Miami Dade College Data Web Questions

Read the article on the Dark Web and answer the questions in the attachment. Your paper should be in APA format and have a cover page, a minimum of 3 pages of text, double spaced, and a reference page. Answer the following questions.

(Add citations, 3 references and this assignment should be at least 3 pages)

  • A hacker will benefit from intruding on a network in primary and secondary ways. A primary benefit would be collecting money directly from a hacking target. What would be a secondary benefit? In other words, how else could a hacker make money from stolen data? Use a quotation from the article in your answer. One sentence in your own words and one quote will suffice.  
  • Describe the position of the deep Web in relation to other layers of the web and give a brief example of a legitimate deep site and hypothesize regarding its legitimacy for having gone deep. 
  • A hacker uses their technical skills to engage in illegal or unethical behavior. Explain how hackers are affecting companies and what companies can do to safeguard your information against an attack. Give an example of a company, what happened, and whether they made it known to the public. (Example, Sony)
  • Is it ethical for companies to store and use your personal information for their personal gain or to share your information without your knowledge? (Example, Cambridge Analytica and Facebook scandal)

Welcome to the Dark Net, a Wilderness Where Invisible World Wars are Fought and Hackers Roam Free

Through the eyes of a master hacker turned security expert, William Langewiesche chronicles the rise of the Dark Net—where weapons, drugs, and information are bought, sold, and hacked—and learns how high the stakes have really become.

BY WILLIAM LANGEWIESCHE

Vanity Fair OCTOBER 2016

I. THE BACK DOOR

His name is not Opsec, but I will call him that to guard his privacy. In webspace he is known as a grand master of the dark art of hacking. He is one of a small elite—maybe a hundred, maybe fewer—all of whom are secretive and obsessed with security. They do not talk about their work with their families. They generally do not talk to the press.

He is a fast talker when he’s onto a subject. His mind seems to race most of the time. Currently he is designing an autonomous system for detecting network attacks and taking action in response. The system is based on machine learning and artificial intelligence. In a typical burst of words, he said, “But the automation itself might be hacked. Is the A.I. being gamed? Are you teaching the computer, or is it learning on its own? If it’s learning on its own, it can be gamed. If you are teaching it, then how clean is your data set? Are you pulling it off a network that has already been compromised? Because if I’m an attacker and I’m coming in against an A.I.-defended system, if I can get into the baseline and insert attacker traffic into the learning phase, then the computer begins to think that those things are normal and accepted. I’m teaching a robot that ‘It’s O.K.! I’m not really an attacker, even though I’m carrying an AK-47 and firing on the troops.’ And what happens when a machine becomes so smart it decides to betray you and switch sides?”

Given sufficient motivation and time, Opsec can break into almost any secure network without setting off alarms. Breaking in used to thrill him; by contrast, defense presents the challenge of out-thinking every aggressor. This appeals to him, and he works now on the defending side. Usually this means protecting company networks from criminal attacks, or reacting to attacks after damage has been done. Opsec does not do the routine stuff. He is the man for the serious cases. He has seen some big ones.

I will call his client the Company. It is an Internet behemoth. It streams entertainment online and makes direct regular connections to more than 70 million personal computers worldwide. The Company does not charge for the connections but rather for the services it provides. It is very profitable. And it is under frequent attack from many parts of the world. Most of the attacks are drive-by shootings—spray-and-prays that succumb harmlessly to the defenses that Opsec has helped design. But some are carefully aimed and have threatened the Company’s existence.

He first intervened six years ago, after a data center had been hacked. The intruders had gone after key systems, including the central payment processor and the C.E.O.’s computer, and had stolen credit-card and financial data as well as the Company’s proprietary source code—the secret formula upon which the business is built. Opsec worked for nearly six months to clean up the mess. By backtracking he discovered that the hackers were a group associated with the Chinese army. They operated out of a specific building near Shanghai, which he was able to locate, and specialized in targeting entertainment companies. Eventually he was able to identify some of the individuals involved, and even to obtain pictures of them. Nominally, that was the end of it. Opsec told me that because a government was involved, and legal recourse in China was unrealistic, no further action was taken.

