Dive into the enigmatic world of the Dark Web with “The Daily Decrypt.” In this bonus episode, we unravel the mysteries of the Dark Web, explore its implications for privacy and security, and demystify what it really means when your information is found there. From Donald Trump’s Twitter hack to practical tips on safeguarding your digital footprint, this talk from a local library presentation is packed with insights, humor, and actionable advice for navigating the complexities of online anonymity and security.
Show Notes:
Introduction to the Dark Web and its layers
Impact of data breaches and leaked credentials
Practical steps for enhancing your cybersecurity
Demonstration of password managers for digital security
(1) https://us.norton.com/blog/how-to/how-can-i-access-the-deep-web <- good graphics
(2) https://skerritt.blog/how-does-tor-really-work/
Transript:
[00:00:00] offsetkeyz: Welcome back to the daily decrypt today. I’m just throwing a bonus episode at you. The other night I gave a. Presentation on the dark web. And what it means when your information. Turns up there, like when you get an email from TurboTax or whoever. Saying that your email is found on the dark web. What does that mean?
What do you do?
So take a listen, if you’re interested in that. It’s important to me because it was my first time presenting to the community on a cybersecurity topic. Other than this podcast, of course.
And so I wanted to share with you guys.
I had a mic on during the presentation, but there was no mic in the audience. So I, I summarized their questions at certain points and had artificial intelligence read them. So things might sound a little weird. When the audience ends up asking questions or interacting, but a. That’s just a forewarning. So let’s go ahead and get into it.
[00:00:54] offsetkeyz: Alright, well we can go ahead and get started. I really appreciate you guys being here. I’ve [00:01:00] actually never done a presentation like this before in my life. So, you guys are now part of my family. Family can be rude, so you guys can be rude. Let me know when I’m, when I’m talking too fast, or if I’m talking too quiet, or something doesn’t make sense.
But, yeah, I’m glad to be here. Thanks to Dalton for having me. I just finished a course on leadership, and they said, hey, you should start every presentation with a story. So, I’m not gonna go full TED Talk on you. I’m not just gonna jump into the story. I’m letting you know that What’s coming is a story.
So, let’s go back to 2012. You remember the good old days when Disney didn’t own Star Wars? And the Encyclopedia Britannica was a bunch of books, not just on the internet. It’s not on books anymore, in case anyone didn’t know that. And it was a time [00:02:00] before Donald Trump was ever president. And that is not a dig at Donald Trump as a president.
He just happens to be the subject of my story. So, a young Whether or not you support the man has no business with the story. The story ends in 2016, before he’s even president, so. A young, spry, 67 year old Donald Trump, 2012, doing a reality TV show, firing people, I don’t know what he’s up to. He’s on Twitter.
He’s, he’s doing his thing. And in the same timeline, LinkedIn, which we all know, was breached. 2012. It’s the biggest breach of all time at that point in time. 6 point 5 million records were leaked onto the dark web.
And when I say credentials, that’s, Usernames, emails, passwords. The things we use to get into our accounts. Leaked [00:03:00] on the dark web. Crazy. Fast forward, I almost skipped the plot of the story. As the, as the credentials were leaked, every one of those 6 point 5 million people, received an email.
And that email came from LinkedIn, and it said, Hey! Hey, your email address was found on the dark web.
So helpful. They might even offer you free identity protection for a year. And then afterwards you have to pay 200 a year, whatever. It’s all a scam, but hey, your email address is found on the dark web. Donald Trump had a LinkedIn. Who doesn’t have a LinkedIn? Every LinkedIn user’s credentials were leaked in 2012.
So, I don’t know what Donald Trump’s email manager people did, maybe they changed the credentials, maybe not, I don’t [00:04:00] know. Fast forward to 2016. Where’s Donald Trump? What’s he doing in 2016? He is the nominee for the Republican Party for president. And he’s doing something that no one, no president in our history has ever done.
Run his campaign from Twitter. Great. It’s great. It gets him closer to the constituents that he’s attempting to serve, right? It’s, it’s, it’s a wonderful thing. So you’d think though, since that’s so important to him, it would be locked down or something, right? So at the same time, 2016, Donald Trump is the, is the nominee for the Republican Party.
