There are a lot of questionable practices online, and this week we saw a discussion on the ethics of one of the most controversial: buying stolen data. Facebook recently announced that it has been buying its users’ stolen credentials on the dark web in an effort to improve security. While some hail the move as innovative and proactive, others argue it encourages the theft of data and strengthens the market for stolen credentials. Meanwhile, a handful of netizens were served prison sentences, and over 400 million accounts were exposed in a breach of Adult FriendFinder.
Facebook Buying Credentials
At a conference in Lisbon last week, Facebook’s Chief Security Officer, Alex Stamos, revealed – rather casually – that the social media giant peruses dark web marketplaces, buying stolen credentials in an effort to improve security.
Facebook, like most companies with sound security practices, doesn’t store its users’ passwords in plaintext. Instead, it stores hashes of users’ passwords. Hashes are produced by one-way cryptographic functions: it is extremely difficult, and often infeasible in practice, to recover the original text when given only the hash.
What does this have to do with their latest dark-web dealings? When Facebook buys lists of logins from dark web vendors, they take those passwords and hash them in the same manner the site does when someone logs in. If the hash generated from the stolen data matches the hash in Facebook’s database for that user, then Facebook knows that user is at risk of being compromised.
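The matching step described above, as an added illustration that is not Facebook's code and does not reflect Facebook's actual hashing scheme: a site keeps only a per-user salt and a PBKDF2 hash (the function, iteration count and salt length are assumptions for the demo), and a checker re-hashes each plaintext from a purchased or leaked credential list with that user's stored salt and compares the result to the stored hash. The credential list below is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Hypothetical site settings for this demo. A production site would prefer a
# memory-hard function such as scrypt or Argon2; PBKDF2 keeps the demo
# dependency-free.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_LEN = 16

UserStore = Dict[str, Dict[str, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of a password with a per-user salt."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def register(store: UserStore, username: str, password: str) -> None:
    """Store only salt + hash; the plaintext password is never persisted."""
    salt = os.urandom(SALT_LEN)
    store[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(store: UserStore, username: str, candidate: str) -> bool:
    """The same check the login form performs: hash the candidate with the
    user's salt and compare to the stored hash in constant time."""
    record = store.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def find_at_risk_users(store: UserStore, leaked: List[Tuple[str, str]]) -> List[str]:
    """Given (username, plaintext password) pairs from a leak, return the users
    whose current password on this site equals the leaked one. Because each
    user has a different salt, the leaked plaintext must be re-hashed per user;
    the stored hashes themselves are never reversed."""
    at_risk: List[str] = []
    for username, leaked_password in leaked:
        if verify(store, username, leaked_password) and username not in at_risk:
            at_risk.append(username)
    return at_risk


def build_demo_store() -> UserStore:
    """Constructed accounts for the demo."""
    store: UserStore = {}
    register(store, "alice", "12345")
    register(store, "bob", "correct horse battery staple")
    register(store, "carol", "hunter2")
    return store


# Constructed sample of a leaked credential list from some other site.
LEAKED_CREDENTIALS = [
    ("alice", "12345"),    # weak password reused here: match
    ("bob", "bob1990"),    # bob's password elsewhere, not reused here: no match
    ("carol", "hunter2"),  # reused here: match
    ("dave", "letmein"),   # no such account on this site: ignored
]

if __name__ == "__main__":
    demo_store = build_demo_store()
    print(find_at_risk_users(demo_store, LEAKED_CREDENTIALS))  # ['alice', 'carol']
```

The users the checker returns are exactly the ones the site would warn and prompt to change their password; a user whose leaked password differs from the one on this site is not flagged, and nothing in the process requires reversing a stored hash.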
Not surprisingly, this overwhelmingly affects Facebook users with weak and common passwords, and especially those who reuse those passwords across different sites and services. Facebook has since alerted millions of its users that their accounts have been compromised, encouraging them to craft stronger and more unique passwords for their accounts.
And although some may applaud this as an innovative effort to make security proactive, others are concerned about a dangerous precedent of paying cybercriminals, trafficking in stolen information, and fueling the market for compromised data.
In reality, data will always be at risk, and hackers will continue to grab the low-hanging fruit that are weak passwords. But perhaps buying the data outright isn’t the best solution, either, especially given the archives of credentials that are regularly leaked to the public. The cause may be noble, but it remains unsettling that the revenue could be used for even more harmful attacks.
Going Directly to Jail and Paying $50
Many dark web users turn to Tor for anonymity. Because of that veil of anonymity, users believe they are less likely to be caught for criminal actions. Many people continue to get away with these activities, but a few people this week were not so lucky:
A 17-year-old confessed to hacking UK ISP TalkTalk to impress his friends. He compromised 150,000 customer accounts and pleaded guilty to seven charges under the Computer Misuse Act.
A man who went to jail for 3 years after causing £27 million in losses in 2012 is now going back behind bars because he failed to declare a laptop that was gifted to him in Dubai, as he was required to do under the UK’s Serious Crime Prevention Orders.
A German man received 22 months in prison for making 16 drug purchases on the dark web in 2013. The prosecution alleged that all purchases were of significant quantity and wanted him charged with drug trafficking. The defense, however, demonstrated that the size of the packages and money spent on purchases did not necessarily result in a large volume of drugs - at least, not a large enough volume to warrant trafficking charges.
Two men were also arrested in Romania for buying 50 grams of amphetamine on the dark web from the Netherlands. The men had the package shipped to the address of an acquaintance who gave his permission after being convinced the package would only contain phone parts.
Zachary Ruiz, or “Mr. Mouse,” received a sentence of 4 years in prison and 3 years of probation for counterfeiting and conspiracy in Las Vegas.
One more thing: Criminals Find Friends Through FriendFinder
This week, 412 million accounts were exposed in a breach of the FriendFinder network of sites. Nearly 340 million accounts were stolen from AdultFriendFinder alone, while 62 million were stolen from Cams.com, and 7 million were taken from Penthouse.com. Much of the sites’ information was stored in plaintext, meaning anyone who gained access to the database could read the passwords directly, with no cracking or decryption required. Among the stolen accounts were previously deleted accounts and many accounts with the password “12345.”