V&C Solutions

V&C Blog

August 11, 2015

Eternal Darkness – What Happens To Stolen Data When It Enters The Dark Web


According to Computer Rescue Ltd., “the average time it takes for a company to detect a data breach is 205 days.”

That is a frightfully long time. Just think how much damage could be done by then. In fact, if it’s taken the best part of 5 months for a company to realise that some of its data has been stolen, then one would imagine that it would hardly be worth the bother of trying to retrieve or fix anything after this period, for the damage would have surely already been done.

Indeed, the Computer Rescue article goes on to note that “a recent report by a data protection provider has found that 12 days gives cyber criminals the opportunity to reach 5 continents and 22 countries.”

And that is after just 12 days. After 205 days, it’s a wonder there’s any business left.

 

Data Breaches 

In today’s world, data breaches are not just things that happen to a few unsuspecting people who are perhaps a little ignorant of the dangers that exist. Of course, people like this are still prime targets for hackers and other cyber criminals – and, although it pains me to say it, there’s still the odd phishing scam that slips through the net.

As dangerous as these can be to an individual, the real headline-makers are the attacks that target businesses. And it’s not just SMEs either. Big corporations have been targeted in the recent past, and successfully hacked, and their data stolen.

Let’s remind ourselves of a couple of these corporations and what happened to them before we go on. I think that this is important – although I’m certain that Sony would struggle to see any positive that came out of what happened there, I like to see these big companies that have been hacked as ambassadors, for the rest of us, of the dangers that exist. If it can happen to them, then it can happen to you a lot more easily.

So – lest we forget…

 

Sony

This was of course big news the world over, devastating for Hollywood, and indeed was almost like something out of a movie itself.

On November 22nd 2014 skulls started appearing on employees’ screens at Sony. A threatening message was attached to the images, saying that certain “secrets” would be exposed from data that had been obtained in a sophisticated cyber attack if certain demands were not met.

An unknown group that called itself #GOP (Guardians Of Peace) later claimed it was responsible for the attack.

Speculation soon formed surrounding the motives for the attack – Sony, for the most part, were of course keen to downplay what was happening – and it wasn’t long before suspicious eyes started fixing on North Korea as having some sort of hand in things, as a form of retaliation for Sony’s release of The Interview (a film which involves a plot to assassinate North Korean leader Kim Jong-un). Sony indeed cancelled the release.

So, what was stolen? I hear you cry. Here’s the BBC’s explanation:

“Before the controversy around The Interview, reams of data considered confidential by Sony – and some of the company’s prime assets – were stolen in the hack.

“An early version of a script for the next James Bond movie, Spectre, was leaked but failed to halt production.

“Five Sony films, including the new and unreleased version of Annie, turned up on illegal file-sharing sites and were downloaded up to a million times. Brad Pitt’s Fury, which had already hit cinema screens, was also shared.”

 

Target 

This was a big one. A beauty. A “cybercriminal’s dream”, as the New York Times described it.

And here’s how the online version of the NYT tells the tale:

“For months, an amorphous group of Eastern European hackers had been poking around the networks of major American retailers, searching for loose portals that would take them deep into corporate systems.

“In early November, before the holiday shopping season began, the hackers found what they had been looking for — a wide path into Target and beyond.

“Entering through a digital gateway, the criminals discovered that Target’s systems were astonishingly open — lacking the virtual walls and motion detectors found in secure networks like many banks’. Without those safeguards, the thieves moved swiftly into the company’s computer servers containing Target’s customer data and to the crown jewel: the in-store systems where consumers swipe their credit and debit cards and enter their PINs.”

The frightening thing again with this massive attack is that Target had absolutely no clue that a breach was taking place until the Secret Service alerted the company just two weeks before Christmas.

We asked ourselves at the start of this blog how much damage can be caused in a data breach – $18 billion all told in this instance. Ouch!

 

The Size Of The Threat 

Those are just a couple of the big headline-making data breaches that we’ve all heard about. But there are of course many more that largely slip under the public radar.

This is why I like to think of these big companies as ambassadors of the dangers that exist. A bit of a backhanded compliment, I admit, but, unfortunately for the companies themselves, they do serve a purpose for the rest of us.

