In this listeners live episode, Matt answers questions from the audience that have come up over our dark web episodes. Get sage advice on safely accessing the dark web without running afoul of policy, blockchain analysis (or the lack thereof with Monero), how to use PGP encryption to communicate with dark web actors and more.
Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, and personally I think the dark web was far better than the dark web rises.
JEFF PHILLIPS:And I'm Jeff Phillips, tech industry veteran and curious to a fault. Today is one of our special episodes of NeedleStack, Matt, where we're going to take questions from our live audience and then we're going to dig into our mail bag also for questions that folks have been submitting over the recent weeks during our podcasts.
MATT ASHBURN:Yeah, that's right. Each week we give you guys a URL that you can go visit to give us feedback and ask questions and all those things, so we appreciate everyone that has submitted a question so far. And we've been focusing on the dark web for the past several episodes, and we've had a lot of great guests talking on things like dark web research in general, communicating with people on the dark web and strategies around that, from protecting your security to communicating effectively and all sorts of other interesting topics. If you've missed those, definitely go back and take a look at those. Really, really good stuff and great conversations. The dark web is one of those topics that really elicits a lot of fascination by people. There are hurdles to accessing it. You can't search for it like you would necessarily on the surface web. It's also a bit dangerous or mysterious to some people. And so we get a lot of questions on this topic, so we're excited to answer them, so let's hop right in. Jeff, what do you have for us?
JEFF PHILLIPS:Well, we're going to start, the first question we've got coming in here is one of those basic ones. And so, this comes from our mail bag early on when we started the whole dark web series. They ask, "How do I get access to the dark web?" Pretty much 101.
MATT ASHBURN:Yeah, great question. Very simple answer, right, to this is that anyone can get on the dark web. You can download Tor. You can also pair Tor with Tails, for example. You want to have it inside of a VM for the isolation or something like that, right? But there are few other things that you may not be aware of, right? Yes, you can, technically, there's really not a technical challenge to getting on the dark web, specifically Tor in this case, but some other things you want to keep in mind, you want to make sure that you're authorized by your organization. You also want to make sure the organization, ideally has some kind of access policy for the dark web, or for research in general. Also make sure that you understand what you're getting into. There may be content that's there that may be difficult to unsee, may be objectionable. You also may be subject to drive by malware attacks and other things. Fraud, bad actors and other things that are there. So just be aware of of those dangers and go into it with eyes wide open. Or in some cases, maybe you want to close your eyes to some of the things that are there as well.
JEFF PHILLIPS:For sure.
MATT ASHBURN:Also understand that the dark web is not completely anonymous. If you're a bad actor, that can be a detriment to whatever you're trying to do, but to us as investigators, that can really assist us in our investigations. We can exploit those capabilities to deanonymize some of those transactions and uncover people. On that note, a really good episode to check out would be episode 13 - it's called "Ready to turn out the light? An intro to the dark web" - if you're looking for maybe more introductory-level information on getting on the dark web.
JEFF PHILLIPS:And I echo listening to that episode, because as you point out, anyone can go as simple as download Tor and off you go, you would think. But there's a lot more to it than that. A lot more important things to consider beyond just the technology side so check out that episode. Okay, our next question is in a similar vein regarding access, but I think this is pretty interesting. The question is, or statement starts off, "My company doesn't allow access to the dark web, but it would be valuable for my research. Can I access it safely from a personal device?" What do you think about that?
MATT ASHBURN:There's a bit of a caveat there. Yes, you can access it from a personal device, but can you do so safely? I guess it depends on your definition of safely, but in general, I would recommend against that because of a number of reasons, right? Mostly for your own security and your own anonymity and your own privacy, right? You're using a personal device for accessing something that may be objectionable. Maybe, there may be content there that could be illegal in some cases, and you don't want to compromise that personal device with malware also that could be on the dark web. Just be cautious of that. I would recommend against it unless it's maybe as a last resort or something like that. Also keep in mind, as always, organizational policies, right, may prohibit that, so make sure you know your organization's policies as it pertains to using personal devices as well. But, yeah, look out for yourself. Look out for your own privacy and your own personal safety as well. And if you're doing it, do so, one, in compliance with your organization's policy and also do it in a safe manner. Obviously, the previous answer as well. Take all that into consideration to get on the, the dark web in a safe manner.
JEFF PHILLIPS:Good stuff. Okay. I like this question. "How do I know," because we've talked a lot about the dark web through this set of podcasts being a great resource but the question is, "how do I know if my company's being referenced on the dark web if I can't access it? If I can't get access to it, how do I know if there's stuff going on the dark web related to my company?"
