Month: February 2015
A jury has spoken, and the mask is off: Ross Ulbricht has been convicted of being the Dread Pirate Roberts, secret mastermind of the Silk Road online narcotics empire.
On Wednesday, less than a month after his trial began in a downtown Manhattan courtroom, 30-year-old Ulbricht was convicted of all seven crimes he was charged with, including narcotics and money laundering conspiracies and a “kingpin” charge usually reserved for mafia dons and drug cartel leaders. It took the jury only 3.5 hours to return a verdict. Ulbricht faces a minimum of 30 years in prison; the maximum is life. But Ulbricht’s legal team has said it will appeal the decision, and cited its frequent calls for a mistrial and protests against the judge’s decisions throughout the case.
As the verdict was read, Ulbricht stared straight ahead. His mother Lyn Ulbricht slowly shook her head, and his father Kirk put a hand to his temple. After the verdict, Ulbricht turned around to give his family a stoic smile.
“This is not the end,” Ulbricht’s mother said loudly as he was led out of the courtroom. “Ross is a hero!” shouted a supporter.
From his first pre-trial hearings in New York, the government’s evidence that Ulbricht ran the Silk Road’s billion-dollar marketplace under the pseudonym the Dread Pirate Roberts was practically overwhelming. When the FBI arrested Ulbricht in the science fiction section of a San Francisco public library in October 2013, his fingers were literally on the keyboard of his laptop, which was logged into the Silk Road’s “mastermind” account. On the seized laptop’s hard drive, investigators quickly found a journal, a daily logbook, and thousands of pages of private chat logs that chronicled his years of planning, creating and running the Silk Road day to day. That red-handed evidence was bolstered by a college friend of Ulbricht’s, who testified at trial that the young Texan had confessed to him that he created the Silk Road. On top of that, notes found crumpled in his bedroom’s trashcan related to the Silk Road’s code. The verdict was locked down further by a former FBI agent’s analysis that traced $13.4 million worth of the black market’s bitcoins from the Silk Road’s servers in Iceland and Pennsylvania to the bitcoin wallet on Ulbricht’s laptop.
Ulbricht’s defense team quickly admitted at trial that Ulbricht had created the Silk Road. But his attorneys argued that it had been merely an “economic experiment,” one that he quickly gave up to other individuals who grew the site into the massive drug empire the Silk Road represented at its peak in late 2013. Those purported operators of the site, including the “real” Dread Pirate Roberts, they argued, had framed Ulbricht as the “perfect fall guy.”
“The real Dread Pirate Roberts is out there,” Ulbricht’s lead attorney Joshua Dratel told the jury in opening statements.
But that dramatic alternative theory was never backed up with a credible explanation of the damning evidence found on Ulbricht’s personal computer. The defense was left to argue that Ulbricht’s laptop had been hacked and voluminous incriminating files injected into it, perhaps via a BitTorrent connection he was using to download an episode of the Colbert Report at the time of his arrest. In their closing arguments, prosecutors called that story a “wild conspiracy theory” and a “desperate attempt to create a smokescreen.” It seems the jury agreed.
Despite the case’s grim outcome for Ulbricht, his defense team seemed throughout the trial to be laying the grounds for an appeal. His lead attorney Joshua Dratel called for a mistrial no less than five times, and was rejected by the judge each time. Dratel’s protests began with pre-trial motions to preclude a large portion of the prosecution’s evidence based on what he described as an illegal, warrantless hack of the Silk Road’s Icelandic server by FBI investigators seeking to locate the computer despite its use of the Tor anonymity software. As the trial began, Dratel butted heads with the prosecution and judge again on the issue of cross-examining a Department of Homeland Security witness on the agency’s alternative suspects in the case, including bitcoin mogul and Mt. Gox CEO Mark Karpeles. And in the last days of the trial, Dratel strongly objected again to a decision by the judge to disallow two of the defense’s expert witnesses based on a lack of qualifications.
“What you saw in terms of length of deliberations is demonstrative of [what happens] when the defense is precluded and limited and circumscribed in the way that it was,” Dratel told reporters outside the courthouse, confirming that he will appeal the decision.
“It was not an even playing field,” added Ulbricht’s mother. “It was not a fair trial.”
Even so, the verdict will no doubt be seen by many as U.S. law enforcement striking a significant blow against the dark web’s burgeoning drug trade. More broadly, the case demonstrates the limits of anonymity tools like Tor and bitcoin against the surveillance powers of the U.S. government. It is worth noting what actually tied the pseudonym to the person, because none of it involved breaking the cryptography behind either tool: investigators located the server, seized a laptop while it was unlocked and logged in, obtained a friend’s testimony, and followed transactions on bitcoin’s public blockchain, where pseudonymous addresses can be traced from one wallet to another. In spite of his use of those tools and others, Ulbricht couldn’t prevent the combined efforts of the FBI, DHS, and IRS from linking his pseudonym to his real-world identity.
But Ulbricht will nonetheless be remembered not just for his conviction, but also for ushering in a new age of online black markets. Today’s leading dark web drug sites like Agora and Evolution offer more narcotics listings than the Silk Road ever did, and have outlived law enforcement’s crackdown on their competitors. Tracking down and prosecuting those new sites’ operators, like prosecuting Ulbricht, will likely require the same intense, multi-year investigations by three-letter agencies.
If the feds do find the administrators of the next generation of dark web drug sites, as they found Ulbricht, don’t expect those online drug lords to let their laptops be snatched from a public library table while unlocked and logged in, or to have kept assiduous journals of their criminal conspiracies. The Dread Pirate Roberts’ successors have no doubt been watching his trial unfold and learning from his mistakes. And the next guilty verdict may not be so easy.
The latest threat to users involves a fake Flash Player update which pops up during a preview of a pornographic video.
Once you click on the link to update your video player, malware (the name given to malicious software) downloads onto your computer.
This Trojan horse software gives its operator remote access to your computer, which they can then use to install further malware.
Security researcher Mohammad Faghani alerted users to the threat in a post to the Full Disclosure mailing list, a public forum for vulnerability and malware reports.
“The Trojan tags the infected user’s friends with an enticing post,” he explained.
Faghani warned that the malware then tags up to 20 of the victim’s friends in the malicious post, exposing a far larger number of users.
He believes it could “infect more than 110,000 users in two days”.
Faghani also said the malware was able to hijack keyboard and mouse movement.
In response, Facebook said it was aware of the problem and was working to block it.
In a statement issued to security news website Threatpost, a Facebook spokesperson said: “We use a number of automated systems to identify potentially harmful links and stop them from spreading.
“In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites.
“We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”
Last week, a hacker group called Lizard Squad had hinted it was responsible for Facebook, Instagram and Tinder going down.
Facebook denied it was hacked, saying the access issues were “not the result of a third party attack”.
James Lewis, a cybersecurity expert at the Washington DC-based Center for Strategic and International Studies (CSIS), says that no company can prevent an attack launched by hackers who have the resources of a nation-state behind them from succeeding.
He believes the hackers who breached Sony’s network in late 2014 and leaked huge amounts of confidential information were backed by the North Korean government.
“It is simply not possible to beat these hackers,” Mr Lewis says. “Criminals want to make money, and if they find it difficult to get into your network they will move on to another target.
“But the Sony hack was not done for money – it was politically motivated and vindictive.”
Other experts have expressed doubts, though, over whether Pyongyang was really behind the hack, and North Korea has consistently denied involvement in the security breach.
Government-backed attackers have far greater resources at their disposal than criminal hacker gangs, and if necessary they may be able to make use of “other measures” such as human agents or communications intercepts to successfully bypass any security measures, he explains.
“Government-backed hackers simply won’t give up – they will keep trying until they succeed,” Mr Lewis adds.
This calls for a fundamental rethink in the way the companies calculate security risk and how they mitigate it, he believes.
“Right now most companies are underestimating risk. So the question they need to be asking is, ‘How do I change what I do to take into account this risk?'”
Many security experts believe the answer to this question is to focus efforts on detecting security breaches as quickly as possible and then responding appropriately to minimise the harm they can do.
“This is where I would find fault with Sony – not in the breach itself, but in not detecting it quickly, and failing to prevent the exfiltration of large amounts of data,” says Rick Holland, a security and risk management analyst at Forrester Research.
“But this is pretty typical of many companies out there,” he adds.
Effectively many companies have erected high walls to try to deter intruders, but they are failing to post guards on the walls to spot when intruders climb over them.
Mr Holland believes that minimising the damage hackers do when they inevitably force their way on to corporate networks involves making big changes to the way that those networks are designed.
“If you look at the way networks are at the moment, most of them are fundamentally insecure,” he says.
“Once an attacker gets into an environment it’s like a shopping trolley dash but without the clock – you can just take whatever you like.”
He recommends that companies make more effort to segment their networks: separating one part of the network from another so that intruders who get onto one segment can reach only the data in that segment and no more. In practice that means filtering traffic between segments and permitting only the specific services each segment needs, so that a foothold on a workstation subnet does not translate into reachability to every server.
“What you need is a bulkhead approach like in a ship: if the hull gets breached you can close the bulkhead and limit the damage,” Mr Holland says.
Divide and conquer
In some industries, such as oil and gas, there is a practice of “air gapping” important computer infrastructure such as control systems – physically disconnecting them from corporate networks so that hackers can’t get to them from the rest of the network.
While this approach can be effective, Mr Holland believes it would be impractical for most businesses, because it would be too inconvenient for employees and productivity would suffer. As a result they would probably close the air gap somehow, perhaps by setting up an unauthorised wi-fi link.
The Sony hackers are likely to have damaged Sony’s reputation significantly by leaking some of the confidential email exchanges that they stole.
One measure that Mr Holland suggests companies adopt to prevent this is to reduce their “embarrassment footprint” by ensuring that unnecessary data is deleted promptly so that there is less for hackers to steal.
“Companies can certainly have too much data, and they need to identify the data they don’t need and kill it,” he says.
This leaves many companies with something of a dilemma, because of the growing popularity of big data analysis. Big data projects require that data is collected and stored rather than deleted so it can be analysed to uncover previously unknown patterns, trends and correlations.
Akamai saw nearly double the number of DDoS attacks in Q4 2014 compared with Q4 2013, and nearly half of them used multiple attack vectors. There was a 200% increase in the number of attacks exceeding 100 Gbps from a year earlier, and the average attack lasted 28% longer, according to analysis by Akamai’s Prolexic Security Engineering and Research Team (PLXsert). DDoS-for-hire services are thriving, to the point that they let attackers with no technical skill launch attacks.
“An incredible number of DDoS attacks occurred in the fourth quarter, almost double what we observed in Q4 a year ago,” said John Summers, vice president of Akamai’s Cloud Security Business Unit. Akamai said it mitigated nine attacks that exceeded 100 Gbps, and there was a 52% increase in the average peak bandwidth of DDoS attacks compared to Q4 2013.
More percentages and comparisons for Q4 2014 and Q4 2013 were published in Akamai Technologies Q4 2014 State of the Internet Security Report (pdf).
Akamai’s analysis found that UDP-based attacks were the most common, and that the protocols most used for reflection were NTP, CHARGEN and SSDP. Regarding the sharp 57% increase in DDoS attacks from a year ago, Dave Lewis, Global Security Advocate for Akamai Technologies, explained that one of the main reasons was a “241% increase in the number of attacks that leveraged SSDP floods.” He added:
What, might you ask, is SSDP? This stands for Simple Service Discovery Protocol. This is a service that can be used by attackers to reflect traffic against a target in a DDoS attack. Attackers can amplify the signal of their attack bringing a larger amount of attack traffic against the target than they could otherwise based on the volume of just attacking nodes. SSDP is commonly found in devices using Universal Plug and Play (UPnP). The largest attack that was witnessed in this instance was one that reached 106 Gbps of malicious traffic.
“This is an example of what can happen with poorly configured, or worse, devices with no security controls that are rolled out as a component of the Internet of Things (IoT),” Lewis added. “As the Internet of Things continues to increase we will see more opportunities for attackers to leverage devices to increase the size and scope of their botnets.”
US was the country responsible for the most DDoS traffic in Q4
The United States topped the list of source countries, while Russia sat at the bottom of the top ten. Note that “source” here is determined by the source IP address of the attacking traffic, which for botnet and reflection attacks is where the compromised or abused devices sit, not where whoever launched the attack is located.
The US was named the top source country for DDoS traffic at 31.54%. China was next with 17.61%; together, the US and China were responsible for nearly half of all attack traffic in Q4. Germany followed at 12%, then Mexico at 11.69%, France at 7.64%, India at 4.31%, Spain at 4.12%, the UK at 3.8%, Korea at 3.65% and Russia at 3.64%.
Gaming, then software and tech industries were the most attacked in Q4
Akamai said it mitigated the most DDoS attacks during the last two weeks of December; comparing the last week of December 2014 to the last week of 2013, there was a 1,110% increase in attacks. The Christmas DDoS against Microsoft Xbox Live and the Sony PlayStation Network pushed the gaming industry to the top of the most-attacked list. In fact, “the last four attacks that reached 100+ Gbps all targeted the gaming industry.” The Akamai report stated, “Another trend was the holding of networks hostage, where the owners were asked to pay a small ransom to stop a DDoS attack.”
While the gaming industry absorbed 35.33% of all DDoS attacks in Q4, software and technology companies were the second most targeted industry, hit with 26.58% of attacks. Although their share is smaller, software and technology providers of services such as cloud-based technology and Software-as-a-Service (SaaS) saw the biggest surge in attack rates, up 7% from Q3.
Most targeted application layer in Q4
While 10.31% of DDoS attacks targeted the application layer in Q4, infrastructure attacks made up 89.69% of all attack vectors.
“Attackers’ preference for volumetric infrastructure-based attacks may be due to ease of execution: Internet infrastructure is growing. Surging economies and millions of Internet-enabled devices are being added worldwide, making new resources available for exploitation, botnet building and DDoS attacks. Infrastructure-based attack resources are plentiful.”
DDoS-for-hire attack innovation
“DDoS-for-hire booter suites took a low-investment approach by tapping into reflection-based DDoS attacks,” stated the press release about Akamai Technologies Q4 2014 State of the Internet Security Report. About “40% of all DDoS attacks used reflection techniques, which rely on Internet protocols that respond with more traffic than they receive and do not require an attacker to gain control over the server or device.”
The market for DDoS-for-hire services, sometimes referred to as stressers or booters, “promoted multi-vector campaigns as the competitive market drove attack innovation.” There were 88% more multi-vector attacks this quarter than in Q4 2013, and more than 44% of all attacks used multiple attack vectors.
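The SSDP reflection mechanism Dave Lewis describes above, and the reflection and multi-vector figures in this section, as an added example that is not code from the Akamai report or the original article. The Python script below shows the two properties the text relies on: a reflector answers a small forged request with a larger reply (a genuine SSDP M-SEARCH probe is compared against a constructed, format-correct UPnP response), and a booter campaign mixes several reflection vectors, which the script tallies from a handful of constructed NetFlow-style records. The flow records and IP addresses, the 100 kB per-flow threshold, and the inclusion of DNS (port 53) alongside the three protocols the report names are assumptions made for this example.

```python
"""Spot UDP reflection floods in flow records and size the SSDP amplification.

Added example, not code from the Akamai report or the article. Flow records,
addresses and thresholds below are constructed for the demonstration.
"""
from collections import defaultdict

# UDP source ports of the reflection services the report names (NTP, CHARGEN,
# SSDP). DNS is added here as an assumption; it is not mentioned in the text.
REFLECTOR_PORTS = {123: "NTP", 19: "CHARGEN", 1900: "SSDP", 53: "DNS"}

# A genuine SSDP discovery probe. An attacker sends this with the victim's
# address as the spoofed source. HOST is the UPnP multicast group, but exposed
# devices answer a unicast copy just the same.
SSDP_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

# Constructed but format-correct reply from a home router. With ST: ssdp:all
# a device answers once per advertised service, so one probe can draw several.
SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.4 UPnP/1.0 MiniUPnPd/1.8\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def amplification_factor(request, response, responses_per_request=1):
    """Bytes the reflector emits toward the victim per byte the attacker sends."""
    return len(response) * responses_per_request / len(request)


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# The first four rows are reflected flood traffic aimed at 203.0.113.5; the
# rest is ordinary traffic or too small to be a flood and must not count.
FLOWS = [
    ("198.51.100.7",  1900, "203.0.113.5", 41325, "udp", 4_200_000),
    ("198.51.100.8",  1900, "203.0.113.5", 53221, "udp", 3_900_000),
    ("198.51.100.9",   123, "203.0.113.5", 11987, "udp", 1_500_000),
    ("198.51.100.10",   19, "203.0.113.5", 60001, "udp",   400_000),
    ("192.0.2.20",     443, "203.0.113.5", 50512, "tcp",    12_000),
    ("192.0.2.30",    1900, "203.0.113.5", 38111, "udp",       600),  # one real SSDP reply
    ("198.51.100.11", 1900, "203.0.113.9", 40000, "udp", 2_000_000),  # different victim
]


def classify_reflection(flows, target, min_bytes=100_000):
    """Return bytes per reflection vector aimed at `target`.

    A flow counts only if it is UDP, sourced from a known reflector port and
    above a volume threshold (an assumed value) that keeps a single
    legitimate NTP or SSDP reply from registering as attack traffic.
    """
    by_vector = defaultdict(int)
    for _src, sport, dst, _dport, proto, nbytes in flows:
        if dst != target or proto != "udp" or nbytes < min_bytes:
            continue
        vector = REFLECTOR_PORTS.get(sport)
        if vector is not None:
            by_vector[vector] += nbytes
    return dict(by_vector)


def summarize(flows, target):
    """Vectors in play, whether the campaign is multi-vector, and each share."""
    by_vector = classify_reflection(flows, target)
    total = sum(by_vector.values())
    return {
        "vectors": sorted(by_vector),
        "multi_vector": len(by_vector) > 1,
        "total_bytes": total,
        "share": {v: round(b / total, 3) for v, b in by_vector.items()} if total else {},
    }


if __name__ == "__main__":
    factor = amplification_factor(SSDP_MSEARCH, SSDP_RESPONSE)
    print(f"SSDP: {len(SSDP_MSEARCH)}-byte probe, {len(SSDP_RESPONSE)}-byte reply, "
          f"{factor:.1f}x per response")
    print(summarize(FLOWS, "203.0.113.5"))
```

On real flow data the source-port test alone is not a verdict: any host that has just queried an NTP server or discovered a UPnP device will receive small, legitimate replies from those same ports, which is why the volume threshold and the per-destination grouping are part of the check. The per-response factor for SSDP also understates the real amplification, since a device queried with `ssdp:all` replies once for every service it advertises.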
“The expansion of the Internet infrastructure, the addition of millions of potentially exploitable Internet-enabled devices and the steady discovery and disclosure of significant vulnerabilities in web applications has driven mass exploitation and botnet building.” Those factors are expanding the “DDoS threatscape.” Looking forward, Akamai said a flourishing DDoS-for-hire market will result in “attack innovation.”
DDoS trends, Akamai said, will “include more attacks, the common use of multi-vector campaigns, the availability of booter services and the low cost of a DDoS campaign that can take down a typical business or organization. The expansion of the DDoS-for-hire market may result in the commoditization of DDoS attacks, where availability drives down prices, which grows the market. DDoS may become a common tool for even non-technical criminals.”