A U.S. Airman inserts a hard drive into the network control center retina server at Altus Air Force Base, Okla., Jan. 24, 2014.

A U.S. Airman inserts a hard drive into the network control center retina server at Altus Air Force Base, Okla., Jan. 24, 2014. DoD photo by Senior Airman Franklin R. Ramos

How the Military Will Fight ISIS on the Dark Web

ISIS already is on the Dark Web raising money through Bitcoin. The military is on the Dark Web, too.

The Dark Web is not so much a place as it is a method of achieving a level of anonymity online. It refers to web sites that mask the IP addresses of the servers on which they reside, making it impossible to know who or what is behind the site or sites. They don’t show up on search engines like Google so, unless you know exactly how to reach them, they’re effectively invisible. Activists and dissidents in countries like China and Iran use the Dark Web to get around state surveillance; journalists use it to reach sources and whistleblowers rely on it to spread the word about institutional abuse or malpractices. New evidence suggests that the Islamic State, or ISIS, or at least ISIS supporting groups, are seeking the Dark Web’s anonymity for operations beyond simple propaganda. Thus yet another challenge for law enforcement and the military: to track users on the Dark Web in a way that’s effective against ISIS but that doesn’t violate privacy.

Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, speaking at the Cybersecurity for a New America Event on Monday in Washington said that groups like ISIS raising money on the Dark Web was “clearly a concern. It’s something that we’re paying attention to.” Without addressing explicitly how the NSA, goes about the task of paying attention, he added simply: “We spend a lot of time tracking people that can’t be found.”

A new report from the Chertoff Group illustrates some of the ways that the national security community will be keeping tabs on those who have taken steps to make themselves untraceable online.

First, while the Dark Web is incredibly valuable as a tool for dissident action, it also has some real dark spots. Ido Wulkan, the senior analyst at S2T, a Singapore-based technology company that develops Dark Web harvesting technologies, recently revealed to Israeli newspaper Haaretz that his company has found a number of websites raising funds for ISIS through bitcoin donations.

Though researchers and journalists have reported on some indications of Bitcoin use by ISIS and supporting groups, this is the first actual documented case, Wulkan told Defense One. “This specific website was found in several of the online communities which share information concerning the Dark Web. I originally came across it on a closed Turkish forum used by hackers.”

Some Dark Web content is accessible only via special software like Tor, a package that encrypts a user’s IP address and routes Internet traffic through a series of volunteer servers around the world (so-called onion routing.) Like the Internet itself, Tor was a product of the military, originally designed by the Office of Naval Research to give sailors a secure means of communication.

We spend a lot of time tracking people that can’t be found.
Adm. Michael Rogers, commander of U.S. Cyber Command and director of the NSA

Today, an explosion of Tor usage in a specific place or among a certain group is one indicator of increased secret communication activity. That could mean different things in different places. In June 2014, when the government of Iraq blocked Twitter and Facebook as part of its response to the growing ISIS situation, Tor usage in that country exploded, according to Tor metrics data. Usage has since calmed down in Iraq significantly.

ISIS activity on the Dark Web is growing, particularly on Tor sites, said Wulkon.

“For several years now Jihadists have been sharing information online concerning Tor and its usage thus indicating clearly that [Tor] is used by many of them. However, up until now I have not come across specific websites used for Jihadi purposes. I therefore assume many of them use Tor in the same way the general population does, through black markets and general forums where they can achieve material and information and remain anonymous. Moreover, since the Dark [Web] is far less indexed and far harder to come across than regular Websites are, there is the possibility that there are Websites used by ISIS of which we do not know yet.” 

This does not suggest that people aren’t looking. Last year, an investigation of the source code in one NSA program called XKeyscore, (revealed by the Edward Snowden leaks) showed that any user simply attempting to download Tor was automatically fingerprinted, essentially enabling the NSA to know the identity of millions of Tor users. But there’s a difference between finding people who are on the Dark Web and revealing the nature of their interest and their behaviors within it.