MATT ASHBURN:Yeah, great question. In many cases, you know, when there is some compromise of data, the dark web, Tor specifically, these dark web markets that are out there, they're often the first places that your organization's breach data can land. From compromised credentials, third-party leaks, ransomware drug listings - ransomware dump listings, rather. It's also a source for invaluable threat intelligence. Getting information on perhaps pre-planned attacks, or discussion around vulnerabilities and exploits, all those things, those are very helpful. So you're right, whoever asked this question, you're absolutely right. It is valuable to get on to Tor, get on the dark web marketplaces and understand what's going on, what's being said about your organization or your company, because it is a good source of intelligence and also a good source of breached data as well. As far as accessing it, you can certainly go do all that stuff manually. You can do searches and all those things fairly routinely on a periodic basis. That can get really old really quickly, right? Also take a look at some of the threat intel platforms that are out there. There are also a number of other companies that are specifically focused on dark web information, so they'll essentially go, they'll scrape these markets, they'll take all the information, catalog it, archive it, index it to make it easily searchable. You can even set up alerts, for example, for certain key terms and if one of those comes up, you'll get an alert and you can be directed to that source document. Lots of those out there, all the major threat intel platforms that are out there that are worth their salt, also have something similar to this, some service like this, right?
JEFF PHILLIPS:That's interesting. So, it'll give you the alerts. You can set in keywords and then it'll alert you. Then you have to make the decision whether you're going to go and investigate it I suppose. You know, the other thing I've seen a lot of ads for now lately, not a lot, but fair amount: on the personal side, where people will go out and companies will do scans for your personal information, is your own personal credit card or your personal email ending up on the dark web. So there are definitely, if you just Google that, lots of companies offering scans and monitoring tools to take advantage of.
MATT ASHBURN:Yeah, absolutely.
JEFF PHILLIPS:We had some really interesting guests. We did talk a lot about marketplaces and what's going on across those different marketplaces. This guest of, not guest, one of our listeners has actually asked, "What are the top dark web marketplaces that are out there today?"
MATT ASHBURN:Good question. The answer for what's active today is not necessarily the answer for what will be active tomorrow so keep that in mind. The nature of darknet marketplace is such that they will be shut down only to pop up somewhere else. Any kind of list that you see of dark web marketplaces will change pretty frequently. As an example, AlphaBay is a great one. It's was first focused on narcotics and cybercrime. Probably the largest dark web marketplace ever. It was actually taken down by law enforcement in 2017, but today it is actually back and better than ever or so they say. The number two admin recently resurrected AlphaBay and it's gaining a lot of market dominance as other marketplaces are shut down. And the key benefit of AlphaBay at least from the criminal's perspective, is that it allows the use of Monero, which makes it very difficult to track and analyze transactions. Rather than bitcoin, it's much more difficult, if not impossible, to track Monero. It's much more privacy-focused. There's a number of other marketplaces that are out there as well. You have ASAP, Abacus, Archetyp, Vice City Market, Bohemia, and there are even some regional-specific markets that are out there as well. For example, WeTheNorth only caters to customers in Canada. That may be of interest to some of the folks in the audience as well. There are also lots of surface websites that are out there that profile all the various markets and they also track takedowns and all those things as well. An example of that would be darknetone.com is one of those sites that tracks that type of stuff.
JEFF PHILLIPS:It's tough. Let me check here what our next question is. You mentioned crypto, so let's go with this one. The question is, "What are the best tools to analyze cryptocurrency transactions?" The person mentions that "I've heard about chainalysis, but are there alternatives or different ways to go about analyzing crypto?"
MATT ASHBURN:Chainalysis is the one I was going to mention, mostly because it's the heavy hitter that's out there. It's been used in lots of high-profile investigations and it's really changed the game and blockchain analysis. For a long time, people just assumed that cryptocurrency, possibly because it's maybe complicated to use or required special tools, or just obscure, people just assumed that it was untraceable. They assumed it was anonymous. The transactions, keep in mind, are not really anonymous, they're more confidential. There's a distinction there that's important. Because in bitcoin, for example, the blockchain is a public register of transactions. You have the sender address, the receiver address, and the amount exchanged, and people just assume, "Oh, well, it's not my name that's on there, just my wallet address." Well, over time, as we've talked about previously with other things related to internet research, these little breadcrumbs over time can create a nice trail for somebody to uncover who you are and what you're doing. The same is true for blockchain analysis. You can take a look at that. Somebody can go take the blockchain, take that public register and go analyze it, store it off. If you want to see who is transferring data to whom, or who's transferring money to whom, you can do that pretty easily. You can also uncover things like maybe mixing and essentially laundering money through a series of change there to try to obscure the source to the destination. Certainly we've mentioned Chainalysis there, and even in the question, they're the big hitter. But as cryptocurrency becomes more popular, more tools are popping up. A couple of those true narrative, for example, like LexisNexis they're offering. Also Crystal, they're geared towards law enforcement and financial services institutions. Also Coinbase Analytics is another one. They're also geared towards financial services and government customers too. Keep in mind some of these services are built for e-commerce, some are also built for financial services. So think lending, know your customer, anti-money laundering, all those different use cases.
