85: Darkside with Larry Herzog

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: The Dark Web, an elusive realm shrouded in mystery, has captured the imagination of many. Its origins and evolution have given rise to tales of secrecy, anonymity, and hidden activities. It contains a world of hidden marketplaces, encrypted communication, and untold possibilities for those brave enough to explore its depths.

Chris: I’m here with Larry Herzog, a senior presales professional, low brass musician and motorcycle enthusiast. He’s a dynamic force who orchestrates every aspect of the sales engineering domain with finesse and expertise. With an unrivaled ability to cultivate and maintain strong revenue generating partnerships with security sales teams, larry has earned a reputation as a true maestro in the field. Armed with a stellar record of qualifying customer needs, he weaves technical solutions into captivating narratives that enthrall both customers and partners alike.

Chris: Larry, thanks for joining me at the bar. If you don’t mind, I’d like to hear the genesis story of the Dark Web. Tell me about its evolution.

Larry: Yeah, the actual Dark Web, or sometimes called Darknet, actually goes back way farther than if you look online Wikipedia. And so it’s going to say like either 2007 or 2009 or so forth. But it really goes back to prior to y2k, when the initial popularity of peer to peer networks and so forth, things such as Napster, there was in the educational environment in various colleges, there was a thing called Internet2 that was being stood up. It basically was just ramping up, kind of like what we see today and always on internet for the consumer where back then it was all dial up unless you were on premise at an institution. And Internet two was kind of the basis to kind of started in the educational system. But the Dark Web basically was starting to form there where people were like things like Napster and stuff were starting to get taken down.

Larry: Folks still wanted to be able to share files and so forth. And the typical peer to peer networks were proving to not have the middenity that was needed for them to stay up near the share basically anything and everything regardless of the legalities. So it really started brewing and the design of it really kind of took off in freenode IRC network and basically it was all the geeks at the various colleges and so forth that came together to develop this kind of Dark Web.

Larry: Basically call it Dark Web because it’s not viewable from your standard internet. So they call that the clear web. What you basically see if you pop open a browser, basically non indexed web that’s peer to peer, there’s no centralized data centers and so forth, it’s all decentralized. And actually you used to be able to actually early two thousand s and so forth, anyone could just stand up a server. If you had a decent internet connection, you could throw it in and basically it would turn it into a caching server, it would host files, randomized and so forth. You could still do that today, but it wasn’t not as prevalent as it was then when it was first ramping up. And that was actually needed fairly quickly.

Larry: It became a haven for things such as child porn. So when you first started getting into it, you kind of had the moral dilemma, do I want to participate in something that I believe in as far as the freedom? But along with that, you know that you’re helping to facilitate things that are illegal, which you may not have a problem with, but things such as child porn, that’s pretty much universally disliked.

Larry: So that was really the main primary illegal activity that was happening on the Dark Web. Was that child pornography? Aside from typically what it was stood up for in the first place, things such as music sharing and those sorts of things that were on the fringes as far as legality, where people felt they had a right to it. But at the same time, obviously the record labels and everything were cracking down.

Chris: So I’d like to hear more about the architecture and the way it’s designed to optimize anonymity built for those who use it. What are some of the mechanisms involved?

Larry: They took the concept of peer to peer networks and wrapped encryption around them. Encryption around them, and which basically kind of makes it like a pseudo mega point to point to point to point VPN because all the traffic is encrypted, all the data that’s available is replicated in many places, like your standard peer to peer network. And all the interactions that you do with the Dark Web obviously is all encrypted.

Larry: Use special browser, the Tor browser. So there really is no logging mechanism that you can point to and say, okay, well this activity came from this IP, or this activity came from this IP simply because it’s all encrypted and there’s no standardized logging. And as far as the data that’s being housed, it’s replicated over numerous locations. So it’s not just one server here, one data center that’s housing the data.

Larry: So as far as Anonymity and being able to engage in those activities free from the fear of getting caught, strictly speaking, interacting with the Dark Web is incredibly safe. And as we talk about how people get caught, I would say probably 99.99% of the time is where data from the Dark Web intersects or gets exposed on the regular internet or their personal activities. Maybe somebody is running a bunch of successful campaigns and so forth, getting a lot of money.

