Sage Advice - Cybersecurity Blog

Dispatches from the Dark Side of the ‘Net

tour-of-the-dark-web.jpgFor a brisk morning tour of Tor, darknets, and dark marketplaces, attendees of the 2017 CyberCrime Symposium couldn’t have asked for a more entertaining, informative guide than Neil Wyler. Grifter, as he’s known in the security community, launched his impressive career at age 11, when he began hacking computer systems. Eventually, he switched sides. Currently a threat hunting and incident response specialist at RSA Security, he’s been running technical operations for the Black Hat Security Briefings for 15 years, and serves as a senior staff member for DEF CON.

Warning audience members to buckle up, Wyler outlined some things they could expect to see and hear during his breakfast keynote, Touring the Dark Side of the Internet. “We're going to talk about drugs, murder for hire, hacking, hacktivism, porn, and money-laundering,” he said, further promising to show them where to find related activity, wares, and services.

Beyond providing a live glimpse into the dark side of supply-and-demand dynamics, Wyler used his presentation to point out legitimate business reasons for traversing dark markets and learning how underground groups operate. Anyone charged with staying abreast of cybercrime activity to protect their organization or customers stands to benefit from familiarizing themselves with criminal hotspots, products and services, and bitcoin usage.

“It’s phenomenally interesting to get on hacker forums and see what they’re discussing, the exploits they’re selling, the kits available,” said Wyler. Take Hell, a fairly well-known hacker forum. Hell, according to Wyler, was the upload destination for Adult Friend Finder’s hacked database — containing personal information from 340 million user accounts — where it was available for months before company officials even knew they’d been breached. To mitigate the potential damage from similar attacks, security teams can search forums for any mention of their organization’s name and other targeted keywords. While this can lead to some unpleasant discoveries, Wyler said, it’s better than “having your data sit there for several months before you find out about it through some third party.”

Some other tour takeaways and recommendations:

Taking to Tor.

It’s not difficult for new users to start using the Tor (The Onion Router) network, a series of volunteer-run servers that work to anonymize Internet traffic. They can download Tor software as an executable. Once they connect, they can open the Tor browser and head to check.tor.project[.]org to see if they’ve correctly configured their Tor client.

Choosing Tails.

If they don’t want to take any configuration chances, users can make Linux-based Tails their operating system of choice for Tor-related activity. “If you’re booting into Tails, you’re using Tor,” said Wyler. “It forces all traffic through Tor, so you don’t have to worry whether you configured things correctly.” Wyler demonstrated a Tails boot using his “dark net machine,” a device with a bootable optical drive dedicated to “super-secret squirrel stuff.”

Visiting the virtual Wild West.

Tor is inherently slow and finding specific hidden services is hard. “Hidden services go up and come down like a yo-yo,” Wyler said. Sites running for years will suddenly disappear — for months or forever. “It’s the Wild West. You get on there and do whatever you can.”

Jumping off.

One resource Wyler recommends for helping users find these services is the “hidden wiki,” which provides [.]onion links to dark web “introduction points.” These include anonymous search engines such as Torch Not Evil, Duck Duck Go, and Grams, the “Google of dark markets.”

Showing some skin.

The Hell hacker forum, like some other underground forums and marketplaces, requires registrants to make a small bitcoin investment. It’s an attempt to ensure all users have at least a little skin in the game. No bitcoin, no registration, and therefore, no exploration.

Selling cybercrime.

Among the diverse products and services on dark nets is a thriving cybercrime-as-a-service marketplace, which offers a range of straightforward and more-sophisticated services to any buyer, often for little money. There’s also a lot of cybercrime bounty for sale — stolen credit cards, verified credential for accounts of every kind, and Fullz packages, datasets on individuals containing names, birthdates, social security numbers, addresses, credit card numbers, and account credentials.  

Learn more about Cybercrime-as-a-Service, in another blog post in our CyberCrime Symposium series, Cybercrime-as-a-Service... Can You Spot the Cybercriminal?

Practicing safe shenanigans.

Basic security best practices, coupled with a twist or two, go a long way toward safe dark net use. Among those cited by Wyler:  

  • Keep software updated;
  • Leverage browser segregation;
  • Don’t reuse identities or passwords;
  • Use temporary, disposable email addresses available through providers like Guerilla Mail or SharkLasers; and
  • Run VMs or use dedicated devices for all “dark net shenanigans.”

This is the third post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!

Go to the entire series >>


Don't allow a cybersecurity attack to bring your business to a halt. Early threat detection and indicators of compromise are essential pieces to an effective and efficient response effort. Ensure business continuity in the face of a rapidly evolving and dynamic threat environment with Tyler Detect.

 Learn More

Topics: CyberCrime Symposium, Cyber Crime


The Sage Cybersecurity Lifecycle

The Sage Data Security Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More