Another day, another breach. This morning (Dec 6 2018) I received an email that an outside company used by our school had suffered a data breach. The names of school employees and their social security numbers were exposed. This is not the first time school employees have been the victims of a data breach.
And as is now typical when these breaches occur, employees are offered free "identity theft protection services." (I already have six of these free services due to past security breaches.) Today's offering includes credit monitoring through 2023, a million-dollar insurance reimbursement policy, and "fully managed identity theft recovery services" (whatever that is).
In addition, this protection service also includes "cyberscan dark web monitoring." The other free services I have also claim that they continuously scan the "dark web" in order to identify if my data is being used by attackers.
How are these services scanning for my data? And does this really provide added protection?
By definition the Internet is an international network of computer networks that connects billions of devices together. The World Wide Web, or just "web," is a means of accessing information over the Internet. It is one of several different ways (think of email and FTP as other means) but the web is the most common and easiest to use. The web is accessible to anyone with a device that has a web browser. Information can be located by entering the address (URL) of the site that contains the information (like www.cengage.com); if you don't know where the information is located, you can also search for it by entering the search criteria into a search engine (like Google) that continuously searches the web for content and then indexes what it finds. Search engines use web crawlers that follow hyperlinks through known protocol port numbers. Pretty simple.
But actually, there is much more to it than that.
Some web sites do not want their content to be discovered and indexed by search engines. For example, a website that contains private databases of user information may not want that information searchable by a search engine. To keep their information from being found by search engine web crawlers, a site's webmaster can take different steps.
We might think of these sites as another "level" of the web. Web sites that cannot be discovered by a search engine's web crawler make up what is called the "deep web." In contrast, sites that can be discovered are called the "surface web."
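The surface/deep split described above can be seen by simulating a link-following crawler over a small site. This is an added example, not part of the original post: the site map, the `ExampleBot` name, and the hiding mechanisms shown (a robots.txt `Disallow` rule, a `noindex` tag, a sign-in requirement, and a page nothing links to) are assumptions chosen for illustration, not a list taken from the post.

```python
from collections import deque
from urllib.robotparser import RobotFileParser

# Constructed sample site: path -> (HTTP status, noindex flag, outgoing links)
SITE = {
    "/":                 (200, False, ["/catalog", "/staff-db/records", "/login", "/press"]),
    "/catalog":          (200, False, ["/catalog/item1"]),
    "/catalog/item1":    (200, False, ["/"]),
    "/press":            (200, True,  []),   # carries a robots "noindex" meta tag
    "/staff-db/records": (200, False, []),   # private database pages
    "/login":            (200, False, ["/account"]),
    "/account":          (401, False, []),   # content served only after sign-in
    "/internal-report":  (200, False, []),   # no page links here
}
ROBOTS_TXT = "User-agent: *\nDisallow: /staff-db/\n"  # constructed


def crawl(site, robots_txt, start="/", agent="ExampleBot"):
    """Follow hyperlinks from `start` the way a well-behaved crawler would.

    Returns (indexed, hidden): the "surface web" paths, and a dict mapping
    each undiscovered or unindexed ("deep web") path to the reason.
    """
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    indexed, hidden = set(), {}
    seen, queue = {start}, deque([start])
    while queue:
        path = queue.popleft()
        if not rules.can_fetch(agent, path):
            hidden[path] = "robots.txt disallow"
            continue
        status, noindex, links = site[path]
        if status != 200:
            hidden[path] = f"HTTP {status}"
            continue
        if noindex:
            hidden[path] = "noindex"   # fetched, but kept out of the index
        else:
            indexed.add(path)
        for link in links:
            if link in site and link not in seen:
                seen.add(link)
                queue.append(link)
    for path in site.keys() - seen:
        hidden[path] = "no inbound link"
    return indexed, hidden


if __name__ == "__main__":
    surface, deep = crawl(SITE, ROBOTS_TXT)
    print("surface:", sorted(surface))
    for path, why in sorted(deep.items()):
        print("deep:", path, "->", why)
```

robots.txt and `noindex` only ask well-behaved crawlers to stay away; of the mechanisms in this example, only the sign-in requirement actually withholds the content from a client that ignores them.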
But there is even another "level" of the web. It's called the "dark web."
The dark web is most often associated with criminal activity in which you can buy stolen credit card numbers, order drugs or guns, or trade tips with other attackers. And by some estimates almost two-thirds of all dark web sites are involved in some type of illegal activity.
But getting to the dark web and viewing its contents is not as easy as opening a web browser and using a dark web search engine.
First, to get to the dark web you must use an anonymizing browser called Tor. The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers worldwide. This prevents your device's IP address from being traced back to you.
Second, although there are some dark web search engines, they are nothing like Google. The dark web search engines are clunky and notoriously inaccurate. One reason is that merchants who buy and sell stolen card numbers or sell drugs are constantly on the run, and their dark web sites appear and then suddenly disappear with no warning. Third, dark web sites use a naming structure that results in dark web site URLs looking like "p6f47s5p3dq3qkd.onion." All of these are hurdles to keep out anyone who does not understand these inner workings.
So, does the "cyberscan dark web monitoring" offered by these protection services actually work to determine if my stolen information is on the dark web?
Considering that the dark web cannot easily be searched using standard web browsers, the claims by protection services to perform "cyberscan dark web monitoring" should be considered questionable. One service claims that they monitor "Internet forums and websites, web pages, IRC channels, refined PII search engine queries, Twitter feeds, P2P sources, hidden and anonymous web services, malware samples, botnets, and torrent sources." Of all those listed only the last ("torrent sources") could be called a dark web site; the others could indeed be part of the surface web and more easily monitored for suspicious activity.
It's important to remember that there are risks associated with using these services. One service automatically scans for email addresses and social security numbers, and then gives the option to scan for phone numbers, credit/debit cards, bank accounts, driver license numbers, passports, and medical identification. But if I give all this information to the service, what if they are then hacked? (It's already happened before.) Thus, the very information that you want protected then becomes part of a data breach, and you are worse off than when you started.
So, should you use one of these identity theft protection services if they really cannot scan the dark web and if they could be the victims of attacks? You will have to decide for yourself if the advantages outweigh the risks. But just remember that the claim of scanning the "dark web" for your information is questionable at best.
Professor Ciampa is the author of several texts on Security Awareness and Network Security. These texts are available within MindTap as well.