He’s not yet president. There are three elderly gentlemen, these gentlemen. I wouldn’t say old, they’re probably around the same age as Donald Trump. They are cybersecurity researchers, retired from their previous careers in cybersecurity. They are doing password research. [00:05:00] And what does that mean? They’re just looking at all the passwords that were leaked in 2012, and they’re seeing which ones are the most used, what are the trends, are there exclamation points, are there ten characters, whatever researchers do, I’m not a researcher.
They finish their work for the day. And they sit down with each other, they’re friends, so they have a beer, and they decide to just like, eh, plug in emails and passwords into LinkedIn to see. With good intent. Their intention is to reach out to these individuals and say, Hey, you need to change your password because it’s really easy to get into your account.
They’re robin hoods, they’re attempting to do good. Look at the TV, there’s Donald Trump. So, what do they do? They go grab Donald Trump’s email and Donald Trump’s password and type it into LinkedIn. And he had changed his password. Great! They’re like, oh, nice, okay, that’s good. They’re just drinking beers, they’re just having a good time, they’re not even like looking at their screens as they do this, they’re just typing away, [00:06:00] haha, Donald Trump, maybe So then they’re like, ah, let’s go to Twitter.
Let’s use those LinkedIn credentials. and let’s see if they work in his Twitter. They’re drinking, they type it in, they press enter, they’re still talking, jibjabbing, hanging out, they look back down. Welcome, Donald Trump. How are you today? This is a true story. Donald Trump’s Twitter was, quote, hacked in 2016.
These people tried to reach out to the Secret Service, they tried to do all this stuff, they didn’t have any malicious intent, but they used credentials they found on the dark web to access something completely different on Twitter. Pretty crazy! All from this email, huh? So, what happened?
Why, what can you do to prevent that? That’s why you guys are here, and that’s what I’m going to try to answer for this presentation. So that none of you get caught in that situation. [00:07:00] And, we’re not Donald Trump. We don’t have to worry about our Twitter. But, hopefully I’m going to be able to show you why you should worry, and how you can prevent that stuff from happening.
So, that was to hook you. Y’all look hooked. But the question we’re all here to answer. What is the dark web? I am not an expert in the dark web.
Before giving this presentation, I’d never been on the dark web. But here we are. There are actually three. layers to the web. And when I say web, I just mean internet. The web of connected devices that we love to call the internet. So the surface web is what everyone here is most familiar with. That’s where you’ll find the sites that are listed there.
You’ve got Facebook, you’ve got Google. You’ve got sites that want to be found. Their goal is to get increased traffic, and they want to be found so search engines, if you type in [00:08:00] most of those words, they would lead you right there in Google, right? Then we move down a little bit, we’ve got the deep web, and you all are familiar with it, this actually makes up most of the internet, and it’s things that don’t want to be found unless they want you to find them.
So like login pages to your bank, or like internal documents at your work, if you have like a space where you search up, how do I do this process at work, that’s the deep web. Research papers are big, words, proprietary information, stuff like that, unindexed, you google for it, you won’t find it, that’s the deep web.
And then the dark web, where you can find a lot of stuff we’re going to touch on later. Privacy protection, illegal trade, private communication, stuff like that. So what is the difference? What’s the dark web?
It’s essentially an anonymous internet. So you might be thinking, hey, I use DuckDuckGo, or I use incognito mode [00:09:00] in my Google Chrome, or I use privacy browsing in Firefox, or I have a VPN. I’m anonymous. I don’t need the dark web. You’re anonymous. You’re doing the, you’re doing it. You’re, you’re, you’re, you’re trying and those are good things.
If you haven’t heard of those, those are just things that prevent trackers in your browser from tracking you. I can go into more details of that later, but you’re not anonymous. Your internet service provider can still see everything you do
[00:09:29] offsetkeyz: whether you’re in Cognito mode, whether you’re on DuckDuckGo, doesn’t matter.
