For a brisk morning tour of Tor, darknets, and dark marketplaces, attendees of the 2017 CyberCrime Symposium couldn’t have asked for a more entertaining, informative guide than Neil Wyler. Grifter, as he’s known in the security community, launched his impressive career at age 11, when he began hacking computer systems. Eventually, he switched sides. Currently a threat hunting and incident response specialist at RSA Security, he’s been running technical operations for the Black Hat Security Briefings for 15 years, and serves as a senior staff member for DEF CON.
Warning audience members to buckle up, Wyler outlined some things they could expect to see and hear during his breakfast keynote, Touring the Dark Side of the Internet. “We're going to talk about drugs, murder for hire, hacking, hacktivism, porn, and money-laundering,” he said, further promising to show them where to find related activity, wares, and services.
Beyond providing a live glimpse into the dark side of supply-and-demand dynamics, Wyler used his presentation to point out legitimate business reasons for traversing dark markets and learning how underground groups operate. Anyone charged with staying abreast of cybercrime activity to protect their organization or customers stands to benefit from familiarizing themselves with criminal hotspots, products and services, and bitcoin usage.
“It’s phenomenally interesting to get on hacker forums and see what they’re discussing, the exploits they’re selling, the kits available,” said Wyler. Take Hell, a fairly well-known hacker forum. Hell, according to Wyler, was the upload destination for Adult Friend Finder’s hacked database — containing personal information from 340 million user accounts — where it was available for months before company officials even knew they’d been breached. To mitigate the potential damage from similar attacks, security teams can search forums for any mention of their organization’s name and other targeted keywords. While this can lead to some unpleasant discoveries, Wyler said, it’s better than “having your data sit there for several months before you find out about it through some third party.”
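The keyword monitoring Wyler describes is simple to automate once posts have been collected. The following is an added example, not code from the talk or from this post, showing how a security team might scan scraped forum text for a watchlist of its own names and domains. Everything in it is constructed: the organisation name, the domain, and the sample posts are placeholders, and the `normalize`, `compile_watchlist` and `scan_posts` functions are hypothetical helpers. It undoes common obfuscations such as `example[.]com` before matching and uses boundary checks so that a watchlist domain does not match a different, longer domain that merely shares a prefix.

```python
import re

# Constructed watchlist: the names and domains a team would want to be
# alerted on. These are placeholders, not real organisations.
WATCHLIST = ["Example Corp", "examplecorp.com", "ExampleCorp VPN"]

# Constructed sample posts standing in for scraped forum content.
SAMPLE_POSTS = [
    {"id": 1, "text": "selling fullz, fresh batch, pm me"},
    {"id": 2, "text": "dump from examplecorp[.]com users table, 2m rows, verified"},
    {"id": 3, "text": "anyone have working EXAMPLE CORP vpn creds?"},
    {"id": 4, "text": "examplecorporation.net is not the same company"},
    {"id": 5, "text": "EXAMPLECORP VPN creds working 100%"},
]


def normalize(text):
    """Lower-case the text and undo common defanging so watchlist terms match."""
    t = text.lower()
    t = t.replace("[.]", ".").replace("(.)", ".").replace(" dot ", ".")
    return re.sub(r"\s+", " ", t)


def compile_watchlist(terms):
    """Turn each watchlist term into a boundary-aware, case-insensitive pattern."""
    compiled = []
    for term in terms:
        norm = normalize(term)
        # Escape each word and allow any run of whitespace between words.
        body = r"\s+".join(re.escape(part) for part in norm.split())
        # Boundaries: no word character, dot or hyphen directly before, and no
        # word character or hyphen directly after. This stops "examplecorp.com"
        # from matching inside "examplecorporation.net".
        pattern = re.compile(r"(?<![\w.-])" + body + r"(?![\w-])")
        compiled.append((term, pattern))
    return compiled


def scan_posts(posts, terms):
    """Return the posts that mention any watchlist term, with the terms hit."""
    compiled = compile_watchlist(terms)
    hits = []
    for post in posts:
        norm = normalize(post["text"])
        matched = [term for term, pat in compiled if pat.search(norm)]
        if matched:
            hits.append({"id": post["id"], "terms": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS, WATCHLIST):
        print(f"post {hit['id']}: mentions {', '.join(hit['terms'])}")
```

In practice the watchlist would also carry product names, executive names and internal hostnames, and each hit would be routed to the incident response queue rather than printed; the normalisation step matters because sellers routinely defang domains exactly as this post does.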
Some other tour takeaways and recommendations:
Taking to Tor.
It’s not difficult for new users to start using the Tor (The Onion Router) network, a series of volunteer-run servers that work together to anonymize Internet traffic. They can download the Tor software as an executable. Once connected, they can open the Tor Browser and visit check.torproject[.]org to confirm that their Tor client is configured correctly.
If they don’t want to take any configuration chances, users can make Linux-based Tails their operating system of choice for Tor-related activity. “If you’re booting into Tails, you’re using Tor,” said Wyler. “It forces all traffic through Tor, so you don’t have to worry whether you configured things correctly.” Wyler demonstrated a Tails boot using his “dark net machine,” a device with a bootable optical drive dedicated to “super-secret squirrel stuff.”
Visiting the virtual Wild West.
Tor is inherently slow and finding specific hidden services is hard. “Hidden services go up and come down like a yo-yo,” Wyler said. Sites running for years will suddenly disappear — for months or forever. “It’s the Wild West. You get on there and do whatever you can.”
One resource Wyler recommends for helping users find these services is the “hidden wiki,” which provides [.]onion links to dark web “introduction points.” These include anonymous search engines such as Torch, Not Evil, DuckDuckGo, and Grams, the “Google of dark markets.”
Showing some skin.
The Hell hacker forum, like some other underground forums and marketplaces, requires registrants to make a small bitcoin investment. It’s an attempt to ensure all users have at least a little skin in the game. No bitcoin, no registration, and therefore, no exploration.
Among the diverse products and services on dark nets is a thriving cybercrime-as-a-service marketplace, which offers a range of straightforward and more sophisticated services to any buyer, often for little money. There’s also a lot of cybercrime bounty for sale: stolen credit cards, verified credentials for accounts of every kind, and “Fullz” packages, datasets on individuals containing names, birthdates, social security numbers, addresses, credit card numbers, and account credentials.
Practicing safe shenanigans.
Basic security best practices, coupled with a twist or two, go a long way toward safe dark net use. Among those cited by Wyler:
- Keep software updated;
- Leverage browser segregation;
- Don’t reuse identities or passwords;
- Use temporary, disposable email addresses available through providers like Guerrilla Mail or SharkLasers; and
- Run VMs or use dedicated devices for all “dark net shenanigans.”
This is the third post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!