How the Military Will Fight ISIS on the Dark Web

A U.S. Airman inserts a hard drive into the network control center retina server at Altus Air Force Base, Okla., Jan. 24, 2014.

DoD photo by Senior Airman Franklin R. Ramos



ISIS already is on the Dark Web raising money through Bitcoin. The military is on the Dark Web, too.

The Dark Web is not so much a place as it is a method of achieving a level of anonymity online. It refers to web sites that mask the IP addresses of the servers on which they reside, making it impossible to know who or what is behind the site or sites. They don’t show up on search engines like Google so, unless you know exactly how to reach them, they’re effectively invisible. Activists and dissidents in countries like China and Iran use the Dark Web to get around state surveillance; journalists use it to reach sources, and whistleblowers rely on it to spread the word about institutional abuse or malpractice. New evidence suggests that the Islamic State, or ISIS, or at least ISIS-supporting groups, are seeking the Dark Web’s anonymity for operations beyond simple propaganda. This poses yet another challenge for law enforcement and the military: tracking users on the Dark Web in a way that is effective against ISIS but does not violate privacy.

Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, speaking at the Cybersecurity for a New America event on Monday in Washington, said that groups like ISIS raising money on the Dark Web was “clearly a concern. It’s something that we’re paying attention to.” Without addressing explicitly how the NSA goes about the task of paying attention, he added simply: “We spend a lot of time tracking people that can’t be found.”

A new report from the Chertoff Group illustrates some of the ways that the national security community will be keeping tabs on those who have taken steps to make themselves untraceable online.

First, while the Dark Web is incredibly valuable as a tool for dissident action, it also has some real dark spots. Ido Wulkan, the senior analyst at S2T, a Singapore-based technology company that develops Dark Web harvesting technologies, recently revealed to Israeli newspaper Haaretz that his company has found a number of websites raising funds for ISIS through bitcoin donations.

Though researchers and journalists have reported on some indications of Bitcoin use by ISIS and supporting groups, this is the first actual documented case, Wulkan told Defense One. “This specific website was found in several of the online communities which share information concerning the Dark Web. I originally came across it on a closed Turkish forum used by hackers.”

Some Dark Web content is accessible only via special software like Tor, a package that encrypts a user’s IP address and routes Internet traffic through a series of volunteer servers around the world (so-called onion routing). Like the Internet itself, Tor was a product of the military, originally designed by the Office of Naval Research to give sailors a secure means of communication.


Today, an explosion of Tor usage in a specific place or among a certain group is one indicator of increased secret communication activity. That could mean different things in different places. In June 2014, when the government of Iraq blocked Twitter and Facebook as part of its response to the growing ISIS situation, Tor usage in that country exploded, according to Tor metrics data. Usage has since calmed down in Iraq significantly.
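The "explosion of Tor usage" indicator above is the kind of thing an analyst checks against a country-level time series. The following is an added example, not code from the article or from Tor Metrics: it loads a constructed CSV (the column layout and the numbers are invented, loosely modelled on the Iraq episode) and flags days whose user count jumps well above the trailing-week median.

```python
import csv
import io
from statistics import median

# Constructed daily Tor-user estimates for one country (not real Tor Metrics
# data). The surge starting 2014-06-13 is modelled on the article's account of
# Iraq's social-media block, but every number here is invented.
SAMPLE_CSV = """date,country,users
2014-06-01,iq,1010
2014-06-02,iq,990
2014-06-03,iq,1005
2014-06-04,iq,1020
2014-06-05,iq,995
2014-06-06,iq,1000
2014-06-07,iq,1015
2014-06-08,iq,1030
2014-06-09,iq,1010
2014-06-10,iq,1000
2014-06-11,iq,1020
2014-06-12,iq,1050
2014-06-13,iq,4200
2014-06-14,iq,9100
2014-06-15,iq,12300
2014-06-16,iq,11800
2014-06-17,iq,9900
"""

def load_series(csv_text, country):
    """Return [(date, users), ...] for one country, in file order."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["date"], int(r["users"])) for r in rows if r["country"] == country]

def detect_surges(series, window=7, threshold=3.0):
    """Flag days whose user count is at least `threshold` times the median of
    the preceding `window` days. A median baseline shrugs off a single odd day,
    but once a surge has lasted more than window/2 days it becomes the new
    normal and alerting stops: this detects onsets, not sustained levels."""
    flagged = []
    for i in range(window, len(series)):
        baseline = median(users for _, users in series[i - window:i])
        date, users = series[i]
        if baseline > 0 and users / baseline >= threshold:
            flagged.append((date, round(users / baseline, 2)))
    return flagged

if __name__ == "__main__":
    for date, ratio in detect_surges(load_series(SAMPLE_CSV, "iq")):
        print(f"{date}: {ratio}x the trailing-week median")
```

Note that 2014-06-17 is not flagged at the default threshold even though usage is still high, because the surge has already pulled the median baseline up; lower the threshold or lengthen the window if sustained elevation matters more than onset.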

ISIS activity on the Dark Web is growing, particularly on Tor sites, said Wulkan.

“For several years now Jihadists have been sharing information online concerning Tor and its usage thus indicating clearly that [Tor] is used by many of them. However, up until now I have not come across specific websites used for Jihadi purposes. I therefore assume many of them use Tor in the same way the general population does, through black markets and general forums where they can achieve material and information and remain anonymous. Moreover, since the Dark [Web] is far less indexed and far harder to come across than regular Websites are, there is the possibility that there are Websites used by ISIS of which we do not know yet.” 

This does not suggest that people aren’t looking. Last year, an investigation of the source code in one NSA program called XKeyscore (revealed by the Edward Snowden leaks) showed that any user simply attempting to download Tor was automatically fingerprinted, essentially enabling the NSA to know the identity of millions of Tor users. But there’s a difference between finding people who are on the Dark Web and revealing the nature of their interest and their behaviors within it.

Recently, the Chertoff Group put out a new paper detailing some of the methodologies that it advises law enforcement to use to monitor Tor users and sites. Since it was co-written by former DHS director and Jeb Bush national security team member Michael Chertoff, it’s safe to say it provides a good indication of current law enforcement thinking. The paper, co-written with Toby Smith, is titled The Impact of the Dark Web on Internet Governance and Cyber Security.

The recommendations include mapping the hidden service directory, customer data monitoring, social site monitoring, hidden service monitoring and marketplace profiling.

Most of those are fairly self-explanatory. Customer data monitoring refers to watching the visible web to see how user behavior relates to or telegraphs attempted connections to non-standard domains. Social site monitoring applies in this case not only to the usual players like Facebook (though Facebook does have a Tor link) but also to sites like Pastebin, which the paper refers to as a site “often used to exchange contact information and addresses for new hidden services.” Hidden service monitoring just means staking out Dark Web sites, and marketplace profiling means constructing models of how deals on the Dark Web go down.

Mapping the hidden service directory presents a more distinctive technical challenge. Tor uses a domain database built on what’s called a distributed hash table. If Tor were a city, the distributed hash table, or DHT, would be the architectural plans for the structures in it. Each node in a DHT can store information that, in turn, is retrievable if the user knows the exact address of that node. Mapping the DHT can reveal how those nodes relate to one another, providing a sense of shape for the broader network.
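To make the "architectural plans" metaphor concrete, here is an added toy model of a ring-structured DHT; it is not code from Tor or from the Chertoff paper. Nodes and descriptor IDs are placed on a hash ring, each descriptor is stored on the next few nodes clockwise, and "mapping" the directory means inverting that placement to see which node holds what. Tor's real directory derives its lookup keys from the service's key and a time period and uses more replicas; the relay labels, descriptor names and replica count here are constructed assumptions.

```python
import hashlib
from bisect import bisect_left

# Constructed identities for directory nodes and hidden-service descriptors.
NODE_FINGERPRINTS = ["relayA", "relayB", "relayC", "relayD", "relayE", "relayF"]
DESCRIPTOR_IDS = ["svc-one", "svc-two", "svc-three", "svc-four", "svc-five"]

def ring_position(label: str) -> int:
    """Place a label on a 160-bit ring by hashing it (SHA-1, as in classic DHTs)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def build_ring(fingerprints):
    """The ring is just the nodes sorted by position: (position, fingerprint)."""
    return sorted((ring_position(fp), fp) for fp in fingerprints)

def responsible_nodes(ring, descriptor_id, replicas=2):
    """A lookup: the `replicas` nodes clockwise from the descriptor's position
    are the only ones that need to be asked for it."""
    positions = [pos for pos, _ in ring]
    start = bisect_left(positions, ring_position(descriptor_id))
    return [ring[(start + i) % len(ring)][1] for i in range(replicas)]

def map_directory(fingerprints, descriptor_ids, replicas=2):
    """The inverse view an analyst builds when mapping the directory:
    for every node, which descriptors it would be holding right now."""
    ring = build_ring(fingerprints)
    holdings = {fp: [] for fp in fingerprints}
    for did in descriptor_ids:
        for fp in responsible_nodes(ring, did, replicas):
            holdings[fp].append(did)
    return holdings

if __name__ == "__main__":
    for fp, held in map_directory(NODE_FINGERPRINTS, DESCRIPTOR_IDS).items():
        print(fp, "->", held)
```

Dropping a node from NODE_FINGERPRINTS and re-running map_directory shows the other property the mapping exposes: responsibility shifts to the next nodes on the ring, so the map has to be refreshed as the node set changes.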

Will they do any good? To what extent do they represent future potential privacy violations?

Cooper Quintin, a technologist with the Electronic Frontier Foundation, a privacy watchdog group, answered: “the recommendations about monitoring Pastebin, semantic analysis of hidden services and grabbing snapshots of hidden services are fine and ethical things to do. I am concerned about the customer data monitoring suggestion however. To me, that seems like it could easily become a pretty serious invasion of privacy. Even if the IP address is not collected (as recommended in the report) it may still be possible to de-anonymize someone just through the metadata.”

In making this statement, Quintin is echoing the concerns of others in the data research community, such as MIT researchers Yves-Alexandre de Montjoye and César A. Hidalgo who have shown how easy it is to identify cloaked IP addresses, work that could conceivably be useful to Dark Web searching.


The privacy concerns of the techniques outlined in the Chertoff report are small relative to some other tactics that law enforcement uses to conduct investigations, so it’s reasonable to expect that the above methods would play a role in future Dark Web investigations, if they don’t play a part already.

But law enforcement would hardly be limited to the strategies described in the report.

Recently disclosed court documents show that the FBI has used some code from a software product called the Metasploit Decloaking Engine for Dark Web investigations. Metasploit isn’t new. It’s been an essential hacker tool for years. Kevin Poulsen describes it for WIRED this way: “If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought.” The court documents Poulsen discovered reveal that in 2012, the FBI retooled an aspect of that code for something called Operation Torpedo, which was effective in revealing the activities of Tor users.

It’s becoming easier to find people on Tor as well as to discover the sites they’re visiting. Recently, Dan Kaufman, director of the Information Innovation Office at the Defense Advanced Research Projects Agency, or DARPA, appeared on 60 Minutes to discuss the agency’s Memex project, which some have called a search engine for the Dark Web. Memex, according to Kaufman, has played a role in 20 different investigations.

But you don’t have to be DARPA or the NSA to search the unsearchable. A new service called Onion City (named after Tor’s onion routing structure) claims to offer “search and global access to Tor’s onionsites.”

As the Dark Web evolves, people will begin to organize within it in order to make it more useful. That’s inevitable. As any organism grows it becomes complex; and as it becomes complex it seeks organization as a means to grow efficiently and minimize cost. It is in that organization that the hidden Web is revealing itself both to individuals who would seek to give funds to groups like ISIS and to spies who would seek out those people. 
