Q&A - Frequently Asked Questions
What is the Dark Web?
The Dark Web is a hidden universe contained within the “Deep Web”- a sublayer of the Internet that is hidden from conventional search engines. Search engines like Google, BING and Yahoo only search .04% of the indexed or “surface” Internet. The other 99.96% of the Web consists of databases, private academic and government networks, and the Dark Web. The Dark Web is estimated at 550 times larger than the surface Web and growing. Because you can operate anonymously, the Dark Web holds a wealth of stolen data and illegal activity including stolen Usernames/Passwords.
Are there any special Credentials required to investigate the Dark Web?
You do not need special permission to access the Deep or Dark Web. However, accessing the Deep or Dark Web requires the use of a “TOR” browser and should only be done using a VPN/ 10042017 encrypted tunnel. In general, we advise against attempting to access the Dark Web lest you get caught up in something you were not expecting. The Dark Web and the individuals who populate it are targeted by Law Enforcement and Security Services worldwide.
How does Avantia's Dark Web monitoring service help protect my organisation?
Our service is designed to help both public and private sector organisations detect and mitigate cyber threats that list and sell stolen email addresses and passwords. Our US Partner leverages a combination of human and artificial intelligence that scours Botnets (computer networks) , criminal chat rooms, Blogs, Websites and Bulletin Boards, Peer to Peer networks, Forums, private networks, and black-market websites 24/7, 365 days a year to identify stolen credentials and other personally identifiable information (PII).
Doesn't the 'haveibeenpwned.com' website offer the same service for free?
The free website 'haveibeenpwned.com' run by Troy Hunt does not offer the same service that Avantia Cyber Security offers. The 'Ihaveibeenpwned' website publishes data such as Usernames & Domain Names gathered from notified data breaches of companies and organisations. If an organisation has had a data breach but does not disclose the breach, the data will not appear in his database, however, it can be listed on the Dark Web for sale at that time.
It does not record (or have access to) compromised passwords and does not indicate if these ‘critical credentials’ are listed on the Dark Web for sale; thus a user of this website cannot truly evaluate their level of risk . Mr Hunt states in his blog “It should be abundantly clear from this post, but let me explicitly state it anyway: I have no idea how many of these are legitimate, how many are partially correct and how many are outright fabrications”.
At Avantia Cyber Security our focus is on determining (a) If our Client’s Username/Passwords are listed on the Dark Web for sale as soon as they are listed and (b) Alerting our clients in real time that their Username and/or Passwords have been compromised so they can change them and (c) Constant around-the-clock monitoring of the Dark Web to reveal future compromises of their usernames and passwords. (d) Offering our Govt/Business/Organisation clients free access to our online Cyber Security Awareness Certification Questionnaire for their staffs education on safe cyber practices. Don’t be lulled into a false sense of security by information that only gives you part of the resources you need to protect your assets and identity.
The Firefox browser now allows you to check your Email to see if it has been identified in a breach for Free - Isn’t that what you offer?
Firefox has cloned the “have you been pawned” Email notification tool as part of their offering to allow you to check if your Email has been cited in notified data breaches. A review of the ‘Compromised Breach & Threat Updates’ will reveal that many of the breaches that occur worldwide are not “disclosed” for between 1 day and 1 year after they have been discovered during the investigation phase by the organisation that has been hacked. Not all jurisdictions have mandatory data breach disclosure laws so many are never disclosed and therefore never added to the “have you been pawned” database.
State Sponsored Hackers and/or Organised Cyber Crime Gangs have become more sophisticated. For many their objective is to get inside a network, get the data they are after and get out - undetected. Many breaches are not discovered for years after the event - if they are not discovered and therefore not disclosed they will not be listed on the “have you been pawned” website or on the Firefox website database clone tool.
Between the date that the breach occurs and is when discovered and ultimately disclosed your ”critical credentials” - the key to the front door of your Bank; Credit Cards; Paypal Etc, etc could be listed on the Dark Web for Sale, could be sold to a cyber criminal and could be exploited during the hacked institution's ‘investigation’ period. During this time, you and your whole digital life is ‘in the wind’. If you are a company or organisation your business could get wiped out overnight. If you are an individual you risk exposure to Identity Fraud and if you are a family with children you risk online ‘stalking’ of your children by sex offenders if their login passwords are listed on the Dark Web.
