Wednesday, July 7, 2021

Darknet Diaries: Valuable Lessons from a Cyber Security Podcast

In the past few years, podcasts have come to dominate my personal media consumption, and I am far from alone: as of 2021, 57% of Americans have listened to a podcast and about 28% listen to podcasts weekly. As a person who is perpetually trying to do too many things at the same time, podcasts are appealing because I can listen to them while commuting, exercising, or working around the house.

I am particularly fascinated by podcasts that feature experts in a complicated topic discussing that topic and their experiences. I find that these podcasts are often a great way to both learn about a topic and hear from a variety of people with different experiences. One of my favorite podcasts in this area is Darknet Diaries, a podcast created by Jack Rhysider, that covers a variety of cybercrime and Internet topics, and often features fascinating interviews with hackers and security professionals.

More than just covering the titular “darknet,” each episode of the podcast contains valuable lessons even for those of us who stick to the surface web. For example, in one recent episode titled “The LinkedIn Incident,” Rhysider covered the 2012 LinkedIn hack that eventually resulted in the posting of 117 million user details to the public. The hacker got access to LinkedIn’s user information by using publicly available information such as social media to identify a site engineer at LinkedIn, locate that engineer’s personal website, trace information from that site to the engineer’s IP address, and find a doorway into that engineer’s personal computer that the engineer used to do remote work for LinkedIn. From there, the hacker was able to use the user information in LinkedIn’s database to also access data from Dropbox and Formspring, likely because some LinkedIn users who worked at those other tech companies were re-using their passwords across multiple sites. 

The use of social media information is a common theme in these episodes. This sort of public information can be used in connection with a type of “social engineering,” a phrase used in information and cyber security to essentially mean using deception to “hack” people and convince them to give up private information. Its uses range from gaining access to individuals and their computers and entering physical buildings to convincing people to give out sensitive information such as PINs over the phone or forming relationships with potential whistleblowers.

It is always interesting to hear how the human factor is often the weakest part of a business from a cyber security perspective. While many of the stories on this podcast center on large businesses, this lesson is just as true for entrepreneurs. No matter how secure a computer system — or even a physical building — is in terms of technology systems, the humans operating those systems also need to be trained to be cautious and protect business information themselves. 

Another astonishing theme of Darknet Diaries episodes is the use of weak passwords and the re-use of the same password across multiple platforms. For example, Rhysider reports in “The LinkedIn Incident”:

The most common [password used by LinkedIn users in 2012] was simply ‘123456’. Over 700,000 users had used this password because yes, LinkedIn’s minimum password length was six characters at the time. The next most popular password was ‘LinkedIn’, then the password ‘password’, then ‘123456789’, then ‘12345678’, then ‘111111’. 

The episode “RockYou” contains a longer discussion of commonly-used passwords compiled from millions of breached account details — highlights include “12345,” “Password1,” “I love you,” personal names such as “Nicole” or “Daniel,” and more.

Not only are these passwords relatively easy to guess, but many people also re-use passwords across multiple sites, so the leak of an individual’s password from one site, such as LinkedIn, could also give a hacker access to a variety of other accounts. For example, Donald Trump’s 2012 LinkedIn account password was contained in the leaked LinkedIn database, and this same password was used to access Donald Trump’s Twitter account in 2016.

Other vulnerabilities in a computer system can be fixed as easily as making sure to download the latest software updates and patches. One particularly fascinating episode noted that a computer worm relying on a vulnerability in Windows that was addressed and patched back in 2008 is estimated to still be present on about 400,000 computers. Another episode about vulnerabilities in internet routers noted that three and a half years after patching an issue with Asus routers, thousands of people hadn’t installed the update to fix the issue. Updating critical technology such as computers, phones, routers, and printers is a simple step that anyone can take to keep both personal and business systems more secure.

Although the topics discussed on this podcast are often complicated and very technical, frequently the source of an issue comes down to something that is quite easy for a user to fix: create complex passwords, don’t re-use passwords, keep your computers updated, and exercise caution both online and offline.

These considerations are particularly important for entrepreneurs building businesses, as they become responsible not only for their own security but also for the security of their business and for developing policies to ensure that employees are equally vigilant.

