Can the dark web help to prevent your next breach?
When you hear of a data breach in the world today you often hear that each credit card, or each name or each social security number was worth ten cents. Or if the name was associated with and address it was worth 25 cents. Or maybe if the name and address were associated with a credit card number its worth 75 cents. And if that credit card also has the CVV code its worth $2.
I’m just making the numbers up. Sure, there are statistics. But where can you go to buy a credit card number with all the credentials for $2? I looked on Amazon, they are not for sale. So how do you criminals make money by selling stolen information? Is it like in the movies 20 years ago where you make a call from a pay phone and someone shows up with a large suitcase of unmarked bills? No. Not today.
Before we get into where let’s define a couple of things. The Internet to start. It’s a very large web of interconnected computer systems that allow you to do anything from shop, to sell, to socialize, to learn, to work. It’s a very useful and organized collection of systems that is setup for mostly good reasons. It is indexed and it is very easy for most people to use.
Next is the deep web. The deep web runs on the very same infrastructure as the Internet, however it is hidden from sight using several techniques that range from no DNS entries to the prohibition of web crawlers. So, the deep web is readily accessible if you have directions on where to go. There are no street signs and no maps, just personalized directions for specific people for specific reasons. You may have found yourself there at one time, thought how did I get here and quickly closed your browser.
Finally, is the dark web. It, like the deep web uses the same infrastructure as the Internet. It also is not indexed by web crawlers. However, there is one other characteristic. You need special software to visit. The software is called a few different things, but the one thing it will do is to make you anonymous when you visit.
Anonymity in and of itself can give you the courage to do something that you may not otherwise do. For example, if you knew you would not be caught, would you steal from a store, would you buy things you would rather no one ever knew about, sell things you would never think of selling otherwise? Put in simpler terms, if you knew there were no cops out would you do the speed limit? Probably not.
So now we have this inherently anonymous place, where you can do anything you want without much risk, if any, of being caught. This clearly attracts the criminal element. The only problem is how can you sell something online where the only type of currency available is a very traceable electronic bank or credit card transaction? That is where bitcoin enters the picture.
Anyone can open a bit coin wallet, create an account and enter the dark web to do, buy or sell whatever it is they need or want. And it’s all legitimate. Bitcoins are not bad nor are they illegal. Anonymizers are not bad when used for a good purpose such as a whistle blower or domestic abuse victim.
But back to the story that I originally started. If you just stole a million credit cards with full names and numbers, where would you go to sell them? That’s right. The dark web. What else can you get on the dark web? Drugs like heroine, crack, ecstasy. You name it. Do you want to buy a zero-day exploit so you can compromise a system without anti-virus being able to stop you? Yup. You can get that. How about passwords from a LinkedIN hack? Or passwords from a Yahoo breach? Yup. They are there.
How about passwords from a breach that are tied to an email address? What do email addresses and passwords get you? Generally, access to a website, right? How many people have different passwords for each website they access? The answer unfortunately is not many (as a percentage). If you don’t believe that statistic just ask my wife. Or my Mom, or your Mom or your brother or sister. Nine out of ten times it’s the same one, two or three passwords used based on the perceived level of importance to the site. But the same passwords none the less.
Now let’s think about if those names are tied to a corporate domain. And the email address is not firstname.lastname@example.org, its email@example.com. Or its firstname.lastname@example.org. Or its email@example.com. Sure, it is important for you as an individual to protects your data, but as a corporation if you are not looking at the dark web for the precursor to an attack – you need to start. And you need to start today.
If you currently have the responsibility for cyber security, risk, compliance, assurance, governance and you are not looking at the dark web you are failing at your job. The information is there. Its readily available. You just need to be careful when you are going there and you need to follow some basic rules. The most basic being that when you find something, don’t email it to yourself at your work domain. Don’t even email it to your legitimate Gmail account. Have those decoy accounts setup before you go in. Also, check back often. Data breaches occur all the time.
The more you visit and the more you contribute the more you will be accepted. The more you are accepted the more access you will have. I am certainly not condoning anything illegal, but if you can gain trust you can gain access. If this is too far over your head, but the topic is important to you we can help.
Whether you are being proactive and you want to explore. Or if you have had a breach and you need help. Or if you know you need to explore the dark web and you just need help getting started. We can give you the information you need to make an informed decision that works for your business.
The only wrong thing to do is to do nothing. Contact us today to get started.
Click here to register for Dark Web & Incident Response Lunch and Learn in Charlotte NC May 31st, 2017.