Larry: All of a sudden they’re mediocre. Their midline residential home has like Ferraris parked outside. So really in almost every case, folks that get caught, it’s where their activity is exposed somewhere other than the Dark Web, where they give private information on the Dark Web, and those that are actually investigating in the Dark Web are able to identify them that way. So it’s not the ability to hack the Dark Web and be able to identify things that way. It’s really your run of the mill social engineering.

Chris: Okay, so let’s journey below the surface and see what this is all about. The Dark Web’s UI incorporates visual aesthetics that deviate from the sleek modern designs of mainstream websites, transporting visitors to an intentionally low key and unassuming environment that includes dark backgrounds, minimalistic layouts, and scarce imagery.

Larry: I mean, it looks a lot like primarily looks a lot like late 90s Web because you have, for instance, various search engines and so forth that are available within the Dark Web and you’ll be prepopulated in Trinky solutions like Tails OS and so forth, where you can actually boot off a USB stick. You’ve got a Tor browser there and you can start browsing the Dark Web. And because people that designed it and so forth, they’re security conscious in that they’re looking not only are they looking to create exploits and those sorts of things, but also protect their activities.

Larry: There’s not a lot of client side scripting and so forth available JavaScript and the PHP available on those websites because they want to keep them simple. They’re less likely to be hacked. And then also, it’s not built for the end user experience. It’s built to house data and to provide services. So it looks a lot, like I said, the late 90s Web, hand coding, a web page, HTML I’ll remember what those look like. And animated gifs and so forth. It looks a lot like that.

Chris: So, Larry, you mentioned tails OS, which is abbreviated for the amnesia incognito live system. It’s a privacy focused OS specifically designed to provide anonymity for its users. It’s free my favorite four letter word, by the way. And you can download it from its official website, although you can also find it on the Darknet for sale, as well as many other privacy tools. How trustworthy are these tools, especially if you’re getting them from the Dark Web?

Larry: Yeah. So basically when you’re trying to make your entry into the Dark Web, you’re going to be looking for tools that are available on the standard Internet because you don’t have the tools to access the Dark Web. Most if not all the tools are freely available, but there are certainly people that are willing to sell them to you. You just search for those tools and so forth. Either sell it to you maybe they’ll wrap it in, we’re going to support it for you, or give you help in setting up and so forth.

Larry: But ultimately the tools to access the Dark Web are completely free. And it used to be you’d stand up a Tor browser and you could access it that way, but products such as Tails OS is just a complete turnkey solution. You basically reboot your computer, you boot off a thumb drive, and then you have a fully protected environment that you can access the Dark Web, and you can even have that flash drive read only, so you’re not even saving any cookies or anything yet.

Larry: There are sites that actually leverage cookies on the Dark Web, so you can actually completely keep yourself removed from any sort of tracking that way. But yeah, those tools are free. And as I mentioned before, strictly speaking, from a technology standpoint, the Dark Web is incredibly safe and incredibly hard to be, quote, unquote found out because it is designed incredibly well.

Chris: Sounds to me like the sellers are simply capitalizing off of the buyer’s mind.

Larry: State, and a lot of times young. Certainly it’s going to be suspicious if you’re going to be purchasing those, if you know any better. And a lot of times they’re probably going to wrap malware and so forth around those tools.

Chris: Yes, malware included at no extra charge. So let’s talk about the Dark Web services related to cash access, credit and debit. Explain the process of how this information ultimately gets onto the Dark Web, and also how financial institutions can help prevent it from happening.

Larry: Yeah, so debit cards, credit cards and so forth. From an electronic standpoint, it’s nearly 100% phishing, whether it’s just broad phishing attacks or even what they call spear phishing, where you’re actually targeting a specific person. But yeah, it’s almost always phishing attacks. You do email campaigns and so forth, trying to look like PayPal, trying to look like Microsoft Azure account needs to be updated. Your Office 365 account needs to be updated.

