Cyber Security

by Rupert Davey
November 2019

What is the Dark Web?

The internet has been around for 50 years.

It's come a long way and now has three layers, starting with the Public Web, making up around 4% of the internet by content. This is what we all use every day, including general websites, social media platforms and online shopping.

The Deep Web is next, containing around 90% of the web, the largest portion, and it consists of private systems, such as the cloud services we use in business along with all the integrated data that flows through the world wide web but isn't searchable by Google!

That leaves about 6% of the internet classed as the Dark Web. This is invisible to the normal user and requires special software to access; anonymity is the name of the game. It is therefore a major place for cyber criminals to connect and sell what they’ve managed to steal from others.

I should say, it's also a place of safety. If your government, for example, is monitoring internet traffic, the Dark Web gives journalists a way to communicate; there are other fine uses too. Although there is evidence to suggest even the Dark Web is susceptible to surveillance by nation states... have a read. This article is nearly 5 years old!

I’ve got a very secure password; I don’t need to worry at all?

Hacking isn’t just a hobby for a few, it’s an industry for many. Like you, they train to perfect their craft to make money... which they make from selling usernames, passwords, data and intellectual property on the black market or forums of the Dark Web.

A secure password is a good start, but if a site you use is targeted and hacked, your credentials could be posted on the Dark Web.

Many of us are guilty of this: we tend to use a single password for social media, online shopping and online banking.

So, once the bad actors get that username and password combination, they'll try it against various popular sites to see if they get lucky. This is a form of brute-force attack known as 'credential stuffing'.

I’m concerned now, how can I stop them?

The first step is to find out what your current situation is and whether you’re currently at risk.

Go to https://haveibeenpwned.com/ and pop in your email address. If any sites are listed, head over to those sites and change your password. Sign up for alerts using the "Notify Me" link.

There are a few basic steps you can take to significantly increase your own online security, in order of "effort":

  1. Use unique passwords for each site you use
  2. Enable 2FA or MFA if it's available on the sites you use regularly (read this if you don't know what 2FA or MFA is all about)
    1. Banks have this enabled by default, but Facebook, Xero and many other sites offer it as an option.
    2. Get an authenticator app for your phone; any of Google, Microsoft, 1Password or LastPass is perfect, but others are available.
    3. If your phone supports it, set up your authenticator app (above) to only open on Face ID or a fingerprint. The Microsoft Authenticator app on iOS on an iPhone supports this.
  3. Get a password manager application to generate unique passwords. 1Password and LastPass are good options.
    1. LastPass is a plugin for your web browser, for example Google Chrome, and can auto-fill username and password fields on websites. LastPass is also a website you can visit, log into and see all your credentials.

Setting up 2FA means the bad actor not only needs your username and password (which is pretty easy to get), they also need your phone. Putting the extra authentication step, which is the authenticator app, behind a biometric check is the icing on the cake. If you can use a face scan, such as Face ID, that's a tad more secure than a fingerprint... which can be used while you're asleep. Apple Face ID requires you to be awake... and alive.

There is one last trick that can really slow down the bad actors but it's more of an advanced step.

Get yourself your own domain; it doesn't have to be meaningful. Something like df23434.co.uk. They're not much, maybe £15 a year to maintain. You should get unlimited email addresses, which can all be redirected to point to your main email account. Then, whenever you sign up for a new site or service, use a unique password and a unique email address, e.g. facebook@df23434.co.uk. Your password manager app (see above) can handle the tracking of all the usernames and passwords. The added bonus of this: if you start getting spam addressed to facebook@df23434.co.uk, you know which site has sold your info!

What next?

It is a numbers game and you are unlikely to be specifically targeted. Your details will get caught up with the details of millions, if not billions, of others: the top 9 data leaks on Have I Been Pwned currently account for 3.84 billion records!

You can take steps to protect yourself, and you can take responsibility for your own data security online. The firms you deal with have a responsibility, absolutely, but there are things you can do to help.

It starts with being aware of the threat and having a managed security plan to reduce the exposure of our business and our own private records.

At ctm IT Support, across Cambridgeshire, we specialise in learning our customers’ business and applying the best in technology and cyber security advice to match their requirements.

If you would appreciate a free brief discussion about your operational challenges and to explore the threats to your business, get in touch with us today.