What do you do when there is no law? Counter-hacking is a temptation, but can be dangerous. The Russian mob, for instance, has a poor sense of humor, and Colombian drug cartels are not much fun, either. Also, among independent hackers there is no small number of psychopaths. Over the years the Company has endured death threats, rape threats, and bomb scares. It gets personal. In a world without privacy, home addresses as well as the names of spouses and children are easily found. As the Democratic National Committee recently discovered, it is better not to get hacked in the first place.

After the original breach by the Chinese, Opsec had urged the company’s management to establish a vigorous information-security program, which it did. The sole purpose is to catch intruders, and to catch them as quickly as possible. The average industry delay in detecting a malicious hack is 188 days. For the Company, Opsec was hoping to reduce the delay to minutes or even seconds. But late last year, when the operations manager called him at home and urgently requested his presence at the Company’s high-tech campus, about 20 miles away, he knew that those defenses had failed. Almost as disturbing, the alarm had been raised not by the security team but by an ordinary technician, a system administrator doing the drudgery of a routine review.

When Opsec got to the campus, the details filled in. The system administrator—a friend of his—had been going through event logs of the previous week. Seeing a red dot, the administrator had zoomed in for more information. The failed task turned out to be an attempt from within the Company to deploy a piece of software companywide. He alerted the operations manager.

Opsec was immediately suspicious. He ran the content through a piece of reverse-engineering software, called a disassembler, and quickly confirmed that his client had been hit with a malicious hack. Within an hour he understood that the purpose had been to permeate the Company’s networks, steal and encrypt all of its data, and demand payment for the data’s return. The numbers for an overseas bank account were included in the program. Opsec would not tell me where that bank account was, or how much had been demanded. He said only that it was an aggressive piece of ransomware, and that often in such cases the data is never returned. Ransom attacks have become an epidemic on the Internet. Most are widely dispersed. They lock down a victim’s computers and ask for relatively small amounts, payable in hard-to-trace Bitcoins, in exchange for returning the victim’s life to normal. The biggest attacks—against corporations—have netted millions of dollars. Little is known about them because the victims are tight-mouthed. The massive hack of Sony Pictures in 2014 was a ransom attack, though by whom is still in question. Presumably Sony did not pay, because its internal e-mails and other information were released onto the Internet. Last February, hackers seized medical records from the Hollywood Presbyterian Medical Center, in Los Angeles. The hospital paid to get the records back. Now, through sheer luck—a missing letter—the attempt to extort Opsec’s client had failed. But big concerns remained: the Company’s network was clearly compromised.

Someone had emerged from the Internet, slithered into the Company’s heart, and then disappeared. The specific vulnerability the attacker had exploited was still unknown, and was likely to be used again: he had established a back door, a way in. Some back doors are permanent, but most are short-lived. Possibly this one was already for sale on the black markets that exist for such information in obscure recesses of the Internet. Until Opsec could find and lock it, the back door constituted a serious threat. Opsec reviewed the basics with the Company’s managers. He said, Look, we’re in the Internet business. We know we’re going to get hacked. We have to assume, always, that our network is already owned. It is important to go slowly and stay calm. We will soon know how and when to lock the door. We will have to decide later if we should do more.

II. ANARCHIST AT HEART

Definitions. A vulnerability is a weakness in a network’s defenses. An exploit is a piece of software that takes advantage of a vulnerability. A zero-day exploit is a piece of software that takes advantage of a vulnerability that is known to a small group of aggressors and generally not to the defenders. “Back door” is another name for much the same. There are variations. Infinite invention is at play. Welcome to the Dark Net, a wilderness where wars are fought and hackers roam. More definitions. The Dark Net exists within the deep web, which lies beneath the surface net, which is familiar to everyone. The surface net can be roughly defined as “anything you can find through Google” or that is otherwise publicly indexed for all to see. The deep web is deep because it cannot be accessed through ordinary search engines. Its size is uncertain, but it is believed to be larger than the surface net above it. And it is mostly legitimate. It includes everything from I.R.S. and Social Security data to the internal communications of Sony and the content management system at The New York Times. It includes Hillary Clinton’s e-mails and text messages, along with everyone else’s. Almost all of it is utterly mundane.