Larry: You need to reset settings in your EBAY account or PayPal, basically getting you to go to a website and put in personal information and primarily looking for credit card or debit card information. So that’s almost exclusively phishing campaigns. Yeah. As far as thwarting against those, there are things, fairly easy things that you can do on the client side. One, obviously, what’s that URL you’re being directed to.

Larry: If you’re needing to update things in your bank account or so forth, use a known bookmark, type the URL directly, go to that site and update your information. There are also things if you’re using, for instance, password handlers, and so forth, a lot of times they have a certain icon that will show up for prepopulating password fields. If you typically see that and now you’re at the same site and you don’t see that, it’s probably because it’s not the same site.

Larry: So it’s a lot of awareness on that side and then on, I guess, the banking side, it’s becoming a lot more popular for them to have these randomized electronic credit cards where every time you use them or at wheel, you can actually recycle those cards. So you have your debit card. Like, for instance, I use Wells Fargo. I have the ability to leverage an electronic credit card that’s used I can use for commerce.

Larry: I can rotate that at will so I don’t have to cut up my card, wait for them to mail me a new card and just say, okay, I want a new number. Bam. There you go. If you use those exclusives for online, at the very least, if that number gets compromised, you can change it right away, and then the old one is null and void right away.

Chris: Okay. So for financial institutions, it’s wise for them to offer randomized electronic credit cards, and for the customer, it’s wise to take advantage of it. You also have the marketplace vendors that specialize in carding, which refers to a stolen credit card, right?

Larry: Yeah, that gets into kind of what I always find is pretty funny is you’ll have people who and a lot of times it’s probably older generation, maybe a Gen X like myself, or even older, where they’ll say, I never use my credit card online. Right. They won’t use it online. Maybe they’ll use a gift card. Or like my wife, she always makes me to order stuff. So I’m like, you just want to make sure that your card area is exposed. Right, I see what the game is, but yeah, they’ll do that. But then they’ll go to a restaurant and say, oh, here’s my card. Why don’t you go take it into the other room and do whatever you want with it?

Larry: There’s no problem with that. So you’re at a restaurant, someone takes your card, and carding is basically just reading information off the card. So basically there’s these kits. You just swipe the card, you get the information, and then you can create your own cards and leverage those. And you think today it’s a little more secure with the chip cards and so forth. But they make these cards that basically have chips in them, but they malfunction. So basically you put them into the reader malfunctions. It says, okay, swipe instead something wrong with your chip. So it’s like, well, if you’re going to default to the stripe, what’s the point of having the chip?

Larry: So there’s still ways to get around it, even though the complexity and the checks and balances have increased exponentially in regards to credit card safety. But yeah, carding is basically getting physical access to your card and then pulling that information off so that you can replicate it.

Chris: Yeah. Now that I think about it, this reminds me of something that has faded from my memory over the years, but draw similarities. Credit card skimmers. I’m not even sure if those exist anymore.

Larry: And that’s basically just unattended carding. So basically you throw a reader on the outside of another reader. So basically you’re going through two readers when you put your card in either to an ATM or to these more gas stations or even vending machines that have the chips and so forth, where you put the card actually in. But yeah, those still exist. I think they’re a lot less prevalent because I think gas station so forth, they’re training their employees to look for those things, and they’re pretty easy to spot if you’re cleaning up a gas station parking lot every day for yourself and you’re like, what’s that?

Larry: It’s pretty easy to identify. So they’re typically going to be short campaigns and you’re going to know that you’re going to lose that hardware. So I would say probably these days because people are a lot more vigilant. It’s probably not worth investing in that hardware. Much easier to if you got a friend that works as a waiter or something like that or get a part time job yourself, you’re going to have access to a lot more credit cards and it’s going to be more controlled environment. You’re going to be able to capture that information yourself.

Chris: I got you. So let’s talk about Dark Web search engines, the place to locate these services. Grams was once an infamous tool that gained notoriety for its ability to index and search hidden services on the Tor network. I’m curious to understand more about that. Can you expand on the concept of Dark Web search engines and how exactly user friendly are they?

