After data breaches and ransomware attacks, we often hear that customer information was leaked to the dark web. This obviously can have serious implications for both companies and individuals, but for many of us, the dark web is as mysterious as it sounds. So what is the dark web all about, and what’s happening there? How does it affect companies and regular people? F-Secure’s Laura Kankaala and Elias Koivula joined episode 57 of Cyber Security Sauna to help demystify the topic.
Janne: Welcome to the show.
Laura: Thanks for having us here.
Elias: Good afternoon.
Let’s start with the basics. What is the dark web, and how do you get there?
Laura: When we talk about the dark web, it’s basically just an overlay of our basic network infrastructure. It’s just not quite available through the means of opening our Chrome browser and going in there. We need some additional plugins or a specific kind of browser to access that.
The dark web itself is part of what we can also call the deep web, and this terminology can vary depending on who you are talking with, but this deep web section of the internet is basically, overall, the section of the internet that is not that easily browsable. For example, you cannot find the results on Google or on other search engines that easily.
But the dark web, specifically, is then the section that you need specific tooling to access. For example, Tor browser or specific plugins for your browser.
Okay. So if I want to oversimplify, the clear web is the part of the internet that you and I know, and then the deep web is the part of it that is using the same infrastructure but is not part of the general internet, it’s not indexed by Google and easily findable like that. And then the dark web is the part that sort of takes extra steps to hide them a little bit, so they might use different protocols and different means of accessing. Fair enough?
Elias: Yeah, absolutely. There’s this metaphor of an iceberg. And it’s supposed to explain the entire internet, or the connected web. And the top of the iceberg is often shown as the surface web, the clear web. And the rest of the iceberg, the bigger portion, is usually displayed as the deep web/dark web.
Now, that is relatively true, since the surface web, by some estimations and sources, only accumulates to around four to eleven percent of the websites out there. It’s still like billions of sites, but the reason for this is that the biggest portion of the entire internet is the deep web. It’s basically governmental sites, company sites, sites that require user credentials or some other means to access. That’s the biggest portion of the internet. And the dark web, itself, is just a small portion of that.
Okay, so is the deep web just simply things that are behind a credential login, or something like that?
Laura: It could be like that. Or, for example, company intranets and things like that, that are not just directly available to the public internet. So it’s not that full of mystique after all. It’s just things that we can actually access, for example login pages, but whatever is behind that is not directly accessible for us unless we have the required access to that information.
You mentioned one of the things you use to get on the dark web is Tor, the onion routing browser and system. What is that, and does it actually make you anonymous like they say?
Elias: So using Tor does not entirely make you anonymous. It’s pseudo anonymous. And it’s just one step of the entire opsec infrastructure to build yourself a truly anonymous identity.
So to understand the concept of why you’re not necessarily fully anonymous, it could be useful to understand how the Tor network works. Basically, when a Tor circuit is built, when you fire up the Tor, there’s a bunch of starting nodes you connect to.
So I call one of those.
Elias: Yeah, exactly. A computer calls one of those. And that first node contacts another node, the middle node, I think it’s called. And the middle node contacts an exit node. And all of these are in different places, possibly around the world even. And all of these nodes add an additional layer of encryption. So the first node adds a layer of encryption, the second node adds a layer of encryption.
So the node that is currently decrypting and accessing the data cannot tell where exactly that data was initially coming from, it cannot tell the original IP. And then the exit node, that is the third node that connects you to the target website. That one does hold information about your target IP address, for instance.
There’s a way of identifying the data if you possibly have access to the exit node, especially if the target website you’re using does not use encryption. So let’s say you’re accessing a site using cleartext protocols, not TLS. The data you send, meaning that if your opsec is not good enough, if you order something to your home address, or create a user with your own email address, all of that data can be viewed through cleartext if the target website is not using TLS.
There are different ways of using Tor with full anonymity, and those require a bit more than just simply downloading a Tor browser or configuring a browser to use Tor plugins.
Laura: I totally agree with Elias that Tor network and Tor browser, they are just technologies that anyone can use. You can go and download Tor browser for yourself, for example, if you want to use it.
