No secret is safe on the dark web
Cybercriminals can steal your vital data, but luckily the white hats are on the case
● “Your salary is quite high. You own a property here. You’ve worked at these companies. Would you like another overdraft?”
One minute, 35 seconds.
That’s the time it took for a Sunday Times photographer’s entire life to be brought up on a computer screen.
Everything there is to know about him: employment history, properties he has owned, his wife’s business interests. Everything is available on the internet, if you know where to look.
In October, hackers stole 63 million South African title deeds in what was, until now, the country’s biggest cyberattack in terms of the volume of data taken.
This week that record is believed to have been broken when a group of “black hats”, as criminal hackers are known in the IT industry, announced they had stolen 40 terabytes of data from Liberty Holdings’ e-mail server.
The theft apparently includes thousands of medical records and life insurance policies, and on Friday Liberty admitted the stolen data had not been encrypted.
Dusty Boshoff, a “white hat” hacker who works for an international IT firm and is tasked with securing the company’s data, sat in Centurion and stared at a computer screen filled with columns of data.
“Do you want a UK passport? Hackers will get that for you for à1 500 (about R23 500). Want to melt [a] shopping mall’s ice rink? Operate generators of an industrial manufacturing company?
“All of this is possible because the devices are connected to the internet. This is what black hats look to compromise and what us white hats try to keep secure,” he said.
Boshoff, with fellow white-hat hacker Jacques van Heerden, is among South Africa’s ethical hackers.
Van Heerden scrolled through a forum on the dark web — a clandestine version of the internet where anything is available for sale, including hackers for rent.
White hats, said Boshoff, are employed by multinationals and governments to test the security of IT systems and search for vulnerabilities.
With black-hat operations increasing, their task is immense.
‘Be terrified’
Van Heerden, a cybercrime expert at computer consultants GTSP, said the hack on Liberty Holdings showed the seriousness of the threat.
“South Africans should be terrified.”
For too long people had thought hackers were pimply geeks and schoolkids, he said.
“They are mothers and fathers. IT security experts, who are part of international syndicates, who operate on the dark web.”
Van Heerden said 99% of companies did not realise they had been hacked, with many not realising the value of their data until it was compromised.
“With the Liberty Holdings data, you could potentially cash out policies or cause massive reputation damage by releasing information on people’s health status.”
He warned people against opening an email with an attachment from unknown senders.
“There is an increase in ‘footprinting’,
If fraud is committed because your data is leaked, a consumer would have a claim Janusz Luterek Consumer protection lawyer
where black hats spend years inside a computer system learning how to exploit it before harvesting the data. Once they attack, they move onto other internal systems where they continue to harvest data, building up profiles which they sell off or hold for ransom. “These ransoms, which run into millions of dollars, are paid in untraceable cryptocurrencies,” he said.
South Africa has a sophisticated core group of black hats who operate globally.
After the hack, Liberty CEO David Munro said data was usually encrypted only if it was to be shared with external parties.
“In this case it would have been difficult to encrypt information inside the organisation because there’s so much information going around. The data that was stolen is largely unstructured [not indexed].”
He said Liberty would take all necessary remedial actions once the company’s internal investigation was completed.
Munro, who said the stolen data was “largely e-mail and attachments”, refused to quantify the size or value of the stolen data.
He assured customers the company’s IT infrastructure was secure and that IT specialists had identified and addressed specific vulnerabilities.
He maintained that Liberty had not paid the hackers’ ransom demands.
Suffered harm
Consumer protection lawyer Janusz Luterek said South Africa’s legal system meant consumers have to show they have suffered harm if they want to claim damages from a company.
“If fraud is committed because your data is leaked, a consumer would have a claim.
“The questions which need to be answered was how unreasonable was it for Liberty not to encrypt its internal e-mails, how easy was it for someone from outside the company to get to this unencrypted data, and what sort of data protection did Liberty have in place to prevent this from happening?”