JEFF PHILLIPS:Good stuff. With our questions here, crypto was definitely a popular episode. And you mentioned Monero. This person asked, "How does blockchain analysis work for Monero?" If it's private, what can you actually do here?
MATT ASHBURN:Great question. Yeah, I did mention Monero earlier and kind of teased that it's a bit more privacy-focused. I appreciate the question from the person that asked that. Because blockchain analysis has been proven effective in analyzing bitcoin transactions, it's really helped to spawn a number of privacy-oriented cryptocurrencies. Monero is one of those that are essentially untraceable. They are designed with privacy in mind. In simple terms, the details are obfuscated. You can't identify the sender and receiver addresses, the amount exchanged, the address balance or transaction histories. That's because they use ring signatures, which groups the sender's address with other addresses that [inaudible 00:13:40]. Stealth addresses also allow recipients to receive funds without revealing the owner, which is good too. From a privacy perspective obviously. Also transaction amounts are encrypted. That's yet another step. Monero is also fungible. When you think of that, their coins are not unique. Whereas if I pull out a dollar bill, for example, every dollar bill has a serial number that's attached to it. And each bitcoin, for example, each bitcoin's transaction history is logged into the public blockchain. Monero doesn't have those issues from a privacy perspective. All these safeguards and untraceability have really made it also very attractive for illicit activity. As many things that are starting out to be privacy-focused criminals can also exploit that privacy-focus as well. Some exchanges have actually banned it for those reasons, making Monero less attractive if you have some hope there to exchange it for fiat currencies or to have just a widespread use. But it is used on a number of dark web marketplaces. As with everything, there's always that game of cat and mouse or arms race between investigators hoping to crack its privacy or exploit some vulnerability in the system. And also whatever the next iteration of this is.
JEFF PHILLIPS:Lots of moving parts within keeping up with crypto and what's happening in that world. This looks like our last question sir. They had one of our attendees ask is, I remember there was a discussion on one of the episodes around PGP encryption being used to securely communicate on the dark web. The question is, "What is PGP encryption? How do you get it? How do you use it in terms of communicating securely on the dark web?
MATT ASHBURN:Yeah, great question. Pretty good privacy. PGP has been around for I guess, 30 years now. It was invented in 9091, and it's the de facto standard for email security. It actually came up in our interview with Investigative Journalist Eileen Ormsby, and how she communicates with confidential sources, and including some that are on the dark web. It's important to note that PGP, like all encryption, it encrypts the message in the content, but it doesn't make you anonymous. Emails sent through a PGP or via PGP encryption, can actually be traced to a sender and recipient. You see that sender A sent it to person B, but the metadata is all there in the clear. When I say metadata of the day, time, the from, the to, even the IP address information, perhaps may be visible, as well as the subject line. These are all things that are on essentially the envelope of the message, but the contents within the envelope are encrypted. Don't put anything sensitive, for example, in the subject line. PGP works by a key that's generated by the sender and only used to send one message, that's the session key. The session key and the message sent are sent to recipient. The message is protected in transit by the receiver's public key. The receiver's private key is really the only way to decrypt this session key and actually view the message. Anybody can download software, by the way, that does this to generate your public and private keys and send PGP encrypted messages. There's also a ton of tutorials out there on YouTube and number of other websites. If you found that confusing at all, definitely check out some really good guides that are out there on getting started with PGP. It's stood the test of time, it's a great resource, and it's out there for you to use.
JEFF PHILLIPS:I think that was the last question.
MATT ASHBURN:I'm sorry, I don't see any other questions popping in here.
JEFF PHILLIPS:I do not.
MATT ASHBURN:Yeah. We appreciate it. Thanks for everybody who's watching and listening. We appreciate everybody who submitted questions today and any other time that's been in the mailbag. We really appreciate you guys tuning in as well. If you like what you heard today, as always, you can subscribe to NeedleStack wherever you get your podcasts. You can also watch episodes on YouTube and view transcripts and other episode info, or send us questions if you'd like, on our website, authentic8.com/needlestack. Be sure to follow us @needlestack_pod on Twitter, and we'll be back, of course, next week with more online research tips, tricks and experts in the field in July. See you then.