Today on Cybersound, Jason, Steve, and Matt set out to demystify the Dark Web and the Deep Web. Is that possible? Did you know there was a difference?
Dark Web 101
Listen to this episode on
[00:00:01.210] – Speaker 1
This is CyberSound, your simplified and fundamentals-focused source for all things cyber security with your hosts, Jason Pufahl and Steve Maresca.
[00:00:11.510] – Jason Pufahl
Welcome to CyberSound. I’m your host, Jason Pufahl. Joined us is always by Steve Maresca and Matt Fasaro. Hey, guys.
[00:00:17.730] – Steve Maresca
Hi there. I feel bad for Matt. He’s not in the intro. We need to fix that.
[00:00:21.140] – Jason Pufahl
We do need to fix that. As the podcast continues to evolve, there’s always going to be something we have to do. So, today you mentioned it 10 seconds before Steve, we’re going to demystify the Dark Web, which I think is great. The reality is people hear about it all the time. And I think most people probably don’t understand what it is other than probably this vague idea that somewhere you want to be or it’s bad.
[00:00:52.840] – Jason Pufahl
We have the commercial or common Internet, the Deep Web, and the Dark Web. Either of you want to take a step? I think everybody knows what the Internet is. We can probably skip that. But how is that distinct maybe from the Deep Web as that middle ground?
[00:01:08.330] – Steve Maresca
So, the Deep Web has had many different descriptions over the last 20 years. I think is probably the best way to start out. But bottom line, it’s stuff that isn’t easy to find by your typical search engine. We’re talking FTP servers, file transfer media, things of that sort, private networks, archives, things that aren’t indexed in general.
[00:01:35.460] – Jason Pufahl
So maybe the things that don’t turn up directly in search results easily.
[00:01:38.540] – Steve Maresca
[00:01:40.610] – Jason Pufahl
But they’re not necessarily nefarious, right? They’re not bad?
[00:01:45.690] – Steve Maresca
Now, the Deep Web is what your researchers will end up using as their primary source for a lot of information. It’s where your data resides, less so than your written word content.
[00:01:57.320] – Jason Pufahl
Okay, that’s reasonable. Matt, would you want to take a stab at the Dark Web?
[00:02:02.870] – Matt Fasaro
Sure. Contrary to how clear network which you reference as a commercial Internet, Dark Web isn’t something you can just browse to the Web page for. You’ll need some special tools, special browsers. Sometimes you might have heard of like an Onion router or a tour site or something like that where you essentially create a VPN connection. You’ll need some type of app access to get into these dark nets.
[00:02:35.750] – Matt Fasaro
It’s not necessarily illegal either. And that’s something that should probably be talked about, too. It’s not always legal content that’s on the Dark Web. It’s a good portion of it. Let’s not get me wrong there. But it’s not necessarily illegal to have a Dark Web. There may be good reasons for it, but essentially getting to that, there’s some type of gateway to get there.
[00:02:58.740] – Matt Fasaro
Once you use the tools you can get on there. And a lot of them are an invitation only type community where you’ll need some way of getting in there or some type of credentials or a member of some organization.
[00:03:16.300] – Jason Pufahl
What’s interesting about, you’re talking about the tools is the Onion router—or Tor—was not really originally intended to be a way to access this Dark Web. It was really in response to being more private when you’re browsing ultimately. And that was the whole point and then it eventually evolved more into, well, how do you really remain anonymous or how do you get that level of security and privacy that you want. And it really turned into the gateway to the Dark Web?
[00:03:48.410] – Steve Maresca
I wouldn’t even say that necessarily. It’s just a way to access material that is lumped under the giant amorphous term the Dark Web. Tor has its roots in peer-to-peer networking, file transfer, basically, two-point, Privacy oriented, separate routing for Internet traffic. That’s it. It’s a way of introducing some resiliency and geographic independence in network traffic that doesn’t otherwise exist in the traditional hub and spoke model of the Internet.
[00:04:20.750] – Steve Maresca
However, it happens to be a convenient way to host content that is shifting, that doesn’t have a geographic home per se that might be illicit. And it’s been appropriated that way over time. But the Dark Web could be as simple as a closed form in a traditional Internet site. It’s a spectrum of places that you might visit. I think that’s the best way of describing it.
[00:04:48.890] – Matt Fasaro
Yeah. And just a buyer beware statement with this, too. A lot of the, what are called Tor Exit nodes. A Tor exit node would be, okay, you’ve done your traversing through this Tor network where it’s essentially trying to anonymize your traffic. That’s usually the goal of using one of those. You anonymize the traffic, has to exit at some point to get to the content that you’re actually looking for.
