The Dark Web: Is it a threat to your organization?

As a corporate network admin or security professional, you probably think of yourself as one of the good guys in the cyber world. And that means you probably rarely venture over to the wrong side of the virtual tracks, where the bad guys hang out.

Sure, you’re aware of and understand the old adage that you should “know thine enemy,” but even if you wanted to check out what goes on down there on the underside of the Internet, you’re most likely too busy just trying to keep your own network and systems secure to really delve into it.

Besides, bad things happen to good people when they wander into crime-ridden neighbors, and that’s just as true online as out there in the real world.  That said, the “head in the sand” approach doesn’t work well for ostriches or humans. Cautious awareness of the dangers that exist will help you to avoid them.

Let’s take a wary look, then, at the mysteries of the “dark net” and how it can threaten the integrity and security of your corporate network.

Into the darkness

First of all, let’s distinguish between dark nets and the dark web. Although the two terms are sometimes used interchangeably, they aren’t the same thing. In this context, the word “dark” has a connotation of evil, sinful, immoral or illegal.  

Networking in the dark

Technically, dark nets are the networks on which the dark web is hosted.  As you already know, the Internet is not a single entity; it is made up of many different networks that communicate with each other (a network of networks, or internetwork). Those networks are made up of servers, clients, switches, routers, and the cables or wireless equipment and airwaves that connect them together.

A dark net is an IP network connected to the Internet, like any other. A dark net is designed to be “hidden” from the rest of the Internet. Of course, there are many networks connected to the Internet (such as corporate intranets). But those networks are built to limit communications to groups of known users. Dark nets, on the other hand, are designed to provide anonymity to their users.

“Dark” traffic is routed through multiple layers of encrypted relays to hide its origins and its content. It’s also the content of the traffic going across a dark net that makes it different – which brings us to the dark web, where those who know how can access that content.

Oh, what a tangled web

The dark web is sort of like a parallel universe that coexists with the public web (sometimes called the visible web) without ever revealing itself to those on the other side, even though they both use the same Internet infrastructure as their foundations.

Regular public websites are hosted on web server software that runs on organizational or personal computers connected to the Internet, and all of those millions of web pages together make up the world wide web as we know it.

The dark web consists of websites running on computers connected to a dark net. These servers are not indexed or accessed by the standard search engines, and Internet users can’t find or view them without special software and accounts.  The dark web is (a small) part of the larger entity called the deep web, which we’ll discuss next.  

Getting in too deep

Lying between the visible, legitimate web and the well-obscured dark web, sort of like the Bathypelagic or midnight zone in the ocean that lies between the sunlight zone and the abyss, is a “place in cyberspace” called the deep web. While its resources, like those on the dark web, are not discoverable with Google or Bing, you can get there with a standard web browser such as Chrome or IE – if you know the direct link/IP address of the websites and have the proper credentials to sign in.

There is a lot of confusion as to what the deep web is and isn’t. If you watch TV crime series, you might think the deep web and dark web are the same thing, but they’re not. If you think of the dark web as analogous to a criminal operation that takes place behind locked doors (or maybe even literally underground), you might think of the deep web as a little like the streets of an urban neighborhood where illegal activities are sometimes carried out. There are some shady dealings going on, but there are also many good people and many legit businesses there.

The most accurate and broadest definition of the deep web is any web site that can’t be accessed through search engines, including those web pages that are merely password protected. That would include the inner pages of for-pay sites, corporate employees-only or customer-only sites, and many more. There are some, though, who consider a site, including its protected pages, to be part of the visible web if you can use a search engine to get to its login page.  

The latter group sees the deep web as the home of porn sites, black hat hacker sites, software and music/movie piracy sites, sites that trade or questionable or illegal goods, etc. (as long as the site can be accessed via a regular web browser). There is some of this happening on the deep web.

However, hard-core criminals who engage in serious crimes such as human trafficking, moving large numbers of weapons or drugs, counterfeiting money or passports, organized crime groups, hostile nation-states, terrorists, hit men (or women) for hire, kiddie porn peddlers and snuff filmmakers are more likely to go farther under the surface and seek the greater identity protections of the dark web.

