundamental right. According to the Tor Project, hidden services allowed regime dissidents in Lebanon, Mauritania and the Arab Spring to host blogs in countries where the exchange of those ideas would be punished (Meet Darknet 2013). Some other use cases are:

  • To use it as a censorship circumvention tool, to reach otherwise blocked content (in countries without free access to information)
  • Socially sensitive communication: Chat rooms and web forums where rape and abuse survivors or people with illnesses can communicate freely, without being afraid of being judged.

A further example of​ that is the New Yorker’s Strongbox, which allows whistleblowers to upload documents and offers a way to communicate anonymously with the magazine (Meet Darknet 2013).

3.2 Accessing the Network

The hidden sites of the dark web can be accessed via special onion domains. These addresses are not part of the normal DNS, but can be interpreted by the Tor browser if they are sent into the network through a proxy (Interaction with Tor 2018). In order to create an onion domain, a Tor daemon first creates an RSA key pair, calculates the SHA-1 hash over the generated public RSA key, shortens it to 80 bits, and encodes the result into a 16-digit base32 string (e.g. expyuzz4waqyqbqhcn) (Interaction with Tor 2018). Because onion domains derive directly from their public key, they are self-certifying: if a user knows a domain, they automatically know the corresponding public key. Unfortunately, onion domains are therefore difficult to read, write or remember. In February 2018, the Tor Project introduced the next generation of onion domains, which can now be 56 characters long, use a base32 encoding of the public key, and include a checksum and a version number (Interaction with Tor 2018). The new onion services also use elliptic curve cryptography, so that the entire public key can now be embedded in the domain, whereas previous versions could only embed its hash. These changes enhanced the security of onion services, but the long and unreadable domain names again interfered with usability (Interaction with Tor 2018). Therefore, it is a common procedure to repeatedly generate RSA keys until the domain happens to contain the desired string (e.g. facebook). Such vanity onion domains look like this for Facebook (facebookcorewwwi.onion) or the New York Times (nytimes3xbfgragh.onion) (Interaction with Tor 2018). In contrast to the rest of the World Wide Web, where navigation is primarily done via search engines, the darknet often contains pages with lists of these domains for further navigation. The darknet deliberately tries to hide from the eyes of the searchable web (Meet Darknet 2013).
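The two address derivations just described can be carried out with nothing but hashing and base32, which is what makes the addresses self-certifying: anyone holding the public key can recompute the address, and anyone holding the address can check a key against it. The script below is an added example written for this article, not code from the Tor daemon. It derives the legacy 16-character address (SHA-1 over the DER-encoded RSA public key, first 80 bits, base32), builds and verifies the 56-character next-generation address (public key, two-byte checksum and version byte, base32), and shows the brute-force nature of the vanity search. Assumptions: the key bytes are placeholders constructed for the demonstration (SHA-1 and base32 do not care what they contain, so no key generation library is needed); the checksum layout follows the Tor v3 onion address specification, namely the first two bytes of SHA3-256 over ".onion checksum", the public key and the version byte; and the vanity search uses random 32-byte strings as stand-ins for real keys to show the cost, not to produce usable addresses.

```python
"""Derive and verify legacy (v2) and next-generation (v3) .onion addresses, stdlib only."""
import base64
import hashlib
import os

V3_VERSION = b"\x03"
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def v2_onion_address(rsa_public_key_der: bytes) -> str:
    """Legacy derivation: SHA-1 over the DER-encoded RSA public key, keep the
    first 80 bits, base32-encode them -> 16 characters."""
    digest = hashlib.sha1(rsa_public_key_der).digest()   # 160 bits
    truncated = digest[:10]                                # 80 bits
    return base64.b32encode(truncated).decode("ascii").lower() + ".onion"


def v3_checksum(ed25519_public_key: bytes) -> bytes:
    """Two-byte checksum: SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    h = hashlib.sha3_256(b".onion checksum" + ed25519_public_key + V3_VERSION).digest()
    return h[:2]


def v3_onion_address(ed25519_public_key: bytes) -> str:
    """Next-generation derivation: base32(PUBKEY || CHECKSUM || VERSION).
    35 bytes encode to 56 characters, so the whole key rides inside the name."""
    if len(ed25519_public_key) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = ed25519_public_key + v3_checksum(ed25519_public_key) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3_onion_address(address: str) -> bytes:
    """Self-certifying check: recover the public key, reject a bad version or
    a checksum mismatch (a mistyped or altered address)."""
    host = address[:-len(".onion")] if address.endswith(".onion") else address
    if len(host) != 56:
        raise ValueError("v3 onion host part must be 56 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address was altered or mistyped")
    return pubkey


def vanity_search(prefix: str, max_tries: int = 1_000_000, rng=os.urandom):
    """Brute force: try random public keys until the address starts with `prefix`.
    Random 32-byte strings stand in for real ed25519 keys here (any 32 bytes
    encode); an operator would generate real key pairs and keep the private
    half. Expected number of tries grows as 32 ** len(prefix)."""
    if any(c not in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    for _ in range(max_tries):
        candidate = rng(32)
        address = v3_onion_address(candidate)
        if address.startswith(prefix):
            return address
    return None


# Constructed placeholder key material; these are not real keys.
SAMPLE_RSA_DER = bytes(range(162))
SAMPLE_ED25519_PUB = bytes(range(32))

if __name__ == "__main__":
    print("v2:", v2_onion_address(SAMPLE_RSA_DER))
    v3 = v3_onion_address(SAMPLE_ED25519_PUB)
    print("v3:", v3, "-> key recovered:", parse_v3_onion_address(v3) == SAMPLE_ED25519_PUB)
    print("vanity 'a':", vanity_search("a"))
```

The checksum is why a v3 address rejects single-character typos instead of silently pointing at a different key; the v2 scheme has no such protection, which is one more reason the page's 16-character addresses were retired.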

3.3 Onion Routing – How Does Tor Work?

So how exactly does the anonymizing encryption technology behind Onion Routing work? As said before, the Tor browser chooses an encrypted path through the network and builds a circuit in which each onion router only knows (is able to decrypt for) its predecessor and its successor, but no other nodes in the circuit. Tor uses the Diffie-Hellman algorithm to generate keys between the user and the different onion routers in the network (How does Tor work 2018). The algorithm is one possible application of Public Key Cryptography, which makes use of two large prime numbers that are mathematically linked:

  1. A public-key — public and visible to others
  2. A private-key — private and kept secret

The public key can be used to encrypt messages, and the private key is in turn used to decrypt the encrypted content. This implies that anyone is able to encrypt content for a specific recipient, but only this recipient can decrypt it again (How does Tor work 2018).

Tor uses 3 nodes by default, so 3 layers of encryption are required to encrypt a message (How does Tor work 2018). It is important to note that every single Tor packet (called a cell) is exactly 512kb large; this is done so that attackers cannot guess which cells carry larger content, e.g. images or media (How does Tor work 2018). At every node the transferred message reaches, one layer of encryption is removed, revealing the position of the next successor in the circuit. As a result, the nodes in the circuit do not know where the message originated or what its final destination is (How does Tor work 2018). A simplified visualization of this procedure can be seen in the picture below.

Removing one layer of encryption in every step to the next node, Reference (How does Tor work 2018)
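The layered encryption in the figure, as an added example written for this article and not code from Tor or from the cited source: a client wraps its message in three layers keyed for the guard, middle and exit relay, and each relay peels exactly one layer, learning only who comes next. Assumptions: the per-hop keys are random bytes handed out beforehand (in Tor they come from the Diffie-Hellman handshake described above); the cipher is a toy HMAC-SHA256 keystream that stands in for Tor's real cell encryption and must not be used for anything else; and the 512-byte cell size is this example's own choice for the fixed-size framing.

```python
"""Toy onion routing: three layers of encryption, peeled one hop at a time."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
CELL_SIZE = 512  # fixed cell size chosen for this example


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    Demonstration only; a real circuit uses proper authenticated encryption."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def build_onion(route, destination: str, payload: str) -> bytes:
    """route: [(relay_name, shared_key), ...] from guard to exit. The innermost
    layer (for the exit) carries destination and payload; every outer layer
    names only the next hop and wraps the still-encrypted remainder."""
    exit_name, exit_key = route[-1]
    blob = seal(exit_key, json.dumps({"dest": destination, "payload": payload}).encode())
    next_hop = exit_name
    for name, key in reversed(route[:-1]):
        blob = seal(key, json.dumps({"next": next_hop, "inner": blob.hex()}).encode())
        next_hop = name
    return blob


def peel(key: bytes, blob: bytes):
    """What one relay does: strip exactly one layer and read only its own
    instructions. Returns (layer, inner) with inner=None at the exit."""
    layer = json.loads(unseal(key, blob))
    if "dest" in layer:
        return layer, None
    return layer, bytes.fromhex(layer["inner"])


def to_cells(blob: bytes):
    """Length-prefix and pad to whole cells so size reveals nothing about content."""
    framed = len(blob).to_bytes(4, "big") + blob
    framed += b"\x00" * ((-len(framed)) % CELL_SIZE)
    return [framed[i:i + CELL_SIZE] for i in range(0, len(framed), CELL_SIZE)]


def from_cells(cells) -> bytes:
    framed = b"".join(cells)
    n = int.from_bytes(framed[:4], "big")
    return framed[4:4 + n]


def traverse(route, blob: bytes):
    """Simulate the circuit: each relay's view is recorded, the exit delivers."""
    views = []
    for name, key in route:
        layer, inner = peel(key, blob)
        if inner is None:
            views.append({"relay": name, "sees": "destination+payload"})
            return views, layer
        views.append({"relay": name, "sees": f"next hop {layer['next']} + ciphertext"})
        blob = inner
    raise ValueError("circuit ended without reaching an exit layer")


def run_circuit(route, destination: str, payload: str):
    cells = to_cells(build_onion(route, destination, payload))
    views, delivered = traverse(route, from_cells(cells))
    return cells, views, delivered


if __name__ == "__main__":
    demo_route = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    cells, views, delivered = run_circuit(demo_route, "example.org:443", "GET / HTTP/1.1")
    print(len(cells), "cell(s) of", CELL_SIZE, "bytes")
    for v in views:
        print(f"{v['relay']:6s} sees: {v['sees']}")
    print("exit delivers:", delivered)
```

The guard sees the client's address and the middle relay's name, the exit sees the destination and payload, and nobody sees both; peeling with the wrong key yields bytes that do not even parse, which is the property the figure's "one layer per hop" is getting at.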

But how does the network allow different users to connect without knowing each other's network identity? The answer is so-called "rendezvous points", formerly known as hidden services (Onion Service Protocol 2019). The following steps are mainly extracted and summarized from the official Tor documentation on the Onion Service Protocol (2019) and describe the technical details of how this is made possible:

Step 1: Before a client is able to contact an onion service in the network, the service needs to advertise its existence. To do so, it randomly selects relays in the network and asks them to act as introduction points by sending them its public key. The picture below shows these circuit connections in the first step as green lines. It is important to mention that these lines mark Tor circuits, not direct connections. The full three-hop circuit makes it hard to associate an introduction point with the IP address of an onion server: even though the introduction point knows the onion server's identity (public key), it never knows the onion server's location (IP address) (Onion Service Protocol 2019).

Step 1: Reference: (Onion Service Protocol 2019)

Step 2: The service creates a so-called onion service descriptor that contains its public key and a summary of each introduction point (Onion Service Protocol 2019). This descriptor is signed with the private key of the service and then uploaded to a distributed hash table in the network. If a client requests an onion domain as described in section 3.2 Accessing the Network, the respective descriptor is found. If e.g. "abc.onion" is requested, "abc" is a 16 or 32 character string derived from the service's public key, as seen in the picture below.

Step 2: Reference: (Onion Service Protocol 2019)

Step 3: When a client wants to contact an onion service, it initiates the connection by downloading the descriptor from the distributed hash table as described before. If a descriptor exists for the address abc.onion, the client receives the set of introduction points and the respective public key. This action can be seen in the picture below. At the same time, the client establishes a circuit to another randomly selected node in the network and asks it to act as a rendezvous point by submitting a one-time secret (Onion Service Protocol 2019).

Step 3: Reference: (Onion Service Protocol 2019)

Step 4: Now the client creates a so-called introduce message (encrypted with the public key of the onion service) containing the address of the rendezvous point and the one-time secret. This message is sent to one of the introduction points, asking it to forward the message to the onion service as its final target. Because this communication again takes place over a Tor circuit, it is not possible to uncover the client's IP address and thus its identity.

Step 4: Reference: (Onion Service Protocol 2019)

Step 5: At this point, the onion service decrypts the introduce message, including the address of the rendezvous point and the one-time secret. The service is then able to establish a circuit to the now revealed rendezvous point and sends the one-time secret to that node in a rendezvous message. In doing so, the service keeps the same set of entry guards for the creation of new circuits (Onion Service Protocol 2019). Thanks to this technique, an attacker is not able to run their own relay and force the onion service to create an arbitrary number of circuits in the hope that the corrupt relay is randomly selected as the entry node. This attack scenario, which is able to uncover the anonymity of hidden services, was described by Øverlier and Syverson in their paper (Locating Hidden Servers 2006).

Step 5: Reference: (Onion Service Protocol 2019)
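The predecessor attack and the reason for fixed entry guards can be seen in numbers. The following simulation is an added example, not code from Tor or from the cited paper: the relay population, the attacker's single relay and the guard set size are constructed values, and circuit building is reduced to picking the first hop.

```python
import random

# Constructed relay population for this simulation (not real Tor relays). The attacker
# runs exactly one of them. Without guards every circuit picks its first hop uniformly
# at random; with guards the service fixes a small guard set once and reuses it.
RELAYS = [f"relay-{i:02d}" for i in range(50)]
ATTACKER_RELAY = "relay-07"
GUARD_SET_SIZE = 3


def build_circuit(first_hop_candidates, rng):
    """Three-hop circuit: entry from the candidates, middle and exit from the rest."""
    entry = rng.choice(first_hop_candidates)
    middle, exit_relay = rng.sample([r for r in RELAYS if r != entry], 2)
    return entry, middle, exit_relay


def attacker_becomes_entry(forced_circuits, use_guards, rng):
    """One run of the predecessor attack: the attacker makes the service open
    `forced_circuits` circuits and wins if its relay is the entry hop of any of them."""
    candidates = rng.sample(RELAYS, GUARD_SET_SIZE) if use_guards else RELAYS
    for _ in range(forced_circuits):
        entry, _, _ = build_circuit(candidates, rng)
        if entry == ATTACKER_RELAY:
            return True
    return False


def attack_success_rate(trials, forced_circuits, use_guards, seed=1):
    """Fraction of simulated services whose location the attacker learns."""
    rng = random.Random(seed)
    wins = sum(attacker_becomes_entry(forced_circuits, use_guards, rng)
               for _ in range(trials))
    return wins / trials


def expected_rate_without_guards(forced_circuits):
    """Closed form for the no-guard case: 1 - (1 - 1/N)^k for N relays and k circuits."""
    return 1 - (1 - 1 / len(RELAYS)) ** forced_circuits


if __name__ == "__main__":
    k = 200
    print("no guards  :", attack_success_rate(1000, k, use_guards=False),
          "expected", round(expected_rate_without_guards(k), 3))
    print("with guards:", attack_success_rate(1000, k, use_guards=True),
          "expected about", GUARD_SET_SIZE / len(RELAYS))
```

Without guards the attacker only has to be patient: with 50 relays and 200 forced circuits the chance of ever being the first hop is about 98%. With a fixed guard set the outcome is decided once, when the guards are chosen: the attacker's relay is either in the set (here a 3 in 50 chance) or it never becomes the entry node, no matter how many circuits it forces.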

Step 6: As the last picture below shows, the rendezvous point informs the client that the connection has been established. Afterwards both the client and the onion service use their circuits to the rendezvous point to communicate; the end-to-end encrypted messages are forwarded through the rendezvous point from the client to the service and vice versa (Onion Service Protocol 2019). The introduction circuit is never used for the actual communication, mainly for one reason: no single relay should be attributable to a particular onion service. Likewise, the rendezvous point never learns the identity of the onion service (Onion Service Protocol 2019). Altogether, the connection between client and onion service consists of six relays: three selected by the client, of which the third is the rendezvous point, and three selected by the service.

Step 6: Reference: (Onion Service Protocol 2019)

4. Conclusion – Weaknesses

Contrary to what many people believe (How does Tor work 2018), Tor is not a completely decentralized peer-to-peer system, nor could it be: the network relies on a small number of directory servers (the directory authorities) that continuously maintain and publish the state of the network.

Furthermore, Tor is not secured against end-to-end attacks. While it protects against traffic analysis inside the network, it cannot and does not attempt to protect against an adversary who monitors the traffic at both boundaries of the Tor network (the traffic entering and the traffic exiting it) and correlates the two; this remains an unsolved problem (How does Tor work 2018). Researchers from the University of Michigan even built a network scanner that identified 86% of the live Tor “bridges” worldwide with a single scan (Zmap Scan 2013). Another disadvantage of Tor is its speed: because packets are routed through several relays, each of which may be anywhere in the world, Tor is slow. Despite these weaknesses, the Tor browser is an effective, powerful tool for protecting a user's privacy online. It is worth keeping in mind that a Virtual Private Network (VPN) can also hide a user's IP address from the sites visited, without the significant slowdown of the Tor browser (Tor or VPN 2019), although it moves all trust to the VPN provider, which sees the user's real address and every connection. If total obfuscation and anonymity matter more than performance, a combination of both is recommended.
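What "monitoring both boundaries" buys an adversary is easy to show with a timing correlation. The script below is an added example (not from any of the cited sources): it constructs bursty packet timestamps for three clients as their guard relays would see them, replays the same flows with Tor-like delay and jitter as an exit-side observer would see them, and then matches clients to destinations purely by correlating per-bin packet counts. The delay, jitter, bin width and candidate lags are assumed values.

```python
import random

LAGS = [0.0, 0.25, 0.5, 0.75, 1.0]   # candidate Tor latencies the observer tries
BIN_WIDTH = 0.5                       # seconds per bin of the packet-count time series
HORIZON = 62.0                        # seconds covered by the constructed observations


def make_flow(rng, bursts=6, t_end=60.0):
    """Constructed bursty client traffic: sorted packet timestamps in seconds."""
    times = []
    for _ in range(bursts):
        start = rng.uniform(0, t_end - 2)
        times += [start + rng.uniform(0, 1.5) for _ in range(rng.randint(5, 20))]
    return sorted(times)


def after_tor(times, rng, base=0.3, jitter=0.2):
    """The same flow as seen leaving the exit relay: delayed and jittered by the circuit."""
    return sorted(t + base + rng.uniform(0, jitter) for t in times)


def bin_counts(times):
    """Packets per BIN_WIDTH-second bin over the observation horizon."""
    counts = [0] * (int(HORIZON / BIN_WIDTH) + 1)
    for t in times:
        counts[int(t / BIN_WIDTH)] += 1
    return counts


def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0


def best_correlation(entry_times, exit_times):
    """Correlate entry- and exit-side packet counts, trying each candidate lag."""
    exit_bins = bin_counts(exit_times)
    return max(pearson(bin_counts([t + lag for t in entry_times]), exit_bins) for lag in LAGS)


def correlate(entry_obs, exit_obs):
    """entry_obs: {client: timestamps seen at its guard}; exit_obs: {destination: timestamps
    seen at the exit}. Returns {client: destination} by highest correlation score."""
    matches = {}
    for client, entry_times in entry_obs.items():
        scores = {dest: best_correlation(entry_times, exit_times)
                  for dest, exit_times in exit_obs.items()}
        matches[client] = max(scores, key=scores.get)
    return matches


def simulate(seed=7):
    """Three clients talking to three destinations through Tor; the observer sees both ends."""
    rng = random.Random(seed)
    truth = {"client-A": "dest-1", "client-B": "dest-2", "client-C": "dest-3"}
    entry_obs, exit_obs = {}, {}
    for client, dest in truth.items():
        flow = make_flow(rng)
        entry_obs[client] = flow
        exit_obs[dest] = after_tor(flow, rng)
    return correlate(entry_obs, exit_obs), truth


if __name__ == "__main__":
    matches, truth = simulate()
    print("recovered:", matches)
    print("correct  :", matches == truth)
```

No key is broken and no relay is compromised: the three hops only hide the route, while the shape of the traffic in time survives the circuit. That is why the conclusion above counts boundary monitoring as something Tor does not defend against.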

5. References

Hidden Internet [2018], Manu Mathur, Exploring the Hidden Internet – The Deep Web [Online]
Available at: https://whereispillmythoughts.com/exploring-hidden-internet-deep-web/
[Accessed 27 August 2019].

Search Engines [2019], Julia Sowells, Top 10 Deep Web Search Engines of 2017 [Online]
Available at: https://hackercombat.com/the-best-10-deep-web-search-engines-of-2017/
[Accessed 24 July 2019].

Krebs On Security [2016], Brian Krebs, Krebs on Security: Rise of Darknet Stokes Fear of The Insider [Online]
Available at: https://krebsonsecurity.com/2016/06/rise-of-darknet-stokes-fear-of-the-insider/
[Accessed 14 August 2019].

Anonymous Connections [1990], Michael G. Reed, Paul F. Syverson and David M. Goldschlag, Naval Research Laboratory, Anonymous Connections and Onion Routing [Online]
Available at: https://www.onion-router.net/Publications/JSAC-1998.pdf
[Accessed 18 August 2019].

Onion Pre Alpha [2002], Roger Dingledine, pre-alpha: run an onion proxy now! [Online]
Available at: https://archives.seul.org/or/dev/Sep-2002/msg00019.html
[Accessed 18 August 2019].

Tor Browser [2019], Heise Download, Tor Browser 8.5.4 [Online]
Available at: https://www.heise.de/download/product/tor-browser-40042
[Accessed 29 August 2019].

Interaction with Tor [2018], Philipp Winter, Anne Edmundson, Laura M. Roberts, Agnieszka Dutkowska-Zuk, Marshini Chetty, Nick Feamster, How Do Tor Users Interact With Onion Services? [Online]
Available at: https://arxiv.org/pdf/1806.11278.pdf
[Accessed 16 August 2019].

What is the darknet?, Darkowl, What is THE DARKNET? [Online]
Available at: https://www.darkowl.com/what-is-the-darknet/
[Accessed 22 August 2019].

Meet Darknet [2013], Brad Chacos, PCWorld, Meet Darknet, the hidden, anonymous underbelly of the searchable Web [Online]
Available at: https://www.pcworld.com/article/2046227/meet-darknet-the-hidden-anonymous-underbelly-of-the-searchable-web.html
[Accessed 23 August 2019].

Onion Service Protocol [2019], Tor Documentation, Tor: Onion Service Protocol [Online]
Available at: https://2019.www.torproject.org/docs/onion-services
[Accessed 8 July 2019].

How does Tor work [2018], Brandon Skerritt, How does Tor *really* work? [Online]
Available at: https://hackernoon.com/how-does-tor-really-work-c3242844e11f
[Accessed 8 July 2019].

Locating Hidden Servers [2006], Lasse Øverlier, Paul Syverson, Locating Hidden Servers [Online]
Available at: https://www.onion-router.net/Publications/locating-hidden-servers.pdf
[Accessed 8 August 2019].

Zmap Scan [2013], Peter Judge, Zmap’s Fast Internet Scan Tool Could Spread Zero Days In Minutes [Online]
Available at: https://www.silicon.co.uk/workspace/zmap-internet-scan-zero-day-125374
[Accessed 21 August 2019].

Tor or VPN [2019], Bill Man, Tor or VPN – Which is Best for Security, Privacy & Anonymity? [Online]
Available at: https://blokt.com/guides/tor-vs-vpn
[Accessed 8 August 2019].

About the Robustness of Machine Learning

Glitch

In the past couple of years, research in the field of machine learning (ML) has made huge progress, which has resulted in applications such as automated translation, practical speech recognition for smart assistants, useful robots, self-driving cars and many others. But so far we have only reached the point where ML works; it can still easily be broken. This blog post therefore concentrates on the weaknesses ML faces these days. After an overview and categorization of different flaws, we will dig a little deeper into adversarial attacks, which are the most dangerous ones.


Mobile Security – How secure are our daily used devices?

Nowadays, the use of mobile devices has become part of our everyday life. A lot of sensitive and personal data is stored on these devices, which makes them attractive targets for attackers. Many companies also offer the possibility to work remotely, which results in confidential business information being stored on private phones and therefore increases the organization's exposure. The following content shows what kinds of attacks the mobile platform faces and how secure we really are.


Autonomous War – Which dangers are associated with warfare without human intervention?

The term autonomous war has been a controversial topic for years. But what exactly does the term mean? Autonomous war means the use of lethal autonomous weapons (LAWs) and machines or vehicles that are primarily used by the military for modern warfare. Autonomous weapon systems can decide independently about life and death on the battlefield, which is why the media more commonly call them “killer robots”.


Blockchain Risks and Chances – A 2018 Overview on Public and Private Blockchain, Smart Contracts, DAOs and ICOs

A few years ago, talking about Blockchain was largely the same as talking about the technology behind Bitcoin. Nowadays, in contrast, Blockchain comprises a whole technology branch, and the Blockchain itself can be implemented in many different ways. Less than a year ago, on December 17, 2017, the Bitcoin hype peaked when the price broke through $20,000 per coin. The Bitcoin hype further fuelled the hype around the Blockchain, and consequently we now have over 1800 Blockchain platforms with a cryptocurrency listed on coinmarketcap.com. In addition, there are numerous frameworks and providers for so-called Private Blockchains, which are mostly used in companies and consortiums. In this blog article I will therefore give an overview of the current development in Blockchain as well as its chances and risks. I will also deal with technologies such as Smart Contracts, DApps, DAOs and ICOs, which Blockchain has made possible or which have grown through it.


Safety Culture – Improve “the way we do things around here”

The safety culture of an organization is the key indicator of its performance related to safety. It incorporates the visible rules, norms and practices as well as the implicit factors such as values, beliefs and assumptions. That is why the safety culture reflects “the way we do things around here”, which is the most precise definition. Safety is a universal topic, since we pursue it permanently and every action is safety related. To improve safety, we first need to understand the organization's unique safety culture before we can derive tailored actions. This post covers the basic theoretical background of a safety culture and focuses on two central components: just culture and learning culture. The resulting principles can increase the resistance of an organization towards its operational hazards, but only if they are adapted to the unique situation. There is no generally applicable step-by-step manual on how to implement a safety culture.


Smart Meter

Smart meters have been a controversial topic for quite a while. Other countries began the rollout years ago. In Germany it is taking much longer, and there are still no certified products for the energy companies to install. The BSI (Bundesamt für Sicherheit in der Informationstechnik) is responsible for certifying the smart meters, and several smart meters are currently up for certification, as can be seen on the BSI's page on the subject.

The main reason for installing smart meters is the energy transition, which aims to make the power grid more reliable with renewable energies. The EU has therefore decided that every member state should provide smart meters to its consumers, and the German federal government (Bundesregierung) passed the law on the digitalisation of the energy transition (Gesetz zur Digitalisierung der Energiewende) in 2016. It requires 80% of all households to have a smart meter by 2020.