Jan 23
Originally posted October 10, 2017
How the U.S. government helps hackers
When you email or visit a website, your computer leaves behind a calling card in the form of its IP address. Short for “Internet Protocol,” the IP address helps devices locate and recognize each other, thus speeding communication.
People, too, can identify senders and visitors by an IP address. This can be rather inconvenient if you happen to be a cyber spy, assuming you don’t want the people you’re spying on to know that you’re spying on them, much less who you are or where your kids go to school.
So, the United States Navy set to work on a browser that would make it impossible to trace IP addresses. The result was the TOR browser, “TOR” being an acronym for The Onion Router.
I’d hoped its name derived from the news-satire site, but a little research revealed that the “Onion” part refers to multiple layers the browser employs to mask user identities.
The Navy released TOR for general use in 2002. It soon became apparent that TOR, like any technology, can be used for good and not-so-good purposes.
On the good side, you can use TOR to reduce your chances of being hacked, frustrate any designs Big Brother may have on monitoring your online activity, or, if you’re writing a crime novel, research topics like, say, how to defeat a burglar alarm or get away with murder without fear of landing on a watch list.
On the not-so-good side, TOR enables a secret online world known as the dark web and allows it to flourish. The dark web happens to be a fairly safe environment for conducting illegal activities. It should come as no surprise that myriad criminals use it for exactly that purpose. Stolen identities with account numbers, healthcare information, firearms, drugs, fraud, and prostitution—and worse—are all freely traded on the dark web.
We’re not talking small potatoes here. There are flagrantly illegal dark web operations that have grown so large that they offer guarantees, publish user reviews, and maintain 24-hour help lines.
More reason to educate clients on the basics of online safety
For the financial services industry, stolen identities with account numbers are the tip of the dark iceberg. Writing for Verafin a little over a year ago, financial crimes research specialist Denise Hutchings reported that a wealth of personal information belonging to U.S. Bank clients—including “usernames, passwords, physical addresses, email addresses, phone numbers and bank account numbers”—had been made readily available to dark web shoppers.
Since digital payments are traceable to bank accounts, you might think that making a purchase over the dark web would immediately reveal your identity. Perhaps it would, were it not for cybercurrency, which, like the dark web, is largely untraceable. The recent advent of Bitcoin provided the final component that criminals needed to make the dark web safe and profitable for illicit purposes.
Given the extent of the dark web’s dark side, you might wonder why the Navy opened up TOR for general use in the first place. And, since the dark web does not fund itself with the likes of pay-per-click, ad revenues, and retargeting, you might wonder why, as reported in The Guardian, TOR receives about 60% of its funding from the U.S. State Department and Department of Defense.
To answer both questions, consider TOR’s original objective: to let cyber spies spy without fear of detection. If TOR were available only to U.S. government employees, it would be pretty obvious that anyone not leaving an IP address worked for the U.S. government. Cyber spies can pass for anyone only if you let anyone use TOR.
And anyone does. As of this writing, TOR has nearly 3 million users. I want to emphasize that not all TOR users are bad guys. It has its legitimate uses. Its illicit uses, however, leave the U.S. government in an interesting predicament. It needs TOR to remain anonymous in order to keep undercover agents under cover; but the government doesn’t like enabling criminals, much less picking up most of their tab. So, the government asked TOR’s developers to create a secret way in, a request that was wisely refused. TOR works precisely because there is no secret way in; were one developed, it would sooner or later find its way to the wrong people.
Inevitably, businesses whose raison d’être is to crack the dark web are now flourishing.
Legit uses aside, it behooves financial institutions to beware the illegitimate ones. Warning clients about potential harm can make for good policy provided it doesn’t err on the side of sowing paranoia. It might also be a good idea to check for the TOR browser on company devices. It’s one thing to use TOR at home. Unless there’s a job-related need for anonymous activity, an employee who downloads TOR onto company property may be up to no good.