IT Security Guru

Leaky Captcha enabled Silk Road detection and takedown

by The Gurus
September 8, 2014
in Editor's News

Dark web marketplace Silk Road was located because its privacy software was misconfigured and the CAPTCHA on its login page leaked the server's real IP address when investigators repeatedly accessed the login interface.
 
According to a document released by consultant and former FBI agent Christopher Tarbell, the analysis of traffic sent from the Silk Road website did not involve accessing any administrative area or “back door” of the site. The website’s user login interface was fully accessible to the public, and investigators simply entered data into the username, password and CAPTCHA fields it contained.
 
“When we did so, the website sent back data to the computer we were using – specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid,” he said.
 
He also said that, on examining the individual packets sent back from the Silk Road website, investigators noticed that the headers of some packets gave as their source an IP address not associated with any known Tor node.
 
Tarbell said: “The Subject IP address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.
 
“When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP address was the IP address of the Silk Road server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”
 
Following this discovery, it was determined that the Subject IP address was assigned to a server hosted at a data centre operated by a foreign company in Iceland. An official request was made on June 12th 2013 to Icelandic authorities to obtain subscriber information associated with the Subject Server, to collect routing information for communications sent to and from the Subject Server, including historical routing data from the prior 90 days, and to covertly image the contents of the Subject Server.
 
Security blogger Brian Krebs said he understood the website was detected not by NSA surveillance but because the CAPTCHA pulled content from the open internet, leaking the site’s true location. Ross W. Ulbricht, the Silk Road administrator known as “Dread Pirate Roberts”, had failed to configure the other applications on the server to route through Tor, so they leaked data to the FBI.
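The two observations above, Tarbell's (packets from the hidden service carrying a non-Tor source address) and Krebs's (a login page pulling a sub-resource from the open internet), can both be checked offline from captured data. The script below is an added example and is not code from the article, the FBI declaration or anyone quoted in it; the relay list, packet sources, login page and .onion name are all constructed for illustration, and the IP addresses are documentation ranges.

```python
"""Two offline checks for the kind of hidden-service leak described above.

Added example: this is not code from the article, the FBI declaration or
any party quoted. Every input below is constructed for illustration; the
IP addresses are documentation ranges and the .onion name is made up.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Tor consensus (relay addresses). In practice
# you would load this from a cached consensus document or an Onionoo export.
KNOWN_TOR_RELAYS = {"198.51.100.7", "198.51.100.8", "203.0.113.44"}

# Constructed: source addresses read from the headers of packets that came
# back from the hidden service, as in Tarbell's account.
OBSERVED_SOURCES = ["198.51.100.7", "198.51.100.7", "192.0.2.10", "203.0.113.44"]

# Constructed login page. The CAPTCHA image is fetched from a clearnet IP
# instead of a relative path served through the onion address.
LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="username"><input name="password">
  <img src="http://192.0.2.10/captcha.php?id=7" alt="captcha">
  <input name="captcha">
  <link rel="stylesheet" href="/static/style.css">
  <script src="//examplehiddenservice.onion/js/login.js"></script>
</form></body></html>"""


def non_tor_sources(observed, relays):
    """Source addresses that are not a known Tor relay (Tarbell's header check).

    A properly configured hidden service only ever answers through the Tor
    network, so the source of every packet should be a relay; anything else
    is a candidate for the service's real address.
    """
    suspicious = set()
    for raw in observed:
        addr = ipaddress.ip_address(raw)      # raises on garbage input
        if addr.is_loopback:
            continue                          # local capture noise, not a leak
        if str(addr) not in relays:
            suspicious.add(str(addr))
    return sorted(suspicious)


class _SubresourceCollector(HTMLParser):
    """Collects the URLs a browser would fetch or submit to when rendering the page."""
    URL_ATTRS = {"img": "src", "script": "src", "link": "href",
                 "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def clearnet_references(html):
    """URLs in the page whose host is not a .onion name (Krebs's explanation).

    Relative URLs resolve against the onion address and stay inside the
    hidden service; an absolute URL naming a clearnet host or IP tells every
    visitor where that part of the page is really served from.
    """
    collector = _SubresourceCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        host = urlsplit(url).hostname
        if not host:
            continue                          # relative URL: same onion
        if not host.endswith(".onion"):
            leaks.append(url)
    return leaks


if __name__ == "__main__":
    print("non-Tor packet sources:", non_tor_sources(OBSERVED_SOURCES, KNOWN_TOR_RELAYS))
    print("clearnet references in login page:", clearnet_references(LOGIN_PAGE))
```

Neither check needs network access, which matters for the confirmation step Tarbell describes: once a candidate address falls out of `non_tor_sources`, fetching it directly from a non-Tor browser and comparing the response with the onion site's login page is the manual step that ties the two together. On the defensive side, the same `clearnet_references` scan run against every page a hidden service serves is a cheap pre-deployment check, alongside binding the web server to 127.0.0.1 so that no interface other than the local tor daemon can reach it.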
 
Software developer and security blogger Nik Cubrilovic said in his blog that there are many ways a Tor configuration can leak and reveal details that could lead to a user being identified. “The cited wiki page on the Tor project website lists a number of the potential leaks. One problem – the page they link to and cite refers to Tor clients – not hidden services,” he said.
 
“The leak issues and attack vectors on that page are for end users of Tor browsing the web or hidden services (it goes into how to use an isolating proxy, how to torify certain applications such as email and IRC clients, etc.); they don’t apply to Tor hidden services and servers.”
 
However, Cubrilovic doubted this version of events, claiming that the Silk Road image CAPTCHA was hosted on the same server, and at the same hidden URL, as the Silk Road website, and was not a third-party CAPTCHA. “The CAPTCHA image was produced by a script that sat alongside the login and authentication endpoints,” he said.
 
“The CAPTCHA being hosted on the same server and endpoint as the main Silk Road application caused the site problems. Since generating a CAPTCHA is resource intensive, there was a DoS attack against Silk Road which did nothing more than continuously request CAPTCHA images. The site was later modified to use cached versions of the CAPTCHA images, but these too were served from the same host and onion as the web application.”
 
He went on to claim that Ulbricht was not an experienced programmer and was learning how to develop web applications and write PHP at the same time as he was implementing the Silk Road web application.
 
“A much more plausible explanation is that the FBI discovered a security exploit or information leak in the login page, in the same way a number of other people discovered similar security holes or information leaks in both the login page and the Silk Road application itself,” Cubrilovic said.
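The resource-exhaustion problem Cubrilovic describes, where a client can tie up the server simply by requesting CAPTCHA images in a loop, and the caching that was later bolted on, are easy to reproduce in miniature. The script below is an added example, not code from the article or from Cubrilovic's post: it places a naive endpoint that renders on every request next to one that serves from a pre-rendered pool and rate-limits per session. Image rendering is replaced by a hash so it runs offline, the "cost" is a counter of how often that step runs, and the pool size, limit and window are arbitrary values chosen for the demonstration.

```python
"""An uncached CAPTCHA endpoint as a DoS vector, and one way to contain it.

Added example, not code from the article or from Cubrilovic's post. Image
rendering is replaced by a hash so the script runs offline; "cost" is simply
how many times the rendering step was invoked. Pool size, rate limit and
window are arbitrary choices for the demonstration.
"""
import hashlib
import random
import secrets
from collections import deque

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
RENDER_CALLS = 0  # counts invocations of the expensive step


def render_captcha(answer):
    """Stand-in for rendering the distorted image (the expensive step)."""
    global RENDER_CALLS
    RENDER_CALLS += 1
    return hashlib.sha256(answer.encode()).digest()  # pretend this is a PNG


def new_answer(rng):
    return "".join(rng.choice(ALPHABET) for _ in range(6))


class NaiveCaptchaEndpoint:
    """Renders a fresh image on every request: server cost grows with each hit."""

    def __init__(self, rng):
        self.rng = rng
        self.pending = {}  # token -> expected answer (also grows without bound)

    def serve(self, client_id, now):
        answer = new_answer(self.rng)
        token = secrets.token_hex(8)
        self.pending[token] = answer
        return token, render_captcha(answer)

    def verify(self, token, guess):
        return self.pending.pop(token, None) == guess


class PooledCaptchaEndpoint:
    """Serves images from a pre-rendered pool and rate-limits per session.

    The image is reused but its answer is bound to a fresh single-use token,
    so a cached image cannot be replayed once solved. The limit is keyed by a
    session identifier, not by IP address: behind a hidden service every
    request arrives from the local tor daemon, so source IPs are useless.
    """

    def __init__(self, rng, pool_size=64, limit=5, window=60.0):
        self.rng = rng
        self.pool = [(a, render_captcha(a)) for a in (new_answer(rng) for _ in range(pool_size))]
        self.limit, self.window = limit, window
        self.history = {}  # client_id -> deque of request times
        self.pending = {}  # token -> expected answer

    def serve(self, client_id, now):
        times = self.history.setdefault(client_id, deque())
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) >= self.limit:
            return None  # HTTP 429 in a real endpoint
        times.append(now)
        answer, image = self.rng.choice(self.pool)
        token = secrets.token_hex(8)
        self.pending[token] = answer
        return token, image

    def verify(self, token, guess):
        return self.pending.pop(token, None) == guess


def flood(endpoint, client_id, n, now=0.0):
    """One client requests n challenges; return (challenges served, renders triggered)."""
    before = RENDER_CALLS
    served = sum(1 for _ in range(n) if endpoint.serve(client_id, now) is not None)
    return served, RENDER_CALLS - before


if __name__ == "__main__":
    print("naive :", flood(NaiveCaptchaEndpoint(random.Random(1)), "attacker", 1000))
    print("pooled:", flood(PooledCaptchaEndpoint(random.Random(2)), "attacker", 1000))
```

The trade-off is that a pool is a finite set of challenges, so it has to be rotated in the background and each serve must be bound to a single-use token as above; caching the images alone, which is what Cubrilovic says Silk Road did, removes the rendering cost but leaves every cached image answerable once someone has solved it. The naive endpoint also shows a second exhaustion path that has nothing to do with CPU: its pending-answer table grows by one entry per request and is never pruned.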

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic
