Are TOR Hidden Services really hidden? Demystifying HS Directory surveillance by injecting Decoys inside TOR!

Recently, I spoke at the C0C0N X Security & Hacking Conference 2017 held at Le Meridien, Kochi. The talk focussed on the 'Hiddenness' of TOR Hidden Services specific to the detection of HS Directory Surveillance by injecting Decoys or Honeypots inside the TOR network. Here’s the digest of the presentation.


What is TOR?
The Onion Router – Gateway to Anonymity
How TOR works?
Establishing the Circuit
Directory Authorities - The Gatekeepers of TOR

Introduction to TOR Hidden Services (HS)
Why run a TOR HS? - Sneak peek into HS features
How TOR HS works? - HS Rendezvous Protocol

Analysis of hiddenness of TOR HSs 
Research Hypothesis - Are TOR HS really Hidden?
The HS Honeypot Approach
Setting up the Onion Decoy Project

Live Demo
Hosting Tor Hidden Service in seconds with Docker Containers
How to setup Honeypots (aka Onion Decoys) inside TOR Network
Live probing of Onion Decoys to detect intrusions by attackers

Results of the Onion Decoy Experiment 
Private Hidden Services are not really hidden

Conclusion & Takeaways
Everything can be a Honeypot, if you don’t know it fully
The more you hide, The more somebody wants to know why



The Source Code of the Onion Decoy Project is available at https://github.com/OnionDecoy


Below is the presentation for the delivered talk.

How the next Edward Snowden should access Internet for maintaining privacy? - Rethink VPN & TOR

In the present era of Mass Surveillance by intelligence agencies like NSA, GCHQ & RAW, you should know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route is in the hands of some electronic system whose reach is unlimited, but whose safeguards are questionable. This amount of metadata collected about you is more than enough to create simulations of you and predict your behaviour in any given circumstance. It involves a systematic interference with individual’s right to privacy in terms of subjection to significant indiscrimination, monitoring and censorship. Hence, Privacy & Anonymity are rising concerns among informed citizens, journalists, whistleblowers and Edward Snowdens of the world.

When it comes to technology, privacy and anonymity enthusiasts extensively use encrypted proxy services like VPN & TOR Anonymity network to hide their identities & activities online. But let’s understand how useful & worthy they are, what are the differences and how can we leverage the potential of both.

VPN is faster than TOR, and is suitable for P2P downloading. The major downside however (and reason VPN is said to provide privacy rather than anonymity) is that it requires your trust the VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.

On the contrary, TOR is much slower because of the built-in Onion Routing, is often blocked by websites, and is unsuitable for P2P, but it does not require your truston anybody, and is therefore much more secure & truly anonymous.

Interestingly, VPN & TOR can be clubbed and used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside, however, of doing so combines the speed hit of both technologies, making connections more secure but slow. It is also important to understand the difference between connecting VPN to TOR and connecting TOR to VPN for accessing the Internet. Order Matters!

Dark-Side of Internet of Things (IOT): Security & Privacy Challenges

Recently, I was invited to deliver a talk at the Global IOT Conclave held at The Chancery Pavilion, Bangalore. The talk focussed on the Dark-Side of Internet of Things specific to Security & Privacy Challenges in IOT. Here’s the digest of the presentation.

• Why is everything getting Smart with the advent of IOT?  Sensors or Cloud or M2M.
• IOT is bridging the gap between the Physical world & the Digital world and how Digital threats are becoming Physical threats?
• Top IOT Hacks: Chrysler's Jeep Cherokee, Mattel's Wi-fi Hello Barbie.
• Eavesdropping through microphones of Smart Dolls, Smart Teddy Bears & Smart TVs. What if the smart doll teaches offensive things to your kid.
• Exploitable Smart Refrigerators, Smart Thermostats, Smart Insulin Pumps. How Smart TVs have been hacked & infected by malware for automated Ad Clicks and Cryptocurrency mining.
• IOT Ransomeware is now reality. How much someone would be willing to pay to remove ransomware from a Smart Pacemaker?
• Denial of Service (DOS) attacks on & through IOT devices. How hackers can turn a Smart Fridge into a spam-bot?
• Why can't we make smart devices smart enough to be secure? The IOT Security Challenges: Resource Constraints, STRIDE Threat vectors.
• Security vs Privacy vs Anonymity. Importance of Trust in IOT Privacy.
• Security by Obscurity vs Security by Design: Proprietary protocols, indigenous hardware & air-gapped networks.
• Security can not be an afterthought. It has to considered & implemented in all of stages of IOT Business: Planning, Design, Implementation, Verification, Validation, Deployment & Operations.
• IOT Business Model needs to change. Earlier we used to Build product, Ship them & forget about them until we had to Service them, but now we have to Ship & Remember.

Below is the presentation for the delivered talk.

Touring the Dark-Side of Internet: A Journey through IOT, TOR & Docker

Recently, I had the privilege of delivering a talk at ThoughtWorks GeekNight Hyderabad along with my co-speaker @Sarath. The session focussed on the Dark-Side of Internet touching upon the following theme.

With the advent of IOT, Every 'Thing' is getting Smart, starting from the range of smartwatches, smart refrigerators, smart bulbs to smart car, smart healthcare, smart agriculture, smart retail, smart city and what not, even smart planet. But why is every thing getting smart? Is it just a marketing gimmick? 

People are trying to bridge the gap between Digital World & Physical World by means of ubiquitous connectivity to Internet, and when digital things become physical, digital threats also become physical threats. Security & Privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop the private communications in your bed room? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be Anonymous over Internet and don't want anybody to track you? 

The talk focused on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity is taking the lead over security. The talk also sensitised the audience about the paradigm shift that is happening in IOT DevOps, with help of Docker Containers and how they can be anonymised using TOR.

The detailed Agenda of the delivered talk: