No secret is safe on the dark web

Cybercriminals can steal your vital data, but luckily the white hats are on the case

24 June 2018 - 00:03 By GRAEME HOSKEN

"Your salary is quite high. You own a property here. You've worked at these companies. Would you like another overdraft?"
One minute, 35 seconds.
That's the time it took for a Sunday Times photographer's entire life to be brought up on a computer screen.
Everything there is to know about him: employment history, properties he has owned, his wife's business interests. Everything is available on the internet, if you know where to look.
In October, hackers stole 63 million South African title deeds in what was, until now, the country's biggest cyberattack in terms of the volume of data taken.
This week that record is believed to have been broken when a group of "black hats", as criminal hackers are known in the IT industry, announced they had stolen 40 terabytes of data from Liberty Holdings' e-mail server.
The theft apparently includes thousands of medical records and life insurance policies, and on Friday Liberty admitted the stolen data had not been encrypted.
Dusty Boshoff, a "white hat" hacker who works for an international IT firm and is tasked with securing the company's data, sat in Centurion and stared at a computer screen filled with columns of data.
"Do you want a UK passport? Hackers will get that for you for €1,500 (about R23,500). Want to melt [a] shopping mall's ice rink? Operate generators of an industrial manufacturing company?
"All of this is possible because the devices are connected to the internet. This is what black hats look to compromise and what us white hats try to keep secure," he said.
Boshoff, with fellow white-hat hacker Jacques van Heerden, is among South Africa's ethical hackers. 
Van Heerden scrolled through a forum on the dark web - a clandestine version of the internet where anything is available for sale, including hackers for rent.
White hats, said Boshoff, are employed by multinationals and governments to test the security of IT systems and search for vulnerabilities.
With black-hat operations increasing, their task is immense.
Van Heerden, a cybercrime expert at computer consultants GTSP, said the hack on Liberty Holdings showed the seriousness of the threat.
"South Africans should be terrified."
For too long people had thought hackers were pimply geeks and schoolkids, he said.
"They are mothers and fathers. IT security experts, who are part of international syndicates, who operate on the dark web."
Van Heerden said 99% of companies did not realise they had been hacked, with many not realising the value of their data until it was compromised.
"With the Liberty Holdings data, you could potentially cash out policies or cause massive reputation damage by releasing information on people's health status."
He warned people against opening an e-mail with an attachment from unknown senders.
"There is an increase in 'footprinting', where black hats spend years inside a computer system learning how to exploit it before harvesting the data. Once they attack, they move onto other internal systems where they continue to harvest data, building up profiles which they sell off or hold for ransom. 
"These ransoms, which run into millions of dollars, are paid in untraceable cryptocurrencies," he said.
South Africa has a sophisticated core group of black hats who operate globally.
After the hack, Liberty CEO David Munro said data was usually encrypted only if it was to be shared with external parties.
"In this case it would have been difficult to encrypt information inside the organisation because there's so much information going around. The data that was stolen is largely unstructured [not indexed]."
He said Liberty would take all necessary remedial actions once the company's internal investigation was completed.
Munro, who said the stolen data was "largely e-mail and attachments", refused to quantify the size or value of the stolen data.
He assured customers the company's IT infrastructure was secure and that IT specialists had identified and addressed specific vulnerabilities.
He maintained that Liberty had not paid the hackers' ransom demands.
Consumer protection lawyer Janusz Luterek said South Africa's legal system meant consumers have to show they have suffered harm if they want to claim damages from a company.
"If fraud is committed because your data is leaked, a consumer would have a claim.
"The questions which need to be answered were how unreasonable was it for Liberty not to encrypt its internal e-mails, how easy was it for someone from outside the company to get to this unencrypted data, and what sort of data protection did Liberty have in place to prevent this from happening?"
• ViewFines: The addresses and vehicle details of 934,000 South African motorists were stolen when the website - which helps motorists establish if they have outstanding fines - was breached in May.
• Title deeds: Millions of South African homeowners had identity numbers and details of their homes stolen after a breach of the Deeds Office, allegedly via a property company's IT system, in October.
• Standard Bank: R300-million stolen by a Japanese criminal syndicate when the bank's credit card database was breached in June 2016.
• Eskom payroll: Hawks foil a billion-rand attempted hack in 2014.
