Made possible by

You don’t have to use the dark web to be exposed to its dangers

a stylised depiction of data insecurity. people use computers and devices, while shadowy figures eavesdrop and physically steal representations of their personal data
All illustrations: Ezra Whittaker

You don’t have to use the dark web to be exposed to its dangers

As the amount of time we spend online continues to increase, so too does the possibility we’ll be exposed to scams, hacks and data leaks. But do we really understand the risks, or how we can avoid them?

You probably have a mental image of who falls victim to cyber-crime. And it’s probably wrong.

In New Zealand – and, indeed, in most places – it’s not clueless boomers who are most likely to suffer internet crime. According to NortonLifelock’s annual global cyber-security survey, it’s millennials, with Gen Z also coming on strong.

“They come out quite strong whenever we do research,” says Mark Gorrie, NortonLifelock’s senior director for Asia Pacific. “We typically see the younger audience is suffering – they share a lot of data, they even share passwords. These are activities that compromise data.

“One thing we note with the younger audience is this belief that it won’t happen to them, that these problems happen to someone else and that the data they have online is not of interest to hackers. That makes them vulnerable.”

The most recent NortonLifeLock survey highlighted a particular threat: the theft of personal information. In that survey, fully 95% of New Zealanders expressed some concern about their personal information on the internet – and around half feared that that information might be “exposed in a data breach and compromised by cyber-criminals.”

The Dark Web is in many ways similar to the internet most of us use every day: people there chat and network and buy and sell things. But because it’s not visible to search engines and is built to anonymise its users, the chatting and networking might be different and the goods bought, sold and paid for in cryptocurrency might include drugs or guns – or other people’s personal information.

All illustrations: Ezra Whittaker

That’s the backdrop to NortonLifelock’s launch of a new service to the New Zealand market – Dark Web Monitoring. This service, now part of the Norton 360 subscription package that goes with the retail software, scans the places where your personally identifiable information (PII) might be traded if it had been stolen – and alerts you if and when it finds your PII.

This is clearly something I’d want to know about. So I installed NortonLifelock, activated the 360 service and waited for an alert. Or, as it turned out, seven alerts.

My login details – both email and password in most cases – have been stolen in data breaches targeting professional social networking sites, productivity software and even online genealogy companies. In truth, these are historical breaches, I knew about several of them and have since changed the passwords for all. Yet if you’d asked me before the Dark Web Monitoring scan, I’d probably have said no, I haven’t been the victim of a PII breach.

But I have and you probably have too – especially if you are or were an Xtra email customer with Spark. In 2016, Yahoo, which was managing Xtra customers’ email service at the time, announced that login details for 500 million accounts it managed had been exposed in a huge 2014 hack attack. The breach affected at least 130,000 Xtra customers. Spark did its best to clean up the mess and dumped Yahoo as its service provider. The following year, Yahoo confessed that a billion accounts had been compromised in an earlier attack in 2013. Then it upgraded the number to three billion accounts.

For me, the most obvious consequence of these breaches is occasional emails from unidentified parties that slip through the spam filter and claim to admire my taste in porn and propose to share it with my friends and family. Look, they say, we have your password and everything. It’s not unknown for such threats to be genuine, but more often the scammers are brandishing your stolen credentials to try and scare you into paying them off.

“They’re a numbers game, says Gorrie. “They’ve got their hands on a compromised database that happens to have your email address and a password and they’re giving it a go. If there’s 10,000 people in the block of data and they’ve got a password that would be familiar to you and the likelihood that someone’s looked at porn and would be embarrassed about it, they can play on that. In most cases they have no idea beyond a credential that was traded on the dark web.”

Sometimes, however, the consequences of a breach can be more urgent and much more serious. NortonLifelock has taken the innovative step of sponsoring a podcast series, Criminal Domain, that illustrates just how serious they can be.

The first episode features Tayla Damir, winner of the 2018 edition of TV reality show Love Island Australia, who had her bank accounts and credit card cleaned out and was stranded, penniless in Lebanon and even had her mobile number ported to another network without her knowledge, to defeat two-factor authentication.

There’s a New Zealand story there too. Glenn Hart is the guy who does the cheery online roundups of Mike Hosking’s Newstalk ZB show and the station’s technology reviewer. He claims to be “a reasonably techie sort of a guy”, which seems a fairly rosy self-assessment given that the family computer he infected by trying to get a cheat code for his daughter’s game apparently had no local or online backup, or security software capable of detecting the malware he was inadvertently installing.

It turned out to be a ransomware attack – every file on the computer had its name changed and was locked up with encryption pending payment to the ransomers. Those files included his own media work and irreplaceable baby photos. Hart did show some moxie in bargaining down the price to $US200, but it took him “dozens if not hundreds of hours” to sort out, first in nerve-wracking dealings with the ransomers and then in painstakingly trying to get all the renamed files in some kind of order.