[00:05:14.670] – Matt Fasaro
A lot of those exit nodes are already popped. They’ve been specifically targeted. Governments know about them, other criminals know about them. A lot of the data that you think might be totally off the record, if you will, not so much. There are other ways to get to the data you’re looking for. If you’re looking to do a list of things or look for a list of material.
[00:05:43.190] – Steve Maresca
I think the main takeaway for the average person is that the Dark Web, as it’s been described in advertising from Experian, Equifax and all the big names that talk about identity theft, it’s really just a harder to reach area of the Internet. Where some people with things that want to be hidden tend to congregate. But some of it operates in plain sight just as much as the rest of the Internet.
[00:06:06.350] – Jason Pufahl
But that’s a good segue? Because we deal an awful lot in ransomware, and we’re seeing now the Dark Web utilized. And of course, we’ve seen this but we’re seeing now almost in every ransomware event, data is stolen and maybe parts, portions of the data are published on the Dark Web to demonstrate or validate that your data has been taken as a company.
[00:06:32.330] – Jason Pufahl
They’re using it to transact. If you get financial information that might have value for another threat actor, they’ll sell that on the Dark Web. I feel like we’re always looking at the Dark Web as a place where illicit or illegal activities are occurring. But I think it’s particularly relevant in these ransomware schemes because that’s where the data is posted. And it’s the medium that makes stealing that data valuable in certain ways.
[00:06:59.630] – Steve Maresca
Right. I think that’s reasonable to mention as well. The intersection with Dark Web conversation is simply that the double-extortion, triple-extortion type threats where data is moved from an organization during a ransomware event, ends up often in a site only accessible by a Tor. That’s simply where the victim of shaming sites exist. It’s just a trend. The Dark Web itself is just a means of getting there.
[00:07:27.530] – Jason Pufahl
You mentioned, and I think it’s fair just to spend a second on it, even though it’s not specific to Dark Web. From a ransomware standpoint, the original ransomware simply was encrypting your data and asking for a ransom. That double extortion part was encrypting your data, asking for a ransom, publishing your data and asking for a ransom to take it down.
[00:07:48.410] – Jason Pufahl
Interestingly now that triple extortion, we’re seeing the threat actors actually go directly now to employees of a company and say, we’ve stolen data from your company. Your company hasn’t paid us to delete the data so we’re going to ask you individually if you want the opportunity to pay for us to delete your data. We’re seeing these threat actors now get really creative on ways to maximize their profit. Frankly, in a lot of ways, all leveraging the ability of the Dark Web to keep their activities reasonably anonymous or protected.
[00:08:27.290] – Matt Fasaro
They’re always looking for ways to monetize the activity they did. They spent their time and money to get into those organizations, they want to monetize it. It’s fair to say, too, that’s getting increasingly more difficult for them to operate on Dark Web. There’s tons of services out there that have put the time and effort to get onto the forums, the groups, discord servers that they shouldn’t be on to find out information.
[00:08:56.870] – Matt Fasaro
But up until now, it’s been hard to do all that. You also have to get people to know different languages in order to be able to read a lot of this stuff because obviously, it’s not all in English. There’s plenty of stuff and tons of other languages that you have to read through to actually know what’s going on.
[00:09:14.510] – Steve Maresca
One thing that we haven’t touched on yet, and I think it’s adjacent to this subject is the fact that marketplaces for exchanging information, credentials, and stolen illicit material are often introduced in the context of the Dark Web. Because it’s easier to transact via or transact for things that are illicit or illegal in an area that’s slightly out of sight.
[00:09:39.500] – Steve Maresca
In the context of ransomware, in the context of identity theft, there will be forums and bidding sites for actually paying for stolen pieces of information. The Dark Web is how you might get to it. Where this intersects with the average business or the average person really is where you are getting it in terms of the extortion of the ransomware or the identity theft. Businesses, if they are subject to ransomware, may be presented with a ransom note that has a Tor link or an Onion link to a website.
[00:10:14.090] – Steve Maresca
You need to know how to get there to evaluate whether the threat actor has stolen your information. Tor browsers are easy to acquire through the Tor project. They’re free, they’re safe. You can use them. Individuals might want to do that as well if they believe their information has been stolen or if they simply want to see what the Dark Web has to offer.
[00:10:32.270] – Steve Maresca
There are search engines within the Dark Web in and of itself. It’s not entirely foreign. It’s just a different landscape. And finally, what it means to people, in general, is that the Dark Web, when you see it as a term, is often used in a fear-oriented delivery. It’s just another place.
[00:10:56.560] – Jason Pufahl
It’s just a place.
[00:10:57.210] – Steve Maresca
Yeah. And it’s not dark. It’s not insidious. It’s not necessarily something that you need to fear. It’s simply a term for a place where you can have information that is harder to reach, and you can reach it as easily as anybody else.
