While the visible Internet is vast, the websites that you regularly access on your web browser represent only a fraction of what’s truly available online. There is, in fact, a significant section of the Internet that you cannot find via a simple Google search—one that is estimated to be roughly 400 to 500 times larger than the so-called “surface Internet” the average web user sees. This section of the Internet, known as the “deep net,” includes everything from email accounts, to video content, to information locked behind paywalls. It’s also where some sophisticated web users go to browse the Internet or interact in a private, encrypted environment.
This secrecy has given the deep net a very dark side. Cybercriminals, looking to operate anonymously, have set up “dark net” networks of illegal marketplaces that pawn off everything from child pornography to hitmen for hire. These marketplaces are also where you’ll find merchants selling private account information from Dropbox, LinkedIn, and other commercial websites for pennies, often paid through anonymous cryptocurrency transactions. In March, for example, hackers turned to the dark net to sell information from one billion purloined Yahoo accounts, including telephone numbers and security questions that could be used well beyond Yahoo’s sites. The price: $200,000, or .02 cents per account.
The Dark Net and Your Attorney Email
Many lawyers’ emails and login credentials are among those being sold on the dark net. As LegalTech News reported last year, thousands of business email addresses linked to a number of AmLaw 100 and mid-sized law firms are regularly for sale on dark web marketplaces.
The repercussions can be severe for both law firms and their clients. Most obviously, cybercriminals who purchase these emails can use them to either try logging into the accounts themselves or to hack into related websites. But compromised account information can also be used to set up spoofing attacks on unsuspecting clients. In such cases, the pawned email address may be used to request that a victim download a file containing malware—or to send money to a thief's bank account.
Even compromised personal email addresses and login credentials used by associates and partners can set law firms up for a data breach disaster as well, as they can be used to access the owners’ personal devices. As firms are increasingly adopting BYOD work policies and remote working arrangements, careless law firm employees can put clients’ confidential data at risk for cybercriminals to swoop in and sell. In short, this is a data breach and reputational disaster waiting to happen.
How to See If Your Law Firm Data Is Being Sold Online
Finding out whether your law firm emails and passwords are up for sale involves a fairly cumbersome process. While you do not need a special computer to access dark net marketplaces, you would need special browsers and—ideally—a virtual private network to pull this off. Many of these browsers use anonymized addresses that can be run off of a single server or even a booted-up laptop. TOR, I2P, FreeNet, and DN42 are some of the most common browsers to use to access dark net marketplaces. These browsers anonymize the user’s location and network information, routing traffic through various multi-layered encrypted channels through a randomized network of servers to visit marketplaces and other dark net websites.
Think of a TOR connection as a Newton’s cradle—those swinging pendulum balls that send the out balls flying on collision, by transferring force through a series of stationary balls. Similarly, in TOR, a user’s website visit request runs through a number of randomized servers to reach its destination, only it’s one covered by an opaque box designed to keep outsiders from monitoring what’s going on. Outsiders are prevented from knowing who started the connection, what servers the connection request traveled through, and who received the request—all of which appeals to dark net marketplace merchants and buyers looking for privacy when conducting transactions.
Browsing through dark net marketplaces, however, can cause issues for casual surfers. For one, the types of sites you can find on the dark net via a TOR browser are NSFW—and in most cases illegal. In addition, if you don’t set up your TOR browser and dark net connection properly, your connection could be hacked into, putting any data stored on your laptop at risk. Furthermore, it is questionable whether your activities on TOR can be tracked by criminals and the NSA.
Fortunately, it’s possible to see if your law firm’s data or login credentials are being sold on online black marketplaces—without having to visit the marketplaces yourself. A growing number of cybersecurity and investigative companies now offer dark web marketplace monitoring services that professionals can take advantage of.
Ways to Mitigate Potential Problems Involving Compromised Email Credentials
The problems posed by dark net marketplaces illustrate how devastating poor password hygiene practices can be. This pervasive problem is not unique to the legal profession, however. In fact, most people are more willing to share their business passwords with others than their personal passwords. But lawyers aren’t just any workers. Not only do they handle clients’ most sensitive data, they have ethical obligations to protect against it’s inadvertent disclosure.
Fortunately, law firms can move quickly to address these issues in a number of ways. Mixing up or regularly changing business account passwords, for example, is one easy way to avoid putting your data at risk. Cybercriminals are aware that over half of internet users use the same password across multiple accounts, so ensuring you use separate passwords for business and pleasure is paramount.
The human mind has limited space for passwords, however. Implementing a secure password manager can help ensure that you, and those with access to your systems, are using highly secure, randomized, and unique passwords across all their sites and accounts. Using multi-factor authentication over two-factor authentication helps add extra security, especially since traditional two-factor authentication text messages can be easily intercepted.
As cybersecurity expert and assistant general counsel at Microsoft Dennis Garcia has already noted on this blog, moving to the cloud is one way you could meet your ethical duty of staying abreast of the latest technology and ensuring the security of confidential client data. Many companies offer secure cloud hosting that allows you to into move your email into the cloud in compliance with a number of common data security and privacy standards. This is crucial for law firms that are considering implementing BYOD and remote working arrangements, since information stored on consumer devices is a single security flaw away from being compromised. If cloud hosting is not an option, then incorporating encrypted message plugins and software with your email programs is another way to work around this.
Although some dark net marketplaces such as AlphaBay and Silk Road have shut down, the quick rise of new marketplaces is signaling that the dark net will not die easily. This is why our profession must be educated about and made aware of the potential pitfalls related to email and password issues. Carelessly addressing the risks of stolen credentials—or, worse yet, failing to do so at all—could put your clients’ sensitive data at risk of being sold off to the highest bidder.
This post was authored by Eric Pesale, the founder of Write For Law, who writes regularly about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and recently passed the New York bar exam. Eric can be reached at eric@writeforlaw.com or on Twitter at @writeforlaw.