In a word, anonymity.

A slew of privacy technique are allowing cyber criminals to buy and sell stolen private information relatively unscathed in most cases.

HTTPS encryption has been around for about a couple decades now . The problem for criminals, though, is when they try to access a web-based resource, before encryption is negotiated between the client and server, a DNS request is made in clear text so ISPs are able to see where criminals are trying to go.

In 2002, The Onion Routing (TOR) project released an alpha version of the anonymous web browsing software known as Tor. The reference to “onion” speaks to the architecture of how Tor works, providing multiple layers of anonymity through a series of encrypting “nodes”.

A key concept of Tor is that the various hops along the way only receive a partial picture of the communication that is happening. However, an anonymity is still not guaranteed. There are privacy issues for cyber criminals both at the beginning (during name resolution) and end (Tor exit node) of the communication path.

To resolve a .onion address (.onion is the dark web’s equivalent of .com), a cyber criminal’s computer still needs to resolve the human-readable address into an IP address. This means that whatever server they’re going to for DNS resolution will know where they’re coming from and where they’re trying to go. This information can then be used by law enforcement to find the cyber criminal.

To get around this issue, cyber criminals are now starting to use DNS-over-HTTPS which is still in IETF draft form but being developed by some sharp engineers at CloudFlare and Google. In fact, both of these companies have a free service to which cyber criminals can subscribe to hide both their internet and dark web activity.

At the end of the communication path, CloudFlare cryptography engineer Mahrud Sayrafi notes that “passive attackers can capture packets exiting the Tor network and malicious Exit Nodes can poison DNS queries or downgrade encryption through sslstripping.”

To close this final privacy issue, cyber criminals can now used what is called a “hidden resolver service”. Sayrafi talks about how this new privacy feature works at his blog post here:

https://blog.cloudflare.com/welcome-hidden-resolver

So a couple of final thoughts…

Thought #1: It’s now clear to see how cyber criminals are able to anonymously buy and sell medical records, credit card data, and other stolen personal information. They simply rely on a series of free technologies aimed at providing anonymity. On top of all the aforementioned technologies, cyber criminals are using anonymous blockchain-based cryptocurrencies to transfer funds to each other undetected.

Thought #2: Tor represents a way to bypass web filtering technologies allowing employees to access blocked or illegal sites. To address this:

– Consider implementing application whitelisting which will prevent the Tor browser from being installed on company computers.

– ‎Block the use of self-signed certificates which are prevalent in the Tor network.

– ‎Restrict the use of Tor in your company’s acceptable use policy.