But the reality of things is that even though we have these technologies that would support anonymous use of the internet, it really is just that, it’s just technology. And the fact is that our lives bleed into the internet in such multiple ways. For example, as Elias said, if you register into an application or a website with your own name, or use the same email everywhere outside and inside of Tor network and in these hidden services, then these things can be used to connect you.
And outside of just technical vulnerabilities, there are also these applications that we use, for example that criminals use when conducting criminal business online, so, for example, Bitcoin addresses and things like these, that then tie into this bigger picture of their online identities that can become harder to hide because exposure is wider than just actually using one specific hidden service through Tor browser.
Okay. Sounds both complex and shady. Where did this dark web come from? Why do we have things like the Tor?
Elias: So initially, I think, just as the regular internet, it was a byproduct of the US military. The story I’ve heard is that it was initially used as a mechanism to help spies to discuss secret information.
There’s of course the question of, why was it then released to the public? Well, to help blend the information relayed by the spies into the crowd, it was opened up to the entire population.
So to lose themselves into the crowd.
Elias: Exactly, yes.
Laura: I think in media it gives out a really shady look to how the dark web is full of criminals, and just bad things happening there, but the truth is that there are all kinds of websites there, and to be honest, some of the websites really remind me of the early days of the internet, like the early 2000s when I first started to make websites myself. So there’s a lot of these self-made websites.
But while it’s true that there is a lot of different types of discussion forums and websites for personal hobbies and use, naturally, because there is a lack of moderation and oversight, there are a lot of hidden services that serve potentially very harmful content, and are also marketplaces for illegal activity such as buying and selling of drugs and guns and so on.
So there’s a lot of different types of things out there, and I would say while some of these illegal services also happen on the clear web, perhaps the hardcore ones happen within the dark web.
Elias: Yeah. Inherently there’s nothing evil about Tor. Tor is just a technology that helps you, helps you become anonymous. And also helps you access these private sites.
Tor is extremely useful in places such as…let’s say there’s an authoritarian government that wants to spy and listen in on what people are talking about. Tor is a useful tool for instance in those places, to have discussion and full access to the entire database of information that’s contained.
Because you can access just regular webpages with Tor, as well. Some people use Tor just to browse their daily pages, whatever they might look at. And there even exist .onion domain pages for, I think, the Washington Post, and for the FBI and, as Laura said, some popular websites as well.
Laura: Definitely Tor has a really crucial role to play when it comes to freedom of speech and freedom of the press. So if access to the internet or information is limited, then Tor provides a really good gateway into the internet, making it so that it’s really difficult to see where this person is going, what kind of websites they are browsing, but also hiding the anonymity of these people from the websites themselves.
Okay. Well, the first thing that comes to my mind is the drug markets and places to buy illegal guns from. But you’re saying that’s just a small part of it. So what else is there? You hear stories about nefarious hacker forums and cyber crime services…
Laura: Yeah, there’s definitely those as well, and sometimes they are in the same marketplace or sometimes in a separate marketplace.
I would say that some of this information, or for example data leaks or dumps, exploit code, they are sold. And then there’s also the possibility of buying just services of someone – for example, writing phishing templates for you, or doing phishing for you or whatnot. So it comes really down to just having a need for something or a demand for something and then answering to that demand.
But when it comes to these hacker forums, for example, or selling exploit code, and if we’re talking about not zero days, but more generic kind of exploit code, I feel that this naturally takes place in the dark web, or through Tor browser accessing these hidden services, but there are a lot of these hacker forums that are available also in the clear net, for example, or clear/deep net, so you need to log in. Or sometimes not even that, but that contain information in data leaks, or on exploit code that is available for people, or just examples of how to do carding, or different types of crime that are really directly tied to immediate profit.
Elias: I’d like to draw a separation between these hacking forums and marketplaces that you’ve mentioned. So, marketplaces are only places to usually sell some illegal material such as drugs. Mostly it’s just drugs. There are legends of having hitmen for hire and stuff like that…those are just legends. The marketplaces are just mainly places for illicit, illegal drugs, usually material related to software, such as these ransomware builders or whatever.
The quality is quite bad in the marketplaces. It’s usually just old stuff that somebody’s trying to get a quick buck for. It’s not something necessarily new or interesting.
