It’s the stuff of crime novels and science fiction movies: a virtual world that seems so mysterious and foreboding that one enters only at his or her own risk. Welcome to the dark web, a quadrant of the internet that serves up a motley collection of often boring but sometimes secretive sites that contain everything from corporate records to meeting places for illegal drugs and weapons.
“The dark web is content you cannot access from a standard web browser,” explained Rick Howard, chief security officer for Palo Alto Networks. “It’s comprised of encrypted data and sites that are only accessible using a specialized tool, such as the Tor Browser.” There are currently about 7,000 Tor sites; approximately 2,000 are active, including sites that dissidents use to communicate with the outside world. The FBI estimates that about 800 sites revolve around criminal activities.
To be sure, it’s important to understand what the term dark web refers to—along with companion spaces, such as the deep web and dark internet, or darknet. “These hidden places are not created equal,” pointed out John Davis, chief security officer for the federal sector at Palo Alto Networks and a retired major general for the U.S. Army.
Deep, dark and hidden
A starting point for understanding the hidden places on the internet is to know what the terms refer to, and what resides at these sites. The common denominator is that a visitor requires specialized software, configurations, or authorizations to visit the deep web, dark web, and darknet. Here’s a look at what’s out there, and what global executives should know about them.
The Deep Web. There’s nothing intrinsically nefarious about this quadrant of the virtual universe. It’s simply a collection of sites and data that extend beyond the reach of conventional search engines, such as Google and Bing. Because these sites, services, and other network locations are not indexed, they’re largely invisible. This includes databases, webmail, forums, and data accessible behind paywalls. Banks, newspapers, and other content publishers use the deep web daily to run their businesses. Scientists, research institutions, and others often store data in the deep web, which is sometimes referred to as the dark internet. But the deep web also contains a place known as the dark web, and that’s where things become more interesting—and murky.
The Dark Web. These sites and peer-to-peer networks comprise content that is not indexed by search engines. They are set up by individuals and organizations looking to control access to information or data. They require specialized software, such as the Tor browser, which uses encryption and virtual IP addresses. While there’s legitimate use for this browser and the dark web by journalists, law enforcement, whistleblowers, and some others, it’s also a tool for operating within a shady netherworld of crime and espionage. Hackers and attackers post and sell data on the dark web—including Social Security numbers, credit-card numbers, and even medical records. After the Ashley Madison breach in 2015, cybercriminals reportedly demanded bitcoin ransoms or threatened to expose infidelities. In addition, child pornographers, drug dealers, gun dealers, and other not-so-nice types use the dark web to exchange and sell items illegally.
“Law enforcement struggles with shining light onto these sites within the Tor network and others, but it can be done,” Howard said. Those who hide behind encryption and appear mostly anonymous are still at risk. “If you don’t secure your websites within the Tor network, you can be discovered. But law enforcement and spy agencies have also found vulnerabilities in the Tor software that have allowed them to learn more than the designers planned.”
What does all of this mean for enterprises? How should your organization approach the dark web and the threats that may reside therein? Howard pointed out that a growing number of organizations are attempting to peer into the dark web to determine if intellectual property (IP), proprietary customer data, and other content is available that could wind up in the wrong hands.
But cracking the code and obtaining useful information from the dark web is easier said than done. Without passwords and lacking the right connections, it’s tough to infiltrate these sites and forums. “Gaining access to the dark web is not an issue. It’s as simple as installing the Tor Browser Bundle,” Davis said. But making any progress in pinpointing stolen or hacked data—or identifying the thieves—can prove daunting.
Enter a growing array of firms dedicated to ferreting out information. They sport names like SurfWatch, Digital Shadows, Recorded Future, iSight, Intel 471, and DigitalStakeout. Howard suggested questioning in detail any company that promises to scour the dark web and deliver insights and information about an enterprise and its data. Some of these services use bots, which offer mixed results. Moreover, Davis said that a growing number of hackers and cyberthieves are turning to encrypted apps, including messaging apps, to conduct business in a secretive fashion.
Ellen Sirull, senior manager of content at Experian Consumer Services, wrote that the public web constitutes only about four percent of the entire internet, while the deep web constitutes 93 percent of it. The dark web makes up the final three percent of data and content. Protecting data is the first line of defense. “Once exposed, this information can change hands again and again over time—especially if it’s valuable.” She pointed out that “people looking for stolen data and information can gain access to records inexpensively. In fact, some bundles go “for less than $10 per record,” Sirull noted.
As a result, security experts suggest implementing tight controls, using strong authentication, encrypting all critical data, and investigating if any suspicious activity occurs. Howard explained that it’s unwise to wade into the murk of the dark web without knowledge and experience. It can land a person or a company in a potentially dangerous situation.
“The deep web and the dark web are places that every business leader should know about,” Howard concluded. “Although they are used for good purposes, they also represent real-world risks and dangers.”