[00:11:12.240] – Jason Pufahl
Right. So, let’s take this conversation back a tiny bit to what kind of things occur from an incident standpoint that might be meaningful to an employer? And Steve or Matt, I know that you have a very specific example of a workflow where we’ll do some credential validation for clients. And I think that really will drive home what some of the risk is of something as basic as, again, your traditional username and password.
[00:11:45.420] – Steve Maresca
Third-party sites are compromised all the time. LinkedIn is a great example. Many people have LinkedIn accounts. Their password hashes were compromised. Many sites are compromised and reveal user names, email addresses, phone numbers, you name it. The same thing is true of plain text passwords. And what that means in the context of the Dark Web is that there are huge caches of credentials associated with accounts that might be attainable to an attacker. And that may mean to you as an individual, that your username and password is out there and usable within arm’s reach by someone who wants to access your accounts or your systems.
[00:12:28.130] – Jason Pufahl
And these databases of accounts, I mean, they’re for sale. There’s threat actors that specialize in harvesting, and then they will simply sell them to people who want them.
[00:12:37.650] – Steve Maresca
Absolutely. And it might turn into spam. It might be credential use, you name it. There’s a whole spectrum of actual outcomes. But in terms of how we would use that information in a defensive, protective kind of way is, going out looking at some of the aggregated collections of identities, searching for our customers, or encouraging our customers to search for VIPs in their organizations to see if those accounts have been leaked and then taking action.
[00:13:05.770] – Steve Maresca
If you see an account that has been targeted or the password that’s been leaked, you might as well change those account passwords where you can. A process that we perform for some of our customers is actually pulling the credentials that we can obtain with the plain text passwords and testing them within an organization’s servers. We have an example that came up recently where this is an organization with many thousands of users, but a couple of hundred actual accounts had passwords that were usable.
[00:13:33.240] – Steve Maresca
And the immediate outcome is either force a password change or have a conversation for security awareness and education with those users. There are lots of potential improvements that can be made by simply looking at that data and making use of it in an aggregate kind of way.
[00:13:50.850] – Steve Maresca
Even when there isn’t a legit match from authentication, you have a conversation. Hey, John, you’ve used the same password on multiple sites, might want to not do that anymore. So, there are other fringe benefits, even though the data might have been exposed in a way that you might otherwise preferred not be.
[00:14:10.500] – Matt Fasaro
Yeah, there’s a lot of other information too, besides passwords. It’s good to get out ahead of that, know what’s out there. You can’t decide which you don’t know…If you know about a situation, you can put a risk management strategy around it. If customer data was leaked or sales numbers, whatever’s important to your business could have been taken out somehow, and knowing it’s out there helps you create a strategy on how to deal with that.
[00:14:37.670] – Steve Maresca
So, real practical outcome, real practical step that an individual can take visiting a site like Have I Been, pwned.com. Have I Beenpwned.com or Dhash.com. These are sites that provide a way to search for your username, search for your password in a safe way, which is a bit of a complicated discussion in and of itself. But just be rest assured that you can type in your password to these sites and not have it exposed. They’ll tell you if it’s in a leaked data set, and if it is, then you’d better change that password or you’d better recognize that the account that you’ve submitted to search may have exposure.
[00:15:19.220] – Jason Pufahl
Right. And we’ve certainly got a podcast that talks all about good credential management, good password management. The reality is, as always, these are the keys to the Kingdom, and you really want to protect them. In the use case that you outlined around collecting or harvesting credentials and then validating whether or not they’re still good, is one that we do all the time. And we see successful authentication from these in nearly every case.
[00:15:48.830] – Jason Pufahl
While maybe not the biggest risk to an organization, it really represents an easy way for a threat actor to potentially get access to your environment and you want to be mindful of that understand what the risk is. I feel like we’ve really covered everything we set out to cover here today. The intent in a lot of ways was just to give people a better understanding of what the Dark Web is.
[00:16:15.810] – Jason Pufahl
I think I appreciate that it doesn’t have to be a place that only elicited or illegal transactions occur. It just happens to be a place where they can occur and that’s generally the dominant area for it. But be mindful that it exists. Certainly, if you have an incident monitoring and trying to identify whether your data is there, is going to be an important piece of all of this.
[00:16:43.710] – Jason Pufahl
I think understanding the distinction between Deep Web and your more commercial Internet I think is valuable enough. As always, if there are questions about this, there’s a whole lot more to tell here, right? Feel free to reach out to us at Vancord at LinkedIn or VancordSecurity at Twitter. We’re happy to have a continued conversation, let you know what some of the other risks might be. As always, we’re here to help you protect your business or your personal assets.
[00:17:14.390] – Jason Pufahl
And with that, as always, Steve and Matt, thanks for joining today. Thanks, everybody for listening and we hope you have a good day.
[00:17:22.290] – Speaker 1
Stay vigilant, stay resilient. This has been CyberSound.