The Dark Net occupies the basement. Its users employ anonymizing software and encryption to hide themselves as they move around. Such tools offer a measure of privacy. Whistle-blowers and political dissidents have good reason to resort to them. Criminals do, too. White fades quickly through gray and then to black in the Dark Net. Furtive sites there offer all manner of contraband for sale—narcotics, automatic weapons, contract killings, child pornography. The most famous of these sites was Silk Road—the brainchild of Ross Ulbricht, a libertarian entrepreneur who was arrested by the F.B.I. in San Francisco in 2013 and sentenced last year to life in prison without parole. New and even larger marketplaces have opened, including the current leader, AlphaBay, which is owned by a man who has been quoted as saying he resides in an “off-shore country where I am safe,” gives interviews to the press, and openly defies attempts by the authorities to shut him down. There are twists: illegal narcotics sold over the Dark Net tend to be purer, and therefore safer, than those sold on the street—this because of the importance to the sellers of online customer ratings. By comparison, it is hard to see the bright side of missile launchers or child pornography.

However noxious the illicit Web sites may be, they are merely the e-commerce versions of conventional black markets that exist in meatspace. The real action on the Dark Net is in the trade of information. Stolen credit cards and identities, industrial secrets, military secrets, and especially the fuel of the hacking trade: the zero days and back doors that give access to closed networks. A short-lived back door to the iPhone operating system may sell for a million dollars. In 2015 a black-market site called TheRealDeal, the first one to specialize exclusively in cyber-weaponry, opened for business. Several others have followed.

By the age of seven Opsec had become a regular on electronic bulletin boards where gamers exchanged information and posted downloadable games. The bulletin boards were precursors of the Dark Net: you could not search for them on a computer; you had to have a specific phone number and reach it point-to-point with a dial-up modem. After you found the first one, you were in and could find others. The users had pseudonyms and remained largely anonymous. Age and location did not matter. Social awkwardness did not matter. Some of the information the bulletin boards contained included pirated property and advice on how to break the law.

Opsec was just a kid, and at first he was only after the games. His problem was that they were often locked and required payment. With hints from the bulletin boards, he began to reverse-engineer the games, identify the lines of code associated with security, and modify the programs to bypass the payment requirements. He then posted his solutions on bulletin boards so that others could do the same. Though he did not know it at the time, he was creating zero-day exploits.

By the sixth grade, Opsec had started hacking into universities and phone companies. His parents saw him sitting hour after hour at the keyboard, but were so unaware of his activities that they bought him a laptop for schoolwork because his handwriting was bad. The effect was to pour fuel on the fire. His grades plummeted from A’s to D’s.

When he was 12, Opsec began to attend the local chapter meetings of a notorious hackers’ group. The meetings were held in the food court of the Pentagon City shopping mall. He had a friend, a like-minded Persian kid who attended the meetings with him and was extraordinarily capable but a bit malicious: he later published papers on how to destroy hard disks remotely and how to cause computers to catch on fire by shutting down their fans. Although also an anarchist at heart, Opsec was more interested in expanding his skills than in wreaking havoc.

But the two friends had technical goals in common. They became regulars at the food-court gatherings and eventually met a man there who worked for an unnamed government agency but was willing to explain certain concepts clearly. Such exchanges are characteristic of the larger hacker gatherings that have followed, with natural adversaries such as F.B.I. agents and Eastern European cyber-criminals temporarily setting aside their differences to share information.

III. CHINESE NETWORKS

Opsec took what he learned and acted on it. In most cases, success was defined as access to the administrative console of an operating system. That position is sometimes known as a root shell. For Opsec it was the holy grail, because from within the root shell, as an illicit administrator, he could do as he pleased, including using one computer to attack another, and from there yet another, in daisy chains that spanned the globe. This was tricky stuff. With several of his friends in detention, Opsec grew nervous about being identified.

It was 1996. The commercial Internet had barely arrived. Opsec was a scrawny adolescent. He was still using dial-up modems to break point-to-point directly into mainframes, particularly those that were part of the global telecommunications infrastructure. From an illicit bulletin board he obtained a master list of the default passwords used for many of the manufacturers, then went on a spray-and-pray hunt through the phone system, looking for vulnerable computers. To do this he wrote a program that would call every 1–800 number possible, for a total of roughly 7.9 million combinations. He chose 1–800 numbers because the calls were free. If computers answered, the program would distinguish between them, respond with factory-default passwords, and register the successful penetrations. Once the program had mapped the vulnerabilities, and Opsec had taken possession of some computers, he intended to use them to go after other computers, in order to hide his traces as he approached the final targets. The problem was how to make millions of automated phone calls, because even a 14-year-old has limits on his time.

