Darlings of the Dark Web: Who is Selling Your Data?

“I am Oz, the great and powerful” – the ominous words of a weak wizard foretold our future. And who was Oz? A regular guy posing as the leader of a land that does not exist. But the Emerald City was no Dark Web. And even though it exists in technological space alone, the Dark Web is real. With people using code names wielding their power within it. What people, you ask? All types of people.

But back up a bit. What is the Dark Web? And how does it differ from the Deep Web? This is easy. It goes like this…

When you step onto the web in your daily life, you’re most likely going right to the Surface Web, also known as the Visible Web or Indexed Web. This is the web that is available to the general public.1 Here you find all of your Google searches and the portals to your varied accounts. Now log on to your email. BAM! You’re in the Deep Web, also called the Invisible Web. It’s where the privacy curtain falls, which is a good thing. The Deep Web contains the coded content not indexed by search engines.2 It is password-protected for members – you wouldn’t want everyone reading your email, right? – or subscribers, like anything behind a paywall – let’s keep that Amazon or Netflix account locked. Even a web page that requires typing a query within a search box, such as one for court records, is Deep Web travel.3

Okay, you’ve got that, right? Right. Moving on.

When you’re talking about the Darknet, you’re talking about the Dark Web. Your standard browser (Chrome, Safari, Firefox…) won’t take you there. The most likely portal is via Tor software, from the Tor Project4 – a government-funded nonprofit created in the mid-1990s by the U.S. Naval Research Laboratory, and publicly launched in 2003.5 Once you’re on the Tor network, information is encrypted, so your browsing remains anonymous. Created for anonymity, Tor offers many positive uses (like free speech without government firewalls, as in China; even Facebook provides Tor access for safety and security6), and most Tor browsing is entirely legal and legitimate. “Visits to those dark web sites account for only 1.5 percent of all Tor traffic, according to the software’s creators at the non-profit Tor Project.”7

Tor’s “hidden services” – special websites that may only be accessed through Tor – are the most popular darknet sites. Because they are cloaked in Tor’s anonymity, it is difficult to track who visits them.8 This is where the trouble begins. Information you thought was secure, your personal or your company’s information, is being traded down there. Dark sites sell stolen credit cards, social security numbers, lists of user information collected off of Yahoo, LinkedIn, Twitter, Tumblr, MySpace9 and so on, forged documents, counterfeit currency, and much more.

But who’s behind this? Where are they coming from?

The most high-profile takedown of dark web activity happened in 2013 with the FBI arrest of Ross Ulbricht, founder of the notorious criminal-traffic Silk Road site.10 When Ulbricht’s uneventful background11 is considered, it’s clear that most anyone can don the cloak of criminality, and perhaps convince themselves that they are doing it for the greater good. Ulbricht was an American, hailing from Texas, with Libertarian leanings. Other recent arrests have involved entire rings, like the FBI’s Operation Shrouded Horizon, which charged, arrested or searched 70 hackers globally on the Darkode site in 2015. They were hit with wire fraud, money laundering and conspiring to commit computer fraud. Their trail of crimes included compromising Microsoft and Sony, as well as swiping data from more than 20 million victims.12

Then there were those who brought down Dyn with distributed denial-of-service (DDoS) attacks in October, 2016. The networks of zombie computers that hurled astounding amounts of terabits per second of data at the Dyn-managed servers, ultimately disrupting Twitter, Spotify, Netflix and Airbnb, were controlled by a collective called the New World Hackers. Members identifying themselves as “Prophet” and “Zain” claimed on Twitter that more than 10 members participated in that attack. They also mentioned that about 30 people have access to their Twitter, with 20 members in Russia, 10 in China, and “Prophet” identifying as being in India. One additional New World Hacking member, “Ownz”, came forward, claiming to be in London, and 19 years old.13

Russia and China are repeatedly identified as ultimate sources of major attacks. Security technologist Bruce Schneier (called a “security guru” by The Economist) noted the two nations in a September, 2016 article.14 It’s the nature of the attacks that has him wondering. Probing attacks in addition to DDoS style are “testing the core defensive capabilities of the companies that provide critical Internet services,” he claims. Schneier goes on to state “It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes—and especially their persistence—points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar.”15 It’s either that or one of these scenarios: A request for money was denied, so the extortionist unleashed extreme force, or hacktivists decided to exhibit the bite behind their bark.16 No one knows just yet.

There is one consistent factor that calls to be addressed: age and knowledge. We have seen that these powerful perpetrators are seasoned cyber players by puberty. James Kosta was convicted for hacking banks, military computers and more at 14; Jonathan James was the first juvenile in the US jailed for hacking; he was 15.17 Ownz, of New World Hackers, is presumably 19. Another notorious name to have arrived on the dark web in 2016 is Tessa88, a Russian woman who also appears to be young.18 Should this surprise anyone? Not at all. The kids are in the game now, with elementary school the jumping-in point. In 2014 MIT released a free iPad app that teaches children ages 5-8 to code.19 And “code literacy” is a new way of looking at advancements in learning.20 Soon growing up coding will be as much a component of understanding the world as the transition from analog to digital clocks. It’s where we are as a society. The most important thing we can do is teach them responsibility, that they’re part of the greater picture, even if that picture seems distant through a screen.

