Silk Road CAPTCHA bust, the weakest link in security is you!

The internet community has finally begun to come to grips with the need for increased internet security and online privacy. Recently the narrative took yet another twist when revelations came to light of mass government spy programs created to intercept the daily communications of common internet users. Mainstream news organizations are publishing stories about the drastic rise in cybercrime almost daily. Even the internet gurus make mistakes.

Silk Road CAPTCHA bust

Recent news has come to light regarding how the underground drugs bazaar Silk Road was ultimately closed with the arrest of its alleged owner, Ross W. Ulbricht, aka Dread Pirate Roberts. While it goes without saying that a large-scale operation attracting the attention of some senior law enforcement agencies would be running a tight ship, it now appears that user error also led to its downfall.

Silk Road became the biggest online drugs trading platform available on the internet. However, it was only accessible via the Tor anonymizing system and as such was considered part of the hidden dark web. This gave authorities a conundrum, and leaked documents show that the Tor system has become a huge thorn in the side of legal investigations.

While alleged owner Ross W. Ulbricht is reported to have taken many extreme measures to ensure his own security, such as accessing Silk Road from an internet cafe in San Francisco, it now appears that his own user error not only led to the demise of the site but also sealed his own fate.

In late 2013 it was first reported how authorities managed to link the real-world persona with that of the Silk Road pseudonym Dread Pirate Roberts by linking old queries relating to Bitcoin, and ultimately Silk Road, to a personal email address used by Ulbricht himself.

Fast forward to 2014 and new details have emerged alleging that, even though Silk Road was run on the underground Tor network, portions of the site, namely the CAPTCHA tool, linked to an off-site third-party location on the standard internet. CAPTCHA is the somewhat annoying tool that prevents spam bots from signing up to various websites, usually by requiring the user to enter a string of characters from a jumbled-up image.

With this information at hand, it is alleged, law enforcement were then able to pinpoint the real location of the Silk Road servers in Iceland, at which point Icelandic law enforcement made a direct image copy of the hard drive information.

For a site with a massive profile such as Silk Road, it would have been relatively easy to produce an in-house anti-spam solution similar to CAPTCHA, which ultimately would have removed the leaky information that brought about the downfall of the site. As with many internet criminals who have been caught, in the majority of cases it is user error (or human error) which led to their apprehension.
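The failure mode described above, a page served from one host that pulls a component from another, can be checked for before a page goes live. The following is an added example, not code from the original article; the `.onion` hostname, the `example.com`/`example.net` hosts and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch from or submit to a URL.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "link": ("href",), "form": ("action",), "source": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",),
}

class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []  # (tag, absolute URL) for every resource reference

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in FETCH_ATTRS.get(tag, ()):
                self.found.append((tag, urljoin(self.base_url, value.strip())))

def offsite_resources(page_url, html):
    """Return (tag, url) pairs served by a host other than the page's own."""
    own_host = (urlsplit(page_url).hostname or "").lower()
    collector = ResourceCollector(page_url)
    collector.feed(html)
    leaks = []
    for tag, url in collector.found:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data: and similar URLs contact no remote host
        if (parts.hostname or "").lower() != own_host:
            leaks.append((tag, url))
    return leaks

# Constructed sample page on a placeholder host (not taken from the article).
SAMPLE_URL = "http://exampleplaceholder.onion/login"
SAMPLE_HTML = """
<head><link rel="stylesheet" href="/static/site.css"></head>
<form action="/login" method="post"><img src="captcha/local.png">
<img src="//captcha.example.com/image?id=1">
<script src="https://cdn.example.net/widget.js"></script></form>
"""

if __name__ == "__main__":
    for tag, url in offsite_resources(SAMPLE_URL, SAMPLE_HTML):
        print(f"off-site <{tag}>: {url}")
```

Run against every template a site serves, an empty result means no component depends on a host outside the operator's control; it does not cover URLs built at runtime by scripts or stylesheets.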

Law Enforcement Lies?

Questions have been raised about the FBI’s version of the events that led to the capture (no pun intended!) of the Silk Road servers, with some security experts claiming that a more hacking-based approach would have been required to secure such information.

It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packetlogs of network traffic which include a protocol as complex as Tor

– Andrew Auernheimer,

Regardless of the complete truth behind the story, it is clear that on more than one occasion human error led to the end of the drugs bazaar’s reign. While not all of us are running online drug marketplaces, the same theory can be applied to user security, and as such it should serve as a lesson to double-check our security and privacy measures to ensure our own failings won’t ultimately expose us to potential hazards.

Security too hard for the layman?

Security software, or at least cryptography software, has been billed by many as too difficult for the general public to use. Products from anti-virus companies have become easier to use, and in recent years software such as LiquidVPN’s Viscosity has made it easier to connect to a Virtual Private Network. Such advancements have made things simpler for the layman (or woman!) who is concerned about their privacy and security but less inclined to delve into the inner workings of how this is achieved.

One such example is encryption of emails. Email is an excellent form of communication, and when communicating with businesses it is still the preferred method of online communication. I have on many occasions been asked by various businesses to submit personal details and even scanned identity documents via email. Without understanding how email works, the average person may assume that what they send is secure; after all, you type out an email on your own system and within seconds it reaches the other end.

Little thought is given to the workings of systems such as email, and although encryption systems such as PGP (Pretty Good Privacy) are relatively easy to set up when following a step-by-step guide, the fact remains that the average user who has little interest in computers as a hobby may find such tasks too daunting even to consider.

The majority of us consider ourselves to be rather security conscious, and the message is certainly being spread about security best practices. This has no doubt increased the security measures that users take online, but one chink in the armour is always going to be the user themselves. It is all well and good using a strong password, but if you make use of that strong password over a range of sites, the strength of that security is weakened, just as a difficult PIN for accessing an ATM becomes less useful should you store that PIN on a piece of paper in the same location as your bank card.