Cyber wrap
26 Jul 2017

Two of the largest marketplaces on the dark web, AlphaBay and Hansa Market, have been taken down by a joint US and Europol operation. By Europol’s count, AlphaBay alone had over 200,000 users, 250,000 listings for illegal drugs, and 100,000 listings for fraudulent or stolen identification documents.

The dual announcements from the US and Europol come after two weeks of chaos and speculation. AlphaBay was initially offline on 4 July, in what appeared to be an ‘exit scam’ orchestrated by its administrators to steal escrowed funds. Canadian Alexandre Cazes, suspected of being an AlphaBay co-founder, was arrested by police in Thailand on 5 July and his properties in Canada were raided by the Royal Canadian Mounted Police. The plan was to extradite him to the US to face criminal charges, but on 12 July he was found dead in his jail cell in Thailand after allegedly committing suicide. Cazes’ arrest solidified concerns among market users that the takedown of AlphaBay had been a law enforcement operation, driving many of them to rival websites like Hansa.

But Dutch police had already taken control of Hansa Market’s systems from 20 June, two weeks before US authorities closed AlphaBay. When the AlphaBay ‘refugees’ shifted their business to Hansa Market, Europol was able to grab user and transaction details, including 10,000 physical addresses. The twin takedowns have been described as ‘planned chaos’, and involved close coordination among 12 agencies from a number of countries, including Thailand, the Netherlands, Lithuania, Canada, the UK, and France, demonstrating the long list of jurisdictions that need to work together for an operation on that scale to be effective. Moreover, it looks like one of the operation’s psychological goals, to poison the web of trust that enables dark web markets to operate, has succeeded; a widespread advisory was promulgated in the dark web community warning against using any dark web market, at least for the time being.

Cyber-diplomacy may soon take a hit if the US Department of State’s cybersecurity office gets shuttered. Current office head Christopher Painter, a two-decade veteran of the portfolio, is resigning the post at the end of July, and it’s been suggested that the office will be merged into other bureaus, or will go entirely unfilled amid other, ongoing staffing changes in the State Department.

Sweden has revealed that it suffered a nationwide data breach exposing the sensitive personal information of millions of its citizens. The country’s transport agency, in the midst of a database outsourcing project with IBM, reportedly e-mailed a plain-text database full of highly sensitive registration and identification information to a number of subscribers in the first half of 2015. Sweden’s prime minister has announced that an investigation is being conducted, but concerns have been raised over the slow response—while Sweden’s security services immediately began taking action, the prime minister reportedly was only made aware of the issue in January of this year, and a number of other failures of communication and accountability have been reported. Similarly, in the US, the Social Security numbers of 5.5 million people were accessed across several states after a massive breach of the Kansas Department of Commerce’s data system in March 2017. The breach wasn’t disclosed by the agency and only became public after the Kansas News Service filed an open records request.

Cryptocurrency users have also been hit hard this week. Users of Parity Technologies’ Ethereum wallet software became victims of a massive cryptocurrency heist in which hackers grabbed the equivalent of US$30 million from vulnerable wallets. It was the third of four attacks on Ethereum this month, and the largest by value. Interestingly, when Parity employees and other ethical hackers noticed the initial grab, they used the same vulnerability to safely Noah’s Ark away another US$208 million worth of Ether from vulnerable wallets while fixes were pushed out. The ethical hackers, calling themselves the ‘White Hat Group’, have promised to return the funds to their owners once wallets are secure.

Back in more conventional financial and cyber crime, new research from Digital Shadows, a digital risk management company, has taken a deep dive into the ‘carding’ industry, or the industry around the theft and resale of credit card details for fraudulent use. They’ve found a number of formal, in-depth online courses available for less than US$1,000 for Russian-speaking students, offering training on how to start gathering, using and reselling credit card data themselves.

Researchers from Harvard’s Belfer Center, including Bruce Schneier, have taken a look at parallel discovery in vulnerability research. From a corpus of 4,300 discovered vulnerabilities, they found that 15–20% were discovered independently at least twice in the same year. That’s much higher than the figure of 5.7% previously reported by the RAND Corporation. The new finding has implications for intelligence agencies looking to discover and exploit vulnerabilities for intelligence collection. How likely is it that an adversary will also identify the same vulnerability and exploit it to your detriment?