In actuality, the deep web makes up the largest portion of the web and contains things like medical and legal documents, academic and research information, government resources, banking and financial records, and all sorts of access-restricted databases and repositories.

Hitting the (Silk) Road

A dark web entity that you might have heard of is Silk Road, which was (black)marketplace on the dark web that was shut down by the FBI several years ago for sales of illegal drugs and its founder/owner was prosecuted and convicted of narcotics trafficking and money laundering, among other charges.

In an interesting aside, two of the federal undercover agents who built that case were later charged with wire fraud and money laundering themselves, in connection with funds they were allegedly given by the accused (and kept).

In addition to drugs, other legal and illegal goods were sold through Silk Road. The site’s terms of service actually prohibited sales of child pornography, stolen credit cards, and weapons. It was estimated that the site enabled over $15 million per year in transactions, all of which were conducted with Bitcoin as the currency, and the FBI said there were approximately 1,229,465 transactions completed on the site before it was closed down.

Silk Road’s successor, Silk Road 2.0, was also shut down after approximately a year in business. Other dark web marketplace sites come and go; by their very nature, they are prone to impermanence. This is one of many reasons to be careful about dealing with merchants you find on the dark web.

Origins of darkness

According to most sources, “onion routing” for the purpose of communicating over the Internet without detection actually got its start, like the Internet itself, with the U.S. military. Specifically, it was the Naval Research Laboratory that developed the Tor project for covert communications with intelligence assets.

This took place in the mid-1990s, and the Navy released the code for Tor to the public in 2004. In 2006, a group of computer scientists in Massachusetts formed a non-profit organization to maintain Tor. The Tor project is funded in large part by the U.S. government.

Dangers of the dark web

Although it’s impossible to get a real count, many experts estimate that the “invisible” web that search engines don’t see – both dark web and deep web – is many times larger than the visible “surface web.” Many of the people who inhabit the dark web are dangerous characters who have no qualms about lying to you, stealing from you, or even in extreme cases causing you physical harm if you cross them (or even if they only suspect that you might).

The dark web is designed to allow you to surf and make transactions anonymously, but the flip side of that coin is that the identities of other parties are similarly protected so that you never really know with whom you’re dealing.

Not everyone in a bad neighborhood is a bad neighbor

Despite the connotations of its name, not everything that happens on the dark web is illegal or morally reprehensible, and not everybody who ventures into its nether regions has malevolent intent. In fact, whistleblowers may use it to protect their identities as they seek to unmask illegal activities. Citizens in countries under the rule of oppressive regimes may use it to communicate with the outside world. You can also be sure that law enforcement agencies are on the dark web, lurking undercover to unearth evidence of crimes.

Curiosity seekers, too – especially computer geeks – may wander over to the “dark side” just to see what’s going on there, as do writers researching books, security professionals assessing the threat, and others who aren’t members of the ranks of “bad guys.” It’s especially important for anyone who’s considering dipping his/her virtual toes into the murky waters of the dark web to be aware of the dangers and how to take measures to protect against them.

Assessing the risks

Beyond the obvious dangers that are associated with rubbing digital shoulders with drug dealers and paid assassins, it’s important to understand how dark web client software works. Files on the dark web are often shared through peer-to-peer (P2P) networks. Why does this matter? Because it means that just as you’re connecting through other users’ computers (which makes it hard to track you), other people are connecting through your computer.

In a full-fledged P2P network, all of the computers act as both clients and servers. The servers that you connect to may or may not have security measures implemented; you have no way to know. They may have viruses or host malware that can be passed on to your computer. There is essentially no infrastructure security; protections depend on the security of the application (such as the encryption of data).

You also have no way of knowing whether other users are really who they say they are since authentication is difficult or impossible on a network designed to provide anonymity. The integrity of P2P networks is based on the trustworthiness of the peers, but how can you trust someone when you don’t even know who he/she is?