So, enter the Dark Web. The Dark Web contains hidden sites, which I had mentioned before, you can’t actually search for them on Google.
It’s hard to picture, I’m always searching for things and finding them. Dark Web is accessed primarily through the Tor browser, and not always accessed through the Tor browser, but it is the most commonly used method, and TOR stands [00:10:00] for The Onion Router.
So, you’re going to hear onion a lot when you do any research on the dark web, because the principle of the dark web is that it adds layers of encryption , as you pass through it.
There’s a little diagram up here that sort of displays how the Tor browser works. Anyone who has the Tor browser, so you know what Google Chrome is, that’s a browser, Firefox, Safari, those are all browsers. Tor is just another one of those. Anyone who’s logged into the Tor browser becomes what’s called a Tor node.
And it’s just like the internet, how all of our devices are connected, all of these Tor nodes are connected. And say, for example, Alice, on the page, on her little iMac, needs to talk to Jane. [00:11:00] But she doesn’t want anyone to listen in. She doesn’t want her internet service provider to listen in. She doesn’t want the NSA to listen in.
She doesn’t want anybody because maybe she has something to say. to say to Jane that might incriminate her, or it might Whatever the reason, she doesn’t want anyone else to read it. She decides to go through Tor. And so what she does is she opens up Tor, and she writes Jane a message. That message then heads to another person with their Tor browser.
And that device, completely unknown to this person, this person doesn’t know this is happening, they’re just all a web of browsers, adds a layer of encryption. And then it does the cool thing where it looks like the communication is coming from this person. So already Alice is anonymous because it looks like this person’s talking to Jane.
And then that person sends it here and it adds a layer of encryption. And then that person does the same thing and sends it here. They’re not [00:12:00] actually actively doing this, this is all through the Tor browser. Okay, so it just continues to add layers of encryption until it finally reaches what’s called an exit node, which is when the encryption exits from the Tor network.
And here is a representation of unencrypted text. So whatever internet service providers are outside here are able to read the message, but they don’t know where the heck it came from. They can’t trace it back. So, because of this, the dark web has started harboring criminals who don’t want things traced back to them.
It’s not impossible to trace things back, but it is very hard. So that’s a lot to lay on, you guys. Does anyone have any questions on that, specifically? Feel free to digest it and Wait until the end as well, but I just want to make sure it’s addressed. Michelle?
[00:12:55] Gabi: Yeah, um,How does someone figure out how to get the Tor Browser?
[00:12:59] offsetkeyz: You can [00:13:00] Google tour. You can Google it and it’ll, it’ll get you. That’s essentially what I did. I was like, how do I do, how do I tour,
did you have a question?
[00:13:08] Bernard: Look what I found! Should I download it?
[00:13:11] offsetkeyz:
He has found the Tor browser for Android.
Don’t download it.
Not until the end of the presentation when I can tell you about the risks. Okay, but that is fun.
[00:13:30] Ruth: Once you get on the dark web, is someone looking into you, like is the FBI going to start looking at you?
[00:13:38] offsetkeyz: No. I’ll say no, there’s caveats, there’s times when that’s not the case, but no. Let’s see what the next slide says, I don’t even, I don’t even remember.
Oh man, here’s a screenshot of the dark web!
That’s crazy! Okay, so this is just some sort of market that [00:14:00] is probably for things that aren’t nefarious, because I found it. The dark web is remarkably slow. So there’s a wait time for most websites, because it has to go through all of these little nodes. And it just, it just really slows them down. So it’s slow.
This is a screenshot. Looks pretty safe, right? That’s the Tor browser. Nah, not much going on. What’s the next slide? Okay, so here’s a picture of a dark website. Which, as you can see, is an anonymous tip line, so maybe police use this, or journalists who are seeking information on something might use this.
Use this to communicate with their sources or something, but as you can see it’s like beautifully branded We got a nice color palette and a little emoji logo Like the dark web is it’s it’s just like the regular web. Okay. Hey, who uses the dark web? Man, I’m glad I’m getting the questions that people want to know there [00:15:00] are 2.
