IT professionals have many loves: cable management, acronyms, mechanical keyboards and buzzwords. Most of the time, your interaction with “IT stuff” comes in the form of buzzwords you hear. I don’t believe many of our readers would know that SCSI is pronounced “scuzzy,” but if I were to ask you about “the cloud,” most of you would have some idea what I was talking about. Sometimes the common usage of these words and phrases bears strikingly little resemblance to the original definition—think of how many things you have seen described as HD and then ask yourself in what way they are “high definition.” Although the Darkweb hasn’t quite reached that level of ambiguity, it is important to dispel some myths along the way to explaining what the Darkweb is, what it isn’t, and why exactly you should care.
The most basic definition of the “Darkweb” is far less dangerous than the name would lead you to believe. The Darkweb is essentially any webpage that is not indexed by search engines, which means that it does not appear in regular search results. Common examples of webpages you interact with that would not appear in a search index are pages internal to your company or your personal Google Photos account.
The scarier portions of the Darkweb are those that require a special type of web address and web browser to access. One example is Tor, which uses web addresses called onion addresses. To access these types of websites you need a special web browser, with Tor being one of the most common. Tor routing is used to provide encryption of web traffic. The word onion is used because each relay the traffic passes through decrypts a layer of encryption, much like the peeling of an onion. Tor websites are designed to anonymize both the origination and destination points of web traffic, making it much more difficult to trace a given individual’s activities online. One infamous Tor website was The Silk Road, which provided an anonymous marketplace for the sale of illegal narcotics and was shut down by the FBI in 2013.
Although there are entirely legitimate uses of the Darkweb—the US State Department provides much of the funding for the Tor project, for example—the anonymous nature of traffic sent over the Darkweb lends itself to illegal activities. This then brings us to most people’s understanding of what the Darkweb is—a place for hackers to buy and sell your private information, including your passwords. This is, to an extent, true. When a major data breach happens, something on the scale of recent attacks against Marriott, Equifax or Nintendo, many times the data released in the breach finds its way to the Darkweb, either for sale or for free, for hackers and identity thieves to utilize for potentially criminal purposes.
What then does this mean for you? You may have seen the Darkweb referenced in ads for identity protection services, indicating that they will protect your identity from the Darkweb. This isn’t strictly accurate. Essentially, what services of this type do is run keyword searches—specialized software sifts through the thousands of lines of personally identifiable information to determine that, for example, an email address and password combination that you have used in the past was found in a particular set of data, like what was stolen from Marriott. The service then notifies you that this particular combination of credentials was found on a Darkweb site, in hopes that you will change your password. Not so much a security guard as a security notification, but this is a step in the right direction.
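The matching described above, as an added example (not code from any monitoring service): it parses a constructed credential dump with mixed delimiters and reports which addresses on a hypothetical watchlist appear in it. The dump contents, the watchlist and all function names are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample of a leaked credential dump (not real data).
# Real dumps mix delimiters and contain junk lines, so the parser must cope.
SAMPLE_DUMP = """\
alice@example.com:Summer2019!
BOB@Example.com;hunter2
carol@example.org,correct horse
not-a-credential-line
dave@example.net:pa:ss:word
"""

# Hypothetical watchlist: addresses a subscriber asked the service to monitor.
WATCHLIST = ["bob@example.com", "dave@example.net", "erin@example.com"]

# email, then the first ':' ';' or ',' as delimiter, then the rest as password
LINE_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)[:;,](.*)$")

def fingerprint(password):
    """SHA-256 digest for comparison, so alerts never carry the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def parse_dump(text):
    """Yield (lowercased_email, password) pairs; skip lines that do not parse."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.group(1).lower(), match.group(2)

def find_exposures(dump_text, watchlist, source):
    """Return one alert per watched address that appears in the dump."""
    watched = {addr.strip().lower() for addr in watchlist}
    alerts = []
    for email, password in parse_dump(dump_text):
        if email in watched:
            alerts.append({"email": email, "source": source,
                           "password_sha256": fingerprint(password)})
    return alerts

if __name__ == "__main__":
    for alert in find_exposures(SAMPLE_DUMP, WATCHLIST, "constructed-sample"):
        print(f"{alert['email']} found in {alert['source']}: change this password")
```

The output is a notification only: nothing here removes the data from the dump, which is why the alert has to be followed by a password change.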
If you hear Darkweb mentioned in a sales pitch—don’t immediately run away. Unlike HD Sunglasses or Smart Broccoli, the Darkweb is real, and services designed to protect your identity from being stolen are a good thing. What they are not is a one-stop solution for security—there is no magic bullet. The best defense is a good offense.
If you are concerned about your information ending up on the Darkweb, enable multi-factor authentication on any service you use that supports it. Don’t share passwords between applications or services. Use a secure password management application rather than sticky notes under your keyboard. Plenty of services can alert you when your information ends up on the Darkweb ready to be exploited, but as with most things, it is up to you to do your part to prevent that from happening in the first place.
Mythos Technology is an IT consulting and management firm that provides Managed Technology Services including hosted cloud solutions. For more information, please visit www.mythostech.com or call (951) 813-2672.