When an organisation is hacked, its customer data or other stolen information will often end up being sold on what’s known as the dark web. As I’m sure most readers will know, the dark web is a part of the internet where websites are not indexed by search engines and can only be accessed if you know the site address, effectively hiding them. Inside the dark web, ‘dark net’ markets sell contraband such as drugs and firearms, as well as the sensitive data stolen in breaches. To illustrate the scale of what’s out there, just last month a group of researchers discovered a 41-gigabyte file containing 1.4 billion username and password combinations for sale on the dark web.
I wanted to research the dark web, explore it and provide my perspective on how easy it is to trade and what sort of activities are taking place. Part of this was about revisiting my youth – as a teenager in the 1980s I was an early user of dial-up BBS and hosted a software-sharing site from my bedroom. By using a technique known as phreaking to cover long-distance charges, I could allow hundreds of global visitors to land on my site. You could argue that what I was doing then was an early form of today’s dark web, although by just sharing software my intentions were relatively innocent.
So it was with a touch of nostalgia that I began to navigate the dark web. To kick things off I installed a VPN, configured my browser with Tor and proceeded to spend several hours perusing .onion sites. To help my research I switched between the dark web and the real world, using Google to find some of the more popular dark websites.
That was when it hit me. With its easy access to sensitive information and illegal activities, the notion of the dark web can be chilling. Yet there is a place that is potentially more dangerous and much more significant in scale. Many thousands of public-facing sites exist where data can be easily uploaded and shared, offering a vast treasure-trove of sensitive information to prospective hackers. I’d like to call this place the ‘bright web’.
To demonstrate the risks the bright web can pose, I got in touch with our Threat Research Labs at Netskope and started focusing on areas of the internet where it’s easy to upload and share sensitive data. I knew that many of these sites existed, but what shocked me was how simple it is to do significant damage and how widespread the problem is.
Creating a scenario that involved sharing sensitive information, we produced a piece of data that replicated what was stolen during the recent Equifax breach. We generated a fictitious customer record with personal information that included name, address, phone number, email and social security number. We also added a couple of credit card numbers, which is appropriate given how often they’re sold on the dark web. Packaging this sensitive information in three different formats – PDF, JPEG, and .pptx – allowed us to expand our reach as we uploaded and shared the data.
We started with slide-sharing services, which are a popular way to upload and share presentations. However, these services also make it easy to share publicly and it is frightening what you can find simply by performing a Google search. For example, if you search for “Prezi” and “QBR” you will find all public-facing QBR (quarterly business review) presentations hosted on Prezi. Look at a few of them and you’ll find revenue numbers, customer names and business plans – data that is sensitive and obviously not intended to be shared publicly. We then moved on to cloud storage services and discovered that not only do apps like Dropbox, Box, and Zippyshare make it easy to upload and share data publicly, apps like Google Drive have an option to have the data you upload be indexed by search engines. This presented a very risky scenario where any data can be easily leaked to the masses by simply uploading it and clicking on a button. But how widespread is this issue?
Our sample size included the top services in the cloud storage and collaboration categories in addition to a handful of slide-sharing tools in the personal cloud app category. More than 10% (1,240) of cloud services available online allow you to easily upload and share data by signing up without a credit card. On average, an enterprise has more than 1,000 cloud services in use and more than 95% of those are business-led, with the remaining 5% being IT-led. Lines of business rely on these cloud services to move quickly, innovate and be more productive. A comprehensive cloud security strategy should include a focus on securing the IT-led cloud services like Office 365 in addition to safely enabling the bright web with granular access control and Cloud DLP that can be applied to any of the thousands of cloud services that make up the bright web.
I had originally set out to learn more about the activities of the dark web, centering on the trade in sensitive data, but my research led me to a place with much greater potential to put all of our personal and sensitive information at risk. In a world where we live and work online, it’s vital that we secure the tools we use and make sure we don’t create a bright web that’s a gift for hackers.