Experts shed light on Darknet risks


No business can afford to ignore the Darknet.

Whether the target is a multinational corporation or a two-person company, a CEO or an entry-level employee — when cybercriminals steal information and credentials, the Darknet is where they go to sell it.

“We’re all in the firing line. The world of cybersecurity is plenty scary, and it’s going to get even scarier,” Mark Turnage, CEO of OWL Cybersecurity, told participants at the Cybersecurity Oversight Training event Aug. 10.

Local businesses learned about the Darknet and how to protect themselves from socially engineered attacks at the event, presented by the National Cybersecurity Center in partnership with Colorado Springs Business Journal and Firma IT Solutions.

“Not knowing about cyber risks — particularly the Darknet or the Dark Web — is like failing to do due diligence before opening a store in a high-crime area…” Doug DePeppe, cyberlaw attorney at EosEdge Legal, said in an email. “First, there’s the inherent risk in a cyberattack that a business’ crown jewels or its customers’ valuable assets will get stolen, and the business risk and brand risk associated with that. Secondly, failure to employ due diligence measures for those sort of harms can create legal exposure.”

Turnage, whose company specializes in monitoring the Darknet, describes it as the internet you can’t get to from Google — “an ingenious system that anonymizes users completely and securely.”

The internet has three layers: the surface net, which can be accessed by search engines and represents about 2 percent of the internet; the deep web, which includes password-protected sites like company networks; and the Darknet.

The Darknet refers to a network of servers not tied in to the surface net. Cybertheft expert Adam Levin describes it as “where the cyber underground convenes.”

The Darknet started in the mid-1990s when the U.S. government established the Tor privacy network to protect intelligence communications.

“Who uses the Darknet? Privacy advocates, law enforcement, military, researchers, political dissidents — they’re legitimate users,” Turnage said. “But guess what? It took about a nanosecond for the bad guys to figure it out.”

Now, the Darknet is also “the anonymous street corner [for] drug sales, counterfeits, hacked and stolen information, weapons dealers, terrorists, assassins, porn — I can’t even begin to tell you how horrible it is,” Turnage said. “Our estimate is that the majority of the Tor network today is illegal use.”

Those same cybercriminals stealing credit card information, passwords and Social Security numbers turn to the Darknet to sell them.

It doesn’t matter whether you have much in the way of assets or staff — all businesses are useful to cybercriminals because they’re connected. Phishing and social engineering can be at least as lucrative as hacking, and the risks increase the more digitally connected individuals, companies and devices become.

“Social engineering is the act of obtaining personal information via misdirection or lies,” Turnage explained. “I can get on LinkedIn and figure out where you work, where you went to school, get on Facebook and figure out how many kids you have … and I can build a social profile of you pretty quickly and easily.”

Using that information, with email addresses and logos from company websites, a cybercriminal poses as a CEO or supervisor and sends convincing personal emails to obtain anything from employee names and W-2s to vast sums of money.

“I’ve personally seen a case where that email [appeared to come] from the CEO to the CFO … and it said ‘I’m traveling, I need $70,000 wired to this account immediately’ … Of course they never saw it again,” Turnage said. “You take advantage of people’s desire to be seen to help the hierarchy. … If one out of 10 responds, you’re making $25,000 an hour as a living wage. That’s your going rate for hackers.”

Another boon for cybercriminals: Password fatigue leads many people to use the same information across multiple accounts.

“Don’t reuse the same passwords that you use for Facebook, for Gmail, for Amazon — I’m going to show you why,” Turnage said. “Because I’m going to hack into Facebook and get your password then I’m going to jump to Gmail then to your corporate account — and I know where you work because it’s all over Facebook and all over LinkedIn.… Once I have your first password I’m going to jump to all those places and start hacking in.”

Turnage pointed to 46,813 U.S. Navy email addresses and passwords now offered on the Darknet by a single Russian website — stolen because sailors used their military email addresses to sign in to other services.

Turnage outlined first steps for avoiding the cyber attacks that harvest information for the Darknet:

— Use a password manager to securely generate, store and retrieve complex passwords for numerous accounts.

— Never click on a link in an email.

— Never send sensitive information via email.

— Never use your work email address to sign in to any other site.

— Never conduct financial business on a public wireless network.

— Lock your cell phone with a code.

— Use two-factor authentication.