Beware of the Dark Web

Lord of the Flies: Imagine a world where children are left entirely to their own guidance and education. One where the only instruction they ever receive is from peers. What kind of a world would that be?

Internet Born: When the Internet was born, it was called the DARPANET. Initially its creators tried to maintain control over its growth and development, but as it grew, that control became untenable. Eventually, a dark side emerged there.

Surface, Deep, Dark: The Internet can be subdivided into the Surface Web (that which you can Google) and the Deep Web. You may be surprised to hear that most of you regularly visit the Deep Web. Accounts such as Facebook, Twitter, or your company network that require sign-in credentials are not indexed by search engines and are a major part of the Deep Web. Estimates put the Deep Web at over 95% of the internet. The Dark Web is a subset of the Deep Web that is intentionally hidden, requiring a specific browser to access. No one really knows the size of the Dark Web, but most estimates put it at around 5% of the total internet.

Dark Web: The Dark Web is best known as a place for illegal and nefarious activities.  You can buy drugs, guns, credit card numbers, credentials, and hacked Netflix accounts.   You can buy malware or pay hackers to breach your competition for intellectual property.  There are even E-Commerce sites. Dark Web commerce sites have the same features as any e-retail operation, including ratings/reviews, shopping carts and forums.  However, sellers have been known to suddenly disappear with their customers’ crypto-coins without providing the service.  The old saying, “There is no honor among thieves,” applies.

Legal Activities: Not all activities on the Dark Web are illegal.  Around half of the Dark Web is used for legitimate activities.  It allows political dissidents to communicate anonymously with journalists without fear of persecution. People go to the Dark Web for mundane activities like joining a chess club or to exchange recipes.   Facebook even has a presence called BlackBook.  The New York Times has a presence.  The Dark Web attracts those that are interested in being anonymous.

The Onion Router: The most common way to get on the Dark Web is through an anonymizing browser called Tor (the onion router). The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers around the globe, rendering your IP address unidentifiable and untraceable. It is difficult to find your way around as there are no indexed search engines. The experience is unpredictable, unreliable, and often incredibly slow.

Why Should I Care: This is all very interesting, but I am not interested in a seedy journey to the Dark Web. Why should I care? The Dark Web is full of Personally Identifiable Information (PII) and password credentials recovered from breaches and sold, or just dumped to a site. Large identity-theft protection companies, like Experian, offer services that search for your information on the Dark Web and notify you of their findings. Companies can look to their trusted security advisor to obtain a Dark Web monitoring service that tracks your company domain. For your own email address, you can check for yourself at www.haveibeenpwned.com. Enter your email address to see if your credentials have been caught in a breach. If so, it is time to change passwords and verify your account information.

Self Governance: In the novel Lord of the Flies, a group of boys is stranded on a deserted island. Their attempt at self-governance is a disaster. A dark side emerged. Civilization eroded and chaos reigned. Kind of like the Internet.

Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer. He limited the damage, but key files were being held for ransom. Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware.  The insurance covers the costs of:  the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime.  Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack.  Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.  

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy.  Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training.  Some underwriters will require company-wide training programs prior to issuance of the policy. 

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance? Your business “lives” on a cyber flood plain. One out of every five cyber attacks is against a small- or medium-sized business. Of those that suffer an attack, over 60% cannot recover from the residual financial loss. So, it’s not only big companies that need it. Small businesses have been flooded right out of business by cyber attacks when not properly covered.

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier.  If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it.   The cost of an attack could shut your doors.  So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote.  If you run an AirBnB or a small-repair shop, you may be OK without it.  Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities.   Calculate the risk. If your company was attacked, what would be the impact?  There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world?  Would you be like Rockville Center or  like UCSF?  Consider the options, then … choose wisely.

Replacing the Irreplaceable

Dinosaurs Are Back: In 1993 dinosaurs came to life. We were assured they were in a controlled environment. Dennis Nedry was the underappreciated system administrator/programmer/network engineer/aspiring dinosaur cloner. Paid less than he thought he was worth, Dennis struggled to make a living. Eventually, he turned on Jurassic Park owner John Hammond and stole prized dinosaur embryos, intending to sell them to a rival theme park owner who had failed to clone his own. To facilitate his crime, Dennis leveraged his unique position to shut off the security controls that protected the park. He was the only one with the knowledge to control the system. Even if Dennis had not possessed a criminal mind, to preserve the security of the park he should have been required to do two things:

  1. Document his processes.
  2. Educate his coworkers.

Identify Risks: As a business owner, you may like risk. Risk means opportunity. But sometimes risk also means, well, risk. If, on the other hand, you DON’T like risk, you may also dislike change. But “change averse” does not equate to “risk averse”. Change is good when your current business practices carry unseen and unprofitable risk. One unseen risk that should be glaringly obvious is an employee who knows all the intricate workings of a spreadsheet, a system, or a network, and is unwilling or unable to share the knowledge (Nedry, dressed like a loyal minion).

Best Practice: One critical best-practice in cyber security is job rotation. Job rotation is just that. Rotating employees through different jobs on a somewhat regular basis. While it’s different for each company, it may be as frequent as every two weeks, or as far out as every few months. A challenge with this procedure for small businesses is your staff may be so small that everyone wears many hats, thus you are rotating by default; or the complexities of each role may make it prohibitively burdensome to train everyone sufficiently to have each person proficient in each role. It may seem like tiring work, but the security and productivity benefits will pay off. Such a goal will make everyone more valuable to you, yet none will become irreplaceable. In truth, some employees are really valuable, while others do little more than execute their own self-preservation strategic plan. They are nothing but a bottleneck between you and successful growth.

Self Preservation: Self-preservation is an inherent human trait. It is inherent in every living thing, really. You need to be aware of the risk this can pose to your business. You may have an employee who is acting out of self-preservation instead of looking out for the success and growth of your business.

What to Look For: According to a Forbes article, there are ways to spot the self-preserving employee:

  • They are embroiled in drama.
  • They complain–about everything.
  • They seek attention.
  • They gossip.
  • They don’t simply perform their jobs without a need to draw attention to their professional or personal challenges. 
  • They see a need to remind others of how challenging the task might be.
  • They call attention to the fact that someone else didn’t complete their task.

Single Point of Failure: I’m not suggesting you have a self-serving Dennis Nedry lurking among your IT staff. But experience has proven over time that having a single point of failure in the form of an irreplaceable employee is no less concerning than a cloned T-Rex run amok. For Jurassic Park, the warning signs were there. Ignoring them resulted in a business disaster. Implementing a job rotation procedure could have mitigated the threat.

Gone Phishin’

Happy to Help: An entry level accountant, “Sebastian”, receives an email from his CEO. Sebastian is excited the CEO recognizes him and needs his help on a major acquisition. The CEO requests a wire of 50 million Euros immediately sent to a bank account for the acquisition. Sebastian quickly executes the transfer. He feels like a hero. He can almost smell that promotion.

Oops: Unfortunately for Sebastian, and his large Austrian aerospace company, FACC, the email was not from his CEO. This was one of the most profitable phishing expeditions ever. The company could only recover 20% of the funds. The CEO was fired, and most likely Sebastian was too.

Phishing: Phishing is a type of cyber-attack that uses email to trick the recipient into doing some particular action or providing private information.  The term was coined in 1995 as a variant of fishing and refers to the “bait” used to get the victim to “bite.”   There are several variations of phishing.  Whaling refers to targeting high-level personnel in an organization.   Spear phishing refers to a phishing attack targeting a specific group of people like the military, a specific company, or certain professionals.

More Complex Today: With the techniques used today, it is not always simple to identify a phishing attack.  Although the Nigerian Prince scam, with its poor grammar and misspelled words, is still around, there are new scams that look extremely legitimate and appear to be from legitimate organizations. 

What to Watch For: Here are some methods to skillfully spot the phishing email. If an email is asking for personal information or asking you to verify details like bank or credit card information, don’t take the bait.  Established companies never ask for sensitive information. Be cautious of emails presenting dire warnings and potential consequences which require urgent action. Some examples might be a warning that an account of yours has expired or has been hacked.  Similarly, be wary if there is an urgent deadline to go along with the dire consequences.  Another common phishing tactic is to offer large financial rewards. This could be winning a lottery that you did not enter or being the prize-money winner for a bogus contest. If it sounds too good to be true, it probably is. 

What Next?: Now that you are starting to smell something phishy, how do you determine what to do? First, don’t click on the provided link, if there is one.  Hover over the link and look at the bottom left corner of your browser or email client.  It should show the full web address.  Some bogus web addresses will have extra words or letters added which do not belong to the legitimate address. Carefully scrutinize the address. (For example, g00gle is not the same as google.)  Also, beware of short URLs (hyperlinked website addresses).  Hackers can hide their true address inside a tiny URL link.  When you get an email that seems like it really came from your bank, for example, mentioning dire consequence and an urgent deadline, call the bank using a number YOU KNOW is good, or check the official website. (Google the website; don’t click the link in the email to determine if the email is legitimate.)  Many spear phishing attacks can be thwarted with policies requiring a second method of approval prior to email requests for funding (which Sebastian should have looked for).
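The link checks described above (a look-alike spelling such as g00gle for google, extra words added around the real name, a shortened URL that hides the destination, and link text that shows one address while the link goes to another) can be run automatically over an email body. The following is an added example, not code from the column; it assumes a fictional bank domain mybank.example, a constructed sample email, and a crude second-level-label check that ignores public-suffix rules.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Character swaps used to imitate a brand name (the column's g00gle vs google); constructed list.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# A few well-known URL shorteners: they hide the real destination the column warns about.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def brand_label(host: str) -> str:
    """Second-level label of a host (www.mybank.example -> mybank). Assumption: no public-suffix handling."""
    labels = host.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_link(text: str, href: str, expected_domain: str) -> list:
    """Return the phishing cues for one link; an empty list means it passed these checks."""
    host = (urlparse(href).hostname or "").lower()
    brand = brand_label(expected_domain)
    if host in SHORTENERS:
        return [f"shortened link via {host} hides the real destination"]
    if host == expected_domain or host.endswith("." + expected_domain):
        return []  # the genuine domain, or a subdomain of it
    reasons = []
    label = brand_label(host)
    if label != brand and label.translate(LOOKALIKE) == brand:
        reasons.append(f"look-alike spelling: {label} imitates {brand}")
    elif brand in host:
        reasons.append(f"{brand} appears inside unrelated domain {host}")
    if expected_domain in text.lower():
        reasons.append(f"link text shows {expected_domain} but the link goes to {host}")
    return reasons


def scan_email(html_body: str, expected_domain: str) -> dict:
    """Map each suspicious href in the body to its list of cues."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = {}
    for text, href in parser.links:
        reasons = check_link(text, href, expected_domain)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: an HTML email imitating the fictional bank mybank.example.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify your details within 24 hours to avoid closure.</p>
<a href="https://www.mybank.example/help">https://www.mybank.example/help</a>
<a href="https://myb4nk.example/verify">https://www.mybank.example/verify</a>
<a href="https://mybank.example.secure-login.net/x">Verify now</a>
<a href="https://bit.ly/3abcXYZ">Reset password</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, "mybank.example").items():
        print(href)
        for r in reasons:
            print("   -", r)
```

Only the first link (the bank's real domain) passes; the other three are reported with the cue that caught them.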

Protection: To protect your business, you should look at increasing your cyber defenses. This may be something like using email services that stop most phishing attempts. Businesses can use email certificates to digitally sign emails so recipients can verify they came from you.  

The Keys: Training and awareness are the key.  There are services you can leverage that provide phishing training. It’s even better if the training also includes simulated phishing attempts targeting your employees to determine how well the training is sinking in.

Perhaps if “Sebastian” from FACC had the proper training, he might still be enjoying his employment there – along with his CEO. 

On A Hot Day

Not The Droids You’re Looking For: On a hot day (which was not unusual for the desert planet of Tatooine), overlooking the Mos Eisley space port, the Jedi master warned his freshly-minted apprentice to be careful, with good reason. No sooner had they hovered into town in the weathered X-34, when they were stopped at an impromptu checkpoint. The gleaming troopers searching for stolen imperial plans demanded to see identification. Waving his aged fingers, the holy man muttered, “You don’t need to see his identification.” In a perplexing turn of events, the menacing guard robotically repeated those words, thereby blasting that exchange into galactic popular culture.

Cyber Jedi Mind Tricks: You may compare your computer to the weak-minded fools vulnerable to a Jedi mind trick: It does what it is programmed to do. Nothing more. For example, when an operating system looks for files (like when it hunts for malware), it does so in a methodical manner. Malware authors know how this is done, and they modify the list the operating system uses to find files, hiding their secret plans deep in the file system. They may even modify registry settings, install additional user accounts, and set up scheduled tasks.

Defender: According to several reputable sources, the Windows Defender component of Windows 10 is all the antivirus you need. It will take care of commodity malware, and it does so quietly. It doesn’t alert you when it finds malicious files. That’s good and bad. You won’t have a lot of alerts you have to investigate–that’s good, but you also won’t have a lot of alerts to investigate–that’s bad. You want to know when you get infected, so you can do something about it.

Don’t Fall For It: You also need to be aware and avoid falling for the Jedi mind trick yourself. It may come to you in the form of a popup, warning you that your computer is infected. It’s a lie. Don’t click anything in that window of warning. The red “x” in the upper right corner isn’t the close button. Every part of that window is the “install” button. Instead of clicking anywhere in that window, use the Windows Task Manager to find your browser instances, and end the task on all of them.

If Infected: What do you do if your computer legitimately becomes infected with malware? Like the stormtroopers on Tatooine, you can systematically check the identification of every program, and visit every mysterious dark hole within the Windows Operating System; however, be aware there are Jedi that will prevent your successful search. The most effective way to be sure you’ve deleted all the secret plans the malware left behind is to reinstall the operating system then reinstall all the necessary programs. Just make sure you create a backup of all your irreplaceable files before you do.

Let’s just be clear: Malware wants to hide, and it’s very good at it. A knot of Stormtroopers fitted with pure white armor briefly interrupted the Jedi concerning his mismatched metal companions at Mos Eisley. They were rebuffed. You will be rebuffed if you think you can find the malicious secret plans embedded in your computer.

We Have A Problem

Risks While Fishing?: A few weeks ago, I was fishing in the White Mountains. Fishing, not catching, but that was ok. I was there to escape the steadily building heat of a Sierra Vista June, and to receive lessons in patience and perseverance. While the former was intended, the latter was an unwelcome bonus. Everything was going according to plan. The weather was enviable. White puffy clouds cast occasional shadows that provided mild relief for a beleaguered amateur angler, and the pine-scented air had an unexpected autumn crispness. Then my fourth and last golden Acme Kastmaster snagged on a mossy rock in the middle of the East Fork of the Black River (which was more of a creek really). I had a choice to make. Retrieve the lure and try, try again; or snap the line and accept defeat.

Assess: I was alone on the river and miles from help. What if I slipped? A good friend slipped on a rock in THIS river, after facing THIS choice. The difference was he had a family to drive him the 30 minutes or so to Springerville for his fiberglass arm charm.

Choices: We all have to make choices every day. Maybe not this exact choice, but still choices that involve risk. Without even thinking, most of us can conduct risk assessments in real-time. Risk is a function of probability, impact, and asset value. In the scenario I was facing, the probability of a fall was somewhat likely, the impact of a fall COULD have been high, and the asset was either my arm, or my life. Again, high. A quick mental calculation contrasted with ending my fishing trip early and I stepped solidly into the river. My worn leather ropers quickly filled with cool river water.  I found sturdy footing and successfully rescued the remainder of my fishing excursion.

Business Risks: By now you’re asking me, “Tom, is this Field and Stream, or the Cyber Tripwire?” Stay with me. I’m getting to the point. On your business computer network, you have assets. I want you to calculate something. If you went into work today, and found that none of your computers worked, what would be the monetary loss? What if it took a week to recover? Now, I’m no Dallin Haws, so you may want to check with him first. But here is a recommendation from Dr. Eric Cole one of the leading cyber security experts in the country.

Calculating Risks: In calculating risk, two general formulas are used: SLE (single loss expectancy) and ALE (annualized loss expectancy). SLE is the starting point. With it you determine the single loss resulting from a malicious incident. The formula for SLE is:

SLE = asset value x exposure factor

While the SLE is a valuable starting point it only represents the loss for one incident. Since many organizations suffer the same loss multiple times a year, you have to include the ARO (annualized rate of occurrence) and use them both to calculate the ALE:

ALE = SLE x ARO

The ALE is the figure you always use to determine the cost of the risk, and, together with the TCO (total cost of ownership), to calculate the cost of a solution.

Your Cybersecurity Budget: So, this leads to the question. How much should you spend on cyber security prevention, detection, deterrence, and recovery? Calculate the ALE, and spend less than that annually.
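Here is the SLE and ALE calculation above carried through for the "none of your computers work for a week" question, with the budget rule applied and a countermeasure weighed against the ALE it removes. This is an added example, not from the column or Dr. Cole; all dollar figures, the 250-working-day year, and the incident rates are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One loss scenario using the column's formulas: SLE = asset value x EF, ALE = SLE x ARO."""
    name: str
    asset_value: float       # what the asset (or business function) is worth, in dollars
    exposure_factor: float   # EF: fraction of the asset value lost in a single incident, 0.0 to 1.0
    aro: float               # ARO: expected incidents per year (0.2 = once every five years)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


def downtime_exposure_factor(days_down: float, working_days_per_year: int = 250) -> float:
    """EF for an outage: treat a year of revenue as the asset and the lost
    working days as the fraction of it exposed (assumption: 250 working days)."""
    return min(days_down / working_days_per_year, 1.0)


def budget_ceiling(scenarios) -> float:
    """The column's rule of thumb: annual security spend should stay below the total ALE."""
    return sum(s.ale() for s in scenarios)


def control_pays_off(scenario: RiskScenario, annual_cost: float, residual_aro: float):
    """Compare a countermeasure's yearly cost (its TCO spread over its life) with the
    ALE it removes by lowering the ARO. Returns (worthwhile, annual_savings)."""
    after = RiskScenario(scenario.name, scenario.asset_value, scenario.exposure_factor, residual_aro)
    savings = scenario.ale() - after.ale()
    return savings > annual_cost, savings


# Constructed figures for a small business: $1.5M yearly revenue, a week-long outage
# expected once every five years, and a ransomware loss of half of $200K of data
# expected once every four years.
OUTAGE = RiskScenario("week of downtime", 1_500_000, downtime_exposure_factor(5), 0.2)
RANSOMWARE = RiskScenario("ransomware", 200_000, 0.5, 0.25)

if __name__ == "__main__":
    for s in (OUTAGE, RANSOMWARE):
        print(f"{s.name}: SLE=${s.sle():,.0f}  ALE=${s.ale():,.0f}")
    print(f"annual budget ceiling: ${budget_ceiling([OUTAGE, RANSOMWARE]):,.0f}")
    ok, saved = control_pays_off(RANSOMWARE, annual_cost=8_000, residual_aro=0.05)
    verdict = "worth it" if ok else "not worth it"
    print(f"offline backups plus monitoring at $8,000/yr saves ${saved:,.0f}/yr: {verdict}")
```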

In retrospect, I probably should have cut bait on the river that day. The consequences could have been disastrous. But for your business, the consequences could be far worse if you remain in the dark regarding risk.

Riddled by Ransomware

Ransomware. The word sends chills up your spine; or it should. Ransomware is essentially a cyber-criminal holding hostage your digital life in a binary bag. Cyber-criminals do this by zipping all your important, irreplaceable files and setting a password on them. The crooks “generously” offer to sell you the password for a “minor” fee. Truth is, the fee is not so minor, nor convenient.

How It’s Delivered: Most ransomware comes as either an email attachment, or it comes by infecting you when you visit a compromised website. For example, a few weeks ago, the actual website for the World Health Organization was compromised and serving up malware to every visitor to the site!

Protection: You used to protect yourself from this type of attack by creating a daily backup of your critical files. Files like Quickbooks, family photos, and the digital scan of your high school diploma. I said keeping backups used to work. The crooks have changed their tactics. As more and more of us got better at backing up our files, fewer and fewer of us paid the ransom; therefore, we cut into their profits. That’s bad for business.

Lockout or Stealing: Before, they just stole your access to the files by encrypting them. Now they actually steal copies of the files. If you don’t pay up, they will dump your files on the dark web–not to the highest bidder–but for free. Maybe you’re not concerned if your pictures of Fluffy end up in the darkest corners of the Internet, but how about your Quickbooks, or the scans of your birth certificate, social security card and driver’s license? It is not uncommon (nor is it recommended), for people to keep spreadsheets of all their bank and investment account numbers and the associated usernames and passwords. These are certainly not the files you want to become public!

Anti-Virus Enough? I know what you’re thinking. “I have anti-virus so I don’t have to worry, right?” Wrong. Your antivirus won’t stop it. If it could, you’d rarely hear about these attacks in the news. Don’t delete it though; it will stop some malware.

Two Keys: It is imperative for every user to do two things. First, ensure you don’t surf the web with an account that has administrator privileges. Second, become suspicious of EVERY email you receive; if your gut tells you an email looks “fishy”, then it is probably “phishy”. Additionally, if you receive an email, and the tone is one intended to terrify you with dire consequences for inaction, be on your guard. That is a favorite tactic of cyber-crooks.

Helpful Hint: One last suggestion, if you do store critical files like those I mentioned, then you should zip them and password-protect them yourself with an annoyingly long password. Finally write the password in a book and lock it in your desk drawer. If you follow this recommendation, it won’t matter if those files get dumped onto the dark web, because you have protected them.  You turned the tables on crooks. They will be unaware that the bag they hold is filled with digital dust.

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: As you can see, at any of those points, the email (like a postcard) can be read by anyone with access. That means, if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.

Unsecure By Design: Email is, by design, unsecure. That is why you should never (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the hhs.gov website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record’s application, it may take care of the encryption for you. But if not, there are email providers that will encrypt your emails. If you use Microsoft Office 365, there is a tier that will allow you to encrypt email. Other email providers like ProtonMail offer encryption capabilities. A Chrome extension even exists allowing you to encrypt Gmail. It can be a little inconvenient because you have to think up a strong password for each email, then you have to deliver the password to your patient by calling or texting them. If emails containing sensitive data are sent infrequently, the risk is lower. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me. 

Passwords Are Like Dental Floss

Flossing is Hard: Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom. Not immediate doom. But eventual and inevitable doom. Oh, and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one. “Sweetie”.

Password Strength: Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password.  Continuing the theme, this week we discuss the importance of password hygiene.  Password hygiene involves the strength, uniqueness, and practices of passwords.

The Longer the Better: Compare password hygiene to dental floss hygiene – make them long, change frequently, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity. So instead of using a complex array of gibberish letters, numbers and symbols, the best practice is to create a passphrase. A passphrase is a list of unrelated common words. It is easier for you to remember and harder for a computer to crack. In this example from www.xkcd.com/936/, the password Tr0ub4dor&3 is difficult to remember but can be cracked in 3 days. However, if we tie four common unrelated words together like “correct horse battery staple”, it would take 550 years to crack.
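The xkcd comparison above can be reproduced with a few lines of arithmetic: a passphrase of n words drawn at random from a list of size S has log2(S^n) bits of entropy, and the crack time is the number of guesses divided by the guess rate. This is an added example, not from the column or xkcd; it assumes xkcd's figures (about 28 bits for Tr0ub4dor&3, an 11-bit-per-word list of roughly 2,048 words, and 1,000 guesses per second) and uses a small constructed word list.

```python
import math
import secrets

# Constructed sample word list. Real lists (e.g. the EFF diceware lists) run to 7,776 words;
# xkcd 936 assumes roughly 2,048 common words, i.e. 11 bits of entropy per word.
WORDS = ["correct", "horse", "battery", "staple", "window", "planet", "copper", "silent",
         "marble", "violin", "cactus", "thunder", "pencil", "harbor", "lantern", "meadow"]

YEAR_SECONDS = 365.25 * 24 * 3600


def make_passphrase(n_words: int, wordlist=WORDS, sep: str = " ") -> str:
    """Pick n_words uniformly at random (secrets, not random) so the entropy estimate holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a randomly chosen passphrase: log2(wordlist_size ** n_words)."""
    return n_words * math.log2(wordlist_size)


def crack_time_years(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years to exhaust 2**bits guesses at a fixed rate. xkcd assumes 1,000 guesses/s
    (a throttled online login); an attacker holding a leaked password hash goes far faster."""
    return (2 ** bits / guesses_per_second) / YEAR_SECONDS


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from this list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # xkcd's two cases: Tr0ub4dor&3 at about 28 bits, four common words at 44 bits
    print(f"Tr0ub4dor&3 (28 bits): {crack_time_years(28) * 365.25:.1f} days at 1,000 guesses/s")
    print(f"four random words ({entropy_bits(4, 2048):.0f} bits): "
          f"{crack_time_years(44):.0f} years at 1,000 guesses/s")
    offline_minutes = crack_time_years(44, 1e10) * YEAR_SECONDS / 60
    print(f"same 44 bits against a leaked hash at 10 billion guesses/s: {offline_minutes:.0f} minutes")
    print(f"words needed for 80 bits from a 7,776-word list: {words_needed(80, 7776)}")
    print("sample passphrase:", make_passphrase(4))
```

The offline figure is why the next paragraph's advice matters as much as length: a passphrase that survives 550 years of online guessing lasts minutes once a breached site's password hashes are being cracked offline, so each site needs its own.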

Don’t Re-use Your Floss: You may ask, “If I create one strong passphrase, can I use it for all my accounts and be safe?” Well, not exactly. That’s where the second part of “treat-passwords-like-dental-floss” comes in. Don’t share. Today, you have so many accounts with passwords to remember. You have your email, company login, bank, investment, social media, gaming … the list goes on. Major breaches like LinkedIn and DropBox have exposed your username (typically your email address) and password. The information from these breaches eventually ends up on the Dark Web, available for any cyber-criminal to peruse. To see if your email address is on the Dark Web, you can check it at www.haveibeenpwned.com. A trusted advisor can offer Dark Web checks for your business domains.

Try It Everywhere: When the hacker acquires your credentials, they will test them against popular websites hoping you reused the password. Maybe you have a Wells Fargo, or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.

Password Managers: You may want to reconsider letting your browser manage your passwords. The saved-password feature of browsers is great for ease of use for you – and for a cyber-criminal. These passwords are stored in clear text in the browser and can easily be stolen.

Consider the Consequences: Since there are so many long passwords to remember, using a Password Manager can ease your password woes. A Password Manager can create, encrypt, store, and autofill your passwords for multiple accounts and make it harder for hackers to get them. Password managers can also protect you from Some recommended free managers are: Apple Keychain, Bitwarden and KeePass. You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.