Demonsaw: Bypassing Anonymity Utilizing Social Engineering

by Hristo I. Gueorguiev (hristogueorguiev.com)

Demonsaw is, in the creator's own words, "A secure and anonymous information sharing application that makes security simple and gives you back control of your data."

Eijah, who created the app, truly did a great job bringing an easy to use secure information sharing application to the masses.

It's multi-platform and doesn't require installation.  Just download the executable and you can create or join a pre-existing network to share information on.

Data is encrypted, disguised as HTTP traffic, and transferred over a decentralized, mesh-based network.  It's a wonderful way to communicate safely and anonymously.

And he isn't finished yet.  He has teamed up with none other than John McAfee and is taking aim to change the Internet as you know it, from data sharing apps to cloud storage, video chat/VoIP, and more!  That is a story for a different time, however.  Let's talk shop now.

So then, how can we exploit the weakest link in this security chain: the human mind?

It has become commonplace in online text communication to insert links to relevant video clips, images, etc. in the conversation.  We see this phenomenon across platforms and cultures.  It has become part of the way we express ourselves online.

Of course, you can see the same being done in public chats across DemonBucket (the official public network of Demonsaw).  The app does not process links in the chat in any special way.  They appear as plain text.  It is up to the user to copy and paste them in a browser to open them.

Now, since a link to something as innocuous as a funny image or video on a reputable sharing site is neither illegal nor likely to carry malware, most folks aren't going to start up the old Tor browser or go browsing through a proxy.  All but the most paranoid are simply going to copy-and-paste the link into their normal browser window and have a laugh.  This is where the shenanigans begin.

Imagine having a bunch of people in a Demonsaw chat... the conversation is flowing and you share a link to a topical video, the crux being that the video is on a YouTube account you control and is set to unlisted.  Now, like all things Google, YouTube has some lovely tools to handle metrics, so it kindly collects the IPs of everyone who clicked that particular link.  Combine that with a chat log where everything is time-stamped and you can get a blurry picture of who's who, based on what was said (and when) as a reaction to your video and when a certain IP accessed it.

An attacker can also share multiple links at different times and, by cross-referencing who was in the group at what times, narrow down which IP belongs to whom as he collects more and more reference points.  With enough data collected, it is possible to narrow down a user's point of origin even if their IP changes over time.

Demonsaw allows the user to create groups within a network as another level of privacy.  Only people with the right "key" can see data shared or chat in the group.  This is accomplished using social-crypto, allowing for great flexibility in exchanging the group "key."  An attacker can take advantage of this by befriending a specific target in a public chat, then inviting them into a group he has created.  This way, when the bait link is shared, there is only one possibility as to whom the IP belongs.

Of course, a driven attacker can even create multiple aliases and pretend to be multiple people to make a more convincing conversation.  Since anonymity is built into the network, there isn't a way to see whether multiple aliases are actually the same person (well, other than the one discussed here).  The attacker can draw in the target and pique their curiosity by staging a conversation around the bait link.  This creates a perceived "in" peer group that the target would naturally be drawn to check out, as long as he is in rapport with the members of the group, who in this case are of course all driven by the attacker.  Since the only two real members of the Demonsaw group are the attacker and the target, once the target follows the link in a regular browser, his IP will again be available to the attacker.
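To see how fast the "who was in the group when each link was posted" cross-referencing shrinks the candidate set, here is a small anonymity-set calculator a user or group admin can run over their own chat history.  It is an added example, not code from the article or from Demonsaw; the chat log, aliases and `video.example` URLs are constructed, and the `*join*`/`*leave*` markers are an assumed log convention.  For each link it records who was present (minus the poster, who knows his own IP), and for a chosen member it intersects those sets across every link posted while that member was around, which is the set of aliases an observer of the links' access logs could not tell apart from them.  A result of size one means the member is fully deanonymized, which is exactly the one-on-one group case above.

```python
"""Anonymity-set calculator for links posted in a group chat.

Added example (not from the article or from Demonsaw). Given a chat log
with membership events, it computes how many members an observer of a
bait link's access log could confuse a given member with.
"""
import re
from datetime import datetime

URL_RE = re.compile(r"https?://\S+")
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")  # timestamp, alias, text

# Constructed chat log (not real network traffic). "*join*" / "*leave*"
# are an assumed convention marking a member entering or leaving the group.
CHAT_LOG = """\
2016-03-01 20:00:00 alice *join*
2016-03-01 20:00:05 bob *join*
2016-03-01 20:00:10 carol *join*
2016-03-01 20:00:15 dave *join*
2016-03-01 20:05:00 bob check this out https://video.example/unlisted-1
2016-03-01 20:06:30 carol lol
2016-03-01 20:30:00 dave *leave*
2016-03-01 20:45:00 bob another one https://video.example/unlisted-2
2016-03-01 21:00:00 carol *leave*
2016-03-01 21:10:00 bob last one https://video.example/unlisted-3
"""


def parse_log(text):
    """Yield (timestamp, alias, message) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def link_events(log):
    """Return (timestamp, poster, url, candidates) for every link posted.

    candidates is the set of members present at that moment, excluding the
    poster: if the poster controls the link's analytics, he already knows
    which IP is his own.
    """
    present = set()
    events = []
    for ts, alias, msg in log:
        if msg == "*join*":
            present.add(alias)
        elif msg == "*leave*":
            present.discard(alias)
        else:
            for url in URL_RE.findall(msg):
                events.append((ts, alias, url, frozenset(present - {alias})))
    return events


def anonymity_set(events, target):
    """Aliases an observer cannot distinguish from target via link clicks.

    Worst-case assumption: the target opened every link posted while they
    were present, so their IP shows up in each of those access logs. Every
    alias present at all of those moments is consistent with that IP.
    """
    candidates = None
    for _ts, _poster, _url, members in events:
        if target not in members:
            continue
        candidates = members if candidates is None else candidates & members
    return candidates or frozenset()


def exposure_report(log_text):
    """Map each member who ever joined to the size of their anonymity set."""
    log = list(parse_log(log_text))
    events = link_events(log)
    members = {alias for _ts, alias, msg in log if msg == "*join*"}
    return {alias: len(anonymity_set(events, alias)) for alias in sorted(members)}


if __name__ == "__main__":
    for alias, size in exposure_report(CHAT_LOG).items():
        status = "DEANONYMIZED" if size == 1 else f"hidden among {size}"
        print(f"{alias:6s} {status}")
```

In the constructed log, alice stays for all three links and ends up alone in her candidate set, carol is hidden among two, and dave, who left after the first link, among three.  Each extra link the attacker posts can only shrink these sets, never grow them.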

What makes this possible is that the target feels safe within the confines of Demonsaw, and for good reason, and also has no worries about just clicking a regular old YouTube link.  One can very easily be drawn into a false sense of safety even if they are very technologically literate, not to mention if they're not.  However, when the attacking party has access to information from both of those sources, it becomes possible to shatter the privacy wall put up by the network.

As you can see, there are countless variations on such a ploy, which can be as simple or as elaborate as you need or like.  Once the attacker has the IP, they can proceed to more common forms of surveillance and infiltration, especially if they have law enforcement authority.

So kids, just be careful when you copy-and-paste out there, because what happens in Vegas really stays in Vegas!
