
Anonymous searching

Workshop for VOGIN-IP-LEZING 20 March 2014, Amsterdam, The Netherlands

Arno H.P. Reuser Reuser’s Information Services [email protected] Leiden, The Netherlands +31 6 3812 7715


Monday 7th April, 2014 OSINT Research Techniques

All material in this document is copyright © Reuser’s Information Services, Leiden 2006-2013.

Print and typeset using LaTeX 2ε. Published by Reuser’s Information Services.

Edited March 2014 Print Monday 7th April, 2014

For questions, please contact Arno H.P. Reuser ([email protected]).

Unless explicitly stated otherwise, all rights including those in copyright in the content of this document are owned by or controlled for these purposes by Reuser’s Information Services. Except as otherwise expressly permitted under copyright law or Reuser’s Information Services’ Terms of Use, the content of this document may not be copied, reproduced, republished, downloaded, posted, broadcast or transmitted in any way without first obtaining Reuser’s Information Services’ written permission or that of the copyright owner.

The intellectual property rights belong to

Reuser’s Information Services

De Wetstraat 16 2332 XT Leiden The Netherlands

Reuser’s Information Services http://www.reuser.biz

c 2014 reuser’s information services page 1 Monday 7th April, 2014 OSINT Research Techniques LIST OF TABLES

Contents

1 Anonymity issues
  1.1 Contents
  1.2 Reasons to be anonymous
  1.3 Simple measures
  1.4 Proxies
  1.5 Search engines
  1.6 Tor protocol

2 The Onion Router (Tor)
  2.1 Contents
  2.2 Introduction
  2.3 What it looks like
  2.4 Alternative access
  2.5 Anonymous browsing
  2.6 The .onion pseudo domain

3 About
  3.1 Disclaimer
  3.2 Warning

List of Figures

1
2 Searching by proxy
3 Anonymous proxy Kproxy
4 TrackMeNot
5 Anonymous search engine Disconnect.me
6 Anonymous search engine DuckDuckGo
7 Anonymous search engine StartPage
8 Vidalia Tor interface
9 TOR network start
10 TOR browser
11
12 Tor: IP address before starting the Tor network
13 Tor: IP address before starting the Tor network
14 Tor: identity after starting the Tor network
15 Tor: changing your identity while working
16 Tor: a new identity after asking for a new one
17 Tor: a Tor directory to buy credit cards, drugs, weapons and more.
18 Tor: black market
19 Tor: buy your money online


1 Anonymity issues

1.1 Contents

1.2 Reasons to be anonymous

Scott McNealy

Someone already has your medical records, someone has your dental records, someone has your financial records, VISA knows what you bought, someone knows just about everything about you. You have no privacy. Get over it! Scott McNealy. 1999

Consider the following

1. Protect your information position

(a) Protect yourself against economic espionage (’ exploitation’)
(b) Protect yourself against snooping competitors
(c) Prevent the target from knowing who is looking


2. Prevent cyber bullying

3. Prevent cyber crime: "I have nothing to hide", "There is nothing of interest on my machine"

4. Hide your geographical location: for journalists, activists, criminals

5. Protect your medical condition

6. Victims of violence


1.3 Simple measures

Providers

Use different internet providers in different countries

SMTP relay

Use anonymous SMTP relay services or anonymous email services.

1. SilentSender.com ¹

2. Tor Mail ². Free anonymous email service provider, offline since August 2013

3. Get a client remailer: QuickSilver ³, OmniMix

A remailer strips the sender’s address from the mail. The address to reply to is inside the encrypted message itself.

Email address

1. Use anonymized email addresses

(a) Not: [email protected]
(b) But: [email protected]
(c) Or: [email protected]

In addition, Gmail also removes most ’Received’ mail headers.

2. Use aliases

(a) Not: [email protected]
(b) But: [email protected]
(c) Or: [email protected]

And have your mail client forward all this mail to the appropriate folders.

3. Turn OFF your automatic signature

¹ SilentSender.com: http://www.silentsender.com
² Tor Mail: http://jhiwjjlqpyawmpjx.onion/
³ QuickSilver: http://www.quicksilvermail.net/


1.4 Proxies

What is a proxy?

Function to store popular webpages at the servers of the Internet provider to save bandwidth

Protection function to hide IP address or temporarily assign another one

Anonymous proxy clients

A proxy was originally intended to preserve Internet bandwidth by storing high-demand pages in a temporary cache. Today, an anonymous proxy offers the possibility to surf the Web in a more or less ’anonymous’ way.

Today, a proxy is also used to search in anonymity. There are many "anonymous proxies" out there, some for free, but these tend to be very slow.

1. Anonymizer TotalNetshield

Figure 2: Searching by proxy

(See figure 2)

2. Kproxy. Alternatively, try using a free anonymous proxy, like Kproxy ⁴. The drawbacks are, of course, the ads and annoying pop-up screens. (See figure 3)

Activate private surfing mode

Modern browsers offer a possibility for private surfing. Check your history settings as well as your cookie settings. Some browsers offer an option to search ’anonymously’.

In Mozilla Firefox, start private browsing to prevent the browser from storing your private surfing behaviour (passwords, history, cookies, etc.). In MS Internet Explorer 8, use InPrivate Browsing and InPrivate Filtering.

⁴ Kproxy: http://www.kproxy.com


Figure 3: Anonymous proxy Kproxy

Firefox Add-ons

Annoy the search engines

Flood your favourite search engines with fake search queries by using a tool like TrackMeNot such that your real query gets more difficult to identify. TrackMeNot is a Firefox add-on.

Figure 4: TrackMeNot

(See figure 4)

1.5 Search engines

Alternative search engines

The below are a few examples of search engines that more or less protect your identity when searching. Care is required however. Searching may be done via a proxy, but clicking a link may unveil your identity.

1. Scroogle. Is no more. Supposedly dealt with by Google...
2. Disconnect.me ⁵ (See figure 5)
3. DuckDuckGo ⁶

⁵ Disconnect.me: https://disconnect.me
⁶ DuckDuckGo: http://www.DuckDuckGo.com


Figure 5: Anonymous search engine Disconnect.me

Figure 6: Anonymous search engine DuckDuckGo

(See figure 6)

4. Startpage ⁷ (ixquick)

Figure 7: Anonymous search engine StartPage

(See figure 7)

1.6 Tor protocol

Introduction

Tor gives access to the part of the deep web that consists of the top-level pseudo domain .onion, and it provides a protocol for anonymous searching.

⁷ Startpage: https://startpage.com/


Tor encrypts the message and sends it through multiple anonymous proxies making identification very difficult.

Figure 8: Vidalia Tor interface

(See figure 8)


2 The Onion Router (Tor)

2.1 Contents

2.2 Introduction

The Onion Router

1. Tor = The Onion Router

2. Multiple layers of encryption around each packet, like an onion

3. Designed, implemented, and deployed as a third-generation project of the U.S. Naval Research Laboratory. Originally developed with the U.S. Navy

4. Development started in 1995 (!)

5. Second-generation Onion Router presented in 2004 ⁸

6. Builds a circuit of encrypted nodes, a chain of anonymous proxies.

How it works

1. Encryption encrypts the data package, not the headers

2. Data packages take a random path on the internet through several relays to cover your tracks

3. Each relay knows only which relay it got the package from, and which relay to give the data to

4. No relay knows the entire path. Each relay sees only one hop.

5. Each package has multiple layers of encryption

6. Each node decodes one layer of encryption to find the next recipient.
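
The layering described in the list above, as an added example that is not part of the original handout: a client wraps a request once per relay, and each relay peels one layer and learns only its previous and next hop. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for Tor's real cryptography, and the relay names, pre-shared keys and destination are constructed assumptions.

```python
import hashlib, hmac, json, os
# Constructed circuit; assumption: the client already shares one key per relay.
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}

def _keystream(key, nonce, n):
    """SHA-256 in counter mode: a toy stand-in for a real stream cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal(key, plaintext):
    """Add one layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, key, nonce)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Remove one layer; ValueError if the layer was not sealed with this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer was not sealed for this relay")
    return _xor(ct, key, nonce)

def build_onion(path, keys, destination, payload):
    """Client: wrap the payload once per relay, exit layer first, entry layer last."""
    next_hop, blob = destination, payload
    for relay in reversed(path):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob, next_hop = seal(keys[relay], layer), relay
    return blob

def relay_peel(relay_key, blob):
    """Relay: strip exactly one layer and learn only where to send the rest."""
    layer = json.loads(unseal(relay_key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, keys, onion):
    """Walk the circuit, recording what each relay sees: (previous hop, next hop)."""
    seen, prev, blob = {}, "client", onion
    for relay in path:
        nxt, blob = relay_peel(keys[relay], blob)
        seen[relay], prev = (prev, nxt), relay
    return seen, blob
```

Calling `route(PATH, KEYS, build_onion(PATH, KEYS, destination, payload))` returns the per-relay view and the payload the exit relay forwards; only the exit relay's view contains the destination, and only the entry relay's view contains the client.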

Use

TOR is being used for

1. Anonymous browsing and anonymous working

2. Accessing the .onion pseudo domain network (deep web)

Target audience

⁸ Dingledine 2004 – Tor: the second-generation Onion Router / , Nick Mathewson. - In: 13th USENIX Security Symposium, July 2004. - p.303-3320


1. Businesses

2. Journalists

3. Law enforcement, police, fraud investigators

4. Activists

5. Criminals, thieves

6. Terrorists

What you need

1. Tor Browser bundle. Holds the Vidalia package and a dedicated Mozilla Firefox browser for anonymous browsing.

2. Tor project ⁹ with packages for , Mac, Android, and Windows.

3. Tip: the Tor bundle does not install. Simply unpack by double clicking and run.

4. Do NOT unpack and run from c:files , but somewhere else

5. Alternatively, unpack and run from your flash drive.

2.3 What it looks like

Run Vidalia

Figure 9: TOR network start

(See figure 9)

⁹ Tor project: http://www.torproject.org


Mozilla Firefox will start

The Tor browser bundle comes with its own stripped down version of Firefox, where only ’safe’ add-ons are loaded.

Figure 10: TOR browser

(See figure 10)

2.4 Alternative access

Access the .onion domain without the Tor Browser Bundle

Via a public gateway one can access the Tor domain from the ’normal’ web without using Vidalia or the Tor Browser Bundle.

1. Disadvantage: it is not anonymous

2. Advantage: no need for the Tor Browser Bundle

3. Address of websites: domain names ending in .onion.to

4. Gateway: Tor2Web ¹⁰

(See figure 11)

2.5 Anonymous browsing

Who are you?

(See figure 12)

(See figure 13)

After starting the Tor network (Vidalia)

¹⁰ Tor2Web: https://www.onion.to/


Figure 11: Tor2Web

Figure 12: Tor: IP address before starting the Tor network

Figure 13: Tor: IP address before starting the Tor network

Figure 14: Tor: identity after starting the Tor network

(See figure 14)

Changing your identity while working


Figure 15: Tor: changing your identity while working

(See figure 15)

Figure 16: Tor: a new identity after asking for a new one

(See figure 16)

2.6 The .onion pseudo domain

The .onion domain is not official

The top level domain is not a regular domain as specified by ICANN and/or IANA, but a .onion pseudo domain. The origin of the domain websites is almost impossible to find.

(See figure 17)

An underground Internet

(See figure 18)

(See figure 19)

Figure 17: Tor: a Tor directory to buy credit cards, drugs, weapons and more.

Figure 18: Tor: black market

Figure 19: Tor: buy your money online


3 About

Contact information and biographical information on the owner of Reuser’s Information Services

Who:

• Arno H.P. Reuser ; OSINTian ; information professional ; librarian ; information freak ;

Work:

• CEO, owner and founder Reuser’s Information Services ;
• Senior policy advisor OSINT at NL ministry of Defence ;

Activities:

• Founder: Reuser’s Information Services ; Dutch Open Source Intelligence Branch ;
• Writer: OSINT in Inlichtingen- en Veiligheidsdiensten (Kluwer) ; co-editor Advances in Social Network Analysis and Mining (Springer) ; journal articles ; book reviews ;
• Interviews: in several magazines (GO magazine, IK Kapital) ; PODcast (International Spy Museum Washington D.C.) ;
• Teacher/speaker: Uni.Amsterdam, Uni.Utrecht, NLDA Breda, DIVI, GOBI The Hague, Uni. South Denmark, Uni.Kaohsiung Taiwan, Clingendael, United Nations IAEA, EU (EUlex, EUMM Georgia, Eurojust, Europol, Consilium), Interpol, Folke Bernadotte Academy Sando SE ;
• OSINT Trainer: training programmes, courses and workshops in Austria, Australia, Belgium, Denmark, France, Netherlands, Sweden, Switzerland, Ukraine, United Kingdom, United States ;
• Awards: Life time award OSS 2007 ; Golden Candle Award 2003 ; Nomination for Information Professional of 2010 ; Winner National Information Retrieval Contest ;
• Websites: Reuser’s New Repertorium (Internet Resource Discovery Toolkit) http://rr.reuser.biz ; home page http://www.opensourceintelligence.eu ; NEDBIB discussion list http://nedbib.reuser.biz ;
• Programming/research: ISOLDE building blocks search engine ; Delphi Search Engine Comparison device ;

Contact:

• e-mail: [email protected] (arnoreuser) ; Twitter (arnoreuser, OSINT) ; Facebook ; LinkedIn ; WhatsUp ; SMS ;
• Websites:
  Company home page: http://www.reuser.biz
  Reuser’s New Repertorium: http://rr.reuser.biz
  Isolde search engine: http://isolde.reuser.biz
  New home page: http://www.opensourceintelligence.eu
• Phone: +31 6 3812 7715 (GMT+1)
• Address: De Wetstraat 16, 2332 XT Leiden, The Netherlands


3.1 Disclaimer

All statements made in this document and all the content in this document are based on the personal experience, study and knowledge of the writer and owner. No statement is endorsed by any official institute, government institute or government agency in The Netherlands or anywhere else. The writer, speaker and owner cannot be held liable for the use of the information or any damage whatsoever resulting from its use, whether direct or indirect. Use at your own risk.

3.2 Warning

Techniques, procedures, tools and documents used and/or demonstrated may in your country or organisation be illegal, an offence, a misdemeanour, a felony or worse, punishable by law.

DO NOT TRY ANYTHING!

unless you are absolutely sure about the ethical and legal consequences. Try at your own risk.
