The big news this week was the FBI's complaint and warrant for the arrest of Ross William Ulbricht, aka Silk Road founder “Dread Pirate Roberts”.
The “dark” website, not hosted on the world wide web but accessible via The Onion Router (TOR), reportedly had close to a million users and allowed registered users to dabble in art and erotica, but also in drugs, weapons and malware. The issue here, apart from apparently melting the website of security blogger Brian Krebs, who hosted a PDF copy of the warrant for a time, is that despite the strong security needed both to access the Silk Road and to hide the site from public access, some failings around (ironically) fake ID cards were what brought the site down.
This has led to a greater focus being placed on TOR, which said in a blog that it has been watching for any flaws within it that it needs to correct, and has discovered nothing. As the work to identify Ulbricht and the Silk Road content was done by good old police work, it has suffered little so far apart from bad PR by association.
Its blog said: “Remember: TOR does not anonymise individuals when they use their legal name on a public forum, use a VPN with logs that are subject to a subpoena, or provide personal information to other services.
“Also, while we’ve seen no evidence that this case involved breaking into the web server behind the hidden service, we should take this opportunity to emphasise that Tor’s hidden service feature (a way to publish and access content anonymously) won’t keep someone anonymous when paired with unsafe software or unsafe behaviour. It is up to the publisher to choose and configure server software that is resistant to attacks. Mistakes in configuring or maintaining a hidden service website can compromise the publisher’s anonymity independent of Tor.”
TOR will get added attention for some time and it is good that it has made this statement, but the danger is that through the association with such a site, and through no fault of its own, it is deemed to be the bad guy.
Also facing a challenging week is the United States. Well, not all of them, but government departments, who are partly sitting with their feet up playing GTA 5 as a result of the budget stalemate and shutdown. Firstly there was the question of how many members of staff would not be able to go to work, and how 31,000 fewer members of staff at the Department of Homeland Security would affect national security.
Now, it has transpired that SSL certificates have begun to expire and websites are either not being updated, or are redirecting to other domains. Whether this can be blamed on the shutdown is unclear, but would these certificates be expiring if full attention were not on trying to get the country back online?
Finally, back in Blighty, minutes were released this week in which it was revealed that UK banks will face a stress test and checks on their resilience to cyber attacks. With the financial system among the most targeted verticals, it is commendable that the UK is seeking not only to secure the banks, but to ensure that they remain secure through some level of penetration testing.
The minutes blamed problems in vulnerabilities, a reliance on centralised market infrastructure and “complex legacy IT systems” for a lack of sophistication. While replacing the technology is one option, is testing resiliency in existing infrastructure another when it is known to be outdated? Surely a better option would be to ensure there is modern technology rather than trying to break what is there to prove what is already known?