And then there are these hacker forums, which Laura mentioned. Dark web hacker forums, they, in my experience, are mostly to have serious conversations about cyber crime as a service, and other possibly illegal things.
Laura: Yeah, regarding the marketplaces, the generic kind of nature of the code is definitely a big thing there. So it’s nothing revolutionary. Typically it’s quite old, like well-known scripts just repackaged and sold forward. There’s naturally zero-day merchants and brokers who are selling zero days, but that’s a super exclusive club. That is not a club that is fully always available to random people on the Tor network.
And when we talk about for example, zero-day exploits, the price tag on those is not something that a consumer could easily afford, especially if they are just looking for an exploit that they are willing to spend a couple of hundred dollars maximum on.
I would assume there’s quite a bit of scamming going on as well, that not everything you’re buying is exactly as advertised.
Laura: Typically in these marketplaces, and especially when it comes to forums where information is shared and people are having discussions, there are typically these kinds of reputation things that you can check. So, for example, the discussions they are having on a specific piece of code or specific tooling that someone is offering, or just a dump of information.
For example, when it comes to drug dealing, a lot of the drug dealers, they are really concerned about their reputation and that they are actually serving customers. I believe when Silk Road was taken down, a lot of the sellers were investigated, and the stuff they were selling was investigated at that point, and a lot of it was found to be really good quality, and they were really living up to the expectations so to speak. It would be bad for business also to be selling bad stuff online.
Elias: Excellent point about the reputation. As weird as it sounds, on these anonymous forums, you are your username. So a lot of the time, especially on the dark web hacker forums, you see people providing sometimes even free software for use. Or sometimes you might find some free credential dumps provided by a user. Why? It’s really hard to decipher the actual motivation behind those, but I believe it’s for street cred.
Often you can find that from these lower-level hacker forums you can sort of graduate to some higher level, if your username is well-known, if you have a reputation in the underworld. So in that sense, reputation is everything over there.
Laura: That’s true. And what I find most intriguing in these forums is how trust is built in this kind of no-trust environment. As you, Janne, also said that you were a little bit skeptical of what we were going to get if we buy something from there, but how intricate the trust actually is there. And that people really believe that this person behind this specific username, he or she has a really good reputation, so we trust them.
Elias: About the trust as well, these marketplaces, they usually don’t have a long life span. So usually they are closed via officials, or sometimes they have conducted exit scams. So because the payment happens usually via escrow, the site can hold a lot of Bitcoin, a lot of cryptocurrency at one time. So it’s easy to just one day, as the operator of the site, just disappear with the entire Bitcoin. And it has happened.
Also, the fact that some of these marketplaces have been under police control. So the police have taken control from the original office and not let anyone know about that, that they are in control. And they’ve just let it be open and build their cases with people buying drugs and whatever. So you can never know the site is fully legit in that sense.
Laura: Yeah. And especially when it comes to hidden services, and again, demystifying it, it’s just basically a website that is available through a specific kind of routing protocol. So there are vulnerabilities that can exist on that website. Or there can be these opsec mistakes, that someone is revealing too much or that the website itself is not good at protecting its users from being tracked, and so on. So it’s just a website running on someone’s computer or a computer called server somewhere.
Yeah, and you’re choosing to trust that party a little bit. All right, a lot of times companies approach me to ask about dark web monitoring services, things like that. They are working from the assumption that there are groups of criminals conspiring, talking, planning ahead…we’re going to attack this company and let’s hit that company next. Is that taking place?
Elias: So, general discussion and planning is definitely not available in the low level hacker forums. If there are people planning this, it usually probably happens via some common communication methods, behind the closed doors of Jabber, for instance. There’s no open talk, at least, on these low level forums that you can access with that simple credential.
Laura: Yeah. I don’t think it would make a lot of sense for anyone to conspire publicly against any company, because then you would attract a lot of attention on your objectives and whatever you’re doing.
What I do see happening, though, is that there are people, not necessarily doxing anyone or naming anyone, but wanting to hack, for example, someone’s account on Facebook or Instagram or Snapchat, or then they try to get access to someone’s nudes or something and then sell those forward.