Recently, the Chertoff Group put out a new paper detailing some of the methodologies that they advise law enforcement to use to monitor Tor users and sites. Since it was co-written by former DHS director and Jeb Bush national security team member Michael Chertoff, it’s safe to say it provides a good indication of current law enforcement thinking. The name of the paper is the Impact of the Dark Web on Internet Governance and Cyber Security, co-written with Toby Smith.

The recommendations include mapping the hidden service directory, customer data monitoring, social site monitoring, hidden service monitoring and marketplace profiling.

Most of those are fairly self-explanatory. Customer data monitoring refers to watching the visible web to see how user behavior relates to or telegraphs attempted connections to non-standard domains. Social site monitoring applies in this case not the usual players like FaceBook (though Facebook does have a Tor link) but also sites like Pastebin, which the paper refers to as a site “often used to exchange contact information and addresses for new hidden services.” Hidden service monitoring just means staking out Dark Web sites and marketplace profiling means constructing models of how deals on the Dark Web go down.

Mapping the hidden service directory presents a technical challenge that’s a bit more unique. Tor uses a domain database built on what’s called a distributed hash table. If Tor were a city, the distributed hash table, DHT, would be the architectural plans for the structures in it. Each node in a DHT can store information that, in turn, is retrievable if the user knows the exact address of that node. Mapping the DHT can reveal how those nodes relate to one another, providing a sense of shape for the broader network. The rest of the recommendations are somewhat self-explanatory.

Will they do any good? To what extent do they represent future potential privacy violations?

Cooper Quintin, a technologist with the Electronic Frontier Foundation, a privacy watchdog group, answered: “the recommendations about monitoring Pastebin, semantic analysis of hidden services and grabbing snapshots of hidden services are fine and ethical things to do. I am concerned about the customer data monitoring suggestion however. To me, that seems like it could easily become a pretty serious invasion of privacy. Even if the IP address is not collected (as recommended in the report) it may still be possible to de-anonymize someone just through the metadata.”

In making this statement, Quintin is echoing the concerns of others in the data research community, such as MIT researchers Yves-Alexandre de Montjoye and César A. Hidalgo who have shown how easy it is to identify cloaked IP addresses, work that could conceivably be useful to Dark Web searching.

(Related: Terrorism Finance Trackers Worry ISIS Already Using Bitcoin)

The privacy concerns of the techniques outlined in the Chertoff report are small relative to some other tactics that law enforcement uses to conduct investigations, so it’s reasonable to expect that the above methods would play a role in future Dark Web investigations, if they don’t play a part already.

But law enforcement would hardly be limited to the strategies described in the report.

Recently disclosed court documents show that the FBI has used some code from a software product called the Metasploit Decloaking Engine for Dark Web investigations. Metasploit isn’t new. It’s been an essential hacker tool for years. Kevin Paulson describes it for WIRED thus “If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought.” The court documents Paulson discovered reveal that in 2012, the FBI retooled an aspect of that code for something called Operation Torpedo, which was effective in revealing the activities of Tor users.

It’s becoming easier to find people on Tor as well as discover the sites they’re visiting. Recently, Dan Kaufman, director of the information innovation office at the Defense Advanced Projects Research Agency, or DARPA, appeared on 60 Minutes to discuss the agency’s Memex project, which some have called a search engine for the Dark Web. Memex, according to Kaufman, has played a role in 20 different investigations.

But you don’t have to be DARPA or the NSA to search the unsearchable. A new service called Onion City (named after Tor’s onion routing structure) claims to offer “search and global access to Tor's onionsites.”

As the Dark Web evolves, people will begin to organize within it in order to make it more useful. That’s inevitable. As any organism grows it becomes complex; and as it becomes complex it seeks organization as a means to grow efficiently and minimize cost. It is in that organization that the hidden Web is revealing itself both to individuals who would seek to give funds to groups like ISIS and to spies who would seek out those people. 

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.