7 million Users, what does that say, daily active users on the dark web That sounds like a lot. I mean, it is a lot. It’s worldwide, though, so it’s more than I would have expected. Only 6. 7 percent of those users use it maliciously. That leaves, if my math is correct, 93. 3 percent of the users do not use it maliciously.
And the word malicious is a little loose because some might consider Whistleblowers to be using it maliciously, like Edward Snowden per, per se. But most of the use of the dark web is not malicious. Okay.
[00:15:40] Bernard: Was the dark web being used for the Arab Spring?
[00:15:43] offsetkeyz: I cannot . , I can’t speak to the Arab Spring.
[00:15:50] Bernard: I mean it was Egypt and they were more free…
[00:15:53] offsetkeyz: Yeah. And I mean, it eventually didn’t work, but, if I were a betting man, and I am from Las Vegas, I would say [00:16:00] yes, that their use of the dark web might look a little different, because they might not have actual devices that have the Tor browser on them, but what they do instead is they have a router, similar to like what’s in your home.
They have that for like communities that have Tor on it, and that is the Tor node, and they connect to that, and then it anonymizes their traffic from there. It’s a little more risky. But in, in, as you can see here, one of these bullets is citizens of oppressive governments. Yes, that is one of the main groups of people who use the dark web, and they use it a little differently.
But yes, journalists need to keep their sources anonymous. Whistleblowers don’t want to go to the Russian airport and live there for eight years, so they try to use the dark web, political protesters, all of this stuff. There are a lot of governments out there who just try to limit what you can do on the internet.
I can’t speak to any of them per [00:17:00] se, but like, I’m pretty sure China has limits. You can’t access Facebook, you can’t do stuff like that. But if they are on the Tor browser or on the dark web, they can actually access normal websites like Google and Facebook. It just takes forever. And it’s anonymous, so that’s great.
Okay, so that’s how the dark web works. Hopefully that’s pretty comprehensible. We’re all here to see what do you do when your information is found on the dark web. So I’m on the dark web here, this is a screenshot of the dark web, and I happen to find a site that sells credentials. So when I say credentials, usernames, passwords, email addresses, that can go all the way down to social security numbers, mother’s maiden names, it can be anything.
So I just typed in my email, that’s my real email, I’ve had that since fourth grade? So clearly there’s gonna be some things that, that, that have been on there. So, at one point in time, I had an account with Adobe [00:18:00] that was hacked. So, so essentially what that means is hackers, or elderly gentlemen typing in passwords, get in and probably want money from these corporations.
They want money from Adobe, so they get all the data they can and they say, Hey, Adobe! I have all this data, give me 10, 000, 000 and I’ll give it back. And Adobe’s like, no. And so then they leak it here. They just put it on there and they’re like, ha, I told you, tell your friends, so that when I come to them, they know I’m gonna leak their credentials.
Anyways, long story short, all these places got hacked, Dropbox, Fling, Last. fm, MySpace apparently has two parts, tumblr, whatever. Tumblr. I’ll have my email. If I were to go in, I think, I don’t, I can’t see the button, but there is like a button maybe farther down that says view password.
It costs about 10 [00:19:00] in Bitcoin to view any password, and I don’t have a crypto wallet ready to spend 10, nor did I want to. But I can go on there, so say if I had something against you, and I knew your email address, I could go on here and buy the password. and then try it on your bank. Ah!
So that, that’s essentially all that’s happening. If you find your info on the dark web, it’s not a personal attack. No one’s out to get you. Like I said, it’s, they’re going after these corporations. They’re the target . You’re just an innocent bystander, unfortunately, so. It’s the result of a breach. Usually less secure websites.
You’re not gonna see Google on here. And yeah, you can buy like the whole LinkedIn breach, which is 6 point 5 million usernames and passwords for like 300 bucks? So, the amount of monetary gain [00:20:00] people can get from those username and passwords is a lot. So it’s worth the 300 in Bitcoin. Can anyone tell me why they would use Bitcoin?