It’s important to remember that privacy and security, while frequently lumped together in the IT world, are not the same thing. While your activity on the dark web may be private, that doesn’t mean it’s necessarily secure.

Many hackers and scammers are lurking in the depths of the dark web, set on stealing your personal information. And if you’re tempted to engage in anything that’s illegal or falls into a “grey” area, be aware that the FBI and NSA have exploited vulnerabilities in the Tor protocols and can and will track users. It’s not illegal merely to access the deep or dark web, but doing so can raise a red flag to law enforcement.

How to get there from here

The web browsers and search tools that we use to surf the “above board” web are blind to the existence of the deep web, including the dark web. To cross over into that shadowy world, you need special clients such as Tor (Tor stands for The Onion Router, so named because of the layer after layer of encryption that is applied to dark web transmissions). There are other deep/dark web clients, but Tor is the most well-known.  

It’s highly recommended that if you wish to experiment with accessing the dark web, you create a secure, isolated environment for doing so: set up a virtual machine and install an operating system that will be used only for dark web access. Install sandbox software such as Sandboxie and run the Tor browser in the sandbox.

And the alternate method is to install VPN software such as NordVPN to run Onion over a virtual private network, log into an Onion over VPN server, and run the Tor browser to connect through the VPN.

Either way, before you open the browser, ensure that webcams and microphones on the computer you’re using are disabled or disconnected. It’s also a good idea to disable scripting and shut down any applications and unnecessary services running on the computer that could be exploited.

It’s even better if you can use a “throwaway” physical machine that’s dedicated only to this purpose, on an Internet connection that’s completely separate from your home network and run your VM on this. There are Tor browsers for mobile operating systems (Android and iOS), but their security is questionable. The best way to access hidden sites is with a PC, with a good firewall and anti-malware software running.

Under the hood: how it works

The Tor network software builds a circuit of encrypted connections through relays, and the Tor browser enables the use of Tor on Windows, MacOS, or Linux. The Tor web browser is based on Mozilla Firefox and uses the Tor proxy. You can run it from a USB stick without installing it. The browser automatically routes requests through the Tor network.

So how do you find sites on the deep/dark web? These sites don’t use public DNS servers to resolve names to IP addresses as you do on the visible web. Dark websites live in the .onion top-level domain, which was designated as a special-use TLD for implementing anonymous services.

The Tor Onion Service Protocol provides the way for hidden services to advertise their existence in the Tor network so that you can find them. Random relays on the network act as introduction points and public key cryptography is used to keep the service’s IP address private.

The client downloads a descriptor for an Onion service, which gives it the introduction points and public key to use to contact the service. The communications go over a Tor circuit, and the client stays anonymous. The client and server connect through a rendezvous point established by the client and protected by a one-time secret. The connection consists of six relays, three chosen by the client and three by the server.

The Onion Directory and the Hidden Wiki are some resources you can use for finding sites on the deep/dark web.  Note that on the dark web, especially, sites come and go to a listed site may have disappeared temporarily or permanently.

Protecting the company network

Given all of the above and the precautions that are advised for exploring the invisible part of the web, it goes without saying that you should never access dark websites from your work computer/network. And of course, that goes for all of your users as well.

Many of the “geeks” or amateur hackers who venture into the dark web don’t have criminal aspirations but do it because it’s the “cool” thing to do. But they aren’t security experts, and they know just enough to be dangerous, or rather, to put themselves (and the organization whose network they’re using) in danger.

To protect your organization’s systems and networks, it’s important to have company policies prohibiting or controlling any use of Tor or other dark web clients on the company network. You should also have technological controls in place to enforce those policies by blocking Tor and other deep web client traffic. There are a number of ways to do this, which are beyond the scope of this article.

A quick web search will reveal many discussions of how to detect and block access to the dark web. Some of these works better than others. Firewall rules can be used to control access to various ports, sites, protocols, and applications, so a good firewall such as Kerio Control can be an important element in protecting your organization from dark web threats.

END

SEO exercise: Listen to storytelling podcasts here