The Teneo Group

Understanding the Deep Web, the Dark Web, & How to Guard Your Network

Think back to December of 2001. The world was a very different place. America was struggling to get a grip on the double-whammy of the dot-com bubble bursting and global terrorism hitting us at home. In the midst of that confusion, a shoe bomber tried to blow up an airplane.

What did we do back then to prevent that type of attack from occurring in the future? Ever since then, passengers have been lining up barefoot so that their shoes can be inspected.

Although that may be comforting to some, it is an example of reactive security. Reactive security is finding a problem after it occurs and then putting a barrier in front of it. The same thing happens with most network security. Anti-virus and anti-malware depend on fixing a known flaw (patching) or a previous attack, like the shoe bomber, before putting up the road block—taking off your shoes for the TSA. These are examples of reactive security.

Today, if you are not preventing attacks before they happen, you are behind the curve.

This post will attempt to clarify the differences between the Visible Web, the Deep Web, and the Dark Web. We’ll dive into the Dark Web, what is occurring there, and why it is becoming more prevalent, and explain how to use the Dark Web safely to your advantage. Plus, just a few stories from The Teneo Group’s seminar in Charlotte this week about the Dark Web and how companies were saved before an attack ever occurred.

I will start by saying if you are not looking in the Dark Web for impending attacks on your organization, YOU NEED TO BE. Or, you can be reactive like the TSA and wait for the event to occur. This blog is going to focus on being PROACTIVE.

What is the Dark Web?

The Dark Web is becoming more widely known. While many people have heard of it, most are probably not sure what it is. Even engineers in high-tech fields are somewhat unfamiliar with it.

The way I like to describe the internet is in layers. Imagine the World Wide Web as a three-zoned water column from the ocean. Each zone is defined by different depths and your ability to see and reach them. In this example, we would have the “Surface Web,” the “Deep Web,” and the “Dark Web.”

The Surface Web: The topmost zone, and the easiest to reach, is defined as the “Surface Web” or the “Visible Web”, with all of the boats (websites) visible on the horizon. This zone is readily available to the public and can be accessed with standard Web browsers. This zone can be indexed by the major search engines (Google, Bing, Yahoo!, etc.) using their programmed “Web crawlers”. These Web crawlers automatically traverse websites looking for content that can be cataloged: HTML tags, meta tags, page titles, and other contextual content. Examples of Surface Web sites would be Google, Bing, Yahoo!, CNN, Fox News, and Wikipedia.

The Deep Web: Diving below the surface, to the next layer of the Web, you reach what is known as the “Deep Web”. The Deep Web is believed to make up over 90% of the internet and is not indexed automatically by search engine crawlers. Content is hidden behind manual input elements in the form of checkboxes, radio buttons, submit buttons, text fields, etc. Examples include scheduling a flight on an airline site (departure date/time, arrival date/time), social media sites, academic databases, and government resource sites.

The Dark Web: As you dive into the dark water below the Deep Web, you reach what is known as the “Dark Web”. The Dark Web is not indexed by the major search engines and requires specialized browsers configured for onion routing. This is where the creatures that only inhabit the mind of Jules Verne live: drug trafficking sites, counterfeit electronics, hitmen, P2P file sharing, weapons, explicit materials, and stolen corporate and other illegal information can all be found in the Dark Web.

The illustration below depicts the different layers of the Web traffic, the Surface Web, the Deep Web, and the Dark Web.

How Does the Dark Web Work?

The Dark Web exists as an overlay on the World Wide Web. Specialized software, such as the Tor Browser created by The Tor Project, Inc., is required to reach it. After installing the Tor Browser, the user connects to a volunteer network of “onion routers”. These are known as onion routers because the data leaving your machine is encapsulated in multiple layers of encryption, similar to the layers of an onion. Each layer is encrypted with a key shared with one specific router, so that router can remove only its own layer, and that layer contains nothing more than the address of the next node in the chain.

To protect the identity of the sender and ensure anonymity, no node in the chain knows how many intermediary nodes are required to reach the end of the chain or where it falls within the circuit to the destination. Only the final node in the chain, the exit node, can identify its exact position on the circuit to the intended destination. That is how anonymity is kept.
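As an added illustration (not Tor’s code and not part of the original post), here is a toy Python model of the layered encryption described above: the client wraps one layer per relay, and each relay can strip only its own layer and learns only the next hop. The cipher is a stand-in SHA-256 counter-mode construction in place of Tor’s real primitives, and the relay names, keys and message are constructed.

```python
import hashlib
import json
import secrets
# Added illustration of onion routing (not Tor's real code): a toy layered-encryption
# circuit in which each relay can remove only its own layer and learns only the next hop.
NONCE_LEN = 8

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher: SHA-256 in counter mode XORed over the data (Tor uses AES-CTR).
    # Encryption and decryption are the same operation.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    # Add one layer: encrypt (next hop + inner cell) under the key shared with one relay.
    nonce = secrets.token_bytes(NONCE_LEN)
    body = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return nonce + keystream_xor(key, nonce, body)

def peel_layer(key: bytes, cell: bytes):
    # What a relay does: strip its own layer, learn the next hop, forward the remainder.
    nonce, body = cell[:NONCE_LEN], cell[NONCE_LEN:]
    header = json.loads(keystream_xor(key, nonce, body))
    return header["next"], bytes.fromhex(header["inner"])

def build_onion(route: list, keys: dict, destination: str, message: bytes) -> bytes:
    # Client side: wrap the innermost (exit) layer first so the guard's layer ends up outermost.
    cell, hops = message, route + [destination]
    for i in range(len(route) - 1, -1, -1):
        cell = wrap_layer(keys[route[i]], hops[i + 1], cell)
    return cell

def run_circuit(route: list, keys: dict, cell: bytes) -> list:
    # Simulate the relays in order and record what each one could observe.
    observed = []
    for relay in route:
        next_hop, cell = peel_layer(keys[relay], cell)
        observed.append({"relay": relay, "next": next_hop, "payload": cell})
    return observed

# Constructed circuit: three relays, each with a key the client negotiated with it alone.
ROUTE = ["guard", "middle", "exit"]
KEYS = {r: secrets.token_bytes(32) for r in ROUTE}
MESSAGE = b"GET / HTTP/1.1"  # constructed sample request

if __name__ == "__main__":
    for hop in run_circuit(ROUTE, KEYS, build_onion(ROUTE, KEYS, "example.onion", MESSAGE)):
        print(hop["relay"], "-> next:", hop["next"], "| sees plaintext:", hop["payload"] == MESSAGE)
```

Running it shows that only the exit relay sees both the destination and the plaintext request; the guard and middle relays see only the next hop and an opaque blob.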

This network of onion routers and onion browsers is not by definition bad. Tor browsers were developed to protect anonymity for people like victims of domestic or spousal abuse, tip lines, and U.S. citizens who are concerned about “Big Brother”. But just like every other technology in the world, if it can be used for good, it can also be used for evil. The technology is useful, but what the users do with it has become the concern.

So, now that we have a high-level understanding of what makes up the different levels of the entire World Wide Web and how deep the Web goes, let’s begin to explore. As a disclaimer, you should not enter this area of the Web lightly. You should take precautions to protect yourself and become fully aware of the issues. Then, only use a temporary computing resource.

What Happens in the Dark Web? – The Effect of Anonymity

The effect that anonymity has on people is unnerving. It makes them do things they would otherwise not normally do. For example, if people are completely anonymous on a political blog during election season (or any other time, really), you see some nasty, nasty things said. These are things that would be unlikely to be said to a human face-to-face. It’s not just politics, although that’s where it seems most prevalent these days. It could be a sports blog where someone doesn’t like your team. Or, you could be helping someone in a tech blog, and you just get outright attacked.

Imagine what people would do if they knew they could get away with it. How about you? If you know, with 100% certainty, that there are no cops between you and your destination, are you going to maintain the speed limit? How about if you know for absolute certain that no one saw you pick up that wallet you just found on the ground? Would you return it? Hopefully, most people would. However, the percentage likely drops when the person is anonymous.

If you steal something, and you know you can sell it, or if you create something illegal, and you know you can sell it without getting caught, would you?

What if it can make you A LOT of money?

How to monetize the theft

In 2015, there were 2,122 known data breaches. Why is seemingly “useless” data stolen? Who wants it, and why will they pay for it? Have you ever heard the saying one man’s trash is another man’s treasure? Why would someone want my information on Facebook? Who cares if my Yahoo email address was stolen? Well… all data has value when used in context or in conjunction with other data. A social security number by itself means nothing. A person’s name by itself has no value. But combine a SSN with a person’s name and now we have useful data. Now combine that with an address, add a date of birth, your mother’s maiden name, the first concert you attended, the town you were born in. Do you see where I’m going with this?

Think about all of the data thefts that there are. Why is that seemingly “useless” data stolen? It’s stolen because it can be sold. But who wants it? It depends on what a person is trying to do.

Let’s look at a theoretical example. The power company and the cable provider just had all of their statements breached. Who cares? What if a hacker operation can now set up a fake payment portal, send a legitimate-looking email to those customers, and have them log into the fake storefront? Your login credentials are harvested, you are redirected to and logged into the legitimate site, and your credentials have just been compromised. That is an example of how seemingly useless data has value.

There is only one missing piece. How do you sell this seemingly worthless data? One of the reasons this is so prevalent is because, in 2017, it’s very easy. Gone are the days of cut-out magazine letters and dropping a bag of unmarked bills. Today, it is very simple. Open a Bitcoin wallet, and go on the Dark Web.

These Are Just a Few Examples of What We Found for Sale on the Dark Web

Here are bank accounts for sale, verified with user names and passwords.

If you don’t know how to cash out, here is a guide for withdrawing money from compromised Wells Fargo accounts:

If you are looking to buy or sell drugs, you can go here:

If you are looking for a hitman, you can go here:

These are awful examples, but not the worst that are out there. The power of anonymity and today’s technology allows the threat actors to do anything on the Dark Web that they want. Plus, there are few to no repercussions. But, how does this relate to your organization?

How to Use this Information to Protect Your Organization

As with the terrorism example, there is what’s known as “chatter”. Things are mentioned more, maybe specific names are mentioned. Maybe times are mentioned. Maybe a new domain similar to yours is registered. Maybe a database of names which includes your corporate domains was just sold. Maybe a storefront that mimics your online presence was also sold. Maybe a specific person or VIP is targeted. These are all precursors to an impending attack. They are called “IoCs”, or “Indicators of Compromise”.

What should you be doing? At the bare minimum, your security standards have to be observed, reinforced, and enforced. Stay up-to-date with research trends and link analysis. Do IoC aggregation and investigation (if warranted), culminating with security device integration. Also, sharing intelligence is key if any is uncovered while doing your own research.

Specific data you should be looking for includes any of your internal data that may have leaked, anything relating to brand security, exploitable data (data about you that by itself is benign but that may be used in conjunction with something else to gain an advantage), Dark Web chatter, and general IoCs.
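As an added example of watching for two of the precursors listed above (a newly registered domain similar to yours, and a sold database that includes your corporate domains), the following Python is not The Teneo Group’s tooling; the brand, the candidate domain feed and the dump lines are all constructed, and the homoglyph table is a small hand-built one.

```python
import re

# Added example of watching for precursors the post lists (lookalike domain registrations,
# leaked databases containing your domains); not the Teneo Group's tooling. All inputs are constructed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalise(label: str) -> str:
    # Fold digit/symbol substitutions and two-letter imitations ("rn" for "m") to the letters they mimic.
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance (insert, delete, substitute; each costs 1).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domains(brand: str, candidates, max_distance: int = 1) -> list:
    # Flag domains whose normalised first label is within max_distance edits of the brand
    # label or embeds it ("brand-billing.net"); the brand's own domain is never a hit.
    target, hits = normalise(brand.split(".")[0]), []
    for dom in candidates:
        if dom.lower() == brand.lower():
            continue
        label = normalise(dom.split(".")[0])
        if edit_distance(label, target) <= max_distance or target in label:
            hits.append(dom)
    return hits

EMAIL = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def corporate_accounts_in_dump(dump_lines, corp_domains) -> list:
    # Scan credential-dump style lines ("user@domain:hash") for accounts on your own domains.
    wanted = {d.lower() for d in corp_domains}
    found = []
    for line in dump_lines:
        m = EMAIL.match(line.strip())
        if m and m.group(1).lower() in wanted:
            found.append(m.group(0))
    return found

# Constructed inputs standing in for a new-registration feed and a dump offered for sale.
BRAND = "acmepower.com"
NEW_DOMAINS = ["acmepower.com", "acmep0wer.com", "acmepower-billing.net", "acmepowr.com", "unrelatedshop.com"]
DUMP = ["alice@acmepower.com:hash1", "bob@example.org:hash2", "carol@acmepower.com:hash3"]

if __name__ == "__main__":
    print("lookalike domains:", lookalike_domains(BRAND, NEW_DOMAINS))
    print("exposed corporate accounts:", corporate_accounts_in_dump(DUMP, [BRAND]))
```

Each hit is a lead to investigate, not proof of an attack: a flagged domain should be checked for a cloned login page, and a matched account should trigger a forced password reset and a look at that user’s recent logins.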

What Are Your Options?

Option 1: Do it in-house, by devoting resources, training, and standalone bandwidth. This is not something you can simply hand to an FTE as a side task; if you have no other options, though, dedicate an FTE to it. Take precautions (which I will list below) if you are going to do it in-house. If you are a smaller organization doing it yourself, it’s better than doing nothing. However, if you are doing it yourself and you have clients, customers, and/or partners who entrust their data to you, then you may want to get professional help.

Option 2: Partner with someone who knows about the Deep Web and the Dark Web. This field is like military action. To get the data, you need to “fit in”: talking like they talk, using their lingo, speaking different languages, acting and looking like they look, and becoming a trusted asset in the Deep Web by providing knowledge and resources to people to prove your “street cred”. It is only after you penetrate at that level that you can get the information you need. This is obviously a very costly and time-consuming task to do yourself, and even for the largest organizations, it takes commitment and specialized talent. Our advice is to partner with someone that has experience. You will thank us.

Option 3: Do nothing, and hope your company isn’t targeted in earnest. Then, react when something does happen. If you get compromised, at that time, call in the incident response team and mop up the mess after the fact.

In other words, your three options are to do it yourself, partner with a professional, or do nothing and hope.

In a recent article, Business Insider reports that the average data breach costs companies over $7 million in losses. This cost comprises lost customers, business disruption, regulatory fines, legal costs, public relations issues, notification costs, identity theft repair, and monitoring.

Tips and Tricks for Surfing the Dark Web

  1. Don’t use your everyday computer! Instead, use a fresh laptop, PC, or virtual machine. Get a brand-new 8GB+ USB flash drive, and download Tails from https://tails.boum.org/. This creates an anonymous operating system designed to be used from a DVD, USB stick, or SD card and is separate from your PC’s OS. It’s freeware based on Debian GNU/Linux.
  2. Turn off scripting in the security settings of your Tor browser. This will prevent compromised Dark Web sites from executing malicious content on your machine. Never trust the Dark Web!
  3. Do not maximize your Tor browser window. Sites have scripts that format display information based on screen resolution, and the exact window size can be used to fingerprint your machine and report that tracking information back.
  4. When browsing the Dark Web, keep any other surface Web browsers closed. An open browser can still send information that can be used to track your browsing or identify your machine.
  5. When browsing, use directories like Hidden Wiki that provide guided links with descriptions to narrow searches. Stay away from sites described with “candy”. These sites are associated with child exploitation, and if you are on a compromised exit node, visiting them could even be traced back to you by the authorities.

Stories told at our Lunch & Learn in Charlotte.

I can blog forever about these, but I will try to keep them short and sweet.

The first involves a sizable manufacturer. Once we were set up on a trusted system, things were running for about a month, and we were starting to collect data. Then we received alarms about an impending DDoS attack. My colleague immediately rang the CEO, informed him about the issue, and asked for permission to go shields up on the DDoS protections that were previously put in place. The CEO asked, “What? Why do you think that?” My colleague responded, “Well, did you post on social media that you were going to the circus tonight?” The reply was “Yes, why?” My colleague stated that a well-known activist group that really loves animals, and shall remain nameless, did too. Apparently, they were not happy with their perception that this CEO was supporting cruelty to elephants and responded with the DDoS attack!

Before the conversation was done, the company was under attack, and was easily able to sustain business as normal.

That event crystallized for the CEO the value of proactive security compared to reactive security. He was able to clearly connect his harmless social media post with some activists, watch for a potential attack, and respond to it. After all, if he was not associated with the right people, it would have been just another DDoS attack. So, it gives perspective. Knowledge is power.

There were several more, but one of the more interesting stories for me was about a very popular clothing manufacturer. The day they were set up on the new system, alarms uncovered and alerted them to the fact that there were 15 different illegal rings gearing up for the new line of product release.

These actors would get the first deliveries of the shipment and create counterfeit templates within days. In a week they would be selling knock-off product produced in China, Japan, and other overseas countries.

If I were to tell you what type of product they were producing, you would probably be surprised at the level of criminality around this market. However, with this knowledge, the customer was able to understand the threat better and act accordingly with police assistance.

One last quick one: a very large company asked if we would be able to assist with Dark Web research about one of the competitors they were thinking of buying—trying to determine if there were any skeletons in their competitor’s closet. We did decline that offer, by the way.

If you would like to discuss this in further detail or need any other information, please contact us today.


The Teneo Group is a leader in commercial network security services, data security, and proactive threat prevention, including mobile, endpoint, cloud, enterprise, and beyond. We offer custom strategies to clients in an array of industries, with offices in Washington, DC; Pittsburgh, PA; Raleigh, NC; and Columbia, SC.

  • 888-814-9995
  • 1725 I Street NW Suite 300 Washington, DC 20006
  • 4242 Six Forks Road Suite 1550 Raleigh, NC 27609
  • 301 Grant Street Suite 4300 Pittsburgh, PA 15219
  • 1320 Main Street Suite 300 Columbia, SC 29201