Operation Onymous - are the FBI's claims transparent enough?

News by Steve Gold

Most sites taken down in operation Onymous were spam or clone sites says researcher.

Further details of `Operation Onymous' - a joint law enforcement action against the so-called Dark Web-based drug trade at the start of this month - are now emerging, and the mystery surrounding the claimed actions of Europol, the FBI and the Department of Homeland Security has deepened.

As widely reported at the time `Operation Onymous' - which centred on an investigation of Internet resources using the TOR (The Onion Router) anonymising service - resulted in the arrest of 17 people and closed down more than 400 Dark Web websites, including Cloud 9, Topix, Black Market and the infamous Silk Road 2.0.

At the time, TOR watchers were deeply concerned that the law enforcement organisations had managed to decode the complex process by which IP traffic traverses the TOR network, which was originally developed by the US Naval Research Lab with the specific intention of masking Internet traffic in those countries and regions where governments were monitoring for anything untoward.

Today, TOR is used by a wide variety of users, ranging from people in oppressed countries, all the way to Dark Web and illegal Internet users who do not want their activities to become known to law enforcement agencies.

Today's TOR works with users installing an anonymised router or a bridge that acts as a conduit for obfuscated IP traffic. Coupled with end relays - aka ingress and egress points - an open source fully anonymised IP network is the end result.

Up in arms

It's the anonymous nature of the network that had security experts up in arms in early November, as fears that the `digital exhaust' of TOR users had been decoded.   

Reports are now circulating that, whilst the FBI was able to take down a number of popular Dark Web sites - including Silk Road 2 - many of the websites were/are fake.

According to security researcher Nik Cubrilovic, 153 of the 276 websites were spam sites or clones, with 20 being scam/phishing sites, and the remaining 133 being clones.

The clones, SCMagazineUK.com notes, are the apparent end result of a botnet - the Onion Cloner - developed by hackers to harvest the credentials of a number of popular Dark Web sites and pages. Put simply, this means that, alongside the legitimate sites that law enforcement officials wanted to take down, there are a large number of outright fakes.

According to Cubrilovic, several legitimate personal websites on the TOR network were also taken down but were not mentioned in the FBI's press release or court filings. Most damning, he says, the FBI took down a Jihadi donation site clone on one TOR address while leaving the real site up and running.

As a result of the revelations, Cubrilovic is asking site admins to contact him regarding their sites in order to assess how the FBI found and shut down the affected sites.

Denting the FBI claims

Whilst it is difficult to say - at this stage - to what extent Cubrilovic's revelations change the tenor of the FBI's claims about Operation Onymous, some experts are now saying there is a lot more than meets the eye to the takedown.

As Cubrilovic observes, "that the FBI seized so many clone and fake websites suggests a broad, untargeted sweep of hidden services rather than a targeted campaign."

The diverse nature of how sites were seized suggests: "that rather than starting with an onion address and then discovering the host server to seize, this campaign simply vacuumed up a large number of [TOR] websites by targeting specific hosting companies. We have tracked down the hosting companies affected and the details will be published in a follow-up," he says in his analysis.

What actually happened?

To answer the questions that Cubrilovic's revelations clearly raise, SC asked digital forensics specialist Professor Peter Sommer, a visiting professor with de Montfort University, for his observations.

He explained that Cubrilovic's very interesting article adds yet more puzzles to what took place during Operation Onymous.

"The initial puzzle was the `new forensic technique' said to have been deployed by Europol/FBI/NCA. The people running the TOR network say that they are pretty sure that it has not been broken at a fundamental level," he said.

"On the other hand there is a compelling article in The Stack which reports research by Sambuddho Chakravarty that 81 percent of TOR clients can be de-anonymised (their IP real IP addresses revealed) by using Cisco's Netflow and traffic analysis," he said.

"In an earlier case involving the original Silk Road, the FBI offered various unconvincing explanations - and the courts did not press them. One can see why law enforcement is keen to conceal its methods for as long as possible," he added.

The second puzzle, Professor Sommer went on to say - and one which extends well beyond Operation Onymous - concerns the policy of going for disruption (aka takedowns) as opposed to prosecution.

"In a prosecution a law enforcement agency's suspicions have to be turned into a trial against a specific offence and with specific evidence that is fully tested in court. What are the disciplines behind decisions to disrupt?  How do we test for effectiveness - and how do we protect those against whom the suspicions turn out to be mistaken?," he explained.

Tim Keanini, CTO with Lancope, expressed worries about the integrity of the TOR network, noting that TOR cannot afford any flaws and, even if it is true, would quickly remediate as all software needs to do in the face of advanced threat.

If you realise that, even if TOR went away, another would quickly fill its place, because the need for anonymity in the net is in demand by all sides, he said, adding that it is important that folks who use TOR ensure that it is from a reliable source as compromised software is bad all around.

Over at Imperva, Amichai Shulman, the firm's CTO, said the whole saga is reality check for everyone.

"If you scratch the painting off a car in the street, even in broad daylight no one is going to come after you even if you clearly stare into each security camera on the street. If you think you pulled off the perfect heist and took a Van Gogh from the museum, most chances are that you'll get caught," he said.

"For the most part TOR provides enhanced privacy protection for individuals who are sensitive to their online anonymity and unfortunately also to small time criminals. Law enforcement and state actors have already proven - and in practice rather than in theoretical papers - that TOR is not a bullet-proof shield for major, persistent crimes or people of special interest to their governments," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews