Why Even Cyber Criminals Need Web App Security

Back in October 2013, Ross Ulbricht (AKA Dread Pirate Roberts, or DPR), the guy running the popular website Silk Road, was arrested by the FBI in a San Francisco library. His laptop had about 45 million bucks in Bitcoin on it, and he was charged with a bunch of stuff ranging from planned murder to breaking just about everything in the Computer Fraud and Abuse Act.

[Image: the nice message from the FBI we saw when Silk Road was seized]

His arrest was a bit of a surprise because he was very careful. He hid behind a bunch of Tor nodes, hid everything he did, and went out of his way to remain anonymous. Many assumed that the Tor network had suddenly become hackable by the FBI, or that they had used illegal means to find him. Well, the nice folks at the FBI recently told us what really happened: he was a web app security noob of ginormous proportions. But hey, before you start calling him that, remember that you probably are too (heck, this site is built on WordPress).

DPR got caught because he used a CAPTCHA on his site, which is a sensible thing to do when authenticating users. The problem was that the CAPTCHA verification resolved directly to his main web server's public IP instead of going through Tor like the rest of his site (LOL!). Every resource a page loads, whether an image, a script or a form action, is a request a visitor can watch, and if one of them points at the origin server's real address, the hidden service is no longer hidden. This was probably going on for a stupid amount of time, but no one ever figured it out. It's one of those things that are just so stupid that you would never think to check for them.

[Image: "Ok! Ok! I must have, I must have put a decimal point in the wrong place or something. Shit. I always do that. I always mess up some mundane]

In my professional opinion (if you can call it that), if DPR had taken the time to have security professionals look at his site, he wouldn't have gotten caught so fast. I guess that even if you're running a seedy and most likely illegal online enterprise, security should still matter. Probably more than ever.

Here is how a test by a professional would have gone, assuming they knew anonymity was a priority:

  1. Set up an intercepting proxy between a browser and the Silk Road site and observe the traffic
  2. See that the rest of the site's requests go to the .onion address through Tor
  3. Notice that the CAPTCHA request always resolves to the same public IP, outside Tor
  4. Notify DPR that they now know where his site is hosted

Case solved… 45 million bucks saved for the time being.
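The check from steps 1 to 3 is easy to automate. Below is an added example, not code from this post or from Silk Road, that does the audit from both sides: it parses a hidden-service login page and lists every resource the browser would fetch from a host other than the .onion it was served from, and it runs the same check over lines from an intercepting proxy's log. The .onion name, the 203.0.113.5 address (a documentation range) and the log lines are constructed for the example.

```python
"""Added example: audit a Tor hidden-service login page for resources that
point outside the .onion and so reveal where the site is really hosted."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Tag/attribute pairs that make a browser fetch from, or submit to, a host.
_RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "form": ("action",), "source": ("src",),
    "object": ("data",), "embed": ("src",),
}


class _ResourceCollector(HTMLParser):
    """Collect every (tag, url) the page asks the browser to load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append((tag, value))


def classify_host(host):
    """'onion' for a hidden service, 'ip' for a literal address, else 'clearnet'."""
    if host.endswith(".onion"):
        return "onion"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "clearnet"


def find_leaks(page_html, page_host):
    """Return (tag, url, kind) for each absolute resource URL whose host is not
    the .onion the page was served from. Relative URLs resolve to the same
    .onion and are fine; anything else names a host outside the hidden
    service, and if that host is the origin server's public address the page
    has just told every visitor where it lives (the Silk Road CAPTCHA case)."""
    collector = _ResourceCollector()
    collector.feed(page_html)
    leaks = []
    for tag, url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs
        if host is None or host == page_host:
            continue
        leaks.append((tag, url, classify_host(host)))
    return leaks


# Same check from the proxy side. Each line is "<timestamp> <method> <url>",
# the shape assumed here for an intercepting proxy's request log.
_LOG_RE = re.compile(r"^\S+ (?P<method>[A-Z]+) (?P<url>\S+)$")


def unexpected_hosts(log_lines, page_host):
    """Set of hosts the browser contacted that are not a .onion at all."""
    hosts = set()
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlparse(m.group("url")).hostname
        if host and host != page_host and classify_host(host) != "onion":
            hosts.add(host)
    return hosts


# Constructed sample data: a hypothetical .onion and a documentation-range IP.
SAMPLE_ONION = "exampleabcdefghi.onion"
SAMPLE_LOGIN_PAGE = f"""
<html><body>
<form action="/login" method="post">
  <img src="/static/logo.png">
  <img src="http://{SAMPLE_ONION}/captcha.php?id=7">
  <img src="http://203.0.113.5/captcha.php?id=7">
  <script src="https://cdn.example.com/captcha.js"></script>
  <input name="user"><input type="submit" value="Log in">
</form>
</body></html>
"""
SAMPLE_PROXY_LOG = [
    f"2013-06-01T10:00:00Z GET http://{SAMPLE_ONION}/login",
    f"2013-06-01T10:00:00Z GET http://{SAMPLE_ONION}/static/logo.png",
    "2013-06-01T10:00:01Z GET http://203.0.113.5/captcha.php?id=7",
    "2013-06-01T10:00:01Z GET https://cdn.example.com/captcha.js",
]

if __name__ == "__main__":
    for tag, url, kind in find_leaks(SAMPLE_LOGIN_PAGE, SAMPLE_ONION):
        print(f"LEAK <{tag}> {url} ({kind})")
    print("off-onion hosts seen by proxy:",
          sorted(unexpected_hosts(SAMPLE_PROXY_LOG, SAMPLE_ONION)))
```

Run against the constructed page it flags the CAPTCHA image loaded from the literal IP and the script pulled from a clearnet CDN, and the proxy-log pass reports the same two hosts. A literal IP is the worst case, since it is the origin itself; a clearnet hostname is still worth a look, because whoever runs it gets a request (and the visitor's circuit exit) every time the login page loads.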

