Tag Archives: Silk Road

Security News for the Week Ending November 6, 2020

TikTok Ban – Remember That?

Well now that the election is over – at least the voting part – we can get back to the important stuff, like whether our kids can create 30-second dance videos on TikTok. The President signed a memo a couple of months ago to add trade pressure on China by banning TikTok in the US, but a federal judge issued a preliminary injunction putting the memo on hold. The government has asked the DC Circuit to overturn that injunction, but other restrictions, such as the requirement that TikTok's software be hosted on US cloud servers, go into effect on November 12th, so assume this subject will heat up over the next week or so. Credit: Law360

Feds Seize $1 Billion in Bitcoin from Silk Road

The feds shut down the Silk Road online crime bazaar in 2013 and convicted its founder, Ross Ulbricht, in 2015. He was sentenced to two life terms plus 40 years. This past week, the feds transferred 69,000+ Bitcoin out of a wallet that had been quiet since 2015. Is Ross trying to make a deal? Those Bitcoin are worth not quite a billion dollars. Now the feds have to convince a judge that the money is criminal proceeds subject to forfeiture. If they do, they will likely auction off the cryptocurrency and put the proceeds in their piggy bank and, possibly, the piggy banks of other agencies that helped take Ulbricht down. Credit: Ars Technica

How Fast is Our 5G

I know that 5G is not a security issue – except that how we use 5G WILL make it a security issue. Right now the three big carriers continue to roll out some form of 5G nationally, and they are succeeding. It is important to understand what they mean by 5G. It does NOT mean that if you spend $1,000 or $1,500 on a 5G phone (there are a couple of low-priced models) you should expect really fast speeds. It means the carriers are layering the 5G protocols on top of the existing 4G infrastructure.

So how fast is our 5G? PC Magazine runs tests every few months and has released a new set. They say that the average US 5G speed is slower than that in Saudi Arabia, South Korea, Australia, Canada, Switzerland, the United Kingdom and Germany. That is not impressive, and it is not likely to change for a number of years, for several technical reasons. Read the details at PC Magazine.

Jackson, Mississippi Integrating Your Ring Camera into their Surveillance Network

To be clear, they are doing it with the owner's permission. They are partnering with two companies who claim to be able to suck up your Ring camera data and feed it into the police department's surveillance network. Obviously, if the city can get the benefit of thousands of surveillance camera feeds without paying for them AND can really digest the data, that may help them stop crime. If your cameras point toward the street and record people who are not on your property, YOU may be committing a crime (depending on the state), but since the cops want your data, they are unlikely to complain. On the other hand, the person captured on your video, which is fed to the police, may sue you. Just sayin'. While Ring has made a big deal of trying to get you to give your video feeds to your local police, this is not one of Ring's projects. Credit: Vice

Attention Those 220 Million Web Sites That Use Let’s Encrypt

This is probably not a big deal, but it is still worth mentioning. When Let's Encrypt first came out, browsers did not trust its root, so its certificates were cross-signed by an already-trusted root belonging to IdenTrust (DST Root CA X3). Its own root (ISRG Root X1) has since been added to the major trust stores. Now that original cross-signing root expires on September 30, 2021, and if your computer or phone does not have Let's Encrypt's own root in its trust store, you will get an error when browsing to one of the 220 million web sites that use Let's Encrypt. NOTE that this only affects old operating systems and old browsers that rely on the operating system's certificate store (which may be part of the reason Chrome is moving away from using the OS certificate store). It does not become a problem until September 2021, but IT managers should make a note of it, because they will likely get at least a few calls. Credit: The Register
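Here is an added example (not code from Let's Encrypt or The Register) of the check an IT manager can run ahead of time: it reads the roots a Python/OpenSSL installation has loaded and reports whether Let's Encrypt chains will still validate after the cross-signing root expires. The two root names are the real ones; the certificate dicts and dates used to exercise the function are constructed for the example.

```python
import ssl
import time

# Roots involved in the Let's Encrypt chain change discussed above.
ISRG_ROOT_X1 = "ISRG Root X1"      # Let's Encrypt's own root
DST_ROOT_CA_X3 = "DST Root CA X3"  # the IdenTrust root that cross-signed it


def common_name(cert):
    """Pull commonName out of the nested subject tuple that ssl returns."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify_trust_store(ca_certs, now=None):
    """Report how a trust store fares once the cross-sign expires.

    `ca_certs` is a list of dicts in the shape of SSLContext.get_ca_certs().
    Returns "ok" (has ISRG Root X1), "ok-until-cross-sign-expires"
    (relies on a DST Root CA X3 that is still valid at `now`), or
    "will-fail" (neither, or DST Root CA X3 already expired).
    """
    now = time.time() if now is None else now
    names = {common_name(c) for c in ca_certs}
    if ISRG_ROOT_X1 in names:
        return "ok"
    for cert in ca_certs:
        if common_name(cert) == DST_ROOT_CA_X3:
            # notAfter is formatted like 'Sep 30 14:01:15 2021 GMT'
            if ssl.cert_time_to_seconds(cert["notAfter"]) > now:
                return "ok-until-cross-sign-expires"
    return "will-fail"


def check_local_store():
    """Classify the roots this Python/OpenSSL build has actually loaded.

    get_ca_certs() lists only roots already loaded into the context; OpenSSL
    loads a capath directory lazily, so on some systems the list is empty
    until a connection has been made. Point a context at a file-based bundle
    (load_verify_locations) for a reliable answer on such systems.
    """
    ctx = ssl.create_default_context()
    return classify_trust_store(ctx.get_ca_certs())
```

Run `check_local_store()` on the oldest client image you still support; "will-fail" there is the call you will get in September 2021.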

The Cost Of Not Baking In Security In At The Beginning

Wired is reporting on a giant dark web scheme to sell counterfeit coupons, costing the consumer packaged goods industry tens of millions of dollars. The scam is simple because no one thought anyone would try it, so no one built any security into the coupon chain. Later, the industry bolted on a blacklist, but that is easily bypassed.

When I started to read about it, I thought "what's the big deal – so someone is duplicating the coupons that manufacturers put in the paper". That is not quite it. These guys make their own coupons where no coupon exists, and since there is no security in the system, the retailer scans the bogus coupon and the manufacturer eats the loss, because it does not want retailers to stop accepting its coupons.

On Thursday the feds indicted Beauregard Wattigney of Louisiana on wire fraud and trademark counterfeiting charges. It seems even the law hadn't thought about this: counterfeiting coupons is not its own crime.

He is charged with making bogus coupons and selling them for everything you can imagine – alcohol, cigarettes, cleaning supplies, video games. The FBI accused him of doing $1 million of damage, but Jane Beauchamp, president of a firm that tracks brand fraud, estimates the damage at "tens of millions". In addition to selling packages of coupons, he is accused of selling classes that teach people how to do this themselves (and likely start their own at-home business). He is even accused of launching a service where people could generate their own coupons on demand.

Here is the core problem:

GS1, the global standards organization that companies as diverse as Coke and Mattel support, defined a bar code standard without considering security. The standard was likely developed years ago, when no one considered the possibility of bar code fraud, and certainly before the Internet. In any case, according to Wired, the first 6 characters of the bar code are a company code, which you can copy from any coupon the company ever created; the next 6 digits are an offer code, which for a fake coupon can simply be a random number; and the remaining digits are the discount in cents and the number of items you have to buy to get the discount.

Wattigney is accused of selling these on Silk Road and Silk Road 2 and the feds caught on to him when they took down Silk Road.

Apparently, retailers have no way to check with the manufacturer at the time a coupon is accepted. I am sure that 50 years ago, when couponing started and you could get 10 cents off a box of cereal, the cost of building such an exchange was mind-boggling. Now it would not be a big deal. But that 10-cents-off idea has morphed: Beauchamp said these coupons were giving people $7 off one product and $9 off another, costing the manufacturers $2 million each on just those two coupons.

Wattigney is not the first guy to try this, and now that Wired has spilled the beans, it could become more common, forcing stores to do something about it. Two years ago, Lucas Henderson, a Lubbock, Texas college student, was sentenced to three years' supervised release and ordered to pay $900,000 in restitution.

According to Beauchamp, stores like Target and Walmart rely on an industry group, the Coupon Information Center, which maintains a blacklist of known bogus coupons. If a fraudster creates a new coupon, it won't be on the blacklist, and as long as it looks OK to the cashier, the customer gets the discount. If the system does catch it, the customer just makes up an excuse ("a friend gave it to me") and walks off.

Coupon Information Center president Bud Miller says they have other security measures but wouldn't say what they are. Given that Wattigney cost the brands millions, I would say that whatever those measures are, they are not working.
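As an added example (not code from the page, Wired, GS1 or the Coupon Information Center), here is a Python model of the two designs described above: the blacklist check from the paragraph on the Coupon Information Center, which passes any offer code a fraudster invents, beside a "baked-in" variant in which the manufacturer appends a truncated HMAC to the coupon number and the retailer verifies it at acceptance. The field layout follows the page's description of the bar code; the digit widths of the discount and quantity fields, the 6-digit tag, the key and the sample coupons are assumptions constructed for the example.

```python
import hashlib
import hmac

# Field layout as the page describes it: a company code, an offer code, then
# the discount in cents and the number of items. The digit widths of the last
# two fields are assumptions for this example, not the real GS1 layout.
COMPANY_LEN, OFFER_LEN, CENTS_LEN, QTY_LEN = 6, 6, 4, 1
BODY_LEN = COMPANY_LEN + OFFER_LEN + CENTS_LEN + QTY_LEN
TAG_LEN = 6  # decimal digits of authenticator appended in the hardened variant


def parse_coupon(body):
    """Split a bare coupon number into its fields (no authenticity check)."""
    if not body.isdigit() or len(body) != BODY_LEN:
        raise ValueError("malformed coupon body")
    pos = 0
    company = body[pos:pos + COMPANY_LEN]
    pos += COMPANY_LEN
    offer = body[pos:pos + OFFER_LEN]
    pos += OFFER_LEN
    cents = int(body[pos:pos + CENTS_LEN])
    pos += CENTS_LEN
    qty = int(body[pos:pos + QTY_LEN])
    return {"company": company, "offer": offer, "cents": cents, "qty": qty}


def accept_by_blacklist(body, blacklist):
    """The bolted-on defence: reject only company+offer pairs already reported.
    A freshly made-up offer code is, by definition, not on the list."""
    fields = parse_coupon(body)
    return (fields["company"] + fields["offer"]) not in blacklist


def _tag(key, body):
    """Truncate an HMAC to TAG_LEN decimal digits so it fits a numeric barcode."""
    digest = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return "%0*d" % (TAG_LEN, int.from_bytes(digest[:8], "big") % 10 ** TAG_LEN)


def issue_coupon(key, company, offer, cents, qty):
    """Manufacturer side: build the body and append the authenticator."""
    body = "%s%s%0*d%0*d" % (company, offer, CENTS_LEN, cents, QTY_LEN, qty)
    parse_coupon(body)  # reject over-width values before signing
    return body + _tag(key, body)


def verify_coupon(key, code):
    """Retailer side: return the fields if the tag checks out, else None."""
    if not code.isdigit() or len(code) != BODY_LEN + TAG_LEN:
        return None
    body, tag = code[:BODY_LEN], code[BODY_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        return None
    return parse_coupon(body)


def demo():
    """Run both models against a forged and a tampered coupon."""
    key = b"manufacturer-secret-key"   # constructed; shared with the verifier
    blacklist = {"123456000001"}       # constructed: one pair already reported
    forged = "123456" + "424242" + "0900" + "1"  # $9.00 off, made-up offer code
    genuine = issue_coupon(key, "123456", "000042", 75, 1)  # 75 cents off one
    tampered = genuine[:12] + "0900" + genuine[16:]  # bump 75c to $9, keep tag
    return {
        "forged_passes_blacklist": accept_by_blacklist(forged, blacklist),
        "genuine_verifies": verify_coupon(key, genuine) is not None,
        "tampered_verifies": verify_coupon(key, tampered) is not None,
        "forged_verifies": verify_coupon(key, forged + "000000") is not None,
    }
```

A 6-digit numeric tag is small, so the retailer-side check has to run against a rate-limited service (the real-time exchange with the manufacturer that the text says does not exist) rather than an offline key a fraudster could guess against; an online check also lets the manufacturer mark each coupon as redeemed, which a MAC alone does not do.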

One interesting part of this is that the two prosecutions described above are of Americans in America. What if bogus coupons become the next Chinese import? Miller says that prosecution is one of their measures, but prosecuting fraudsters in less than friendly countries is not likely.

And all because security was not baked in.

Why Encryption Does Not Mean The End Of Law Enforcement

IT World wrote a piece on how the cops caught up with the now-convicted founder of Silk Road, Ross Ulbricht, AKA the Dread Pirate Roberts, the man who ran the dark web marketplace for everything from drugs to murder. The author goes into a lot more detail for those geeks who are interested.

Curious note: the article ran everywhere under the title "4 technologies that betrayed Silk Road". It lists 5 technologies, but the page name for the article still says 4 technologies... go figure.

Number 1: He used Bitcoin to move money between buyers, sellers and himself, thinking it was untraceable. It turns out that while it may be hard to get into the wallets themselves, every Bitcoin transaction is recorded on a public ledger, so it is easy to watch the money move: you can see which addresses it comes from and which it goes to.
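An added example (not from the IT World article or this page) of the kind of analysis point 1 relies on: because every transaction is public, an investigator can follow funds forward from a known address until they land somewhere with a known owner (an exchange that collects identity documents) and can group addresses that were spent together under one likely owner. The ledger, address names and exchange label are constructed for the example, and it models transactions by address rather than by individual outputs, which is a simplification of real UTXO tracing.

```python
from collections import defaultdict, deque

# CONSTRUCTED sample ledger. Real transactions spend specific outputs (UTXOs);
# this simplified model keys everything by address, which is enough to show
# the two analysis steps: following funds forward and clustering addresses.
LEDGER = [
    {"txid": "t1", "inputs": ["buyer1_a", "buyer1_b"], "outputs": {"market_escrow": 2.0}},
    {"txid": "t2", "inputs": ["buyer2"], "outputs": {"market_escrow": 1.0}},
    {"txid": "t3", "inputs": ["market_escrow"], "outputs": {"vendor_a": 2.4, "market_fee": 0.6}},
    {"txid": "t4", "inputs": ["market_fee"], "outputs": {"hop_1": 0.6}},
    {"txid": "t5", "inputs": ["hop_1"], "outputs": {"hop_2": 0.3, "hop_3": 0.3}},
    {"txid": "t6", "inputs": ["hop_2", "hop_3"], "outputs": {"exchange_deposit": 0.6}},
    {"txid": "t7", "inputs": ["unrelated"], "outputs": {"elsewhere": 5.0}},
]

# Addresses whose owner is known (a deposit at an exchange that verifies
# identity ties the funds to a person). Constructed for the example.
KNOWN_SERVICES = {"exchange_deposit": "SomeExchange"}


def build_graph(txs):
    """address -> list of (txid, receiving address, amount) edges."""
    graph = defaultdict(list)
    for tx in txs:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"].items():
                graph[src].append((tx["txid"], dst, amount))
    return graph


def trace_forward(txs, start, known_services):
    """Breadth-first search along spends from `start`.

    Returns (service_name, address, [txids on the path]) for the first
    address owned by a known service, or None if the funds never reach one.
    """
    graph = build_graph(txs)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        addr, path = queue.popleft()
        if addr in known_services:
            return known_services[addr], addr, path
        for txid, nxt, _amount in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [txid]))
    return None


def cluster_by_common_input(txs):
    """Multi-input heuristic: addresses spent together in one transaction are
    assumed to share an owner. Union-find over all input addresses."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            parent[r] = roots[0]
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return {frozenset(c) for c in clusters.values()}
```

Tracing from `market_fee` walks t4, t5 and t6 to the exchange deposit even though the money was split and rejoined on the way, and the clustering step ties `hop_2` and `hop_3` (and the two buyer addresses) to single owners; that is the "easy to watch" part of point 1.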

Number 2: Ulbricht used TorChat to communicate. Like Tor, it is encrypted, so you can't just read it off the wire. However, for some reason he consciously turned on chat logging, which wrote unencrypted logs to his hard disk. He may have thought the logs were encrypted, or he may have thought that since his disk was encrypted, he was safe.

Number 3: Encryption makes it difficult for someone to eavesdrop on your world, but data has to be decrypted in order to be used. In Ulbricht's case, he was apparently using whole disk encryption (WDE), something like Microsoft's BitLocker (but probably not BitLocker). The problem every WDE product has is that once you log in, the volume key sits in memory and data is decrypted on demand. What this means is that WDE offers no protection while the computer is powered on and unlocked.

For some reason, Ulbricht sometimes used public WiFi at the library, and the cops caught him there while the computer was turned on and logged in; they were able to grab it before he could shut it off. They now had access to, among other things, his private encryption key. Game over.

I have often said that public WiFi is not secure.  That is certainly true if you are a crook.

Number 4: Loose lips sink ships. This is as true now as it was during World War II, when the phrase was coined. Ulbricht used Facebook and cross-posted information, for example about a vacation in Thailand, to both Silk Road and Facebook. Tie the Facebook account to a Gmail account and voila.

Number 5: Automated server logins are convenient, but deadly. Because human beings are lazy, Ulbricht had set up a trust relationship between his laptop and the Silk Road servers, so he did not need to enter a password to log in to them. If you have access to the laptop, you have access to the servers.
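An added example (not the article's or this page's code) for point 5: a small Python audit that reads private key files in the two OpenSSH on-disk formats and flags those with no passphrase, which is exactly the laptop-to-server trust relationship described above. The sample key files are constructed inside the block (the OpenSSH-format ones carry only the header fields the parser reads, no key material) and the file names are assumptions.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file.

    New-style OpenSSH keys record the cipher name in a binary header; 'none'
    means no passphrase. Legacy PEM keys mark encryption with a Proc-Type
    header instead.
    """
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, _offset = _read_string(blob, len(OPENSSH_MAGIC))  # kdfname follows
        return "unencrypted" if cipher == b"none" else "encrypted"
    if "PRIVATE KEY-----" in text:  # legacy PEM (RSA/DSA/EC)
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return "unknown"


def audit_keys(key_files):
    """key_files: {path: contents}. Returns the paths that would let anyone
    holding the laptop log in to the servers without a passphrase."""
    return sorted(p for p, t in key_files.items() if classify_private_key(t) == "unencrypted")


def make_openssh_header(cipher, kdf):
    """CONSTRUCTED test input: an OpenSSH key file carrying only the header
    fields the parser reads (magic, ciphername, kdfname, empty kdfoptions,
    key count) and no key material."""
    blob = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf
            + struct.pack(">I", 0)        # empty kdfoptions
            + struct.pack(">I", 1))       # one key
    b64 = base64.encodebytes(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample ~/.ssh contents; the PEM bodies are placeholders.
SAMPLE_KEYS = {
    "id_ed25519_nopass": make_openssh_header(b"none", b"none"),
    "id_ed25519_pass": make_openssh_header(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,...\n\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
}
```

The fix for what the audit finds is a passphrase on the key plus loading it into ssh-agent with a lifetime (`ssh-add -t`), so the key stops working once the agent times out or the laptop is taken while locked.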

I think most people will be able to figure out what not to do, so I don’t think I need to explain that here, but it does point out that nothing is foolproof.

The Feds – and Prime Minister David Cameron of the United Kingdom – feel that no communication should be private from the government. The fact that in 99% of cases the people who want private communications simply don't trust the government and are doing nothing wrong is not relevant to them. This case points out two things: first, encryption is not a silver bullet, and second, human beings make mistakes.

Maybe the next crook won’t make these five mistakes, but actually, I would not count on that.  The good news for the cops is that there is pretty much an unlimited supply of mistakes for the bad guys to make and while it may be harder to catch them if they use encryption, it is, for sure, not the end of catching crooks.  Ask Ross Ulbricht.

Mitch