Published: Demonsaw: bypassing anonymity utilizing social engineering, 2600 magazine.

PUBLISHED IN 2600 Magazine, Summer 2017 issue. (Raw unedited text, beware tons of misspelling and grammar mistakes!)

Demonsaw: bypassing anonymity utilizing social engineering.
by Hristo I. Gueorguiev

2600 Summer 2017

Demonsaw is in the creators own words “a secure and anonymous information sharing application that makes security simple and gives you back control of your data.”

Eijah who created the app truly did a great job brining an easy to use secure information sharing application to the masses.
It’s mutli-platform and doesn’t require installation, just download the executable and you can create or join a pre-existing network to share information on.
Because data is encrypted, it’s disguised as HTTP traffic and transfered over a decentralized, mesh-based network its a wonderful way to communicate safely and anonymously.
And he isn’t finised yet he has teamed up with no other than John Mcafee and is taking aim to change the internet as you know it, from data sharing apps, to cloud storage and Video Chat/Voip … and more ! That is story for a different time however, let’s talk shop now.

2600 Summer 2017 Demonsaw

So then how we can exploit the weakest link this security chain, the human mind.
It has become common place in online text communication to insert links to relevant video clips, images and etc. in the conversation. We see this phenomenon across platforms and cultures, it has become part of the way we express ourselves online.
Of course you can see the same being done in public chats across Demonbucket (The offcial public network of Demonsaw). The app does not process links in the chat in any special way, they appear as plain text. It is up to the user to copy and paste them in a browser to open them.

Now since a link to something innocuous as an funny image or video on a reputable sharing site is nor illegal or has a high chance of malware infection most folks aren’t going to start up the old Tor browser or go browsing through a proxy. All but the most paranoid are going to simply copy and paste the link to their normal browser window and have a laugh. This is where the shenanigans begin.

Imagine having a bunch of people in a Demonsaw chat … the conversation is flowing and you share a link to topical video, the crux being that the video is on a youtube account you control and is set to unlisted. Now like all things Google, Youtube has some lovely tools to handle metrics so it kindly collects all of the IPs of everyone that clicked that particular link. Combine that with a chat log where everything is time stamped you can get a blurry picture of who’s who based on what and when was said as a reaction to your video and when a certain IP accessed it.

An attacker can also share multiple links at different times and by cross referencing who was in the group at what times narrow down which IP belongs to whom as he get collects more and more reference points. With enough data collected it is possible to narrow down on users point of origin even if their IP changes over time.

Demonsaw allows the user to create groups within a network as another level of privacy, only people with the right “key” can see data shared or chat in the group, this is accomplished using socialcripto allowing for great flexibility in exchanging the group “key”. An attacker can take advantage of this by befriending a specific target in a public chat then inviting them in a group he has created, this way when the bait link there is only one possibility as to whom the IP belongs to.

2600 Summer 2017 Demonsaw

Of course a driven attacker can even create multiple aliases and pretend to be multiple people to make a more convincing conversions. Since anonimity is built in part of the network there isn’t a way to see if mulitpe aliases are actauly the same person (Well other than the one disscussed here). Drawing in the target and peeking their curiosity by stagging a conversation around the bait link. This creates a perceived “IN” peer group to the target that he would be naturally drawn to check out as long as he is in rapport with the members of the group, which in this case are of course all driven by the attacker. Since the only two real members of the Demonsaw group are the attacker and the target once he follows the link in a regular browser his IP will be again available to the attacker.

What makes this possible is that the target feels safe with in the confines of Demonsaw and for a good reason, and also has no worries about just clicking a regular old youtube link. One can be very easily drawn in to a false sense of safety even if they are very technologically literate, not to mention if not. However when the attacking party has access to information from both of those sources it becomes possible to shatter the privacy wall put by the network.

As you can see there are countless variations on such ploy that can be as simple or as elaborate as you need or like.

Once the attacker has the IP they can proceed to more common forms of surveillance and infiltration esp. if they have law-enforcement authority.

So kids just be careful what you click copy and paste out there because what happens in Vegas really stays in Vegas !