So there are specific kinds of services that are targeted, but it’s not necessarily the service itself, but the accounts and the user accounts in those services that are of special interest for some of these activities.
Okay, but we know that sometimes, company-specific information gets leaked on the dark web or the deep web. There’s stories about IPRs, or customer databases, things like that getting dumped or being sold. So how’s a company supposed to find out that its data is floating around in the dark web?
Elias: I know that there exists some cyber security providers that provide security assessment, basically. So they can scan the known places and some of the known forums and so forth, and search for search terms, and look out for some interesting related terms that might come up.
But the key term there is “known,” so you can only scan the sites you know and the sites you have access to, and things like that. So you can’t scan the whole darknet.
Elias: It’s really difficult. Just the way they have constructed the sites, building scrapers or crawlers that access the dark web is…usually the CAPTCHAs are so difficult that programming something to take care of those might be a bit of a task.
Yeah, I mean you’d have to have all the credentials, or ways to breach the security of each of these sites.
Laura: Yeah, it’s definitely not feasible programmatically, as there are so many CAPTCHAs protecting all of the Tor websites. I think it’s a lot of manual work combined with looking for clearnet, for example, just Google dorking, and keeping tabs on these clearnet forums as well. Clearnet, but going to the deep web side of them. So, seeing what kind of discussions people are having there, what kind of data dumps people are sharing there, and typically sometimes these discussions, they directly have the name of the data dump that is being shared as well.
So it can be really easy if a company has their eyes open, and just does internally, or with an external contractor does some kind of threat intelligence around this.
So let’s say I found my company information being auctioned off in the darknet. Is there anything a company can do at that point?
Laura: Once data is breached, then there is no way to reclaim that, so it will be out there forever, potentially. Not all of these data breaches are sold or shared in these basic level hacker forums, or these basic marketplaces, so you can’t really get full visibility in either case.
But if you happen to find your database being sold somewhere, then depending on the nature of the data, for example, if it’s personally identifiable information, then you may be subject to GDPR-related regulations to inform your users.
Elias: Yeah, exactly. It’s important to be open as a company about these data breaches. And also it’s important to find out what data was stolen, and determining, is there a possible breach of your system? Might there be a back door that is still accessible? Or was it just scraped data with legal means, so to speak?
So it’s important to know also that, so you can come up with a good response plan, in that sense, because it’s an entirely different thing if your network structure is being compromised.
Okay. What about individuals? I guess the biggest threat of cyber crime is things like identity theft. What sort of a role does dark web play in these?
Laura: A lot of these marketplaces, especially on the dark web side, there is a possibility of buying very specific identifying documents, for example, passports and IDs and things like these that can be used for identity theft. But naturally, something like your credit card, the credit card number and the CVV number being breached, then that could be also used to buy stuff as you. So that’s also a form of identity theft.
Having said that, all of these things are available in these marketplaces, so there is naturally a really crucial role that these specific marketplaces play when it comes to identity theft.
It’s very hard to talk about the dark web without going into cryptocurrencies. What sort of a role do they play in the dark web?
Laura: So, a lot of the transactions that happen, happen over cryptocurrencies, whether it’s Bitcoin or Monero or whichever is the preferred cryptocurrency at that moment.
Which is it, by the way, at the moment?
Laura: Yeah, I think it’s because it’s the most widely used, and recognizable, and it has a lot of easy ways to do transactions and change real money into Bitcoin, and so on. So it’s definitely the go-to mechanism for that.
Elias: There’s an interesting connection between Bitcoin or cryptocurrencies and the dark web, in the ideological sense as well. As we’ve talked, the dark web and Tor and these services can be used for good as well, and for anonymity, right? For good purposes.
And those sort of ideologies are something that are inherent to cryptocurrencies as well. They’re just tools. And just as any other tool, they can be used for good or for evil.
So the idea of maybe, equality, and being anonymous in that sense, and being open, and decentralization, in that sense, those are concepts that really tie cryptocurrencies and the dark web together. They share similar ideologies in that sense.
Laura: Yeah. They both are privacy-enhancing technologies. And I think privacy, in general, is good for all of us as general users of the internet. But actually, it’s a double-edged sword, so there’s the use case for criminal activities, because it’s used to hide the underlying identities.
