Got an email from Clearscore that they have released a new product 'protect' - free dark web monitoring tool.
As per their website:
We've partnered with cyber security experts who search the dark web for stolen data and save it in a secure database.
Every three months we’ll scan this database for stolen passwords associated with your email address.
Based on their help centre FAQ they say they work with both Have I Been Pwned and SpyCloud.
I'm not saying they're not full of sh*t, but just to be clear, if they find your email address in a credible dump with a password or weak hash next to it, then they don't need to know your password to know that you've been compromised.
mate, my password is generated randomly, AES 128-bit, how is it possible?
Not endorsing or excusing clearscore in any way but even if you're password is generated randomly and long as hell it means nothing if the service stores it in cleartext and it gets leaked. Happened so many times with even the biggest players in the game.
@Jenny Death: true, but would not expect ClearScore to "fix" it, all they want you to do is clicking on the notifications which would then lead you to homescreen of the app or their page of deals and offers
Ok, so you have the password "9sxsz8fc7zs098cf7s89dvc7" which is super secure.
You sign up to my site with your super secure password (or any password).
I take that password and store it in plain text in my database. That database is stolen. Everyone now knows your password.
Or, I take that password, hash it with MD4, which is a super broken hashing mechanism. I store it in my database. That database is stolen. Someone spends 5 minutes breaking the hash. Everyone knows your password.
It doesn't matter how strong your password is, if it's stored badly it can be stolen.
The other 2 months they're trying the passwords out?
Not very Clear of what this is about. So if they scanned and find your password in the Dark Web. What are they going to do? Tell you your password is in the Dark Web?
Yep, same thing haveibeenpwned does for free, or norton does, with broad oversight.
Please understand I hate nortons products, but Id prefer to trust my data is handled correctly by a company that size, than a small one relying on scraped data. In a "secure database".
The idea you can "scan" the dark web is ludicrous.
The whole point of what makes it DARK is that its unsearchable, you need an exact address to visit sites.
There exist a few search engines; but that just means they're Onion sites, they're no longer dark, since they're indexed.
Playing with fear, this fella is.
Again, not saying this company is not full of sh*t, but let's be clear about why and why not.
You can crawl the dark web the same way you crawl any other set of sites which have links to each other.
You start at hidden wiki, grab all the URLs, read them, grab all the URLs, read them….
You won't get everything but pretty quickly you'll have a large list of URLs to check.
You can also periodically check the known dump sites for new dumps and parse them.
True, but you're months behind doing it that way.
Any 'group' with this sort of info 'fresh' is moving, the second they find their site has been indexed.
The second you're part of a database, you're just an onion site. Its not dark anymore.
Just like the second you power up dark fiber, its now just fiber. Doesnt matter if its encrypted or not. i can identify data exists.
Someone outside the inner circle can find it? Its no longer dark.
@MasterScythe: That's a bit "No True Scotsman", and you're making a lot of assumptions about how quickly people know their sites have been found. There are certainly law enforcement agencies doing it decently - I don't know if I'd trust a mob like this to be competent, but assuming every group of teenagers liberating user databases out there are godlike in their knowledge and opsec seems a bit far fetched.
I've stumbled across plenty of databases which had relevant usernames and passwords in them in far less well hidden places than you'd suspect. I've checked with friends if they'd changed their passwords since and they hadn't — and those passwords hadn't been used to hijack any of their accounts that they were aware of yet. Services like this may not be useful to people who are aware of the risks and how to mitigate them, but there's a fair few grannies out there who might benefit from something like this, but done right.
every group of teenagers liberating user databases out there are godlike in their knowledge and opsec seems a bit far fetched.
Agreed, but you're giving the counter-force far too much credit.
If you're attracting 'secret service' level attention, sure. But at every other level; there's a reason they 'have to' outsource.
You dont need to be "great" to be "better".
I've stumbled across plenty of databases which had relevant usernames and passwords in them in far less well hidden places than you'd suspect
Of course, as has anyone who works in secops, but those are (poorly) " hidden databases". They're not 'dark web'. They're more like security through obscurity.
Ever seen "the net" ? Sorta like that.
Services like this may not be useful to people who are aware of the risks and how to mitigate them, but there's a fair few grannies out there who might benefit from something like this, but done right.
Absolutely! Im not looking for an argument; the value is real in the right circumstance. We agree on the use, totally.
But I object to the false advertising is all. The most they're doing is scraping data from onion sites.
Call it database monitoring, call it "hidden web" call it god damn anything else.
If we accept what you describe is "dark web" we're going to end up with another technical definition, corrupted by laziness
i dont want another "USB" in my profession. Call it a memory stick, or a thumb drive, or a darn 'storage plastic' I dont know; but technical connection interface 'USB' will forever need further clarification (which was not always the case!), the "dark web" doesnt need that; its too complex for that to be OK, it'd be way more than a minor inconvenience and the idea of scanning it is just false advertising.
