Risk
6/10/2011
09:59 AM
50%
50%

LulzSec Hackers Using Digital Currency: DEA Crackdown Soon?

The LulzSec hacker group has said it's receiving monetary support via a P2P digital currency, Bitcoins. Now Senators are urging DEA action on an illegal online drug sales site with a Bitcoins connection.

Two senators have called on the Drug Enforcement Administration (DEA) to shut down the online marketplace known as the Silk Road by seizing its domain name.

"Launched in February, this underground website allows users to hide their identities and freely purchase and sell illegal drugs, ranging from cocaine, heroin, ecstasy, and marijuana," said Senators Charles Schumer (D-N.Y.) and Joe Manchin (D-W.Va.), in a letter sent this week to Michele Leonhart, the head of the DEA, and attorney general Eric Holder.

Knowledge about the Silk Road went mainstream earlier this month, thanks to a Gawker profile. But shutting the marketplace down could prove difficult, since it can only be reached via the distributed, anonymized network known as Tor. Furthermore, the marketplace uses a seemingly random assembly of letters and characters as its URL, which means that, should that domain name get shut down, its operators could simply open up shop under a different name, publicizing the new URL via underground channels.

That said, one weak point would be Bitcoin transactions, since they're the only form of currency currently accepted by the Silk Road. Bitcoins are decentralized currency, created in 2009 by Satoshi Nakamoto, who also released open source software which powers the decentralized peer-to-peer network that runs Bitcoins.

Jeff Garzik, a Bitcoin developer, told Gawker that Bitcoins could expose the actual identities of Silk Road users, since law enforcement agencies, with enough time, could correlate network traffic with the publicly released--though anonymous--records of Bitcoin transactions, to identify actual users. Accordingly, "attempting major illicit transactions with Bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb," he said.

Bitcoins represent an interesting evolution in currency. As noted in an Electronic Frontier Foundation (EFF) analysis published earlier this year, "once the Bitcoin software has been downloaded, a user can store Bitcoins and exchange them directly with other users or merchants--without the currency being verified by a third party such as a bank or government," according to the EFF's activism director, Rainey Reitman. "It uses a unique system to prevent multiple-spending of each coin, which makes it an interesting development in the movement toward digital cash systems."

But she warned that the system is still a work in progress, and not entirely anonymous or secure. Interestingly, EFF had been accepting Bitcoins as donations, but in recent weeks appears to have ceased this practice, instructing potential donors that the organization prefers legal tender instead. As that suggests, the currency's legal status is unclear.

By May 2011, however, there were already 6.2 million Bitcoins in existence. As of June 10, the value of a Bitcoin was about $30, up from $0.06 in October 2010. The Bitcoin software's growth algorithm caps the the total number of Bitcoins in circulation at approximately 21 million, which developers don't expect to approach until 2140.

The LulzSec hacking group, which reportedly split off from Anonymous and has been steadily hammering Sony websites, as well as PBS, InfraGard, and others, has also called for--and received--Bitcoin donations. According to a tweet released by the group last week, "by the way, we've received $110 in BitCoin donations and we just used some of it to buy a server with which to own things from."

Of course when it comes to purchasing illegal drugs, Bitcoins aren't the only currency. In fact, cash is much more anonymous. On that front, technological moves are afoot to help battle so-called pill mills, which involve doctors trading prescriptions for cash. For example, currently 98% of all doctors who prescribe oxycodone are located in Florida, according to a Thursday story in the Guardian, which said that the cash-for-prescriptions racket can earn a single physician up to $25,000 per day.

Accordingly, the American Society of Interventional Pain Physicians, among other groups, is pushing for a single, statewide database for recording all pain medication prescriptions, by physician, to help crack down on pill mills. The state's governor, Rick Scott, had resisted the plan, on cost and privacy grounds.

But according to recent reports, the Florida Senate is now weighing a related bill, backed by both Scott and the Florida House. In addition, Scott told a U.S. House of Representatives energy and commerce committee that he'd ordered the state to develop "a database focused on the patient level."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?