Certain credit reporting agencies have announced "we will alert you if your information is found on the dark web". Of the ones I've seen, nobody is saying what you might do, other than worry that your information has been compromised.
I have to wonder what real benefit there is, given the hundreds of millions of user accounts and passwords already compromised at many organizations, including one of the big credit reporting agencies themselves (see www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do), as well as OPM (the Office of Personnel Management of the Federal government; see www.opm.gov/cybersecurity/cybersecurity-incidents/ ).

By the way, you can check for yourself whether your email and password have been found for sale on the internet (not just the dark web) at this site: haveibeenpwned.com/. If you find your email and password have been disclosed, at least change the password. (Duh!) Whether or not your account(s) have been identified as breached, you can and should try to protect your username and account password with strong(er) authentication such as 2-factor authentication (or multi-factor authentication). Google it if you don't already know what that means. If you still have questions, contact me directly with the Contact form.

Why should businesses (small and large) care about the dark web?

Here is one reason: if you don't enforce a policy (you do have a policy on the dark web, don't you?) and controls (what firewalls and network restrictions?) to prevent undesirable network access, here are some scenarios:
1) Allowing your employees to use TOR (= the dark web) lets them reach it from inside the company network. Since the TOR traffic is encrypted, and their IP addresses are obfuscated, conventional firewalls (even NextGen firewalls) and network sniffers cannot detect the connections to (potentially illicit) sites on the dark web.

2) A rogue employee can set up a dark web (hidden service) server on their desktop or on a system under their desk. The actual physical location of the hidden (dark web) service would be undetectable, since it is only accessible with TOR software through the dark web. What are they selling? Where are their customers coming from? You can't tell.

3) A visitor or IT contractor could plug into your network something as simple as a single-board computer as small as a credit card (see the Raspberry Pi), set up as a TOR hidden service, to allow an intruder to come in to your company network without your firewall or IDS/IPS detecting the entry at the perimeter.

4) Malware can set up a TOR connection and allow remote access without anyone having to enter your premises.

5) Outsourced services are so common now that outside organizations often install servers, managed by those external entities, inside your network. Who knows what VirtualBox-enabled virtual servers are running TOR and enabling connections to and from who knows where?

Should we just give up then? It might seem hopeless, but there are strategies to configure your company network to allow monitored, audited, and logged access to the dark web without allowing the above scenarios. It can be a straightforward plan to not only enforce the appropriate policy, but also have full awareness and visibility for authorized activities. Send me a contact request and let's talk.

It's normal to fear the unknown, especially when its name is "dark" and the few things you have heard about it are that criminals hang out there. How can it be anywhere nice people will go?
Let me offer up a scenario where it is both beneficial and legitimate: a victim of domestic abuse has to leave town because their life, or at least safety, is at risk. When the victim uses normal email to communicate with friends or other family members, the sending computer's IP address is embedded in the header (see www.ip2location.com/free/email-tracer ). If the abuser obtains access to one of these emails, the victim's location is revealed. Using the "dark web" or TOR (the Onion Router) can help hide the real location of the sender and protect against giving away their location.

Other legal and legitimate use cases are described in more detail at www.torproject.org/about/overview.html.en. In fact, TOR was created by the US Navy to protect the location of American spies in hostile locations. It is still used by whistleblowers to report wrongdoing by powerful entities (see "Whistleblower Strategies" elsewhere on this site).

If you have need of privacy (security) and want to talk about it, feel free to contact me through the Contact page to set up a meet. If either of us doesn't think it will work after at most a half hour, no trouble - we should call it and there should be no obligation on either side.
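
To see the email header exposure described above for yourself, send a test message to your own address and inspect what the first hop recorded. The following is an added example, not code from this site: the function names and the sample message are constructed for illustration, and the addresses come from documentation ranges.

```python
import ipaddress
import re
from email import message_from_string

# Constructed test message; addresses are from documentation ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS; Tue, 02 Jan 2018 10:00:05 +0000
Received: from [192.168.1.23] (host.example.com [203.0.113.45])
\tby mx.example.net with ESMTPSA; Tue, 02 Jan 2018 10:00:03 +0000
X-Originating-IP: [203.0.113.45]
From: sender@example.net
To: friend@example.org
Subject: test

hello
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def addresses(value):
    """Yield (ip, scope) for each valid IPv4 literal in one header value."""
    for text in IPV4.findall(value):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:  # digits that only look like an address
            continue
        lan = any(ip in net for net in RFC1918)
        yield text, "lan" if lan else "routable"

def sender_exposure(raw):
    """Addresses recorded at the first hop, i.e. the sender's own submission."""
    msg = message_from_string(raw)
    # Each relay prepends its header, so the last Received is the earliest hop.
    first_hop = msg.get_all("Received", [])[-1:]
    extra = msg.get_all("X-Originating-IP", [])
    found = []
    for name, values in (("Received", first_hop), ("X-Originating-IP", extra)):
        for value in values:
            for text, scope in addresses(value):
                if (name, text, scope) not in found:
                    found.append((name, text, scope))
    return found

if __name__ == "__main__":
    for name, ip, scope in sender_exposure(SAMPLE):
        print(f"{name}: {ip} ({scope})")
```

A "routable" entry is the one that maps to a network location. Whether a client address appears at all depends on the mail provider and the mail client used.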