Memo to online crooks: Forget Tor exploits, sloppy opsec will get you every time.
by Dan Goodin
What will get you in the end is sloppy opsec. Short for operations security, it encompasses a sprawling list of disciplines, including keeping PCs free of malware, encrypting e-mail and other communications, and placing an impenetrable firewall between public and personal identities.
The latest high-profile criminal defendant to get a first-hand lesson in the perils of poor opsec is Ross William Ulbricht. The 29-year-old Texan was arrested on Tuesday on allegations he was the kingpin behind Silk Road, an online drug bazaar prosecutors said arranged more than $1 billion in sales of heroin and other illicit substances to hundreds of thousands of buyers. A 39-page complaint alleges that he was known as "Dread Pirate Roberts" in Silk Road forums. An FBI agent went on to say Ulbricht controlled every aspect of the site, including crucial server infrastructure and programming code that used the Tor anonymity service and Bitcoin digital currency to conceal the identities of operators, sellers, and buyers.
Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called "altoid" advertised that he was looking for an "IT pro in the Bitcoin community" to work in a venture-backed startup. The post directed applicants to send responses to "rossulbricht at gmail dot com." It came about nine months after two previous posts—also made by a user "altoid," to shroomery.org and Bitcoin Talk—were among the first to advertise a hidden Tor service that operated as a kind of "anonymous amazon.com." Both of the earlier posts referenced silkroad420.wordpress.com.
If altoid's solicitation for a Bitcoin-conversant IT pro wasn't enough to make Ulbricht a person of interest in the FBI's ongoing probe, other digital bread crumbs were sure to arouse agents' suspicions. The Google+ profile tied to the rossulbricht@gmail.com address included a list of favorite videos originating from mises.org, the website of the Mises Institute. The site billed itself as the "world center of the Austrian School of economics" and contained a user profile for one Ross Ulbricht. Several Dread Pirate Roberts postings on Silk Road cited "Austrian Economic theory" and the works of Mises Institute economists Ludwig von Mises and Murray Rothbard as providing the guiding principles for the illicit drug market.
The clues didn't stop there. In early March 2012 someone created an account on Stack Overflow with the username Ross Ulbricht and the rossulbricht@gmail.com address, the criminal complaint alleged. On March 16 at 8:39 in the morning, the account was used to post a message titled "How can I connect to a Tor hidden service using curl in php?" Less than one minute later, the account was updated to change the username from Ross Ulbricht to "frosty." Several weeks later, the account was again updated, this time to replace the Ulbricht gmail address with frosty@frosty.com. In July 2013, a forensic analysis of the hard drives used to run one of the Silk Road servers revealed a PHP script based on curl that contained code identical to that included in the Stack Overflow discussion, the complaint alleged.
A cautionary tale
The sloppiness portrayed in the court documents is by no means unique to the Silk Road case. Indeed, Hector "Sabu" Monsegur, one of the leaders behind a spree of crimes carried out by Anonymous offshoot LulzSec, reportedly accidentally joined an Anonymous IRC server from his own IP address rather than connecting through Tor. If that single error wasn't enough for authorities to identify him, Monsegur's fate was sealed when the prvt.org Internet domain frequently referenced by Sabu was briefly tied to Monsegur's real-world persona.
A gang accused in 2010 of perpetrating a $4 million fraudulent tax return racket was also undone when one of its members allegedly failed to hide his home IP address in communications with an informant.
Wednesday's complaint comes two months after FBI agents exploited a vulnerability in the Firefox browser to unmask Tor users suspected of participating in a child pornography site. There's no evidence Silk Road was brought down through similar tactics, although at this early stage they can't be ruled out conclusively. What is more in evidence is that, like Monsegur and countless other criminal defendants before him, Ulbricht's lack of opsec was key in drawing the attention of investigators.
The complaint reads as a cautionary tale about the asymmetrical challenge of staying truly anonymous on the Internet, even when government agents or other snoops don't exploit obscure vulnerabilities or wield the massive surveillance apparatus of the National Security Agency. End users have to get it right every single time they go online, without slipping up even once. The FBI, and even grassroots investigators with the time to look, only need to stay vigilant and wait to get lucky.
Courtesy: arstechnica