27 comments

[ 4.0 ms ] story [ 67.6 ms ] thread
"97% of companies have data leaks and other security incidents exposed on the Dark Web" - Bold claims. Do you have any proof of this? Such as redacted screenshots or examples of these leaks?

The article shows lots of stats, but no real evidence.

There are some people that say, now I am not saying it, but there are people that say, “Your data is on the Dark Web”.

It looks like FUD, it sounds like FUD, then in my books, it is FUD. Fortunately it is easy to get out of infosec meetings that blather on with these generic statements while working from home. No awkward walking out of the room.

replace Dark Web with NSA, and I'll probably buy it. Other than that. It sounds like FUD.
It looks like it’s based on looking for the companies’ domains in password and data dumps, in which case 97% is utterly unsurprising and I bet the 3% are just too new to have had any users in a major breach.
How exactly does that work though?

I'm not connived that every name in a data dump indicates a breach at a given company.

My thinking:

If someone gets a hold of a huge list of usersnaems and passwords from bobcompany.com, and then spams numerous sites with those logins to see if they work elsewhere ... and finds that a few work on joecompany.com then puts out that data.... joecompany.com might have their name listed somewhere in someone's data dump, but they didn't have a breach...

Yeah, this is meaningless marketing scare tactics.
I agree.

Every work email address I've ever had has been a part of at least one breach according to haveibeenpwned. None of them are specific to the companies I've worked for. If they count things like the Exactis breach, they'll likely pick up every company that existed prior to that breach.

> I'm not connived that every name in a data dump indicates a breach at a given company

It doesn’t, the article is marketing bullshit trying to push an dark web monitoring service.

That’s not to say you’d never be interested in these breaches: if joecompany has employees who reuse or iterate (Summer2020 -> Fall2020) their passwords, a breach at bobcompany that includes joecompany employees could give an attacker their first valid login.

The correct things to do about this problem don't require even knowing the breach exists, let alone getting somebody to tell you the details though.

You need to do MFA for everything that matters. Passwords are crap, you may not be able to mandate that your customers start caring about that (though you should offer them better alternatives) but you can enforce it for your employees.

Require WebAuthn everywhere. Issue employees a suitable authenticator if they don't have one (iOS 14 will make newer iPhones a suitable device, high end Android phones are also suitable) and avoid mechanisms to let an employee subvert this requirement. Now you literally don't care if your employees choose crappy passwords (which they will) because it has no security impact.

That’s great if you can do it, unfortunately companies with big slow IT departments that don’t like making changes they didn’t ask for tend to see “MFA on all remote services” as a multi year project and widespread use of hardware tokens as impossible. For companies in that situation using something like the HIBP domain notifications can be helpful.

When MFA is in place you still have to keep loopholes in mind, things I’ve seen recently at various companies include a user blindly approving Duo prompts and letting an attacker on to the VPN, a Fortinet appliance that was supposed to be decommissioned a year ago that wasn’t, allowing an attacker to log in with credentials stolen previously, and legacy HTTP basic auth in Office 365, which bypasses MFA unless it’s disabled.

> include a user blindly approving Duo prompts

Sure, one of the reasons I specified WebAuthn is that intuitive security properties tie up better. Users have seen keys before, if I give Bob this Security Key, obviously Bob can unlock the same things as I could with the Security Key. Whereas a lot of these other technologies are a bit abstract - I should fill this six digit code into this web site but not any other web site? The phone might give me a Duo prompt out of the blue but I shouldn't say yes?

Actually WebAuthn's Security Keys have behaviour that matches people's intuitive understanding of actual keys somewhat better than the actual keys do. If I examine the lock I can make a key for it! If I see one key, I can use that to make more keys that all work! These are properties of real mechanical keys that surprise users but aren't present in WebAuthn's Security Keys.

(comment deleted)
that's cause the article is written for seo and advertising purposes and not for educational purposes. do you know how many seo articles i have personally seen written with false information? i'm surprised they didn't throw in the obligatory quote from company ciso.
There are so many "numbers" reports in the cybersecurity industry without any kind of way for validating the claims that I think all of them have equal value - close to zero.

The only source of truth in this industry is speaking with the "frontline" and figuring out how things really are.

While the evidence is light. Is anyone surprised if this is true? My experience is that most cybersecurity firms are only slightly better than other enterprises. They often have lofty standards that they themselves don't follow.

They also have professional service arms that are similar to the rest of the industry. Handful of senior people and an army of junior engineers that bias towards velocity over quality (i.e. take shortcuts that can lead to data exposure and other issues)

I know an attorney who was quite capable legally and with tech and spent his career in both. He ended up at a legal organization that also dealt with security.

The cybersecurity industry is absolutely full of crappy security companies worth jack squat. The legal industry is full of Luddites.

Being capable in both areas = some serious demand / profit.

Yeah I don't really agree. I have both software engineering and law degrees and would love to do something on the nexus tech/law/security but there are very few jobs where deep knowledge of several is a real plus. It's at best an 'oh that's nice' level thing. I'm open to jobs in the south of The Netherlands, eastern Belgium or western Germany if anyone is looking :)
I think the lack of demand on an individual level is different as companies don't value it.

But when companies need help and they look to an outside company to come in and help, then they're willing to pay incredible amounts.

> My experience is that most cybersecurity firms are only slightly better than other enterprises.

They're often worse. I can't recall the study, but one of them looked across industries at software quality, and security products were statistically worse than others. Of course such studies are hard to really feel confidence in, but it isn't surprising.

It comes up with 130 high risk events for ycombinator.com [0](accounts with plain text passwords) and 294 medium risk events (accounts with encrypted passwords)

This feels like the sum of all the domain accounts from leaked breaches - similar to have I been pwned

Despite what the report says - you can't actually verify the data without signing up to their service and doing the whole sales funnel thing

[0] https://www.immuniweb.com/radar/?id=kKhvrIhe

I ran this Immuneweb test against my personal website with no cookies, no login, no Form nor JavaScript allowed.

Yet, I, as a “CyberSecurity firm”, have “appeared” to failed.

I have asked this in several forums but didn't get any satisfactory answer.

How does one get started in dark web monitoring for intelligence, like finding these leaked databases or confirming/denying the reports of data leak in "the dark web".

Are you asking from a career or technical perspective?

This report isn't particularly technically complex, a majority of this sort of leaked data is widely available on clearweb forums. The minority requires building relationships and/or paying and/or developing a reputation that gets you access to more exclusive forums or circles. You then have to regularly crawl those forums, and avoid identification of your crawlers (as the more exclusive forums/site watch out for that sort of activity pattern). Then you just index the data and can perform searches or analysis.

https://scylla.sh/ is a free example covering just breach data.

From a career perspective, this is a subset of threat intelligence. The more interesting companies in this space often are leveraging military-style HumInt to gain access to these marketplaces and data, and often have leadership from that sort of military or government background. Most folks I'd assume are just standard engineers however, as a majority of the work is probably not specific to "dark web monitoring for intelligence."

Any company that is trying to sell automated dark web scraping is selling snake oil. Many of the 'legit' places to purchase stolen data have vetting procedures before a person is allowed to participate in (or even view) the marketplace.

There are a few companies that have analysts that are in these marketplaces, and they provide actionable intelligence, but they are not cheap.

There are many CIOs at small/medium companies who don't understand any of this and will pay because it makes them feel better.
(comment deleted)