Dark web marketplace Silk Road was spotted due to misconfigured privacy software and a CAPTCHA which was broken by multiple access attempts.
According to a document released by consultant and former FBI agent Christopher Tarbell, analysis of the traffic being sent from the Silk Road website did not involve accessing any administrative area or “back door” of the site, as the website’s user login interface was fully accessible to the public and was accessed by username, password and CAPTCHA fields contained in the interface.
“When we did so, the website sent back data to the computer we were using – specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid,” he said.
He also said that upon examining the individual packets of data being sent back from the Silk Road website, it was noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets.
Tarbell said: “The Subject IP address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.
“When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP address was the IP address of the Silk Road server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”
Following this discovery, it was determined that the Subject IP address was assigned to a server hosted at a data centre operated by a foreign company in Iceland. An official request was made on June 12th 2013 to Icelandic authorities to obtain subscriber information associated with the Subject Server, collect routing information for communications sent to and from the Subject Server, including historical routing data from the prior 90 days, and covertly image the contents of the Subject Server.
Security blogger Brian Krebs said he understood the website was detected not by NSA surveillance, but because the CAPTCHA pulled content from the open internet, leaking the site’s true location. Ross W. Ulbricht, a.k.a. Silk Road administrator “Dread Pirate Roberts”, failed to configure other applications to run on the Tor router, therefore leaking the data to the FBI.
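The two failure modes described above, a backend bound to a public interface (Tarbell's account) and a login page that embeds clear-web resources (Krebs's account), can both be caught by a local self-audit before a service goes live. The script below is an added example and is not code from the article or from any party it quotes; the torrc fragment, the listener table in the format of `ss -ltn`, and the HTML login page are constructed samples, and the hosts in them (a TEST-NET-3 address, example.net, a made-up .onion name) are placeholders.

```python
"""
Hidden-service leak self-check (added example, not from the article).

Two misconfigurations are checked offline against constructed inputs:
  1. the web server behind a HiddenServicePort is bound to a non-loopback
     address, so it also answers on the host's real IP;
  2. the login page references resources on clear-web hosts, so every
     visitor's browser (and the server itself, if it fetches them) reveals
     the real location to whoever serves those resources.
"""
import ipaddress
import re
from html.parser import HTMLParser

# Constructed torrc fragment: Tor forwards onion port 80 to a local backend.
TORRC = """
HiddenServiceDir /var/lib/tor/market/
HiddenServicePort 80 127.0.0.1:8080
"""

# Constructed listener table in the column layout of `ss -ltn`.
LISTENERS = """
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
"""

# Constructed login page; 203.0.113.10 and example.net are placeholders.
LOGIN_PAGE = """
<html><body>
<form action="/login">
<img src="/captcha.php">
<img src="http://203.0.113.10/captcha/render?id=42">
<script src="https://cdn.example.net/jquery.js"></script>
<link rel="stylesheet" href="http://abcdefghijklmnop.onion/style.css">
</form></body></html>
"""


def hidden_service_backends(torrc):
    """Return (host, port) backend targets named on HiddenServicePort lines."""
    backends = []
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+\d+\s+(\S+)", line)
        if m:
            host, _, port = m.group(1).rpartition(":")
            backends.append((host.strip("[]"), int(port)))
    return backends


def exposed_listeners(listeners, backends):
    """Listening sockets on a backend port that are not bound to loopback.

    0.0.0.0 and :: count as exposed: they accept traffic on every interface,
    including the public one, which is exactly how the real IP leaks.
    """
    backend_ports = {port for _, port in backends}
    exposed = []
    for line in listeners.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        local = parts[3]                      # Local Address:Port column
        host, _, port = local.rpartition(":")
        if int(port) not in backend_ports:
            continue
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue                          # hostname or wildcard, skip
        if not addr.is_loopback:
            exposed.append(local)
    return exposed


class _ResourceCollector(HTMLParser):
    """Collect every src/href/action attribute value in the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.urls.append(value)


def clearnet_resources(html):
    """Absolute URLs whose host is not a .onion name; relative URLs are fine."""
    collector = _ResourceCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        m = re.match(r"(?i)https?://([^/:?#]+)", url)
        if m and not m.group(1).lower().endswith(".onion"):
            leaks.append(url)
    return leaks


if __name__ == "__main__":
    backends = hidden_service_backends(TORRC)
    print("backends:", backends)
    print("exposed listeners:", exposed_listeners(LISTENERS, backends))
    print("clear-web resources:", clearnet_resources(LOGIN_PAGE))
```

On the constructed input the listener check flags both wildcard bindings of port 8080 (IPv4 and IPv6) while ignoring the loopback SSH listener, and the page check reports the two clear-web URLs but accepts the relative CAPTCHA path and the .onion stylesheet. On a real host the same functions would be fed the output of `ss -ltn` and the HTML returned by the service over Tor.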
Software developer and security blogger Nik Cubrilovic said on his blog that there are many, many ways that a Tor configuration can leak and reveal details about a user that could lead to them being identified. “The cited wiki page on the Tor project website lists a number of the potential leaks. One problem – the page they link to and cite refers to Tor clients – not hidden services,” he said.
“The leak issues and attack vectors on that page are for end users of Tor browsing the web or hidden services (it goes into how to use an isolating proxy, how to torify certain applications such as email and irc clients, etc.), they don’t apply to Tor hidden services and servers.”
However Cubrilovic doubted the detailed version of events, claiming that the Silk Road image CAPTCHA was hosted on the same server and at the same hidden URL as the Silk Road website, and was not a third-party CAPTCHA. “The CAPTCHA image was produced by a script that sat alongside the login and authentication endpoints,” he said.
“The CAPTCHA being hosted on the same server and endpoint as the main Silk Road application caused the site problems. Since generating a CAPTCHA is resource intensive, there was a DoS attack against Silk Road which did nothing more than continuously request CAPTCHA images. The site was later modified to use cached versions of the CAPTCHA images, but these too were served from the same host and onion as the web application.”
He went on to claim that Ulbricht was not an experienced programmer and was learning how to develop web applications and write PHP at the same time as he was implementing the Silk Road web application.
“A much more plausible explanation is that the FBI discovered a security exploit or information leak in the login page, in the same way a number of other people discovered similar security holes or information leaks in both the login page and the Silk Road application itself,” Cubrilovic said.