When the topic of the deep or dark web comes up, it is hard not to picture Hollywood’s ‘The Matrix.’ In fact, I specifically picture the scene where Morpheus offers Neo his choice of either the blue pill, giving him a path back to his everyday life, or the red pill, and an opportunity to play Alice in Wonderland and see how deep the rabbit hole truly goes.
In our case, we aren’t entering a Hollywood framed, virtual environment like the Matrix, but instead we have our own version in the World Wide Web. A place we all visit on a daily basis. But the truth is that the web is vaster than most can imagine. To put some perspective on it, the previous CEO of Google estimates that the Google search engine has indexed only 0.004% of the web. In other words, if the entirety of the web was a dollar, Google wouldn’t even have half of a penny.
These areas of the internet that have not been indexed are called the Deep Web. A search engine like Google, searches and indexes websites through links, and these links are utilized to rank search results according to relevancy, inbound links, and keywords. The best example I have heard is this (article): “If you wanted to search a public library catalog to find a book, you couldn’t type the title into your browser’s search bar and expect Google to return a meaningful result for you library. Instead, you would have to go to the library’s website and use a search bar inside the website to locate this data on the library’s [internal, but internet facing] servers.” This data is stored within the deep web. More to the point, we utilize the deep web every day when we access our online bank accounts, social media accounts, medical record accounts, personal email accounts, etc.
The Dark Web exists within the deep web. In fact my high school Geometry teacher would liken it to the phrase, “all squares (Dark Web) are rectangles (Deep Web), but not all rectangles are squares.” A Dark Web, or Darknet, is most commonly thought of as a large, secured network that utilize the internet, but requires specific software, configurations, or authorizations to access.
The most well-known darknet is Tor, which is shorthand for The Onion Routing Project – a 1995 naval research project to secure naval communications. The onion routing concept is a unique method of routing data packets into, out of, and within a network that utilizes a layered, defense in depth approach. (Yes, the same phrase you have no doubt heard from your auditors regarding the implementation of internal and technological controls.) Users remain anonymous as user data is sent through many routers, and at each router a new layer of encryption is applied. The data is only decrypted when it exits the network. Dark website addresses that are hosted within Tor servers end with a .onion domain.
The Dark Web is filled to the brim with content, some of which is perfectly benign and legal, but a solid portion is malicious or illegal in nature. Somethings commonly found include:
- Cryptocurrency Services – While most services are perfectly legit, many times these services are offered with the intent of laundering money.
- Various Markets – Mediate anonymous legal transactions like financing services, but also market places for illegal drugs, services like hacking and fraud, software exploits, weapons, etc.
- Social Media Platforms – The most common of which is Blackbook, a legit Dark Web counter to Facebook.
- Hosting of certain other sites connected with terrorism, illegal pornography, or other illicit activities.
What can we glean from this? The Dark Web has plenty of useful data and services, but it also shows us the extent to which attackers may go to protect themselves from discovery.
About the Author
Brad graduated from Indiana University of Pennsylvania in 2014 with Bachelor’s Degrees in Accounting and Management Information Systems. He joined YHB that same year and has since split his time between both the Bank team and the Risk Advisory Services team completing external and internal financial audits, SOX consulting services, and IT related audit and consulting services. Brad became a Certified Information Systems Auditor in early 2019.