Late one night, working alone, he threw a rubber mat over a barbed-wire fence protecting a phone-company yard, and climbed up and over. Once inside he broke into two vans and stole everything he could: technical manuals, linemen’s handsets, utility belts, uniforms, helmets, pay-phone keys, and, most important, a master key to neighborhood trunk boxes—the junctions through which hundreds of phone lines run. With parts from a RadioShack he built a small device that allowed him to seize every one of those lines simultaneously. He connected the device to a small laptop that he had stolen from a Staples, and set to work. Dressed in an oversize lineman’s uniform and hard hat, with a utility belt dangling equipment from his waist, he slipped away from his house and every night for several weeks probed the 1–800 network with thousands of computerized calls. On the final night of the endeavor, at two A.M., he had opened a trunk box situated on the front lawn of a church, when an old woman—a member of the congregation—spotted him from her window and, noticing that his uniform did not seem to fit him, called the police. Opsec still wonders what she was doing up so late. When he was arrested, the police had so little idea of what he was doing that they returned the laptop computer to his father without having it examined. The local prosecutors charged him with illicit wiretapping, as if he had been eavesdropping. His parents hired an expensive lawyer. Opsec copped a plea to a misdemeanor to avoid having to explain himself, and was sentenced to several weeks in a juvenile-detention center, to be followed by years of probation.

As he gained experience he graduated from indiscriminate hunts for low-hanging fruit to more focused attacks, known as deep dives, against well-defended networks. The dives required careful planning. Opsec said, “You start with recon, studying the target network, but also doing research on employees, building psychological profiles, trying to assess the culture of security, and looking for the ‘social engineering’ possibilities—can you trick someone into divulging a password? You create a map of all the possible avenues you can use to get in.”

Opsec got into the Colombian government’s networks without setting off alarms, and spent six months there, undetected, moving around. Then he dived into Chinese-government sites and military networks, and into the domain of specific Chinese hacking teams. He was 16 now. In yet another lapse of understanding his parents allowed him to take a job in an electronics store, where his main purpose was to steal more “burner” laptops to discard after use, to avoid detection. A regular customer there learned of his unusual knowledge of Chinese networks and offered him some work on the side: the man handed him a list of about 20 Chinese servers and asked Opsec to look into them. This turned into a regular thing. The man sent a bank transfer to him every month. Opsec guessed that he worked for the N.S.A. or the C.I.A.

Opsec’s parents, meanwhile, kept shipping their son from one school to another, in the vain hope of getting him to return to conventional studies. They sent him off to a military school with the idea that boot camp might bring him to heel. He hacked into the school’s network, encrypted the data on a classmate’s personal computer, and taunted him with the loss. The school found out and gave Opsec the choice of helping to shore up its defenses or being expelled. He chose to be expelled. When he called his mother to give her the good news, she was livid. She said, “How did you manage to get kicked out of a bad-kid school?” She exiled him to live with his uncle in a faraway place. He kept hacking.

IV. “MAFIABOY”

Opsec describes the public’s awareness of the Dark Net as a slow awakening. It started at the dawn of the new millennium, around the year 2000. With Internet connections proliferating, e-commerce expanding, and the dot-com boom fully under way, the surface Web looked much as it looks today except for this: attacks were not pervasive and computer security was not a big concern. The problem with security is that it slows operations down, and the new and ambitious Internet entrepreneurs were locked into competitive races that allowed no room for interference. The interference came anyway. In February 2000 a 15-year-old French Canadian who went by the name Mafiaboy launched a series of denial-of-service attacks that took down a progression of important Web sites, starting with the then dominant search engine, Yahoo, and moving on to Amazon, eBay, Dell, and CNN, among others. Such denial-of-service attacks, which overwhelm Web sites by hitting them with massive traffic, are the most primitive form of hack. They require only the hijacking of undefended computers, not the penetration of the target networks, and they do not result in the loss of data. In Opsec’s view, Mafiaboy was a talentless “script kiddie” who used off-the-shelf components written by others, and needed little knowledge to pull off his stunt. He was so naïve that he bragged about his exploits in Internet chat rooms. He was arrested, and sentenced as a juvenile to eight months of house arrest and a year of probation. But Mafiaboy’s attacks surprised the industry, caused losses estimated at more than a billion dollars, and made international news. Internet companies realized that they were going to have to improve their resiliency. The magnitude of the cited losses also got the attention of the underground. Anarchists were attracted by the opportunities to cause disruption. Others were attracted by the opportunities to make money. Organized crime soon got involved. Identity theft, credit-card fraud, and electronic extortion expanded rapidly. The public remained largely unaware, but with monetization the evolution of the Dark Net suddenly accelerated. In the United States alone, nearly every company larger than small is getting hit on a regular basis, usually from abroad. The Pentagon has said it fends off several million attempts at cyber-intrusion every day.

Opsec had just turned 18 when Mafiaboy struck. Nominally he was a senior in high school. As an adult now, he arranged to have authority over his probation transferred from where he lived with his uncle back to the Washington area, and he returned from his exile soon afterward. That spring he fell in love with a beautiful Asian girl who was all about drugs and sex, and he moved in with her. During his next visit to his new probation officer, he reported the change of address, and she busted him for it because he was supposed to have informed her in advance. He was sent to jail. Opsec was released in 2000, becoming a free man without restrictions for the first time in four years.

He swore off hacking, and went to work at an espresso bar on the ground floor of an office building. Through a chance encounter with a customer there, he found himself with a computer job upstairs. Opsec moved on to a series of small jobs, then landed a position at a network-security company.

V. HIRED GUN

We are now approaching the mid-2000s. Opsec went to work for a computer-security company as a “penetration tester,” and for the next five years traveled extensively, performing security audits and hacking into corporate networks to explore their weaknesses. Some of Opsec’s clients were serious about security. But many were just going through the motions. All too often Opsec would hack into a network, submit a report recommending fixes, and come back the next year only to find that nothing had been done. He said, “Mostly it was just check-box security. And a lot of the penetration testers are really bad. They don’t have the background or mind-set. They don’t have the skills. They have a scanner with a database of all the different vulnerabilities, and it checks the network for those things. There’s no creative process there. They’re not looking for things that are not in the knowledge base. They push some button, then come back and say, ‘You’re clean!’ ”

In 2007 he quit the job and set himself up as a hired gun, determined to be selective about which clients to accept. The first requirement was that they had to be serious about network security. The second requirement was that they had to be on the side of “right.” This turned out to be tricky, because the expertise he offers and the systems he puts in place are classic dual-use weapons that can be used to rob and oppress just as easily as to defend people’s lives and property. Furthermore, Opsec was politically naïve: he assumed that U.S. agencies and foreign allies were inherently on the side of right. He no longer suffers from the illusion. To me he said, “If you kick over enough rocks, you’re going to find shit, and if you piss off the military-industrial complex . . .” He hesitated. He said, “There are certain things they just don’t want you to know. And they kill people. They’ll kill you.” I asked him if paranoia is a professional hazard. He said it is, but if only for peace of mind he steers clear of those sorts of clients today.

As a gun for hire he made some mistakes early on. He subcontracted to an American team in an oppressive Gulf kingdom and ally of the United States. He assumed that the project was known to the U.S. government and only later discovered that it was not. Opsec moved to the kingdom for nine months. The job was to set up a national network-security operations center, an emergency-response group, and a hacking school to teach offensive and defensive cyber-warfare techniques. The school was equipped with cyber-warfare “firing ranges”—rooms of computers where simulated attacks could be run—and had a curriculum that included intelligence gathering and the writing of malware. Additionally the team ran penetration tests and discovered vulnerabilities in the country’s radar and missile-defense systems as well as in its international telecommunications. But Opsec discovered that under the table the team was selling cell-phone interception and tracking equipment to the authorities for all the wrong reasons. The capabilities he was providing for national defense would in practice be turned against the citizenry. He left the project and returned to the United States. He settled down with a few good clients, the best of which was the Company, 20 miles from home.