At Avantia Cyber Security our focus is on determining (a) If our Client’s Username/Passwords are listed on the Dark Web for sale as soon as they are listed and (b) Alerting our Clients in real time that their Username and/or Passwords have been compromised so they can change them immediately and (c) Constant around-the-clock monitoring of the Dark Web to reveal future compromises of their usernames and passwords. (d) Offering our Govt/Business/Organisation clients free access to our online Cyber Security Awareness Certification Questionnaire for their staffs education on safe cyber practices. Don’t be lulled into a false sense of security by information that only gives you part of the resources you need to protect your assets and identity.
Our organisation uses the 'cloud' for data storage which encrypts everything. Why
do we need do your service for password security?
Commercial cloud storage systems like Google Cloud, Office 365, Dropbox and others encode each user’s data with a specific encryption key. Without it, the files look like gibberish – rather than meaningful data. Most services keep the key letting their systems see and process user data, such as indexing data for future searches. These services also access the key when a user logs in with a password, unlocking the data so the person can use it.
Just like regular keys, if a cyber criminal has them, they might be misused without the data owner knowing. Getting access to the data by way of a stolen Username/Password to gain entry opens up potential to steal the keys to all your stored data. The ‘cloud’ is a “honey pot” of potential income generation for cyber criminals making it a very attractive target - password security is critical for cloud users.
Where do you get your data breach information from?
We utilise many legitimate sources in the USA and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable.
If I have 2 Factor Authentication why do I need your monitoring services?
Although some web services require two-factor authentication or 2FA, the strength and security vary. It is easy for hackers to bypass weaker implementations by intercepting codes or exploiting account recovery systems. Most of the problems centre around the fact that if you break through anything next to the 2FA login, (account-recovery process, trusted devices, or underlying carrier account) hackers are into the system anyway. The weakest point for 2FA is the wireless carrier (who can be breached) and the mobile device (which can be hacked and intercepted). This was graphically demonstrated by the penetration and Data theft from 'Reddit' (one of the top 5 viewed websites worldwide) who use 2FA as part of their login process in August, 2018.
On the test search, you found a Username/Password that I don’t use anymore.
Why do I need to use your service?
The sample test report provides historical as well as live real-time data. At one point in time, there was risk associated with these credentials (Username & Password), and there could still be. Universally, it is estimated that between 40 – 60% of adults are using the same or very similar passwords for multiple online login sources. These passwords (whether active or not) are being used in phishing email exercises and can be very compelling to unsuspecting victims.
The password shown on the Dark Web test scan is not one I have ever used?
How could I be affected by that?
In most cases when a password is coming up that an individual has never used, they have either forgotten they’ve used it before, someone is testing a password, or someone is creating a fictitious account for fraudulent purposes (having researched the names of company employees for example.)
Often, when cybercriminals handle breach data, they work to put a value on the data. This may involve attempting to confirm the validity of a username/password combination. If such testing is positive, the password is often left in the source data. If the test is negative, the criminal may fill in some placeholder value such as noted above to indicate that the username/password could not be confirmed as valid.
The data platform that Avantia Cyber Security uses has controls in place which allow it to filter out password values that have been identified as “invalid” - this can appear in a Live Data Search as blank password fields. This is done to help avoid confusion.
If this occurs, the question then becomes ‘How much weight should give a password compromise with a blank password?’ Our guidance is to treat such compromises with the same weight you would one that has a clear text password. There may be a variety of reasons the criminal handler chose to put in a placeholder value, but your credentials were found in a place known to be a source of criminal theft, and our objective is to protect our clients from further exposure.
Some of the email addresses & passwords that show up on the Live Scan attributed to our company domain are not from anyone that has worked in our company.
Why is this?
Email addresses that are either not valid emails within an organisation, or “fake emails” ( ie: ) may be a sign that a cyber criminal is attempting a phishing attack on the organisation. This is a reason for great concern, as it makes it clear there has been an active attempt to attack the organisation. Email addresses discovered in the wild may not have ever existed on the Organization’s mail server.
Let’s say that these email addresses were used to create accounts on some other service and it’s that other service that is breached and the source of the compromises. We can’t determine if the email addresses we find in the wild are actual email addresses and therefore we report them to our clients for clarification.
Notes or comments regarding the credential or credential owner may also appear in our test findings. For example, we’ve seen phone number and gender in the password field. While such a finding may not contain a password, the presence of the personal information in the record is still a valid finding.