2. Who AM I
Viral Parmar
ComExpo Cyber Security Foundation
Cyber Security Researcher
Mozilla Reps, Mozilla Foundation
Given 500+ sessions all over the world
Solved 200+ cases of cyber crime and made more than
6 lakh people aware of privacy and security
Always remember: Know hAckiNG, but no HaCKing.
@viralparmarhack
4. What is Steganography
Steganography is a technique of hiding a secret message within an ordinary
message and extracting it at the destination to maintain the confidentiality of data.
Utilizing a graphics image as a cover is the most popular method to conceal
data files.
6. Application of Steganography
Privacy (Secret)
Digital control System
Copy prevention (Copyrights)
Unauthorized duplication
Metadata hiding
Covert Communication
7. Classification of Steganography
Technical Steganography
Hides a message using scientific methods
Linguistic Steganography
Hides a message in a carrier, choosing the medium used to communicate
8. Technical Steganography
Uses physical or chemical means to hide the existence of a message.
Tools, devices, methods.
Invisible ink
Microdots
Computer based – text, picture, video
9. Linguistic Steganography
Hiding a message in a carrier
It is categorized into semagrams and open codes
Types of Semagrams
Visual semagrams
Everyday physical objects are used to convey the message
Text semagrams
Sudden changes in handwriting, fonts or size.
10. Types of Open Codes
Jargon code
It is a language that can be understood only by a particular group of people
Covered Ciphers
The message is hidden openly in the carrier medium so that anyone who
knows the secret can recover it.
o Null ciphers
Encryption - plain text is mixed with a large amount of non-cipher text
o Grille ciphers
A grille is created by cutting holes in paper
Place the grille on the paper to retrieve the plain text
14. Video Steganography
Our secret
Steganalysis:
o Based on motion vectors
o Statistical analysis
o Time stamps
o Odd distortion
o Some unrelated gestures in the video
15. Audio Steganography
o Using LSB and frequencies which are non-audible to humans
o Echo data hiding
o Spread spectrum method
o MP3Stegz
o Stegostick
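The image-as-cover method from slide 4 and the LSB technique slide 15 mentions, followed by the statistical steganalysis slide 14 lists, as an added example (this is not code from the slides or from any tool they name). It hides bytes in the least-significant bits of a grayscale pixel list and then runs a chi-square test over pixel-value pairs; the cover and payload are constructed sample data, not a real image file.

```python
import random

def embed(cover, payload):
    """Hide payload in cover pixel LSBs; a 4-byte big-endian length prefix goes first."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # keep the 7 high bits, overwrite the LSB
    return stego

def _bits_to_bytes(bits):
    return bytes(sum(b << (7 - k) for k, b in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))

def extract(stego):
    """Read the LSBs back: the length prefix first, then exactly that many bytes."""
    lsbs = [p & 1 for p in stego]
    n = int.from_bytes(_bits_to_bytes(lsbs[:32]), "big")
    return _bits_to_bytes(lsbs[32:32 + 8 * n])

def chi_square_pairs(pixels):
    """Steganalysis by statistical analysis: chi-square over value pairs (2k, 2k+1).
    LSB embedding only moves a pixel within its pair, so random-looking payload bits
    push both members toward equal counts; a statistic near 128 (the degrees of
    freedom) instead of far above it is the classic sign of a fully embedded image."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
            stat += (hist[2 * k + 1] - expected) ** 2 / expected
    return stat

def demo(seed=7):
    """Constructed cover (an assumption, not a real image): 4096 pixels biased toward
    even values, mimicking the uneven pair counts of natural images; the random
    payload (4 + 508 bytes = 4096 bits) fills the cover exactly."""
    rng = random.Random(seed)
    cover = [rng.randrange(256) & 0xFE if rng.random() < 0.8 else rng.randrange(256)
             for _ in range(4096)]
    payload = bytes(rng.randrange(256) for _ in range(508))
    stego = embed(cover, payload)
    return cover, payload, stego, chi_square_pairs(cover), chi_square_pairs(stego)
```

Calling `demo()` returns the cover, the payload, the stego image and the two chi-square statistics; the cover scores in the thousands while the fully embedded image scores near 128.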
21. Hidden Services
• Location-hidden services allow a server to offer a TCP service without revealing its IP address.
• Tor accommodates receiver anonymity by allowing location-hidden services
• Design goals for location-hidden services:
• Access Control: filtering incoming requests
• Robustness: maintain a long-term pseudonymous identity
• Smear-resistance: against socially disapproved acts
• Application transparency
• Allows access to onion websites and the deep web.
23. WORKING OF TOR: 1
(Diagram: Tor Node 1 to Tor Node 9 and a SERVER, with a legend for unencrypted and encrypted links)
24. WORKING OF TOR: 2
(Diagram: the same nine Tor nodes and SERVER, with unencrypted and encrypted links)
25. WORKING OF TOR: 3
(Diagram: the same nine Tor nodes and SERVER, with unencrypted and encrypted links)
27. How to access Deep Web?
• Step 1 : https://www.torproject.org/download/download
• Step 2 : Download the software for your system's OS
• Step 3 : After installation, open Tor Browser
• Step 4 : You will get the options “Configure” and “Connect”, so select
“Connect” and proceed to explore Tor
29. Really Tor?
• Tor can't solve all anonymity problems. It focuses only on protecting the transport of data.
• You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information.
• To protect your anonymity, be smart. Don't provide your name or other revealing information in web forms.
• Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.
30. TOR: Limitations
• DNS leakage: the client reveals the destination to the DNS server during DNS resolution.
• End-to-end timing correlation: an attacker watching patterns of traffic at the initiator and the responder will be able to confirm the correspondence with high probability.
• Eavesdropping by exit nodes: Tor does not encrypt the traffic between an exit node and the target server. Therefore a malicious exit node can observe traffic, identify user requests and send a wrong response.
• Tor is slow: traffic bounces through onion routers (ORs), often on volunteers' computers in various parts of the world. This may cause bottlenecks and network latency.
32. Case Studies : Silk Road
• Famous drug acquisition site - Ross Ulbricht (Dread Pirate Roberts)
• To market his site [The Silk Road] he would post around on clearnet
forums (reddit, HF.net etc.)
• The FBI claims the former physics and engineering student even publicly
alluded to his alleged criminal enterprise on his LinkedIn profile
• He put his links on his G+ account and regularly posted that he was using
Ubuntu on the actual hosts
• He would go as far as the neighbourhood Starbucks or library, which was
just around the corner from his house, to log on to and administer his
Silk Road onion
33. Case Studies – Harvard Bomb Threat
• On December 16th a bomb threat was made to Harvard’s student newspaper and
some officials by Eldo Kim
• He used the guerrillamail.com email service via Tor to send the threat.
• Kim took several steps to hide his identity but in the end it was the wifi that got
him
• All Tor nodes are publicly known except bridges
34. Case Studies – Harvard Bomb Threat
• His reason for doing something like this was that he
wanted to get out of a final exam
• He connected to Tor through his student account
• Because of this fact, and the fact that he was the only one connected
to Tor at the time the email was sent, it was easy for them to
correlate that he may have sent the threat.
• As if that wasn't enough, Eldo puts the final nail in his own coffin by
actually admitting that he was the one who made the bomb threat.
35. Case Studies : Freedom hosting
In July 2013 the FBI compromised Freedom Hosting by inserting malicious JavaScript that used the Firefox exploit bug CVE-2013-1690, because they were using an outdated version (17 ESR) of Tor Browser.
36. Case Studies : Freedom hosting
• Freedom Hosting was known for hosting child pornography. This is enough to make
you a mark for all sorts.
• Freedom had already been under attack from Anonymous during Op Darknet because
of the child porn.
• Freedom Hosting did not update their version of the TOR browser.
• The FBI used a payload called Magneto that gave them Freedom's IP address, MAC
address, and Windows host name with the unique serial number that ties a user to a
site visit (Cookie malware!!)
• Magneto phoned home to servers in Virginia using the host’s public IP
http://ghowen.me/fbi-tor-malware-analysis
• An Irish man, Eric Eoin Marques, was the alleged operator of Freedom Hosting.
• Marques was said to have dived for his laptop to shut it down when police raided him.
37. Case Studies : LulzSec
• Hector Xavier Monsegur (Sabu) was already being watched by the FBI.
However, his mistake was that he became careless
• Slipping up, he connected to IRC without Tor, when he normally would.
This allowed the FBI to get his home IP address.
• Jeremy Hammond ( sup_g ), when speaking with Hector on IRC, spoke
carelessly of places he had previously been arrested and other groups
that he was involved with. The FBI used this information to narrow their
suspect pool, which allowed them to obtain a court order to monitor his
internet traffic.
• Once again correlation proves to be a bitch. I say this because although
the FBI did not exploit Tor to bust Jeremy, they were able to
correlate the times 'sup_g' spoke with 'Sabu' on IRC with when Jeremy
was at home using his computer.
38. Case Study : playpen
• Playpen, a child porn website, was launched in August 2014 on Tor
• It had 215,000 members, 117,000 posts and 11,000 visitors a week
• In February 2015 the FBI took over the website and ran it until 4 March, sending a NIT
(network investigation technique, a hacking tool); using that they
traced back 1,300 users