Some lawyers—mostly family and criminal defense lawyers—know at least a little about the Deep Web and the Dark Web. Data-breach lawyers know something about the Dark Web too, especially since that’s where a lot of the breached data ends up for sale. But the average lawyer? Not so much. In fact, after the Ashley Madison breach, a lot of family law colleagues began asking us questions about the Deep Web and the Dark Web—where the full steamy contents of the Ashley Madison breach were published in many places. Most had no clue that there was any distinction between the Deep Web and the Dark Web.
So what is the Deep Web? Think of the Web we search (via Google or other search engines) as an iceberg. Conventional browsers index only about 4 percent of the Web—that’s the top of the iceberg. Everything beneath the waters is the Deep Web—96% of Internet content. That content is deliberately kept away from conventional search engines, via encryption, routing through relay points and masked IP addresses – and accessible only by special web browsers.
Much of the Deep Web is perfectly legitimate. Many privacy advocates are there, wishing to operate without being tracked. Journalists are often there, generally concerned about government prying. You can also find whistleblowing sites. Some of it is also dynamically generated web pages (like your Gmail account) or forums that require registration.
We’re not sure how much of the Deep Web is also the Dark Web, though experts say it is a small percentage. The Dark Web contains the seamy places where drugs and guns are sold, human trafficking occurs, criminals offer their services for hire, stolen credit card numbers are sold, hackers and cybercriminals operate, and child porn is viewed, distributed and sold. And those are only some of the activities on the Dark Web.
Most people, if they know the Dark Web at all, know it because of the black-market website called Silk Road—which was shut down twice by the FBI in 2013 and 2014. Silk Road’s founder, Ross Ulbricht, was convicted of a number of crimes, including several attempted murders-for-hire.
Welcome to Onionland
Sometimes, the Dark Web is known as the Darknet. By whatever name you use, it is accessed via Tor (The Onion Router), Freenet or I2P (Invisible Internet Project), all of which use masked IP addresses to allow users and website owners to operate anonymously. In common parlance, when you use Tor, you are in Onionland.
Most lawyers are amazed when we tell them that Tor was originally funded by the U.S. Department of Defense. While it is now a 501(c)(3) U.S. nonprofit organization dedicated to research, development and education about online anonymity and privacy run by volunteers, it is funded in part by the U.S. government and the National Science Foundation. Tor has even begun to solicit donations directly from its site.
Why would the U.S. government support it? Because it is part of the State Department’s Internet freedom agenda, allowing people in repressive countries to have access to data censored by their governments. Even Facebook has a version of its site on the Deep Web to make it easier to use in countries that restrict Facebook, such as China and Iran.
We spend some time there because of our digital forensics work as criminal defense expert witnesses. And recently, we’ve helped family law colleagues ferret out some of the Ashley Madison evidence.
Make no mistake about it—the family law grapevine is rife with stories about snaring clients since the Ashley Madison breach. And as many conventional sites began to remove Ashley Madison information upon request, or to report the information only in part, the lawyers surged to Tor to find more evidence in their cases.
Should the average lawyer jump into the waters of the Deep Web? Most should not. It is not a place for the technically inept or those not familiar with the perils and potholes along the way. Onionland is not a point-and-click world. You have to make sure you that your configuration settings ensure you remain anonymous. It’s also a place to be extremely cautious, as there is little policing of software downloads and services.
Finding Lawyers We Knew
To start with our Ashley Madison analysis, we had to obtain a copy of the data that was breached from the site. It was fairly easy to find multiple sources that claimed to have copies of the compromised data. After some careful research, we selected what appeared to be the most reliable source, but you can never be sure on the Deep Web. We connected a pristine computer (only base Windows, antivirus, BitTorrent client and Tor browser) to the Deep Web to download the data. The data was contained in several compressed files.
After downloading the files, we ended up with approximately 30 GB of usable data to review. Other downloads reported distributing close to 100 GB of Ashley Madison data. Before doing any analysis, the data was scanned for content and the potential presence of malware. Fortunately, the data was malware free and could be imported into a SQL database for analysis and manipulation.
This is the same process we assume many others performed in order to divulge the contents of the breached data. What did we learn? After sorting by zip code, we learned that the data about several local lawyers we know was contained in the database. We also learned that a surprisingly large (vast majority) number of users gave their real names and credit card data. It would have been far smarter to use a fake name and a pre-paid debit card, but that was the exception.
We also learned that Ashley Madison did not protect the data with a very strong encryption mechanism. As a result of a programming error, hobbyist crackers were able to uncover more than 15 million Ashley Madison account passcodes. Not a surprise, but the most common passwords included some of the same old insecure passwords revealed from other studies. The top 10 revealed passwords were:
It’s pretty crazy that Ashley Madison didn’t have some sort of enforcement for strong passwords. As many readers should know, our current recommendation for passwords is 14 characters or more, containing upper case, lower case, at least one number and one symbol. Each password should also be unique for every system you need to authenticate to. This means that we are now in an age where password managers are a requirement. We could write an entire article about passwords and password managers, but we’ll save that for another time.
Since we find questions about the Deep Web and the Dark Web popping up frequently in our recent presentations, we thought a small primer would be timely. Happy travels in Onionland – just be careful which streets you walk down!
About the Authors
Sharon D. Nelson and John W. Simek are the president and vice president of Sensei Enterprises, Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA.