You may have seen a lot of buzz around something called the dark web recently, with the recent leaks of classified documents regarding the Air Force drone program, the first ever national level bust of underground vendors selling various illegal contraband, and a large data breach that exposed over 230 million American’s basic Personal Identifiable Information (PII). Most users think they aren’t a target on the dark web, but it couldn’t be further from the truth.
For readers who may not know what the dark web is, let’s start with a quick intro to get up to speed. The “dark web” is a small extension of what we call the “deep web”, which is the un-indexed portion of the web that search engines can’t find and index, which can be for numerous legitimate and illegitimate reasons.
Content included in this section of the web includes pages that are protected, like online banking services, web mail, and anything behind a paywall. Because of its nature, a lot of people will use the term “deep web” to describe the “dark web”, but they are indeed different – instead of just comprising of non-indexed information, the dark web is typically a private network that users access and browse anonymously. Content within the dark web can include a multitude of both legal and illegal content, including hacking forums and services, drug markets, and Bitcoin services.
Let’s remember that the dark web has numerous markets for illicit activity – the services offered (that we worry about for this article) can include hacking services, software exploits, and PII sales. These markets provide bad actors an easy avenue to generate money and create havoc for businesses and individuals by selling tools and information that can directly impact individuals daily.
One of the most common threats to the average person, regarding online services, is credential theft. This can happen in a multitude of ways, but most commonly happens either via malware on the individual’s computer, phishing via email, or by compromising a web service or application that the individual uses.
Considering that most users only have a handful of passwords, it’s easy to assume that one compromised password will affect numerous services that the user may utilize. As such, these bad actors make a living on selling ill-gotten credentials.
What buyers do with the credentials is always a guessing game and depends on the service affected – effects could be:
In this information driven world, another major threat that is often overlooked is identity theft. For example, with the recent Exactis data breach, affected users saw personal information leaked that included names, addresses, contact information, interests, pets, and religions. This information is usually packaged and sold (cheaply) on the dark web, which is then used for pointed attacks, such as recovering accounts using security questions answered with this data, or even impersonating the user to get into other systems. Other online services have had credit card and SSN information stolen, which can then be used for illegal purchases or account creations when coupled with other information grabs.
Since we can’t control third party services and their security, we can only control the data we provide to them and the means of access. Thankfully, the means of access is an easy one to address, but has multiple parts that need to be considered.
The first mitigation I always suggest is to use multifactor authentication (MFA) where available. The concept of MFA isn’t new, but a lot of vendors have been behind in offering it to their users. The idea is that you provide multiple layers of authentication that aren’t in the same category with each other. We generally look at four categories when considering MFA:
MFA dictates that we must provide at least two of the above to be trusted. The most common combo we see is a password coupled with a token, whether it be a soft token or hard token. Banking institutions have been doing this for ages with fobs that provide a random token that is only good for a set period of time and is no good after being used.
Our Unmaskify service provides actionable stolen credential data to make informed decisions. Unmaskify leverages human and sophisticated dark web intelligence to proactively monitor the dark web to identify your organization’s compromised or stolen employee and customer data.
The second mitigation to credential theft is to minimize the use of duplicate passwords. This can be achieved easily by using a password manager that will centrally store all your passwords in an encrypted database, usually protected with your choice of MFA. Most services will even generate the random passwords automatically for you and do the management and categorization, plus autofill the login credentials if the user is properly authenticated. This simplifies the ordeal of having many credentials while still keeping those services accessible easily. Some services will even auto-change your password for you if a breach has been detected.
Lastly, the best mitigation to credential theft is user awareness training. Users need to be aware of what is on the web, how their data is stored and accessed, and how to minimize their threat landscape. Users are fallible and can be deceived if they don’t know what they are looking for, which is exactly what phishing campaigns are looking to exploit. A business will typically have numerous protections in place to minimize the amount of phishing, impersonation, and targeted attacks, but no system is perfect and cannot detect everything malicious, so it falls back to the user to be vigilant.
From a reactionary standpoint, there are services that allow a user to scan the dark web and find if their passwords are being passed around on forums and sites, then alert the user of what has been found. This will give the user insight into what information has been leaked and what passwords need to be changed. In addition to just passwords, PII and other identifiable information can be searched for, which will give insight into any possible credential theft.