Do you know why? Okay. It’s very similar to how the dark web is not traceable. Yes, there’s a whole series of encryptions. And just like the dark web, it can be traceable if you do it completely wrong. Like if I’m, if I’m on Coinbase per se, like if you had clicked on that ad and bought some bitcoin and then tried to buy credentials with that bitcoin, that bitcoin is tied directly to your email address on Coinbase, so there are ways to trace you if you do it wrong but yes, bitcoin is encrypted and it’s anonymous and it’s What’s the word?
Decentralized? There’s no server that holds all your bitcoins? It’s, you can have a physical wallet with your bitcoins. That’s a whole nother topic. The question we’re all here to answer, and don’t worry, we’re nearing the end of the presentation. The question you’re all [00:21:00] here to answer is what do you do when you get that email?
Let’s go back and look at this email. You notice how it doesn’t tell you, it doesn’t tell you anything. It doesn’t say where the password was found, it doesn’t say what to do. This was from three weeks ago. I get these all the time because I’ve had this email since fourth grade. Three weeks ago. There’s a video down there.
Doesn’t say anything. Great! Cool. So, proud of each and every one of you for coming here tonight. The path forward is easy, but maybe not as easy as you hope. Just ask my girlfriend. or anyone who’s been to a bar with me. It can be. It’s, yeah, we’ll get there. Okay, so, when you get that email, what do you do?
You change all reused passwords. All of them. Any password that [00:22:00] is associated with that email, you must now change. That sounds hard! Yeah. Yeah. Don’t worry, it can be easy. While you’re changing these passwords, enable multi factor authentication. Can anyone tell me what multi factor authentication is? Yes.
Push notification.
Ooh, biometrics. Very good. So, one of the forms of multi form authentication, and there’s multiples, thus the name. is when you type in your username and password, you go, Ha ha, I want to log into Facebook, dee dee dee. Username, password. It’s just going to send an alert to your phone. And you have to click, Oh yeah, I’m actually trying to log in.
That works great. Not impervious to attacks. Bummer. But, People, in order to hack into your accounts, would need your username, password, and for [00:23:00] you to press yes. So, while you’re changing your passwords, enable multi factor authentication on your big accounts, like Facebook, whatever’s important to you, your bank, 401k, Fidelity, make sure that’s enabled there.
The best way to stay secure online is a password manager. Hands down, can’t beat it. Sounds scary, my mom still won’t use one. I’ve been talking to her weekly. For three years. She has a notebook. She keeps it in her pocket, has all her passwords in it. That’s great. I say, Mom, great, I will, I will, I’ll help pick up the pieces when someone gets into your 401k.
I’m doing my due diligence by talking to each and every one of you and talking to her. That’s fine. That’s better than nothing. If you have a notes app in your phone that has different passwords, better than nothing. Up until four years ago, my life, I had the same password. One password for every account.
Bank of America, Facebook, Adobe, Dropbox, one password. [00:24:00] All those accounts that had been breached. All of them. They all had the same password. They all still do, actually, because they’ve been breached, so I don’t care. I don’t use that password anymore, anyways. Because of Donald Trump, we know what can happen, right?
We know what can happen when my MySpace account gets hacked with the same password as my Bank of America. They’re gonna try it in the Bank of America. So, before we get into password managers, you might be thinking, yeah, Donald Trump’s obviously, they’re gonna try his credentials on his Twitter. They want to get in there.
They might have a political motivation. They might have anything. He’s a big name. Everyone knows him. To belittle anybody here, but we’re just, we’re just a little Frankfurt family. Hmm? Who’s going to come after us?
Let me tell you, the 6 point 5 million credentials found on LinkedIn, I, I might turn to Justin here. How, how, Justin, how long do you think it would take to loop through all of those [00:25:00] credentials using software and plug them into, say, Bank of America? Maybe 1 seconds? Yeah? Oh, man. It’s, you’d be surprised at how little code you need for that function.
The chat GPT will tell you how to use, so. How many banks are there out there? 4, 000? Yeah, it’s like, I don’t know, a couple. So how many times would it, how long would it take to loop through 6 point 5 million logins 4, 000 times? I said it was about 0. 1 seconds. times 4, 000, I don’t know, that’s four seconds?
