The dark web refers to the mass of websites that exist where the identity of the host and user are hidden and encrypted, and of course, they’re not searchable. An often used graphic to depict the dark web shows a large ice-berg with the small tip above water representing the web as we know it and the hidden mass underneath representing the dark web. It’s been reported however, that the dark web is smaller than we are led to believe.
Silk Road, one of the bigger and better-known sites on the dark web, where drugs and weapons were sold, was shut down in 2013 (followed by Silk Road 2.0 shut down in 2014 and Silk Road 3.0 taken down in 2017 due to a lack of funds). This site, and its notoriety, put the dark web on the map for many but just because it's gone doesn't mean the others are. It’s not just illicit products and services like hitmen for sale, there is also a stack of data that’s been stolen. Your data, my data, swathes of data stolen from individuals and companies is published there.
Our online lives create more data than ever before, and we entrust that data to companies. These companies are the target of hackers who want our information to make a profit. In July this year it was reported that hackers stole the Medicare data of every Australian and put it for sale on an undisclosed dark web marketplace. A vulnerability was found and exploited (dubbed the Medicare Machine) allowing the breach to happen, people can buy their own data (or anyone's) for $30 a record.Whilst the data available isn’t enough to access personal health records as suggested by some media outlets, it is enough to create a fake card as proof of identity when committing other fraudulent acts.
So how do you know if any of your personal data has been leaked in a breach?
Earlier this year the government passed new laws Privacy Amendment (Notifiable Data Breaches) Act 2017, which will be in effect from February 22, 2018. The new regulations state that any Australian company that discovers a data breach must disclose it, within 30 days of the breach being detected. Depending on the nature and size of the breach if you are affiliated with the breached company in any way it would be a good idea to update any credentials or details that may have been affected, taking a better- safe- than- sorry approach.
Another way to check is to visit the website Have I been pwned?, set up by web security expert Troy Hunt. The free website lets you enter your email address to see if it’s been compromised. A note; even if you come back clear, you may not be in the clear – the information may not have been made public yet. It’s a good idea to check back regularly. The website also contains information about data breaches so you can check if any company you're affiliated with has been breached.
What can I do to stay safe?
Some say it’s only a matter of time before every company is hacked (unless they already have been, but just don't know it). Even so, there are some things you can do to keep ahead of with the bad guys:
> Always check exactly what you are signing up for and untick any boxes that allow your information to be sold to third parties
> Create strong, unique passwords for every site you access and store them in a password vault
> Limit the amount of information you share and disclose on social media sites such as Facebook, regularly check and update your privacy settings on these sites
> Never respond to unsolicited emails or phone calls, and always report suspected fraud to those that need to know
> Check your bank statements regularly for any unknown transactions
> Install security software on all your devices
> Encrypt hard drives that store any personal information
> Sign up to Scam Alerts from Stay Smart Online, they will keep you updated with any major breaches, software updates or other scams such as phishing that are circulating
If you are concerned about the safety of your staff or company, we offer Security Awareness Training as one of our security services.