Larry: Yeah, as far as how friendly they are, they look just like if you look at what Grams you just look like it looks just like Google. You got a logo, you got a search box. And the biggest difference is those search engines aren’t really crawling the Dark Web. You’re basically registering with them saying, hey, I’ve got services and so forth that I want to be exposed. And you can make those available to whoever’s running that search engine. And then you can give them access to, for instance, if you’re running a form or so forth, they can crawl that information and so forth, but they need the address and so forth. They can’t just go ahead and like Google doesn’t just crawl the entire Dark Web.

Larry: They need to have some sort of direction. So you make them aware of your, for instance, message board where you’re buying and selling services and advertising services and so forth. And then a Grams or a Grams replacement goes ahead and crawls that indexes, and now you have that information available and then you do things sorts, especially if it’s like a new search engine. You say, okay, who’s spinning up the next release of Tails OS? I want to be included that as a bookmark on the Tor browser that’s being in the next release so that I can actually have exposure with my search engine. So it’s more manual in that process.

Larry: But as far as the end user, it’s exactly the same as using Google. You’re looking for something, you type it in, boom.

Chris: Interesting, you can’t get any easier than that. So I think we all know that illegal drugs are a big part of the dark web. Powerful narcotics, synthetic highs and mind altering compounds are not only advertised, but also include ratings and reviews like products in an online store. Hypothetically, could I go onto a dark web search engine and key in cocaine near me? I mean, it has to be risky.

Larry: Even on the dark web. They’ll kind of frame it more like natural medicines or those sorts of things or alternative medicines. They’ll classify them that way, but not everyone’s going to be that. I guess that characterizes. They maybe just say, okay, here is ecstasy, or here’s cocaine, here’s marijuana. But yeah, you could absolutely search for that. The funny thing is that the most common way of propagating that is through the US mail.

Larry: So most of the online, I guess drug activity and so forth, end user drug activities, not like massive shipments or anything, is through the US mail. They’ll throw in an air freshener into the box, wrap it up nicely, and they’ll throw it through the mail because there’s next to no inspection from that standpoint for domestic mail.

Chris: With that amount of trafficking, what does the source to destination workflow look like? I mean, are they using local resources?

Larry: For the most part, if you’re looking for personal use drugs on the Dark Web, most common is going to be in country. So if you’re in the US. You’re going to get something from sent to you from Colorado or whatever. Because the mystic mail, there’s not a lot of inspection and not us, I guess there’s not a big eye looked at as far as there, aside from being able to scan them so that you can say, here’s what’s coming in your mailbox the next day, but not really looking for nefarious activities or drugs and so forth. That’s more focused on importing from other countries and so forth. But in country, not a lot of, I guess, critique of that activity.

Chris: I also heard that the Dark web is known as a platform for hiring hitmen. I assume that there has to be some complexity involved with that. Surely a search engine wouldn’t easily return that result for you.

Larry: Yeah, usually you’re going to kind of go down the rabbit hole in that way. Typically that stuff’s not going to be just first level searching, but there are tons of message boards and so forth that have all sorts of services and so forth. So basically you’re going to go to a message board, you’re going to look at some sort of nefarious activity, ask around, they’ll know about other nefarious services that are offered, so you can eventually define those sorts of things, but it’s not as, I guess, in your face as some of these other services that are available still.

Chris: It’s there hiding in the darkest corner of the Dark Web.

Larry: And of course, those sorts of services where you’re going to need to exchange real world personal information, folks could be a lot more guarded because that’s one of the ways people get caught. An FBI agent can certainly spin up tails and they absolutely do and start looking for services and so forth. And if it’s something like a murder or a hit or those sorts of things, there’s going to be need to be the exchange of personal information.

Larry: And so you have to be way more careful, obviously, for those sorts of things.

Chris: Yeah, for sure. So for the non experienced cybercriminal, there are actually educational courses on how to conduct cyberattacks, everything from writing a phishing email to how to steal someone’s identity. And alternatively, you can hire an actual hacking group to administer the kill shot for you. Talk to me about those services and what price point would a buyer expect to see?