“It’s very confronting for those people impacted,” says Gorrie. “And the thing that often comes out for people who’ve been confronted by identity theft or other cybercrime is the time involved. The investment of time to make things right again can be massive.”

Although the attacks suffered by Damir and Hart were different in kind, it’s the nature of computer security that they’re all linked. Damir seems to have surrendered her details to a “virus-cleaning” scam that popped up when she was using unsecured wi-fi at a hotel (“I’m just the most gullible human in the world,” she cheerily admits at the beginning of the episode) and used the same password everywhere. Hart invited in malware and hadn’t backed up his family’s most precious files.

A significant challenge faced by online and digital security businesses is that the threats they protect against are rarely static or unchanging. With that in mind it was Lifelock’s specialisation in this form of cybersecurity that led Norton to acquire the Arizona-founded identity security business in 2017.

“When we came up with our cyber-safety strategy, identity was a key area,” says Gorrie. “And Lifelock had a long heritage working around identity theft protection. Obviously, our heritage on the Norton side was antivirus and protecting the device, but we had to move beyond that because people’s digital lives were becoming more complex and there were different threats evolving.”

NortonLifeLock systems engineer Dean Williams is reluctant to venture too far on exactly how the monitoring is done (“you don’t want to let these guys know how you’re getting the job done”) but says stolen PII will often be duplicated across multiple Dark Web forums.

Typically, the threat will split between opportunist hackers who seize personal information and put it up for sale and the financial criminals who pay for it.

“Quite often you’ll find that it’s not one person doing everything,” says Gorrie. “There are multiple players involved. Someone might have written a malicious tool, they’ll sell that tool on the Dark Web and others will buy it, then use it for data collection. They’ll generate a database with thousands of items that are of use, then sell it for others to use. It’s an economy.”

It’s also getting serious. This year’s update to the Privacy Act will place an additional duty on businesses to account for compromised information. From December 1, it will be mandatory (on pain of a $10,000 fine) to report any breach of customer data to the Privacy Commissioner.

It’s also likely that the year of Covid-19 is increasing risk. Employees discovering the pleasure and pain of working from home typically aren’t as well-secured as they are at the office. Working at the local cafe isn’t any better, says Gorrie. And don’t get him started on phones.

“We’ve had mobile security out there for years, but for a long time people were convinced that they didn’t need security on their mobile device. Yet for most people it has become a primary device now, they use it in the same way they would their PC.

“It’s not so much about the operating system being vulnerable, it’s through [things like] phishing scams; if you’re clicking the links, whether it’s on your mobile or your desktop PC, you’re still going to end up at the same location, giving up your PII.”

For Gorrie, one of the drivers of this increased risk is the ever-increasing convenience of always-on connectivity, particularly from unsecured third-party sources.

“What we started to see a few years ago is that we were protecting their devices, stopping the threats from hitting them. But people were being compromised because they were connecting onto open wifi networks where it’s quite easy to perform man-in-the-middle attacks and eavesdrop on people’s connections.

“We had to extend our protection beyond the device to the connection. Hence the VPN to protect the flow of information out of people’s devices. Even now, you can’t tell whether the apps on your phone are using SSL, the only way you can guarantee the app’s transmitting data in a secure way is to use a VPN.”

Most people don’t think about whether their mobile communications are encrypted, of course. And most people don’t think about what information they’re making available to whoever. Ironically, one feature of the Dark Web Monitoring service is that it’s more effective when you share more with it. It can scan for not only your email address but phone numbers, your mother’s maiden name, credit card and bank details and even physical address. But you have to tell it those things first. You have to type or paste them into a web page, which, even over a secure connection, feels a bit weird – like, it’s a thing not to do. So, does NortonLifelock itself need to earn the trust of its users?

“It’s critical,” Gorrie confirms. “If you want that data monitored, that’s private information that you don’t want leaked out. People do think twice about sharing it with any service, so obviously sharing it with us, there’s got to be a high level of trust.

“This is where for us coming into this space, trust is a big thing. We have customers who’ve been with us 20, 25 years and a lot of that’s to do with trust. So we take that very seriously.

“I must admit, when we were setting up I was asking a lot of questions about the level of effort that we go to to protect people’s information. And we do – we take that seriously. If we were compromised, it would be massively damaging, so we go to a lot of effort to protect the information.”

Bottom line: if you’re going to tell anyone, it might as well be the good guys – if only because you’re going to want to know if you’ve accidentally told the bad guys.




The Spinoff is made possible by the generous support of the following organisations.
Please help us by supporting them.