Back in October 2013, the Federal Bureau of Investigation took down the Silk Road Website. At the time, precise details of how the FBI was able to track down the Silk Road’s owner and operator were not disclosed.
A new court declaration made by former FBI agent Christopher Tarbell in the U.S. District Court for the Southern District of New York provides fresh insight into the whole ordeal. The Silk Road Website was used to buy and sell illegal goods and services online.
Tarbell notes in the declaration that he worked in the FBI’s New York CY-2 cyber-crime unit as a special agent and investigated the Silk Road. The Silk Road Website and its owner, Ross Ulbricht, were hidden on the Internet through the use of the Tor network, which was leveraged to effectively anonymize the site’s location. Tor is what is known as an onion-router network, where traffic is hidden by way of transit through multiple nodes within the network.
When the FBI first announced that it had found Ulbricht, there was some speculation that there was some form of security breach within the Tor network itself. Tarbell’s declaration proves that no direct breach occurred, and it was Ulbricht’s own actions that led investigators to his doorstep.
“In order for the IP address of a computer to be fully hidden on Tor, the applications running on the computer must be properly configured for that purpose,” Tarbell’s declaration states. “Otherwise, the computer’s IP address may leak through the traffic sent from the computer.”
The FBI’s CY-2 unit found such a leak on the Silk Road’s user log-in interface, which required users to input a username and a password as well as successfully complete a CAPTCHA challenge. Tarball noted in his declaration that the CY-2 unit did not have any form of backdoor access to the Silk Road site and simply attempted to access the site from its log-in interface for users.
“Upon examining the individual packets of data being sent back from the Website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets,” Tarbelle stated. “Based on my training and experience, this indicated that the Subject IP Address was the IP address of the Silk Road (SR) Server, and that it was leaking from the SR Server because the computer code underlying the log-in interface was not properly configured at the time to work on Tor.”
News of how the FBI was able to track down the real location of the Silk Road Website was not a big surprise to Tom Gorup, manager, Security Operations Center, Rook Security.
With any privacy application, there always seems to be a hole, and usually the hole is in the logic of how the application interacts with the end user or, simply, the implementation of the encryption schema, Gorup said.
“Web applications get more and more complex, and if the administrator is attempting to implement new tools, like a CAPTCHA, there should be diligent testing to ensure leakage doesn’t occur,” Gorup told eWEEK. “This is a great example used against a malicious administrator that diligent testing should take place before implementing any public-facing application.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.