Larry: Yeah, so you have kind of the three major services in that realm. There’s the Malware as a service where basically you’re just providing money via typically bitcoin to basically run that service and you don’t have to have any information or technical savvy at all. How do you do it yourself? And then there’s open source packages where you can download the entire suite and spin it up on your own servers and run your own campaign yourself. And a lot of times that may be coupled with courses and so forth.

Larry: And really especially the message boards where they have advertised the various courses on how to do a phishing campaign or ransomware campaign and so forth. They’re a lot like if you’ve ever clicked on like a Facebook ad where it’s like, oh, these are some cool shoes, you click on them, it’s like, oh, you only got two minutes to have this deal. And you say, nah, I’m just going to click off. Are you sure? Here’s 30% off. Here’s 20% more off. You’ll have a lot of those things where they’re just going to try to get any money from you because it’s static information.

Larry: It’s already sunk cost that they put research into it and so forth. So it really cost them nothing to even offer it for like a couple of bucks. So a lot of those things are going to be going to leverage those same sort of techniques. We’re like, all right, limited time only you can get it for this price. Hey, okay, fine. How about $5? They’re trying to get any money from you. If you’ve got something just stood up there, you’re not interacting with it, you might as well extract whatever you can.

Chris: The irony of bargaining with a cybercriminal on the Dark Web is an interesting facet, but for the tech savvy that prefer more of a DIY approach. Purchasing an exploit kit is always an option. One particular exploit kit that has gained notoriety within the Dark Web community is called Offensiveware Multiexploit Builder. If you don’t mind, tell me what that is exactly and what it would be used for.

Larry: Yeah, Offensiveware specifically is an infected document builder. So it’s typically going to be leveraged in concert with like a ransomware of a service or other malware as a service program, as a method to get a client or an agent on an endpoint. So there’s going to be that service specifically Offensive, where Multi Explorer Builder basically you have different levels that you can purchase, different features and functionality and those are typically what is actually detected.

Larry: Let’s say you want to embed and install an agent and you don’t want to see the end user see anything. You don’t want to see an error, you don’t want to see anything like that. That’s going to cost you more than say, they open up a document, it throws up like an error message and they go, well that’s weird, and they close it. That’s going to be cheaper because it’s not as elegant as kind of more sophisticated document effective documents.

Larry: Offensiveware is primarily giving you the ability to embed malware into documents like a Word or Excel or so forth for the purposes of infecting an endpoint for the next step for loan launching, for instance, a ransomware campaign.

Chris: Now if an individual decides to buy an exploit kit and has zero knowledge or experience using one, does it include instructions or does it include some type of support plan?

Larry: They absolutely come with support plans and something like Offensiveware. It’s really still a SaaS service. So if you’re engaging in maybe you’ve already enlisted a ransomware campaign and you’ve got the malicious code that you want to push out there, you’re just going to upload that and select the options that you want and it’s going to generate the document and then you just download it. So you’re not even downloading a kit to build the infected document. You’re simply uploading everything that you want to propagate and then it spits out the resulting file.

Chris: That seems pretty straightforward. Let’s talk about another as a service offering that can be obtained, which is Ransomware as a service or RaaS. In January 2017, Satan infamously made headlines as the first known RaaS offering sold in a Dark Web marketplace. Talk to me about how that process works.

Larry: So basically you register, you log in, you pay the requisite money, and then it runs the entire campaign. It will still provide you with the infection file that you need to propagate via something offensiveware, but it handles the whole back end. So those agents are going to check in with Satan, it’s going to push down the encryption keys. All that is going to be facilitated via the Satan service. And it has two factor authentication has a help desk and those sorts of things.

Larry: One of the things that was really cool about Satan is that they crowdfunded the expansion of their software into multiple languages. So I checked in with them multiple times over the course of six months and they supported maybe like half a dozen languages, english, Portuguese, et cetera. And basically almost double the course of like six months. They doubled the amount of languages that their software was supported in. And that was all crowdfunded basically saying we’ll either give you free services up to so many infected clients or we’ll give you a discount.

Larry: And basically through that methodology, giving discounts and giving free services and so forth, they’re allowed to basically crowdfund the expansion and additional sophistication of their software.

