Risk
6/10/2011
09:59 AM

LulzSec Hackers Using Digital Currency: DEA Crackdown Soon?

The LulzSec hacker group has said it's receiving monetary support via a P2P digital currency, Bitcoins. Now senators are urging DEA action on an illegal online drug sales site with a Bitcoins connection.

Two senators have called on the Drug Enforcement Administration (DEA) to shut down the online marketplace known as the Silk Road by seizing its domain name.

"Launched in February, this underground website allows users to hide their identities and freely purchase and sell illegal drugs, ranging from cocaine, heroin, ecstasy, and marijuana," said Senators Charles Schumer (D-N.Y.) and Joe Manchin (D-W.Va.), in a letter sent this week to Michele Leonhart, the head of the DEA, and attorney general Eric Holder.

Knowledge about the Silk Road went mainstream earlier this month, thanks to a Gawker profile. But shutting the marketplace down could prove difficult, since it can only be reached via the distributed, anonymized network known as Tor. Furthermore, the marketplace uses a seemingly random assembly of letters and characters as its URL, which means that, should that domain name get shut down, its operators could simply open up shop under a different name, publicizing the new URL via underground channels.

That said, one weak point would be Bitcoin transactions, since Bitcoins are the only form of currency currently accepted by the Silk Road. Bitcoins are a decentralized currency, created in 2009 by Satoshi Nakamoto, who also released the open source software that powers the decentralized peer-to-peer network that runs Bitcoins.

Jeff Garzik, a Bitcoin developer, told Gawker that Bitcoins could expose the actual identities of Silk Road users, since law enforcement agencies, with enough time, could correlate network traffic with the publicly released--though anonymous--records of Bitcoin transactions, to identify actual users. Accordingly, "attempting major illicit transactions with Bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb," he said.

Bitcoins represent an interesting evolution in currency. As noted in an Electronic Frontier Foundation (EFF) analysis published earlier this year, "once the Bitcoin software has been downloaded, a user can store Bitcoins and exchange them directly with other users or merchants--without the currency being verified by a third party such as a bank or government," according to the EFF's activism director, Rainey Reitman. "It uses a unique system to prevent multiple-spending of each coin, which makes it an interesting development in the movement toward digital cash systems."

But she warned that the system is still a work in progress, and not entirely anonymous or secure. Interestingly, EFF had been accepting Bitcoins as donations, but in recent weeks appears to have ceased this practice, instructing potential donors that the organization prefers legal tender instead. As that suggests, the currency's legal status is unclear.

By May 2011, however, there were already 6.2 million Bitcoins in existence. As of June 10, the value of a Bitcoin was about $30, up from $0.06 in October 2010. The Bitcoin software's growth algorithm caps the total number of Bitcoins in circulation at approximately 21 million, which developers don't expect to approach until 2140.

The LulzSec hacking group, which reportedly split off from Anonymous and has been steadily hammering Sony websites, as well as PBS, InfraGard, and others, has also called for--and received--Bitcoin donations. According to a tweet released by the group last week, "by the way, we've received $110 in BitCoin donations and we just used some of it to buy a server with which to own things from."

Of course, when it comes to purchasing illegal drugs, Bitcoins aren't the only currency. In fact, cash is much more anonymous. On that front, technological moves are afoot to help battle so-called pill mills, which involve doctors trading prescriptions for cash. For example, currently 98% of all doctors who prescribe oxycodone are located in Florida, according to a Thursday story in the Guardian, which said that the cash-for-prescriptions racket can earn a single physician up to $25,000 per day.

Accordingly, the American Society of Interventional Pain Physicians, among other groups, is pushing for a single, statewide database for recording all pain medication prescriptions, by physician, to help crack down on pill mills. The state's governor, Rick Scott, had resisted the plan, on cost and privacy grounds.

But according to recent reports, the Florida Senate is now weighing a related bill, backed by both Scott and the Florida House. In addition, Scott told a U.S. House of Representatives energy and commerce committee that he'd ordered the state to develop "a database focused on the patient level."