VI. ALL-OUT WAR

The ransomware attack on the Company late last year was not just an incident. It was a serious breach. Opsec urged stealth in response. The attacker would have known that he had failed to steal the Company’s data; there could have been various reasons for that. It was important to keep him wondering whether the hack itself had been discovered. The ransomware was a generic off-the-shelf module of no great interest or complexity. It had arrived only two or three days before being identified. The question was how it had arrived. To his shock, Opsec soon determined that it had come in by piggybacking on a major intrusion, until now unknown, that had occurred fully a year before. This was the hack that really mattered. The extent of it was still unclear, but the Company’s network had been secretly “owned” ever since. There was more. Embedded in the system was strong evidence that the attackers were the same Chinese-government team that had hit the Company four years earlier. And the Chinese team’s capabilities had vastly improved. Opsec and his team concluded that the purpose was to lay the groundwork for the rapid construction of a giant botnet.

The “bot” in “botnet” is derived from “robot.” Botnets are illicit networks of infected computers, known as zombies or nodes. They have been around for a long time. No one knows how many are active, but the numbers are large. A few are self-propagating, but most require active (if unintentional) downloading. Either way, they are the force multipliers of the Dark Net. Some of them are commercial, and offer services on the black market. Others are privately held. On the most simple level, hackers use them to mount denial-of-service attacks, overwhelming Web sites with the sheer volume of traffic. Beyond that, their purposes are almost limitless—identity theft, credit-card fraud, bank fraud, intelligence gathering, high-speed code cracking, corporate espionage, commercial sabotage, and attacks on national infrastructure, including industrial control networks, phone systems, and the Internet itself. Cyber-attacks that cause physical damage are extremely rare—Iranian centrifuges destroyed by Stuxnet in 2010; a steel mill hit in Germany in 2014; blackouts caused by a hack of the power grid in Ukraine in 2015—but whatever damage a single computer can do, a botnet can do it better. Botnets are so valuable—and potentially so short-lived—that their creators normally rush to use them as soon as they are built. That was the odd part about the attack on the Company. The Chinese had gone to all the effort to insert their destructive, camouflaged program, yet had stopped without taking further action. Why?

The botnet it could have created would have been huge. If the Chinese had breached other large Internet companies via the same payment-center route—and it seemed likely they had—the combined effect would have been the creation of by far the largest botnet ever seen, an Internet robot consisting of perhaps 200 million computers, all controlled by one small Chinese hacking team. Opsec had stumbled onto a very big thing. And its lack of use was the key. The only possible purpose, Opsec concluded, was that of a sleeper cell, lying in wait as a pre-positioned asset to be used as a last resort, like a nuclear weapon, in the event of an all-out cyber-war. The world certainly seems to be moving in that direction. Already cyber-attacks constitute an active component of nearly every conventional military battle. They are used by the U.S. in conjunction with the air and ground war against ISIS. Some say that a global cyber-war is already under way, because everyone is getting hacked. But many states—China, Russia, Germany, France, Pakistan, Israel, and the United States—are actively preparing for something much larger to come.

The sleeper cell would never have been discovered had it not been for the ransomware that failed to deploy. According to Opsec, a member of the Chinese government team had apparently decided to freelance and make a little money for himself, sending his extortion demand along the pathway secretly blazed by the government team a year before and inadvertently exposing the entire operation. When identified, if he has not been already, the renegade team member in China will face a very unhappy future.

As for the future of the sleeper cell itself, Opsec could only speculate. The U.S. government had of course been informed. “Yeah, and they wouldn’t take it down. They’d surveil it, do reconnaissance and monitoring, just so they could keep tabs, and they would probably spend some time developing the capability to disrupt or hijack the botnet if they needed to. Right?,” he said. “Let the Chinese build their cyber-weapon and think they’ve got it, and when we need it, we’ll just block it or take it over.”

As a product of the Dark Net, Opsec has the power to invade China, and has done so before. I asked him what an invasion would look like. “A botnet takedown, that’s what I’d like to see. We’re at least crippling their network.” And maybe, he went on, as a present, you could give them the identity of the guy whose ransomware brought the hack down.

So is that what you’re doing?, I asked.

Of course not, he said. It would be against Company policy.