Monday, February 24, 2020

Qualified lead, or outright fraud. When journalists help push snake oils and magic dust.

Journalists look for good stories.....  and sometimes someone serves them one that is too good to be true.  But a journalist isn't a security expert, so if the speech is really good, they too fall victim and inadvertently help market something they shouldn't.

Nothing gets me out of bed faster then receiving a message about an article showing a journalist falling for a manipulative marketing trick and actually become part of the unjustified hype machine that promotes unethical services. 

Well, ok... that's not exactly true... I can think of a few things that would get me up in the morning, but I digress.

All joking aside, this subject is so important, that I felt compelled to produce a video in both French and English to address the subject with my clients.

Their are hundreds of sites offering DarkWeb monitoring...

In fact, as I teach in various Universities and Colleges, I made it a mission to give an entire class on this subject over the last few months.


Just to be clear, this is about cybersecurity and lacking morals, willing to do anything to get business, not sales, but let me open with this.

Qualified leads.   The bread and butter of a heathy sales cycle.

What if we could find a way to drive customers directly into our sales pipeline....

Well, many companies are doing this today with the help of cool and frightening cybersecurity term that you may have heard.   "SEARCH THE DARK WEB".

So here is the problem with that.

Marketing and security do not play well together.  If your motivation is to sell something, chances are security is a secondary objective.

What if someone told you they could check out your health at the click of a button, and come back and tell you they found nothing wrong with you.  Or worst, they found two things wrong with you, and you can correct them with the "doctors" help.

You would feel great.  Thank goodness someone was nice enough to help me identify these two things so I could handle them.  

Well, the problem is, that "doctor" didn't actually check much of anything compared to what you perceive.  After all, are you qualified to know if that doctor did a good job.  Or even did anything qualified for that matter.


Searching the dark web and telling you if you have been breached so you can sleep well at night is as close to fraud as you can get unless it is clearly explained to you that the chances of finding your data is slim, and that you are mostly looking for passwords, not actual corporate data.

It isn't that you cannot find things on the dark web, it is that you cannot find your things on the dark web with any level of certainty.

Let me explain with a visual diagram, take a good look at these three tiers:

So lets break this down into logical and comparable pieces.

PART 1:  Surface web

The surface web is you everyday Google searchable results.  Compare that to a published catalog or menu of items.

If someone is selling your data on the surface web, you MAY find it by crafting a good search query in google.  It still remains unlikely to find it, because the internet is endless, but it is certainly possible.

Sites like PASTBIN are common grounds to at least start the exchange of data by providing samples, and an email to start the trade.

So lets compare this to visiting every bar in the world, sitting at every table, and asking every shady individual if they are selling your data.

Not impossible because of tools like google, but still a challenge.

PART 2:  Deep web

This is still on the regular public internet, but, it requires a user account to log in.  So imagine we compare this to visiting a bar again, well, this time, you have to find the right bar, AND when you sit at the table to chat, they have to know you, trust you, and decide they want to share information with you.  

Now some of these bars are listed in the phone book, and some aren't and you have to get a referral to find them. 

This is where it becomes IMPOSSIBLE to guarantee that a service can tell you if your data has been exposed.  So when marketing folks tell you that you can sleep tight, they have clearly committed an ethical fraud.   

PART 3:  Dark web

This is the funniest one.  Everyone uses this term to inspire fear and misunderstanding.  History has shown us many times how fear can be used to sell snake oils, and magical cures, and this is no different.

The dark web is an isolated network.

The dark web is similar to the deep web, some listings exists, but all the good stuff is not listed.  That is the point of the dark web.  So not only do you not know all the addresses for these bars you want to visit, but you most definitely need an invite to get into the good stuff.

Bottomline, it remains an impossible objective to infiltrate even a small number of actual dark web ecosystems that would yield results.

The best you could do, is manually navigate SilkRoad3 (the eBay of the darkweb) and maybe get lucky.  But this is not where the REAL exchanges of sensitive information takes place.

PART 4:  Cyber criminals
Yes folks, there is a part four......  The fact is, your information might be out in the criminal world and NEVER touch any of these "sites".  

You see, cybercriminals are smarter than you think.  If they have valuable information, they hang on to it, they share information behind closed doors, and they may never leak the information because of an espionnage golden rule.

"A tactic known is a tactic blown".  Your information looses value quickly once it is known.   Lets face it, once a data breach is published, people normally change their passwords.

So lets go back to these "services" that will allow you to sleep good at night because they checked the "Dark Web" cough cough for you.

Surely you have heard of these emails people get, that tells them their computer has been hacked and shows them a password they are familiar with.  They then ask you to pay a ransom in bitcoins or they will publish videos recorded from your laptops camera.  Now I have had people call me in a panic that didn't even have a built in camera on their computer.  So these tactics work.

These passwords are taken from LEAKED password databases.

There are tons of these sites.  RAIDFORUMS is one.  Several terabytes of leaked data.

But, you can also check for yourself for free at HAVE I BEEN PAWNED to see if your email address or domain name has been exposed in the past.

So just like these fraudulent emails, these "services" that claim to check the dark web only check the most basic of elements.... leaked password databases.

Now... how do you test this.

Well, it is actually quite simple:
  • You create a leak of false data representing a new and fictitious enterprise.
  • You insert it into several EASY places found on the Internet
  • You insert it into several known, but closed forums
  • You insert it into Silkroad3 (the darkweb market place)
  • You insert it into one or two REAL underground sites

And then you test the service.

You know what will come up.


And if you read the disclaimer on these services you are subscribing to, the legal wording makes it clear that you have no guarantees and it may become clear that they are not catching much.  I have read a dozen disclaimers from carious sites, and non of them made me feel good about the service.

So it's a great way to drive the uneducated and unqualified to your sales pipeline.  Great way to sell them something else after you have established a relationship.   But for many qualified security professional, this is unethical and immoral since the client perceives that their are somehow protected.

Lately, some articles have been published that in Quebec alone we have over 17,000 security resources.

No, we have less than a 1,000 in my view, and less then 100 in the highly qualified portion.  

This type of marketing proves that point.

Security is about maturity and about perception.  The fact that you add the word security in your marketing literature does not make you a valued security partner.

A false sense of security is what resulted in the sinking of a 46,328 ton vessel called the Titanic.

Now, to the journalists and websites that cover these less then ideal services and push referrals to them and actually help these snake oil salesmen sell more magic dust, please... please... validate your stories with vetted security professionals and make sure to explain the limits of these services.


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...