Chris: And then you also have Nemesis, which was another notorious RaaS sold, although it’s slightly different from the Satan malware, correct?

Larry: Actually, Nemesis still is Ransomware. They have a little bit different in that they take a percentage of the cut, whereas something like Satan is going to be one time cost, depending on how many systems you want to affect and so forth. Where Nemesis is, you put in your bitcoin wallet and they take a specific cut of the earnings right away. So basically when the ransom is paid, it’s paid directly to Nemesis and then you’re paid your percentage off of that, whereas something like Satan, you’re going to put your bitcoin wallet in and then any payments are going to go directly to you.

Chris: Got you. You mentioned bitcoin and when we look at cryptocurrency, which was really what elevated the dark web and drove the concept of buying and selling illegal goods anonymously online. Now you have what’s called bitcoin mixing or tumbling services. Essentially, it’s crypto laundering.

Larry: Yeah. So crypto in general, I guess there’s the anime part of it, but basically one of the big initial draws to it is not controlled by any government or Federal reserve or anything. It was completely independent monetary system. So it’s something that the government didn’t have their fingers and it’s totally controlled by those that leverage it. So that was kind of one of the biggest draws. But yeah, the electronic portion of it and so forth is certainly another draw as well.

Larry: Given the fact that you have wallets that are tied to specific people, you can still track to a certain extent bitcoin itself. So Tumblrs is basically tumbling, I guess in general is basically the ability to basically launder bitcoin. So just like you would launder money by introducing dirty money into a side business or something and having that recycled and intermixed with customer and client money, same sort of thing, except electronically you’re dumping into a bigger wallet and so forth, it’s going to get mixed up. You’re going to have the company that’s doing or the person that’s doing the tumbling service is going to take their cut, obviously, and then you’re going to get basically bitcoin back that are from the. Various different folks that are actually participating in the tumbling activity. So basically it obfuscates. It enough that you can’t track it down to specifically where it came from, who paid it, and who ultimately ended up with it.

Chris: So not only illegal services are being sold on the dark Web, but you can also purchase equipment as well. Laptops, burner phones, even down to t shirts. What type of swag could one find in the dark web marketplace?

Larry: It’s anything and everything, certainly. Electronics, laptops, and those sorts of things are quite prevalent. But also things such as the non casual things that are easier to use anonymously, such as airline points and Uber points and those sorts of things that are typically almost all the time extracted illegally themselves, but then offered for sale. And then of course, there are things such as passports and so forth.

Larry: The physical merchandise, obviously, is what provides the most danger. Because you’re mailing something to a specific address, whether you’re leveraging a PO. Box or whatever, if an agent or government entity can identify, okay, we’re seeing merchandise that’s hot stolen being mailed out here, and then you’re receiving that merchandise, then obviously that’s kind of an exposure point where you could potentially get caught.

Larry: But as far as electronic services and those sorts of things, way more reliable, way less risk as far as exposing yourself to potential, I guess, potential arrest and those sorts of things.

Chris: So what if someone is interested in obtaining a new identity? Can the dark web provide a way to satisfy this request?

Larry: Yeah, and there’s obviously different levels to that as well. So you want to actually become a new person. There are Social Security numbers and date of birth and those sorts of things that are either extracted via phishing campaigns or grabbed from those that have been deceased. And those are obviously the more detail that you have as far as date of birth and those sorts of things, country or city of origin and Social Security numbers, the more that’s going to cost you.

Larry: That’s kind of the deep, I want to become a brand new person. What we see more often is, okay, I want to take a trip to Europe, but I don’t want to be identified as myself. So getting fake passports and those sorts of things. Things that you can’t maybe leverage to establish a full new identity long term, but that will pass at the airport and pass and getting into another country so that you can travel anonymously without being caught. That’s typically what we see more often. That’s for sale on the dark web. Now certainly there are entities that are going to sell that kind of deep information, new Social Security numbers, new identity, those sorts of things. But that’s not typically the norm as far as what you’re seeing propagated on the dark web, it’s more of that kind of documents to get you. You’ll buy once or twice through an airport or those sorts of things so that you can again anonymize your traveling activities.

