Darkweb Data Dumps
In the last few days I posted about some of the research and data out there that pointed to interesting botnet activities during election day and also data on hacking voting machines. These two posts show information that anyone can verify on their own and should, based on previous research of universities, news outlets and security researchers. In short, this is published research and while you may not agree with some of the views that researchers come up with, they and we do try to remain neutral in looking at threats and vulnerabilities. While doing research for customers I frequently look for different types of data that are “out in the web” and some of this searching includes the Darkweb.
If you start out I would suggest starting your search slowly here: OnionDir (only works with a Tor VPN on and the Tor Browser package installed on your PC, or using a VM (virtual machine)).
Looking for a needle in needle stacks is basically what I would think about when looking for sites and services that no one wants you to find easily. Add the fact that you need to use Tor to browse these sites, and you need to do a little research on what Tor is, what options it offers and how to reach websites over Tor (onion websites).
When starting out with the Darkweb it's important to know where to start and which sites are “legit” and which ones are not. Just like there are fake websites on the viewable web, we also have websites that are fake on the Darkweb. Some onion sites sell almost anything and everything you can imagine under the sun, and this also includes data dumps from famous hackers that break into sites and slurp the database with users' credentials and order data. These dumps land on various sites and also include online shops that sell that data for bitcoins. Other dumps that are released land on Ghostbin, Pastebin and other sites.
Above is an example of some of the data we found being offered on Hansa. This isn't voter data yet, so let's take a look at other screenshots of more interesting data.
The image above is more interesting, where we have the first voter DB, in this case from Pennsylvania (was a battleground state, remember?). In addition we have data that was either slurped from a vulnerable website or could have been supplied by the OPM breach or some other breach that was not identified.
But having voter data is not enough, so the next question is: can we buy enough data to actually pose as someone or take their identity? The short answer is yes; the long one is it depends on how much of the person's PI you can find or slurp (usually we are all very vulnerable because many sites have data on pretty much everyone). One of the reasons systems like NSA's data slurp are so dangerous is that when these systems are breached (and there is no such thing as 100% security; every system WILL be breached at some point in time) then the data comes out and can be pieced together.
Driver's licenses are a great way to piece additional information together for an ID. Could this be used to vote in someone's name? Theoretically yes, but you would certainly need to plan things and build up the creds of the person you want to fake. In addition, it would be awkward if both of you were voting in the same place at the same time or close to each other.
There are various different ways to prevent impersonation from happening. One way is to send specific ID smart cards to the address and ask you to identify yourself with the shipped card and additional ID; it's not impossible to fake, but then you would also need to wait for the card to get shipped to the real address and then intercept it before the actual owner.
Another way to make it harder to fake someone is by introducing biometrics as a method for identifying someone and authenticating them when they want to cast a vote. Biometrics can be used to verify you are the person if enrollment was done correctly and none of the known threat vectors for biometric systems were used to hack it or the template data.
Lastly there is the SSN or Social Security data that could be used to further justify or build the case that you are indeed the person voting or authenticating, etc. This data is out there; it's not me saying this, but you should try searches on .onion sites to educate yourself as to what is really out there and not take mine or anyone else's words for the blind truth. We always have the risk that some or all of these postings are bogus, fake or even LEA monitoring and trying to detect illegal behavior. In the end though, it's highly likely, based on the number of offers for data dumps and selling them for bitcoins, that at least some of these dumps are real and are out there.
For a list of .onion sites and where to start, please send me an email with your details and I can give you a head start. This data and all the information in it is meant to educate, train and build awareness of what is out there. I make no claims that I am an expert at security or know everything. The truth is we all continuously learn and I hope this information helps you become more aware of what CAN or COULD happen if vulnerabilities are used and a nation-state or threat actor coordinates a more complex attack.
For those trolls that want to hammer me, go to it. My name says it all.
Your 1D10T (*confirmed* security Noob)
Copyright 2016 HDN