But it’s interesting, for example with Bitcoin, the concept, because it’s transparent, for one. So you can see who paid who, and whatnot. And then there’s naturally services that promise you to obfuscate your money and launder your Bitcoins, and stuff like this. But in the end it’s all out there. And there are interfaces where Bitcoin usage can be deanonymized, for example, if you’re transferring Bitcoin back to real-life currencies, and stuff like this.
But yeah, I definitely agree with overall the ideology being good for enhancing privacy, for making the internet experience more democratic, and so on. So it’s really not the technologies themselves, it’s the way that they are used.
And when we talk about criminal activities, it’s a bigger issue than just having the technology available. It’s an issue of something being illegal, or something being wrong in a specific context, and then there is still demand for those services.
So it’s a really complex issue that cannot be tackled with, for example, let’s say if we just want to ban Tor network. That will definitely not remove the issue of these data breaches and leaks being sold online. Because, for one, they’re also available in the clear/deepnet, but there’s no stopping anyone from also starting a new overlay network, for example.
I wish it was as easy as saying that yeah, let’s stop the usage of Tor network, or Bitcoins, or cryptocurrencies, and then we would be done with it. It needs more than that, unfortunately.
But we were also talking about how there’s good things happening on the dark web. There are services for people who might not be able to openly access those services, for example, where they live, things like that. Or certain services that you need but you can’t purchase where you are, so you need that anonymity, cryptocurrencies. But are you exposing yourself to risk by, as a law-abiding citizen, going to use the dark web for one of these legitimate purposes, are you sort of hanging out in a bad neighborhood now and exposing yourself to risk from cyber criminals?
Elias: But if you are doing some legitimate business, as you said, it really depends on your local government and their attitude towards it. The way that Tor works is that when you contact the first node, there’s a known list of nodes that are the starting nodes. So as a government, you can just block those, tell the ISPs to block those IP addresses. Such as, I think, China has done. I think they’ve successfully blocked Tor network.
Some of the governments and the ISPs actually might hold you under a scope, they might look at you a bit closer if they find out that you are using Tor. But inherently there is nothing illegal in that.
Laura: Yeah, definitely. It’s just a technology. It’s kind of like using VPN.
Perhaps for a normal user, VPN can be a better solution because using Tor network, and especially Tor browser, can sometimes be a little bit slow, because of the way that the routing works, so your connection is jumping from one place to another before you actually arrive at a location. And the second thing is that you will see CAPTCHAs everywhere, so it will slow down your internet browsing experience quite a bit.
Yeah, but I mean, if you live in a country that tries to actively block these sort of things, maybe this is not a philosophical conversation you want to have with the men in the van when they grab you from the street.
Speaking of philosophical conversations, you guys have brushed upon…you don’t seem to think that Tor is just a tool for evil. But is it a tool for good, either? Does it truly empower people? Does it provide that decentralization and freedom from “the man”?
Elias: Associating anything, any feeling or concept like good or evil, with a tool…like is a hammer evil? Is a hammer a good thing? Right? So, it’s just a tool. And it’s whatever you do with it. But I think it’s the minority that use Tor for nefarious purposes, if that’s what you’re getting at.
And the idea of empowering and creating a democratic playing field for people to express their opinions and thoughts, it’s something that I don’t fully comprehend, having lived in a country that does not actively try to restrict my voice. So I cannot fully appreciate that. But obviously, it is clear that for people living under certain conditions, tools like Tor are vital. They’re vital.
Laura: Absolutely. And I think it’s always good to look a little bit outside of your bubble. We wouldn’t need these kinds of privacy-enhancing technologies if the world was super democratic, and everyone had freedom of speech and no oppression anywhere. And that’s kind of like the underlying issue.
So these technologies are not made to be tools for criminals and criminal activities. They are made to serve for a greater purpose, that is to bring people together and give everyone a voice. But then, it’s increasing all of our privacy, so it’s a handy tool for conducting illegal activities then, as well.
Thank you guys for taking us on this insightful trip through the dark web.
Laura: Thank you.
Elias: Thank you for having us.
That was the show for today. I hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.