Looking at the Dark Side of the Net

Etay Maor, IBM

Wired recently reported that hackers posted a “data dump, 9.7 gigabytes in size… to the dark web using an Onion address accessible only through the Tor browser.” The data included names, passwords, addresses, profile descriptions and several years of credit card data for 32 million users of Ashley Madison, a social network billing itself as the premier site for married individuals seeking partners for affairs.

“I want to show you the dark side of the net,” Etay Maor told me when we met last month at the IBM offices in Cambridge, Massachusetts. He then proceeded to give me a tour of the Internet’s underground, where cyber criminals and hackers exchange data, swap tips, and offer free and for-fee services. “Information sharing is a given on the dark side,” said Maor, “but for the good guys, it’s not that easy.”

Maor is a senior fraud prevention strategist at IBM and has watched the dark side of the Web at RSA, where he led the cyber threats research lab, and later at Trusteer, a cybersecurity startup that IBM acquired in 2013 for a reported $1 billion. His focus is cybercrime intelligence, specifically malware—understanding how it is developed and the networks over which it is distributed. Maor is an expert on how cyber criminals think and act and shares his knowledge with IBM’s customers and also with the world at large by speaking at conferences and blogging at securityintelligence.com.

The Web is like an iceberg divided into three segments, each with its own cluster of hangouts for cyber criminals and their digital breadcrumbs. The tip of the iceberg is the “Clear Web” (also called the Surface Web), indexed by Google and other search engines. The very large body of the iceberg, submerged under the virtual water, is the “Deep Web”—anything on the Web that’s not accessible to the search engines (e.g., your bank account). Within the Deep Web lies the “Dark Web,” a region of the iceberg that is difficult to access and can be reached only via specialized networks.

Maor first demonstrated to me how much cybercrime-related information is available on the Clear Web. Simply by searching for spreadsheets with the word “password” in them, you can get the default password list for many types of devices and other things and places of interest to criminals. There is easily accessible information that may have been posted to the Web innocently or by mistake. But there is also a lot of compromised information (e.g., stolen email addresses and their passwords) available on legitimate websites that provide a Web location for dumping data.

Then there are forums for criminals, some masquerading as a benign “hacking community” or “security research forum,” promoting themselves like any other business and/or community, including a Facebook page, and covering their costs or even making some money by displaying ads. One such forum had 1,200 other people accessing it when Maor showed it to me, demonstrating how, with a few clicks of the mouse, you can find lists of stolen credit card numbers including all the requisite information about the card holder.

Maor proceeded to introduce me to Tor, the most popular specialized network providing anonymity for its users, including participants in the underground economy of the Dark Web. It was developed in the 1990s by researchers at the US Naval Research Lab with the purpose of protecting U.S. intelligence communications online; the lab released the code in 2004 under a free license. It has 2.5 million daily users, some with legitimate reasons to protect their identities, and others who are engaged in criminal activities.

Tor is based on Onion routing, where messages are encapsulated in layers of encryption. The encrypted data is transmitted through a series of network nodes called onion routers, each of which “peels” away a single layer, uncovering the data’s next destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. The final node in the chain, the “exit node,” decrypts the final layer and delivers the message to the recipient.
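The layering described above, as an added illustration that is not code from the article or from the Tor project: a sender wraps a message in one encryption layer per relay, and each relay strips only its own layer, so it learns the next hop and nothing else. The SHA-256 counter-mode stream cipher, the JSON layer format and the relay names are assumptions made for illustration; they stand in for Tor’s real ciphers and cell format.

```python
import hashlib
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Illustration only (assumption), not Tor's cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(circuit, recipient: str, message: bytes) -> bytes:
    """Wrap message in one layer per relay; circuit is a list of (relay_name, shared_key)."""
    # Innermost layer: only the exit relay learns the real recipient and the cleartext.
    layer = {"next": recipient, "payload": message.hex()}
    blob = _seal(circuit[-1][1], json.dumps(layer).encode())
    # Wrap outward: each earlier relay's layer names only the relay that follows it.
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        layer = {"next": next_name, "payload": blob.hex()}
        blob = _seal(key, json.dumps(layer).encode())
    return blob


def peel(key: bytes, blob: bytes):
    """What one relay does: strip its own layer, learn the next hop, forward the remainder."""
    layer = json.loads(_open(key, blob).decode())
    return layer["next"], bytes.fromhex(layer["payload"])


def traverse(circuit, onion: bytes):
    """Simulate the relays in order; return each relay's routing view and the delivered message."""
    views, blob = [], onion
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        views.append((name, next_hop))  # all a relay ever sees about the route
    return views, blob  # after the exit relay, blob is the cleartext it delivers
```

The middle relay’s view in `traverse` shows the property the paragraph describes: it can name its neighbours but neither the sender’s message nor the final recipient.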

While Tor is used by people with legitimate reasons to hide their identity, it (and similar networks) also facilitates a thriving underground economy. This is where you can buy firearms, drugs, fake documents, prescription drugs or engage in pedophilia networks, human trafficking, and organ trafficking. Maor paraphrases Oscar Wilde: “Give a man a mask and he will show his true face.”

Tor is also home to rapidly growing “startups,” offering fraud-as-a-service. A decade ago, says Maor, cybercrime “was a one-man operation. Today, it’s teamwork.” Furthermore, the whole process, from coding the malware to distributing it to working with money mules, can be easily outsourced. Everything a cybercriminal might need is now available on the underground forums, some components of the process as a free download, others as a for-fee service, including cloud-based services with guaranteed service level agreements (SLAs). The menu of cybercrime options has grown beyond financial fraud tools to include advanced targeting tools, Remote Access Tools (RATs), and health care and insurance fraud tools and services.

The explosion of data about us, our lives and our workplaces on the Clear Web has helped the denizens of the Dark Web circumvent traditional online defenses such as passwords. “Fifteen years ago,” says Maor, “it took a lot of work to breach a company. Today, I can go on LinkedIn and find out exactly what is the structure of the company I’m interested in.” Knowledge of the reporting structure of a specific company helps criminals’ “social engineering” efforts, manipulating people into performing certain compromising actions or divulging confidential information. Once criminals get to know their targets (e.g., by connecting on LinkedIn), the victims may open an email or attachment that will infect their computer and provide the desired access to the company’s IT infrastructure.

Cyber criminals are taking advantage of the abundance of data on the Web and its success at connecting and networking over 2 billion people around the world. 80% of cyber attacks are driven by highly organized crime rings in which data, tools and expertise are widely shared, according to a UN study on organized crime, generating $445 billion in illegal profits and brokering one billion-plus pieces of personally identifiable information annually.

Data and networking—aren’t they also great tools in the fight against cybercrime? Not so much. Corporations and security firms have been reluctant to share cybersecurity intelligence. Only 15% of respondents to a recent survey said that “participating in knowledge sharing” is a spending priority.

There have been some efforts to change that, such as the establishment of industry-specific Information Sharing and Analysis Centers (ISACs) and the cross-industry National Council of ISACs. The Department of Homeland Security and other government agencies are working to promote specific, standardized message and communication formats to facilitate the sharing of cyber intelligence in real time. The Cybersecurity Information Sharing Act (CISA), a bill creating a framework for companies and federal agencies to coordinate against cyberattacks, is being debated in Congress.

Alejandro Mayorkas, the Deputy Secretary of Homeland Security, recently said: “Today’s threats require the engagement of our entire society. This shared responsibility means that we have to work with each other in ways that are often new for the government and the private sector. This means that we also have to trust each other and share information.”

IBM took a big step towards greater engagement and information sharing when it launched the IBM X-Force Exchange in April. It is a threat intelligence sharing platform where registered users can mine IBM’s data to research security threats, aggregate cyber intelligence, and collaborate with their peers. IBM says the exchange has quickly grown to 7,500 registered users, identifying sophisticated cybercrime campaigns in real time. “I’m a fan,” security guru Bruce Schneier responded when I asked him about X-Force Exchange.

“The security industry must share information, all the time, in real time,” says Maor. “It’s a change of mindset, but it has to be done if we want to have some sort of edge against the criminals.”

Originally published on Forbes.com