Chris: We have shed some light on the activities, identity trades and cybercrime networks that thrive on the dark web. So what haven’t we hit on? What are some other marketplace services that truly make it a bizarre, bizarre fake Uber points?

Larry: And those are basically just hacked so that they’re not actual Uber points that people have accumulated that are stolen that does exist. Typically, it’s something where they’ve gamed a system able to generate a bunch of fake Uber points or fake airline miles and those sorts of things and installing those so you can leverage those activities at pennies on the dollar. Those sorts of things are very common.

Larry: Run in the mill things are common as well, such as licensing licenses for different software and so forth. Like, for instance, things such as VMware enterprise License. They don’t check into VMware to actually authenticate. You can actually put those into multiple systems and so forth and get away with it. So you capture somebody’s enterprise license for an enterprise implementation of ESXi VMware and so forth, you pay like $50 or something for that. And you can leverage that in your environment, your company, or maybe in your lab, being able to use those expanded features. And functionalities if things as mundane as what we historically have seen, these type of activities just software licensing and cracking to things, as we already mentioned, things as identity information and malware services and so forth.

Chris: Pirated software also runs rampant, reminiscent of the bygone era of peer to peer networks and when services like LimeWire was in their prime. And like back then, hidden within the very code of these pirated applications sold on a dark Web are seeds of viral destruction.

Larry: Of course. Yeah, because that’s typically the very unsophisticated user. They just barely figured out how to boot up that thumb drive. I’m going to get me some free games. And of course, they’re ripe for the picking. So of course there’s going to be a lot of malware in those. That’s low hanging fruit for those trying to get a stranglehold on them and get an infected system or whatever and leverage them for some of their campaigns. So they may not ever extract anything from them from a ransomware standpoint, but they’ll use them in a botnet and so forth for their other paid services.

Chris: Is it worth the risk not only for the buyers, but also for the operators? I mean, look at the takedowns of Alphabay or Dream Market or what led to the ultimate demise of Russ Ulbricht, the mastermind behind the very first illicit marketplace, Silk Road.

Larry: If I remember correctly, it was like an IRS agent that was actually basically doing this in his off time, trying to catch this guy. And basically, just like anyone else, it’s typically where the dark web information intersects with the Clear Web or the normal Web.

Larry: I believe he was doing searches for things such as onion and terms that would typically be related with somebody advertising dark web services on the Clear Web. And he was able to identify, I think it was through a message board, I’d have to look and see. But there was some sort of dark Web information that was available and identified on the World Wide Web, the Clear Web that was able to ultimately tie it back to him.

Larry: And that’s really where everyone gets caught. It’s the social engineering. It’s not the technology of the dark Web itself. It’s the fact that either you got personal information that you’re advertising on the Dark Web or you’ve got information about your Dark Web activities that are available and found out in real life or on the Clear Web and that’s time and time again, it’s going to be, more often than not, social engineering that ultimately is a downfall for these people that’s older than time itself.

Larry: Whether it’s complete a murder or anything or theft or has nothing to do with electronic or the technology whatsoever, you just can’t keep your mouth shut.

Chris: The ultimate self-incriminating method is offering your own words, not to say that surveillance by law enforcement doesn’t exist in some capacity. Earlier you mentioned the Tor browser, and for those that aren’t aware, the Tor browser is based on the Tor network, which is a decentralized network of volunteer operated servers called Tor nodes, or Relays. The Tor network helps users protect their online identity and activity by routing their Internet traffic through a series of encrypted connections.

Chris: Within the Tor network, there are specific types of relays known as exit nodes. These exit nodes are the final nodes in the tour circuit, where the encrypted traffic leaves the tour network and enters the regular Internet. I’d love to hear your thoughts on the concept of exit node monitoring.

Larry: When you talk about our, for instance, like the NSA, they have much more, I guess, visibility into things that you would think. Like, for instance, I have some friends that work for what they call, quote, unquote. These work for the agency, right? The NSA? And they’ve said, things are passing to me like the US. Won’t allow us to export any software that the NSA hasn’t already cracked. And you’re like, really?

