What is Tor and the Dark Web?

Posted by Geraldine Hunt on Wed, Sep 1st, 2021

There's a lot of talk about the dark web these days, including how cybercriminals use it to spread malware, sell stolen data and publish user account credentials.

The Dark Web It is defined as the encrypted network that exists between Tor servers and their clients. It is completely separate from the World Wide Web. Tor, an acronym for "The Onion Router", enables users to surf the Internet, chat, and send instant messages anonymously. In and of itself, it is not nefarious. Here is how Tor developers view their creation on https://www.torproject.org/: “Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. “

There has been a 24 percent growth rate of onion sites on the Dark Web between 2014 and 2015, according to Flashpoint research. Tor use jumped again in the last year since the revelation of the National Security Agency's surveillance program.

A little history

Negative stereotypes about the Dark Web abound. In March, a CIGI study showing 7 in 10 people want the Dark Web shut down. Many people heard of the Dark Web for the first time in 2013 when the FBI dismantled the Silk Road, the largest black market site (at the time) trafficking in guns and drugs. But the Dark Web did not start out as haven for criminals. Tor was developed in the mid-1990s by computer scientists and U.S. government agencies. In 2006, the Tor Project was created as a nonprofit organization to maintain Tor for public use.

There are plenty of reasons that people might want to anonymize their web activity using Tor:

In countries where many websites are blocked, Tor provides a way to access those sites. For example, in mainland China as of September 2015, around 3,000 websites were blocked. These includes most of Google’s offerings, Facebook, YouTube, Twitter, and Instagram. Anonymity is critical when communicating sensitive information or whistle-blowing. Today, news outlets like The Guardian, The Intercept, and The New Yorker all host Dark Web drop sites for anonymously leaked tips and documents. So, of course, does WikiLeaks. Tor and the Dark Web was used to mobilize the Arab spring. Some people use Tor to keep websites from tracking them for advertising purposes.

How does Tor work?

Tor is not the only tool to access the Dark Web; it is simply the most popular. Other systems include Freenet or the Invisible Internet Project (I2P). Here is how Tor works. Tor forwards network traffic from the user’s computer and shuffles it through a random series of relays to reach its destination. Each node (or onion router) in the path knows its predecessor and successor, but no other nodes in the circuit. Traffic flowing down the circuit is sent in fixed-size packets which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream. This process anonymizes the user’s location and makes it difficult to monitor the user’s activity.

Tor encryption is performed by the Tor servers, not on your desktop. Traffic between two Tor nodes is not traceable, but traffic entering or exiting Tor gateways to or from the “normal” Internet is, unless SSL encryption is in effect. Tor is not an end-to-end encryption mechanism; if communication is not encrypted using separate software before entering the Tor network, anyone can read it at the gateways. Since the U.S. National Security Agency is suspected of administering a high percentage of all the world’s public Tor exit gateways, you can bet that any unencrypted traffic is monitored by the NSA.

Many users access Tor through a VPN. Here’s why:

• A VPN allows you to spoof your geographic location. 
• As mentioned above, anyone at the Tor exit gateway can read unencrypted communication passing through.
• A VPN provides privacy.
• Some ISPs block Tor. An ISP will not know you are accessing the Dark Web if you use a VPN.
• The Tor entry gateway will see the IP address of the VPN server, not the user’s true IP address.

However, Tor exit gateways are often blocked. Also, a VPN provides no protection from malicious Tor exit gateways. Instead of using a VPN, some Tor users route through a Tor bridge such as Obfsproxy. This can be effective at hiding Tor use if deep packet inspection is not configured to detect Tor.

What does the Dark Web look like?

The first thing to notice is how slow the Tor browser is; even slower if a VPN is used in tandem. The URLs also look a bit strange. An example is wlupld3ptjvsgwqw.onion, the Dark Web site for Wikileaks. Protocols outside the standard HTTP/HTTPS abound, most commonly IRC, IRCS, Gopher, XMPP, and FTP. A long-term survey by TrendMicro showed that 41% of URLs are Russian, while 40% are English.

Finding what you are looking for is a bit of a challenge since many sites appear and disappear within days. This is not to say that there are no search engines; the drug search engine Grams looks like Google. Since there are many malicious webpage links, some users rely on Tor .onion link lists or a friend’s tip to get around. An alternative is one of the Dark or Deep Web search engines that talks to the onion service via Tor and relays, resolves the .onion links, and then delivers the final output to your regular browser on the World Wide Web.

The Dark Web has some of the same kinds of sites available on the “normal” internet. Deep Web Radio is a worldwide music radio station. There are dedicated hosting services, anonymous email and chat; even Twitter clones. Of course, there are blogs and forums. in January 2016, ProPublica launched the Dark Web’s first major news site.

Whistleblowers, human rights activists, journalists, military, and law enforcement all have a presence. Victims of domestic abuse use the Dark Web to communicate without being tracked by their abusers.

A description of the Dark Web would not be complete without mentioning the .BIT financial sites involving Bitcoin, markets for stolen information and illegal goods, and exploit kits and information for blackhats. Daniel Moore and Thomas Rid in their book Cryptopolitik and the Darknet report that 57% of the Dark Web consists of illegal activity. It is fair to say that Deep Web is an immense information-sharing tool that facilitates criminal activity. Cryptocurrencies like bitcoin and anonymization networks such as Tor make it easy for adversaries to enter the malware market and quickly begin generating revenue.

Spear Phishing Threats Rise as Dark Web Grows

Over 90% of all cyber attacks an data breaches begin with a phishing attack.  Spear Phishing threats are rising as the data on the dark web expands. Spear phishing attacks are multipurpose attacks used to deliver ransomware, malware and steal valuable data that can be easily sold on the dark web. Phishing is the most successful, growing, and dangerous of all cyber-attacks!

DNS has an important role to play because it underpins the network activity of all organizations and because around 90% of malware uses DNS to cause harm.

DNS provides organization with an opportunity to intercept malware before it contacts its command and control infrastructure. DNS visibility enables organizations to see other indicators of compromise such as spikes in IP traffic and DNS hijacking.

Being able to track and monitor DNS activity is important as it enables organizations to identify phishing campaigns and the associated leakage of data. It also enables them to reduce the time attackers are in the network and spot new domains being spun up for malicious activity and data exfiltration. 

By enabling DNS protection, you can filter out phishing sites altogether. That means if an employee opens and clicks on a phishing email, the link in the email won't work.

WebTitan DNS Filtering blocks access to malware, ransomware, phishing attacks, viruses, malicious sites, spyware, etc. It eliminates malicious content at the source.

Find out more about how WebTitan DNS Filtering provides real time AI driven DNS protection from malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets.

 

 

How to Protect Users form Data Breaches and Sophisticated Email Attacks

Without the right cybersecurity tools in place, organizations are vulnerable to phishing scams. This malware could cost an enterprise millions in disaster recovery and ransom fees if they’re paid. The only way to avoid them is to have the right email security using DMARC and content filtering.

SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan. SpamTitan's sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files.

Phishing attacks are highly complex and  on the rise. One of the most effective ways to protect against phishing scams is with a modern, robust email security solution such as SpamTitan.  SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing.  Few vendors offer all of these solutions in one package.

SpamTitan is a multi-award-winning email protection, anti-phishing, and email filtering solution. Start your free trial for SpamTitan today to discover how we can prevent malware attacks.

 

Stay tuned…

In an upcoming article, we will discuss the technical ramifications of the Dark Web and measures that will (or will not) stop Tor from being accessed from your network.