Welcome to my computer games design blog ..

Tuesday 9 September 2014

Silk Road closed

FBI used ‘leaky Captcha’ to catch Silk Road's hidden servers

by   08 Sep 2014        

Dodgy Captcha sinks Silk Road cyber black market    
 
The FBI used a leaky anti-abuse Captcha tool to find the infamous Silk Road servers' geographic location and arrest its founder Ross William Ulbricht.

Silk Road was a deep web black marketplace that was known to facilitate the trade of illegal substances and services, including class A drugs and hitmen. It was shut down by the FBI in October 2013.

It was originally unclear how the FBI had managed to track the service's command-and-control server and author, as the hidden web service leveraged the anonymising Tor network.

However, according to recently disclosed court documents, the FBI managed to track the services after spotting an IP address linked to Silk Road that was not being protected by the Tor network.

"We noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the ‘Subject IP Address’) was the only non-Tor source IP address reflected in the traffic we examined," read the FBI's court testimony.

"The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal."

The FBI reportedly tracked the IP address to an insecure Captcha used by Silk Road, which in turn led them to one of the hidden service's servers, which was located in Iceland.

"When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the Captcha prompt) appeared," read the testimony.

"This indicated that the Subject IP Address was the IP address of the SR [Silk Road] Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor."

The revelation follows widespread reports that law enforcement and hackers are trying to find ways to track Tor users.

The Tor Project issued a security advisory warning it had detected evidence that hackers were hitting the network with cyber attacks that could de-anonymise hidden services running on it in July.
