OWL, that’s who, holds stolen data
Nine hundred Visa and MasterCard numbers flash on a wall, projected from Mark Turnage’s laptop. All were stolen and all were for sale on the mysterious dark web.
But Turnage isn’t selling them. His team at OWL Cybersecurity in Denver built a searchable database that constantly scrapes this online underworld where illegal data is shared or sold before it vanishes — from credit card numbers and health records to child pornography, drugs and weapons. Banks, retailers and other clients can search for familiar data that might indicate their own computer networks were hacked.
“You can go on (a special) browser to do some searching. But the problem is that it searches a very limited number of sites and only sites that are there that day. If your data was stolen or compromised 30 days ago and sold, you wouldn’t find it today,” Turnage said. “Not only do we provide safe access to the dark net and the data for our clients, we also provide an archival look back.”
Remember when cyberthieves swiped millions of Target’s customer credit card numbers in 2013? Or last year’s attack on health insurer Anthem, which impacted the health care records of 80 million Americans? Or even last month’s admission by Yahoo that a half billion customer e-mail accounts were hacked? The dark web is where such data ends up and sold to the highest bidder. And a growing number of companies, such as OWL, are finding new ways to gather intelligence on the dark web to prevent future cybermayhem.
The dark web, also called the darknet, are websites that aren’t visible to typical internet users. It’s not the same as the deep web,
or websites purposely hidden for noncriminal intentions, such as Dropbox files or the unpublished stories of The Denver Post.
Darknet activity tends to be surreptitious, though not always. It’s also become a place for people to trade hacking tips and communicate with others in the digital underworld.
“It’s a community. They have their own equivalent of Facebook,” said Dan Likarish, an associate professor at Regis University and director of its Center on Information Assurance Studies. But, he added, “there is no romance about what goes on in the darknet. There are all different types of organizations but they’re all criminal. There are no heroes out there.”
One can see these sites with special tools, like the TOR browser, which anonymizes a person’s online activity, encrypts the connection and moves between TOR servers around the world. But to find darknet sites, one needs to know where to look and then somehow gain entry.
“You have to know somebody to be introduced in that world,” Likarish said. “It’s a very private world.”
There are some do-gooders in the world. Troy Hunt, a Microsoft regional director and security professional, runs HaveIBeenPwned.com, which lets people type in their e-mail address to see if their account is compromised. Hunt estimates there are 1 billion unique e-mail addresses in the database.
“Breached data is often the gateway into other accounts,” Hunt said in an e-mail. “The prevalence of password reuse means that an account exposed on one service is often then usable on other services.”
To mitigate any breach, he recommends consumers should be “changing a reused password in other locations, cancelling their credit cards or perhaps telling their wife they were frequenting an adultery website.”
Companies have invested heavily in building digital walls to keep attackers out. But one little hole — such as an employee responding to a phishing e-mail asking for a password — could let snoopers stealthily inside without an obvious breach in the walls.
“Companies like OWL, they’re gathering intelligence. We’ve never had this (many companies) before. It’s very recent, very new,” Likarish said. “The reason they’re doing it is that cybersecurity has been reactive especially after the Target event.”
Originally called One World Labs, the company was founded in 2009 by a white-hat hacker named Chris Roberts, who is no longer with the company. It was Roberts’ idea to create an archive of darknet data, Turnage said. Investors came on board and Turnage was hired as CEO in early 2015. A few months later, Turnage got a call from Roberts.
“Four months after I started, I got a call from Chris who had just been pulled off the plane by the FBI,” Turnage recalled.
Roberts is the guy who tweeted on a United Airlines flight in May 2015 suggesting an airplane’s onboard system could be hacked through its inflight entertainment system. The FBI met him when the plane landed.
Turnage said Roberts was cleared by the FBI. But investors and management said Roberts had to go and he left. The company struggled and began to look for a buyer without success. OWL filed for bankruptcy in October and Turnage and OWL president Russ Cohen purchased the assets two months later. Roberts now works for Acalvio Technologies, which assumes you’ve already been hacked and secures the network accordingly.
OWL, which now employs 25, moved to a new office space in April and is back to raising money and showing off its technology. OWL’s search engine helps clients search for key words, such as a company name or e-mail address. And then it ranks the results for “hackishness,” which is based on OWL’s algorithm to determine the likelihood that the data will be criminally misused. When he typed in a familiar financial institution’s name, 900 credit card numbers popped up — complete with expiration dates, customer names, addresses and the three-digit security codes.
“There are 900 Visa and MasterCard numbers on one page,” he said, pointing to the result’s 100 percent hackishness rate. “What’s the likelihood that they’re on the dark net for good reasons?”
But credit cards are chump change compared with data such as personal health care records. A few weeks ago, OWL discovered about 10 million health care records for sale for about $500,000, Turnage said. If OWL can identify the company, it notifies them and turns over the data, even if the company isn’t a client. But it’s consumers who really need to worry.
“If I had your health record, I can socially engineer you for several years to come. I have your name, your date of birth, your social security number and all of your insurance information,” he said. “I can go to California and take out a mortgage in your name. As a result, health care records on the darknet sell for more than a standard credit card number. A credit card number can be shut down by Visa or Mastercard very quickly. But with a health care record, I can steal your identity.”