Im not gonna be upset if you dont agree, im just explaining why I 'care'.
Why would you trust a 3rd party with your information, when its clearly searchable thanks to the haveibeenpwned volunteers?
Very tricky way to scrape user data though, kudos for the 'clever' marketing.
If you feel the absolute need for active dark web searching (which is BS by the way, since the whole idea of dark web means you need to know an address to visit it, otherwise, its 'the web' random ipv6 guessing on an onion network is maniacal.) then at least go with a company who has some oversight so they wont sell your shiit to others.
Id still heavily recommend against it; but someone like norton offers this, and has a large amount of oversight forced upon them.
Don't they just scan to find your email address as a target as opposed to your password??
One strategy would be to give your current password (hopefully generated by password manager) to them but immediately change it and see what transpires.
Otherwise all those people who use Password123 will all be getting the same alerts?!
If that were the case, they'd find millions of examples. Since every email spam list worth its salt is just ozbargainer1@, ozbargainer2@, ozbargainer3@.
So if your email is any sort of known name, or known topic, you'll be on the list.
It really depends if the password matches; the existence of an address means nothing.
point taken and stored for future use. Thanks!
Not a bargain. Just use https://haveibeenpwned.com/ for free and avoid the marketing BS from these guys
HaveIBeenPwnd is excellent. The guy who wrote it (Troy Hunt) is a Microsoft Regional Director and is a respected security researcher (I've been to one of his presentations). His website was the first to archive and report on stolen passwords before others started copying the idea.
Recently one of my accounts appeared on a hacked list, HaveIBeenPwnd reported it to me, then a couple of days later other services started telling me the same thing (e.g. Firefox). With leaked passwords, time is critical so you may as well use the fastest service. The way it works is your password never gets sent anywhere they store your email address (hashed) and if it appears in a hacker dump you get alerted. It's safe and simple. And it's free!
Just follow the simple rules.. Change your passwords constantly, always use MFA (Multi-Factor Authentication) when available and close accounts when you no longer need a service.
THIS!!!!!
Change your passwords constantly
You mean using a unique password for different site right? Constantly change your password sounds like a full time work.
Every 6 months, get your password manager to remind you and change them. Less required if you have 2FA.
Practically never required if you have 2FA.
On the strict condition that you're not a known target to the general public.
Otherwise you are still at risk of companies falling for social engineering, and you getting "sim jacked" to get your 2nd factor.
@MasterScythe: SIM jack is something that occationally keeps me up at night…. Dammit. Any ways to prevent it from a consumer level??
@Naigrabzo: Just make sure you're with a provider who isnt going to be conned.
I went with Moose for exactly that reason; aussie call centres only.
They know Tom Jones isnt going to sound like Jackie Chan. Kinda makes the scam fall apart at step 1.
If you are a celebrity or a public media icon; you can often get a dedicated rep at the company as your only contact.
The obvious thing there, being that their agent isnt going to mistake them for someone else. Gilbert Gottfrieds manager isnt going to confuse him for cher.
@MasterScythe: I see. Given that I am not a celebrity, I will need to choose a provider with Aussie call centres? I will investigate Coles mobile… I don't think I am going to like the answer….
No deal for me since all my passwords are 'incorrect'
I wonder if there is a porn hub dark web version? Always been on the light side of the web and have never had any experience with the dark side before.
Yes there is, it's the same site just not on the clear web
So everything is dark?
Yep, 'dark' in the way its used for dark magic, or dark thoughts.
You want something sick and illegal that will make you hate humanity? You're in luck.
Id advise against poking that hornets nest.
@MasterScythe: Yeah na I can't stomach anything like that.. I guess I'll stay in the Light Web for now.. I don't want to think too much about anything else other than my self right now.. I guess you have been to the dark side hey?
DARK WEB…….sounds scary af
I've noticed a lot of ads from these guys recently, seems they're just trying to profiteer off an old idea.
God awful privacy policy;
They collect your info from credit companies and
undertake analysis and profiling of your credit information in order to identify and inform you of credit products that we consider are likely to interest you or be suited to your credit circumstances or to enhance our services.
But not only are they trying to sell you credit garbage, they also sell this info on to marketing firms!
We may share your data with other members of our group and with other third parties, such as our service providers, advertisers, Credit Reporting Bodies, our Cybercheck Partners and fraud prevention agencies.
You'd be a fool to use this service.
Got some spam from Clearscore that they have released a new product 'protect' - free dark web monitoring tool.
to OP, there, i reworded it for you.
Sounds like a complete piece of shit.
this company is full of sh*t, one day they suddenly warned me constantly about finding one of my passwords on dark web, and I was like … I never share any password with ClearScore. all they want you to do is keeping you busy with their notification from app to check their offers and deals, which are not the best and this is how they make money out of ya.