WHAT BANKS CAN DO TODAY TO PLAN FOR A SECURE TOMORROW

The 2017 banking trend reports are out in abundance. It comes as little surprise that increased emphasis will be placed on all things digital. From more sophisticated firewalls to enhanced mobile interaction, investment in technology and digital solutions will continue to rise.

 

In light of such expectations, however, some industry experts are sounding an alarm. They are warning banks and credit unions not to overlook the physical security risks that, according to a recent FBI report, continue to rise. As financial institutions look forward to new potential revenue streams and relaxed regulations, they should also be looking at proactive ways to secure their branch locations and assets in the future.

Proactive Security Measures

Security experts and law enforcement professionals say the same thing. Most banks and credit unions do not consider a thorough review of their security systems until something goes wrong. In many instances, it takes a robbery, an ATM fraud or other security breach to make bank officials aware there is a hole in their vanguard.

 

An initiative-driven approach to planning bank security, before a crime occurs, will protect the bank’s assets as well as reputation.

 

Three Ways to Start Planning against Future Security Threats

 

It’s been said that being forewarned is forearmed. Nowhere is this more accurate than in regard to security planning. As security threats become more sophisticated and ubiquitous, banks and credit unions are benefitting from the industry best practice of creating proactive security measures. As financial institutions plan for improved security systems, there are three key areas that should be examined to help determine potential weaknesses and areas of future emphasis.

 

#1. External Data Clues

Banks and credit unions, regardless of size, can anticipate and plan for potential risks by studying often-overlooked, but readily-available external data. Information from local and regional police reports can provide insight into whether certain branch locations could be more vulnerable to threat than others. An examination of additional demographic and geographic information can provide a macro view of trends that could have an adverse impact on physical financial institutions.

 

Data gathered from national and industry crime reports can also be used to predict areas of security weakness. Are there certain days of the week or times of the day your bank is more susceptible to robbery than others? Does the placement of your ATM put it at greater risk for skimming? Is the latest social engineering trend prevalent in your region? Building preventative security measures to combat the likelihood of such data-driven threats can pay off in peace of mind and enhanced precautions.

 

#2. Internal Evaluations

The next place that can provide valuable clues as to what should be prioritized in a bank’s security plan is within the physical facility itself. A financial institution’s physical structure is often one of the most overlooked areas, simply because it is seen every day. Employees may get used to rigging a faulty lock or overlooking an inoperative camera. Security experts agree that conducting a thorough evaluation of on-site security systems is one of the best ways to ensure facility, employee and asset protection. Such evaluations are generally categorized as security assessments and threat assessments.

A security assessment evaluates the functionality of all security systems and devices. Items that should be in full working order include:

  • Security lighting
  • Alarms
  • Access controls
  • Cameras
  • Vault safes
  • Perimeter & gates
  • Fire detectors and deterrents

 

A threat assessment, on the other hand, looks for potential weaknesses in the bank’s overall system and surroundings, not just the security equipment. A threat assessment asks questions like:

  • Are all entrances monitored?
  • Are employee IDs easily visible?
  • Do all windows provide unobstructed views of the bank’s interior?
  • Does the bank’s topography provide hidden entry points?
  • Can the ceiling’s ductwork be accessed from neighboring tenants?
  • Can customers easily view employees’ computer screens and keyboards?

 

A professional evaluation of a financial institution’s physical equipment, security devices and potential threats is foundational to building a solid security program for the future.

 

#3. The Human Element

It’s not unusual for bank managers and employees to be so close to their facility that they literally stop “seeing” potential security threats, especially when it comes to behavioral practices. Over time, stringent security practices become relaxed or ignored. Old employees leave the company and fail to turn in their security cards. New employees are hired and not informed about document destruction protocol. Employees make a habit of leaving back doors propped open for a quick smoke break. Individually, each offense appears innocuous. But together, over time, these security lapses can create huge safety gaps.

A proactive approach to security must include a genuine evaluation of the “human factor.”

 

Employees:

  • Do employees share their access credentials with coworkers?
  • Do employees regularly download software to company computers?

Visitors:

  • Do visitors have access to secured locations?
  • Are visitors required to have supervision while on premises?

Guards:

  • Do guards randomly check briefcases, boxes or portable PCs to prevent unauthorized items from coming in or leaving?
  • Do guards allow visitors to bring laptop computers into the institution without proper signoff or authorization?

Vendors:

  • Have vendors been trained in proper security techniques?
  • Do after-hour cleaning staff maintain the same level of facility security as required during daily office hours?

 

The examples above are just a sampling of behavioral habits that should be evaluated as banks and credit unions consider security enhancement measures. Any planning for the future would be inadequate, however, if it didn’t also include an examination of a bank’s social engineering training.

 

As banks and credit unions across the nation gear up for the unknown security threats of the future, many are turning to experts like SPC Companies to help them chart the most efficient path. SPC Companies makes it their business to equip bank and credit union professionals with the resources they need to sleep better tonight, and into the future.