How much is your data worth?
Let's start with the deep and dark web, known for its infamous reputation, which encapsulates syndicates of the internet of terrible things (IoTT). The unsurpassed privacy offered by software such as Tor creates an environment where criminals can sell their wares on the dark web without worrying about law enforcement. The Tor network is the world's most popular system for protecting Internet users' anonymity.
You may ask yourself: just how easy is it to obtain someone else's personal information (PI), documents (PII) or account details (PII)?
It's very easy. The most common way to acquire someone's personal information is social engineering, a form of hacking in which you use your social skills to imitate someone and so obtain what you are looking for: their PI and PII.
If you put on the adversary's hat, you would say that packet sniffing is another way to hack account information and credentials over wireless networks. Adversaries capture packets and decrypt information to get data in the form of plain text. Plain text is just how the adversary loves your PI and PII served.
The adversary follows these steps:
- Reconnaissance: This is the first phase, where the adversary tries to collect information about the target, which is you. It may include identifying you as the target and finding out the target's IP address range, network, DNS records, etc.
- Discovery (a.k.a. Scanning): This phase includes the usage of tools like port scanners, network mappers, sweepers, and vulnerability scanners to scan data.
- Gaining Access: In this phase, the hacker designs the blueprint of the target's network with the help of data collected during Reconnaissance and Discovery. The adversary has finished enumerating and scanning the network and now decides that they have some options to gain access to the network.
- Maintaining Access: Once an adversary has gained access, they want to keep that access for future exploitation and attacks. Once the adversary owns the system, they can use it as a base to launch additional attacks.
- Covering Tracks: Before attacking you, the adversary would change their MAC address and run the attacking machine through at least one VPN to help cover their identity. They will not deliver a direct attack or any intrusion technique that would be deemed "noisy".
We managed to obtain insights into the Dark Web's Pricing courtesy of Privacy Affairs:
Why are these insights important?
The data on the dark web market may not provide the average person with useful insights, but what it does provide is a powerful perspective on just how valuable your personal information (PI) and personally identifiable information (PII) really are, and how affordable it is for an adversary to exploit you.
An adversary would use a phishing attack to obtain your Facebook account information with ease; on the dark web that information sells, on average, for R 897,75, based on the 2021 dark web price index. It is imperative to note a slight increase in the trend towards hacking LinkedIn accounts. Please ensure you have 2FA active on your account, together with a strong password that changes every 30 days.
In the world of an adversary, it is a numbers game based on the ample amounts of data available for purchase.
How much are you really getting for providing your personal information like your email address? Really think about it.
There's mayhem going on currently in South Africa before the enforcement date, with the buyers and sellers of our personal information going viral with their direct marketing campaigns. It's so strange that I personally receive marketing from providers that I never gave my explicit authority to. Thanks to POPIA, in synergy with other legislation, power is given back to you the consumer, as companies cannot just do whatever they want with your personal information (PI) and personally identifiable information (PII).
How to safeguard yourself from identity theft, which is one of the key areas of POPIA?
- Avoid the use of public Wi-Fi at your favourite local hangout, as while you're sipping on your favourite coffee you're being phished.
- Check for ATM Skimmers: ATM skimmers are fake card readers and cameras attached to a real ATM. When you put your card into the fake card reader, it can steal your information. Because skimmers can look so realistic, it may not be immediately apparent that a skimmer is there. To protect your card information, start checking an ATM for tampering before you use it. Perform a visual examination and physically test the machine for loose or unusual parts. There is no foolproof way to completely detect a skimmer. With safe ATM habits, however, you can reduce your risk.
- Keep your information private. Avoid giving sensitive information over the phone to anyone, irrespective of whether it is mandatory or not. You need to ensure that you have verified the person you are talking to, as you could just be talking to an adversary using the analogue approach to engage in social engineering.
- Use tools like anti-malware with cyber-attack protection, such as Panda Dome Advanced for home users and SentinelOne Control for businesses, together with a good backup solution such as Iperius Backup. Most importantly, bridge the gap between your cybersecurity solution and your backup solution with NeuShield Data Sentinel Home for home users and NeuShield Data Sentinel Business for businesses.
- Security awareness training is mandatory in the age of the digital revolution for home users and employees. The most sought after security awareness training is to ensure you become Wizer.
- Use good account and password hygiene, as this is the easiest way for an adversary to gain access to your accounts.
- Don't leave your information floating around in cyberspace: delete accounts you no longer use.
- Use a good password manager like Zoho Vault to create that passwordless safety net for you. Just ensure that the device you use has sufficient protection measures like encryption, screen-lock, etc. If you opt for Panda Dome Complete or Premium you automatically get a password manager.
- Ensure your business's website has suitable web security measures, as cybercriminals are using the free R3 SSL (a.k.a. Let's Encrypt) too. One technique for delivering SSL malware is for criminals to use SSL certificates on phishing sites that deliver malicious code to victims' systems while looking like a legitimate website. The hacker will send out a series of fraudulent emails that look like they are coming from reputable sources. If users click on them, they will be directed to websites that look secure because they have free SSL certificates. At that point, the hackers can embed their malware into the encrypted traffic and try to bypass any firewall system that trusts the traffic because the certificate comes from a trusted source. It is important to note that SSL does not guarantee safety. It simply ensures that your requests are encrypted. The actual data being transmitted can still contain dangerous elements, including viruses and other forms of malware. It is extremely difficult for adversaries to get their hands on OV and EV SSL, as these come with strict and rigorous validation before issuance. Don't blame SSL; it may simply be time to upgrade to Organisation Validation (OV) or Extended Validation (EV) SSL to stand out and give visitors true confidence. Sectigo is able to provide you with the best options for OV and EV SSL together with website security too.
- If you are running a huge business with offices around the country or province, you may want to pay careful attention to the power of visibility of all your computing assets, which achieves the following: Simplify Compliance, Prevent Data Breaches, Outpace Cyber Criminals, Reduce Human Risk and Minimize Third-Party Risks, powered by ImmuniWeb Discovery.
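The gap between a free domain-validated (DV) certificate and an OV or EV certificate, discussed in the website security point above, is visible in the certificate's subject fields. The following is an added example, not part of the original article, that classifies a certificate from the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificates, host names and organisation names are constructed, and the subject-field check is a heuristic (the authoritative marker is the certificate-policy OID).

```python
# Added example: classify a certificate as DV, OV or EV from its subject.
# Input uses the dict shape returned by ssl.SSLSocket.getpeercert().
# Heuristic only: the authoritative marker is the certificate-policy OID,
# which getpeercert() does not expose.

EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def flatten(name):
    """Turn getpeercert()'s tuple of RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def validation_level(cert):
    """DV certs carry no organisation; EV certs add registration fields."""
    subject = flatten(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    return "EV" if EV_FIELDS.issubset(subject) else "OV"

def describe(cert):
    """One-line summary: host name, validation level, issuer, vetted owner."""
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    owner = subject.get("organizationName", "no organisation vetted")
    return (f"{subject.get('commonName')}: {validation_level(cert)} "
            f"(issuer {issuer.get('commonName')}; {owner})")

# Constructed sample certificates (names are placeholders, not real sites).
DV_SAMPLE = {
    "subject": ((("commonName", "secure-login.example.test"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
}
OV_SAMPLE = {
    "subject": ((("organizationName", "Example Retail (Pty) Ltd"),),
                (("commonName", "shop.example.test"),)),
    "issuer": ((("commonName", "Example OV CA"),),),
}
EV_SAMPLE = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "ZA"),),
                (("serialNumber", "0000/000000/07"),),
                (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.bank.example.test"),)),
    "issuer": ((("commonName", "Example EV CA"),),),
}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        print(describe(sample))
```

A DV result means only control of the domain was checked, so the padlock alone says nothing about who operates the site.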
In the long run, you will be doing your part in protecting your digital identity and safeguarding your own future.
Disclaimer: This initiative is purely for educational purposes and does not constitute express advice in the cyber solution landscape and I personally disclaim myself from liability based on any reliance on the information in this article and its contents, irrespective of the merit it carries. Effectualness (Pty) Ltd is an authorised partner representing the cyber solutions mentioned in this article.
Avishkar Singh (2021) | Director | Effectualness (Pty) Ltd