Larry: That’s not something that you think is common knowledge and that’s anything from VPN technology encryption that maybe any software company that’s in US based that sells to even our friendlies like the UK or France and so forth. So the essays there’s talk they’re already hip deep in quantum computing and those sorts of things. Way more than that we’re aware of in the mainstream. So yeah, they’ve got a lot of tools at their disposal that are more than I’m aware of.

Larry: They have visibility of those things that we wouldn’t obviously think that they would. And it’s like anything else. If you want to prove yourself, okay, I can do this, and you run one little campaign and then you’re out and you never touch it again, and there’s no evidence in your personal life that you did, it would be no different than, hey, I was able to shoplift that CD or something. Okay, yeah, you were able to do it.

Larry: Good for you. You were a small fish, you didn’t really make any impact, and basically all you did was compromise your morals for the sake of proving it to yourself. It’s the same sort of thing you think about people that watch 2020 Dateline. You’re like, I bet if I totally pick someone at random cross country and murdered somebody, got back and get away with it. But you probably have no desire to do so or any reason to do so.

Larry: Basically, you’re just going down the rabbit hole of being a morally bankrupt person for the sake of, I don’t know, proving a point from the perspective of.

Chris: An everyday user that may become a victim of ransomware that originated from the Dark Web or Ras. Help me understand the protection mechanisms that should be in place.

Larry: As far as ransoware in general, obviously there are various ways from an end user to protect yourself. What people first think of is, of course, backups, because what’s the number one thing that they’re worried about? Okay, my data has been encrypted, I don’t have access to it. How do I get that data back without having to pay the ransom? So one of the obvious answers is, okay, I can restore from backup.

Larry: Typically, what people didn’t think about in the past, or thinking about it more now is, okay, if they had the access to encrypt my data, they probably had the access to exfiltrate that data, take that data, and have ownership of it as well. So on the flip side, or I guess in concert with backups, encryption is key. Encrypting your sensitive data is huge. One, if they are able to gather a data, it’s going to be gibberish to them. They’re not going to be able to leverage that data.

Larry: So you can restore from backup and you can have confidence that data has not been compromised and has not been taken. So, data encryption, talus, we’re an industry leader in data encryption, so obviously that’s something that we promote as far as keeping yourself safe from data theft, but also Talis specifically other companies have specific ransomware protection. A lot of this is behavior based. So an agent, whether it’s tied to antivirus or it’s tied to, in our case to data encryption agent is going to look for the mass access of data. So basically a binary so far trying to encrypt a lot of data. So it’s reading and writing a bunch of data at once, that’s not normal activity.

Larry: So being able to identify that and then stop that, that’s one way that anti ransomware software works. Also there’s behavior and machine learning where it looks for various characteristics of the malicious software as well. So looking at either signatures or more advanced machine learning to identify the binary that’s going to be malicious. And then I guess the third method, this concept of trusted application.

Larry: So this would be in concert with an encryption program. So not only would your users have specific access to encryption keys, tax the data that they’re allowed to, from policy standpoint, they also have enumerated specific applications that are allowed to have access to those encryption keys. So let’s say you have a share that has office documents and so forth. You’re only going to allowed Microsoft office access to those encryption keys.

Larry: So while you’re leveraging it, you seamlessly be able to interact with your data. Something malicious gets installed on your system. It’s not a trusted application, it doesn’t have access to those encryption keys even if it’s leveraging your credentials to access the data.

Chris: Last call, Larry, I just heard last call here at the bar, so I got one more for you. If you opened a cybersecurity themed bar, what would the name be and what would your signature drink be called?

Larry: If it was cybersecurity themed? I think something like the honey Pot. Yeah, honey pot. And then if it’s Honey Pot, maybe you have a Mead based drink.

Chris: Mead has a long history dating back to ancient times and it’s often associated with myths and legends which in a way aligns with the mysterious and elusive nature of the dark web. Thank you Larry, and thank you listeners for joining me at the bar today. If you would like to connect with Larry and you’re on Twitter, Larry_Herzog is his handle or feel free to email him at larryherzog@thalesgroup.com.