Four minutes? I don’t know. Not very long. So, a little over an hour. That’s why, that’s why I brought him.
So yeah, you might not be Donald Trump. They might not be sitting down over beers, typing in your email address and your password, but they are running these loops, checking every credential they find on every bank in the world until one pops up. [00:26:00] Don’t let that one be you. Okay, the risks are high. And I’m here to help.
So, I talk to a lot of people about passwords and password managers, and everyone approaches it with such dread. Okay? It sucks. Anytime you have to change your routine, it sucks. But wouldn’t you like to change your routine for the better and keep yourself safe in your retirement and your family and Michelle?
[00:26:25] Gabi: Um, what even is a password manager?
[00:26:27] offsetkeyz: Oooh. You know what? What is a password manager? No, I did a podcast episode like three days ago with a graphic of a little like 70s accountant. He’s got a green visor, and he’s got little receipts, and he’s the password manager. It’s, that’s what it is. It’s a, it’s an app. It’s an app. It’s a browser extension.
I will, I will be demoing a password manager, and I’m so excited.
Yeah, passwordmanager. I [00:27:00] highly recommend this one. It’s called 1Password. And if you’ve drank aviation gin or you’ve talked on a Mint mobile phone, you know who Ryan Reynolds is?
He owns 1Password. Yeah, Ryan Reynolds, the, the, The Rexxum star,
okay, so, yes, you can have a password manager, you can have multi factor authentication, you can have them both in the same app. That’s one password. Okay, time for a demo! Yippee! . I just did this, like, 10 minutes beforehand.
This is me signing up for a new account on my phone.
Okay, so my password manager on my phone, says, hey, this looks like you’re trying to sign in to create an account, and it pre fills all that stuff. That’s my email address, you’re all familiar with it. Password, what do I do? There’s my one, there’s my, I don’t have any accounts for GitLab, that’s another piece of information that’s very helpful to have.
Grabs my username, generates, this is my [00:28:00] password, if you were fast enough you could have taken a picture and logged into my GitLab. Then it pastes it! It pastes it in there! I had to write in a username. Then I had to verify, I had to find some ice cream. Harder than it looks. It, it, it didn’t understand. So anyways, okay.
Now we’re here, I just signed up for an account. I don’t, I couldn’t tell you one letter in that password. I don’t remember it. I only know one password. It’s the password to my password manager. And that manager remembers all my passwords. I just signed up for an account. That took four seconds. It’s quick.
It’s quick. I remember before I had a password manager, I hated signing up for accounts. I was like, what am I going to add to my password? It’s going to be like an exclamation point. Where am I going to write it down? Do I take a picture of it when I write it down? I don’t know.
[00:28:53] offsetkeyz: Well, if you made it this far, Thanks so much for listening.
I’m pretty happy with the way that it turned out, but there, there were some [00:29:00] things that. That I’d like to work on, but for the rest of the presentation, I give another demo. Have a password manager in the browser. Logging into things. And I answered some questions on the dark web, but as far as the recording goes, it, it becomes pretty incoherent due to the back and forth nature with the audience.
So I decided to just wrap it up there.
If you’d like any more information on the dark web or on password managers or pass keys or multi-factor authentication. I love talking about that stuff. So just shoot us a DM. Shoot us a tweet. You can reach us by email@decryptcyberatgmail.com.
We’d love to hear from you as always, but thanks so much for listening.
[00:30:00]
Tags:
dark web, cybersecurity, data breach, online privacy, password managers, digital security, online anonymity, Tor browser, identity protection, cyber safety
Search Phrases:
Understanding the Dark Web
How to protect your information online
What to do when your data is found on the Dark Web
Tips for using password managers
Enhancing online security and privacy
Navigating the implications of data breaches
Safe browsing practices on the Dark Web
Related Posts
Cyber News: KnowBe4 Hires North Korean Spy, CrowdStrike Testing Errors
CyberSecurity News: Google Abandons Plan to Phase Out Third-Party Cookies in Chrome