IT professionals have many loves: cable management, acronyms, mechanical keyboards—and buzzwords. In fact, much of the time, your interaction with “things IT” comes in the form of buzzwords intruding into the wider lexicon. I don’t believe many of our readers would know that SCSI is pronounced “scuzzy,” but if I were you ask you about “the cloud” most of you would have at least a frame of reference. Sometimes the common usage of these words and phrases bears strikingly little resemblance to the original definition—think of how many things you have seen described as HD and then ask yourself in what way they are “high definition.” Although the ‘Darkweb’ hasn’t quite reached that level of definition disparity, it is important to dispel some myths along the way to explaining what the ‘Darkweb’ is, what it isn’t, and why exactly you should care.
The most basic definition of the ‘Darkweb’ is far more innocuous than the ominous sounding name would lead you to believe. At base, the ‘Darkweb’ is any webpage that is not indexed by search engines, which essentially means appearing in search results. Examples of webpages you interact with commonly that would not appear in search result indexing would be web-pages internal to your company or your personal Google photos account. The scarier portions of the ‘Darkweb’ are those that require a special type of web address and web browser to access. One example is Tor, which uses web addresses called .onion addresses. To access these types of websites you need a special web-browser, with Tor being one of the most common. Tor routing is used to end to end encrypt web traffic, the word onion is used because each relay the traffic passes through decrypts a layer of encryption, much like peeling an onion. Tor websites are designed to obfuscate both the origination and destination points of web-traffic, making it much more difficult to trace a given individual’s activities online. One infamous Tor website was The Silk Road, which provided an anonymous marketplace for the sale of illegal narcotics and was shut down by the FBI in 2013.
Although there are entirely legitimate uses of the ‘Darkweb’—the US State department provides much of the funding for the Tor project for example—the anonymous nature of traffic sent over the ‘Darkweb’ lends itself to illegal activities. This then brings us to most people’s understanding of what the ‘Darkweb’ is—a place for hackers to buy and sell your private information, including your password. This is, to an extent, true. When a major databreach happens, something on the scale of recent attacks against LinkedIn or Equifax, many times the data released in the breach finds its way to the ‘Darkweb’, either for sale or for free, for hackers and identity thieves to utilize for potentially nefarious purposes.
What then does this mean for you? You may have seen the ‘Darkweb’ referenced in ads for identity protection services, indicating that they will protect your identity on the ‘Darkweb’. This isn’t strictly accurate. Essentially what services of this type do are keyword searches—specialized software sifts through the thousands of lines of personally identifiable information to determine that, for example, an email address and password combination that you have used in the past was found in a particular set of data, like what was stolen from LinkedIn for example. The service then notified you that this particular combination of credentials was found on a ‘Darkweb’ site, in hopes that you will change the password associated. Not so much a security guard as a security notification, but this is a step in the right direction.
If you hear ‘Darkweb’ mentioned in a sales pitch—don’t immediately look askance. Unlike HD Sunglasses or Smart Broccoli, the ‘Darkweb’ is real, and services designed to protect your identity from being stolen are a good thing. What they are not is a one stop solution for security—there is no magic bullet. The best defense is a good offense. If you are concerned about your information ending up on the Darkweb, enable two-factor authentication on any service you use that supports it. Don’t share passwords between multiple applications. Use a secure password management application rather than sticky notes under your keyboard. Plenty of services can alert you when your information ends up on the ‘Darkweb’ ready to be exploited, but as with most things, it is up to you to do your part to prevent that from happening in the first place.
Mythos Technology is an IT consulting and management firm that provides Managed Technology Services including hosted cloud solutions. For more information, please visit www.mythostech.com or call (951) 813-2672.