Do you know some company secrets that you could sell? Do you want to get revenge on an employer by exposing some of their illegal activity? Do you have some photos of celebrities that someone might be interested in? That’s nice, but how are you going to find a buyer? Are you going to approach a competitor with your information? That could work… if they aren’t working with the FBI. In other words, you may have the information, but you’d better be really careful how you try to profit from it.
Case in point: Charles Harvey Eccleston believed he could use spear phishing emails to get important, secret information from his ex-employer, the Nuclear Regulatory Commission, and sell it to an interested nation-state. Unfortunately, the unnamed nation decided to contact the FBI instead. The FBI set up a sting operation on the unlucky Mr. Eccleston. He is now awaiting trial. Then there’s Thomas Rukavina, formerly of plastic maker PPG of Pittsburgh, who, angry at having been fired, offered a secret plastic formula to a competing Chinese company. PPG claimed the formula was worth “hundreds of millions of dollars… and the plastic window product in question was the industry’s first new transparent plastic in more than 50 years.” Sadly for Mr. Rukavina, the Chinese company he approached was suspicious of the offer and tipped off the FBI. Thus, a million-dollar leak turned into nothing more than a prospective prison term.
Now, I have no doubt that a former employee of average intelligence could write a perfect spear phishing email and, with the help of someone informed on spyware programs, install malware on a company network. I also have no doubt that there are any number of disgruntled current or former employees who have valuable information about secret products or plans. There is a lot of potential money to be made if only these folks could find the right buyer, because it seems their plans fall apart at the selling level. This is partly because neither the buyer nor seller can really trust each other. After all, either of them could be part of some kind of sting operation, right? If this possibility were removed, the information market could be booming. Well, now, the leakers’ dream has come true. We have a market for all of you wishing to profit from the information you possess. Ladies and gentlemen, welcome to Darkleaks.
So here’s how it works. First of all, you have to download the appropriate software, which is free. Then, you upload your information to the Darkleaks marketplace. This information will be encrypted except for one section, which will be enough to show those bidding on it that it is authentic. After bidding and after the leaker is paid in bitcoins, a decryption key is automatically sent to the buyer. The buyer and seller never meet and no one knows anyone. As in most deep web sales, reputation is everything. If you are found in any way to be selling useless information, that is the end of your career in Darkleaks. Bad reviews from buyers will finish you off. Oddly, in a region where no one trusts anyone, reputation and trust are everything.
Darkleaks calls itself the “Decentralised Cryptographic Information Black Market” with “NO CENTRAL OPERATOR, NO IDENTITY NEEDED, NO INTERACTION WITH LEAKER REQUIRED.” The service can allow an individual to leak information such as:
- “Hollywood movies
- Trade secrets
- Government secrets
- Proprietary source code
- Industrial designs like medicine or defence
- Zero day exploits
- Stolen databases
- Proof of tax evasion
- Military intelligence
- Celebrity sex pictures”
Anonymity is achieved by using a bitcoin chain encryption. If you’re confused about bitcoin, think of it as a file broken into parts with each part encrypted and stored in different locations. This technique makes it impossible to tell who the true owner of the file is. The simplest explanation for this can be found in a short video on the cloud storage site for Storj. I’m in no way connected to this company but I just find this explanation easiest for the novice. Anyway, it’s the same idea that powers both bitcoin and the Darkleaks site.
Clearly, if this site catches on, it puts a lot of company and government secrets in danger. In addition, hacked celebrity photos may become an attractive commodity since a publisher cannot be named and condemned as the buyer of such photos. In fact, the site could become quite popular for media outlets and journalists in general. Blackmail attempts may also increase. In fact, companies would be well-advised to monitor the site on a daily basis, just in case some of their secrets were up for sale. You never know. You may even have to buy back your own company’s secret information, which could encourage insiders to leak more information in a never-ending spiral of attacks.
But, at least for the moment, I wouldn’t worry too much. The whole Darkleaks project is still in the development stage and has a lot of technical and practical problems to overcome. First of all, the program is written in Python and, though this is easily accessible to those used to programming, it is beyond the reach of many. I am not alone in having problems installing the software, and I forgot many of the DOS commands you really need to get things running. In the end, I simply gave up because it was taking too much of my time. However, if you do manage to get the software installed, the interface will look something like this:
It seems pretty straightforward if it works.
There has been a sharp increase in the number of leak sites recently. Everyone knows Wikileaks, but there are hundreds of others for just about any category you can imagine. Many of these sites are either blocked or outdated. Some have leaks that are mostly not true leaks but are legitimately released documents; Cryptome is among these. Public Intelligence often has some interesting material such as the recent release of a document on ISIL that spells out just what they are capable of and some of their strategies. The Wall Street Journal tried to establish its own leak site but it was quickly closed after it was pointed out that, without encryption, the site did not preserve anonymity. Besides, it also contained the following condition: “(The Wall Street Journal) reserve[s] the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process […]”. I guess you could say that kind of defeats the purpose. LiveLeak is a site for people who’d like to upload videos. Some of them are your standard YouTube stuff, but others have some true value as leaks; it’s all in the deciphering of how legitimate they are.
It has never been unusual for certain individuals to be paid for the inside information they possess. Law enforcement has depended on informants for years. However, the safety of the informant cannot be guaranteed. Government agencies, such as the CIA, have information awards programs as well. Again, you have to be careful if you want to inform. It is not without its risks. If, for example, you want to give information from overseas, the CIA has the following advice:
“By visiting this website from outside of the U.S. and contacting us, you may be subject to monitoring by security or intelligence services, or other third parties that do not adhere to U.S. Internet privacy laws. While we employ numerous safeguards to help minimize this risk, we suggest that you not use your home or work computer to contact us. Use instead a computer where you are entirely unknown. Although our website is encrypted, it is still possible for others to see that you have visited CIA.gov. As an added precaution, we recommend you use current web browsers and clean the computer’s search and/or browser histories after you visit the website.”
This seems to show that truly anonymous, truly safe sites for the sale of information may have a legitimate place. Media outlets and government organizations could benefit from a secure leak platform. It is important to note that many big companies have their own internal whistleblower architecture. Your workers are your best source of information about those who may be trying to undermine you. They may see somebody do something evil but, because they may work with the person, they may be reluctant to report them. A good, secure, anonymous reporting system will pay off in the long run.
A number of major media sites are now using the SecureDrop whistleblower site. Among these are Forbes, The Guardian, The New Yorker, and The Washington Post.
It is still a bit complicated to work with, but makes every effort to keep all communications safe. If the whistleblower wanted to negotiate a price for the information with the media outlet, a Tor-based encrypted and safe chat room is available. However, this is different from Darkleaks where all sorts of secret leaks are available. I would expect a variation of SecureDrop to become available for those with less ethical and more financial motivation in mind. One site, Slur, which is looking for funding before it begins, proudly asserts that it will leak anything that a person may want to sell, including zero-day exploits, stolen databases, “unflattering celebrity photos”, and military intelligence.
Insider attacks are currently one of the biggest threats firms have to face. They are also often the most difficult to detect. Insiders with access to important information will always be tempted to sell that information but may balk at the idea because of the fear of being found out. If that risk is removed and if the information they possess can be disposed of with relative ease, IT departments will have even more problems to worry about. It’s certainly an area that needs to be monitored.