Hackers Scan All Tor Hidden Services To Find Weaknesses In The ‘Dark Web’ by Thomas Fox-Brewster.
From the post:
If you go down to the deep web today, you’ll be following hot on the heels of a digital beast. In a matter of hours last week, the entire semi-anonymising Tor network, where activists and criminals alike try to hide from the gaze of their respective authorities, was traversed by PunkSPIDER, an automated scanner that pokes websites to uncover vulnerabilities.
Created by Alejandro Caceres and his girlfriend-cum-business partner Amanda Towler, PunkSPIDER, which provides a simple Google-like search tool for weaknesses in the vast number of indexable websites that exist today, has turned its gaze to Tor-based sites. The plan is to help improve security across the “dark web”, one of its numerous disputed noms de guerre. But the creepy crawler could aid law enforcement, who might not want exploitable bugs on illegal sites patched by their criminal operators. Such flaws might offer investigators a path into the server and, with the right warrants, be useful for future investigations.
…
A couple of interesting security findings:
- Static HTML sites + no attack surfaces on the application side = more security
- HSDir nodes in a Tor network may not be as secure as you think (see post for details)
Sounds like a market opportunity for anyone scanning the ‘Dark Web’ to offer monitoring of sites for vulnerabilities. Residents of the ‘Dark Web’ have greater incentives for security than the average website.
The researchers found a site they found objectionable and are going to “share it with law enforcement before releasing it publicly.” Their call, but I do object to “sharing” with law enforcement. Law enforcement budgets are quite large and they should pay for information like everyone else.
Let’s be clear. Your local city or county police may be “on your side,” but the folks who need cyber intelligence and high-end technical advice are pursuing their own agendas. They can be clients like anyone else, but they should also be paying clients.
Use information to introduce your services, but only the first one should be free. 😉