According to the Identity Theft Resource Centre (ITRC), the number of data breaches tracked in the US alone reached a record high of 783 in 2014 – a figure which represents a significant hike of 27.5% over the number of breaches in 2013.

Since 2010, the number of US data breaches that have been tracked totals 5,026 and involves an estimated 675 million records.

This is a serious problem, but one that is not always met with due concern from individuals and businesses. Eva Velasquez, President and CEO of ITRC, makes the following comment:

“With support from IDT911, the ITRC has been able to continue its efforts in tracking and understanding the complex issues surrounding the growing number of data breaches. With an average of 15 breaches a week in 2014, consumers need to be made aware of the risk of exposure to personal identifying information in order to understand the threat posed by this growing list of data breach incidents.

“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue.  While not all breaches will result in identity theft or other crimes, the fact that information is consistently being compromised increases the odds that individuals will have to deal with the fall out.  The ITRC data breach reports are a necessary educational tool for businesses, government and advocates alike in our communication efforts.”

 

Where Does Stolen Data End Up?

What use is stolen data to a cybercriminal?

Well, probably not much to the actual hacker him/herself, per se – but there are certain marketplaces on the Dark Web where pieces of data and information are actually worth quite a lot of money.

 

What Is The Dark Web? 

I wish I could tell you… but it’s a secret. Shh…

 

Seriously? 

No. I can tell you. The Dark Web is most easily described as being a part of the internet that isn’t indexed by the likes of Google and other popular search engines. It’s those websites and networks that overlay the public internet, but usually require special software or other authorization to visit them.

Websites that reside on the Dark Web are in fact publicly visible, but they conceal the IP addresses of the servers that they are run on, meaning that not only will you not be able to find the sites using popular search engines, but it’s also very difficult for anyone to work out who’s behind the sites. Thus, it is the Dark Web that is often used for criminal or illegal activity – such as the sale of stolen data.

Zdnet.com describes it like this:

“The Dark Web is one place where stolen information is offered for sale. Accessible through the Tor network, the underground comprises of stores and websites entrenched in illegal activities ranging from the sale of data to hacking tools to drugs and weaponry. However, websites hosted on the network also offer free downloads of data, which is posted anonymously.”

 

The Bitglass Experiment

Security researchers from Bitglass decided that they wanted to know exactly what happens to data after it is uploaded to the Dark Web. And so they conducted an experiment to find out.

Chris Hines from the Bitglass blog writes:

“We created an excel spreadsheet of 1,568 fake employee credentials, then placed it on anonymous file sharing sites within the “Dark web,” using a Tor browser as our entry point. We tracked the data as it travelled to various sinister locations around the world, and as it was shared amongst cyber-crime syndicates overseas.”

After only a few days, the spreadsheet containing the fake credentials had been downloaded in more than 5 countries across 3 different continents and was viewed over 200 times.

By day 12, Bitglass reports that the file had received more than 1,080 clicks, and had spread to 22 countries on 5 different continents.

“By the end of the experiment the fake document of employee data had made its way to North America, South America, Asia, Europe, and Africa. Countries frequently associated with cyber criminal activity, including Russia, China and Brazil, were the most common access points for the identity data.

“Additionally, time, location, and IP address analysis uncovered a high rate of activity amongst two groups of similar viewers, indicating the possibility of two cyber crime syndicates, one operating within Nigeria and the other in Russia,” Bitglass’s report states.

 

Are you concerned yet? 

Bitglass’s experiment was of course harmless in the sense that it contained no actual real data that could be used for illegal profiteering. However, it most certainly highlights just how easy it is for stolen data to spread online.

Where does your stolen data end up? On the Dark Web is the answer, where it can be passed around anonymously and exploited by anyone who has the small amount of computing skills needed to access it.

The Dark Web is in fact a massive place – thought to be 500 times larger than the ‘normal’ internet – and once your data enters it, that data may never be retrieved. Your business’s cyber security, therefore, can never be taken too seriously.

Published by Igor Varnava, August 11, 2015