Slashdot Mirror


Crooks Reused Passwords On the Dark Web So Dutch Police Took Over Their Accounts (bleepingcomputer.com)

An anonymous reader writes: Dutch Police is aggressively going after Dark Web vendors using data they collected from the recently seized Hansa Market. According to reports, police is using the Hansa login credentials to authenticate on other Dark Web portals, such as Dream. If vendors reused passwords, police take over the accounts and set up traps or map the sales of illegal products. Other crooks noticed the account hijacks because Dutch Police changed the PGP key for the hijacked accounts with their own, which was accidentally signed with the name "Dutch Police." The second method of operation spotted by the Dark Web community involves so-called "locktime" files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20. Under normal circumstances a locktime file is a simple log of a vendor's market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa's signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale's conclusion, or if the market was down due to technical reasons. Before the market went down, these locktime files were replaced with Excel files that contained a hidden image that would beacon back to police servers, exposing the vendor's real location. Dutch Police was able to do this because they took over Hansa servers on June 20 and operated the market for one more month, collecting data on vendors.

38 comments

  1. "...police is using... by turkeydance · · Score: 1

    they is?

    1. Re:"...police is using... by arth1 · · Score: 2, Informative

      they is?

      It is. It's American English, where group nouns usually take singular form in both determined and undetermined form.

      British English: Harrods are having a sale.
      American English: Macy's is having a sale.

    2. Re:"...police is using... by Anonymous Coward · · Score: 0

      Acceptable but not preferable.

      Anaheim: The police ARE cracking heads, yay!

      East L.A.: The police IS cracking heads, hide!

    3. Re:"...police is using... by arth1 · · Score: 4, Funny

      Anaheim: The police ARE cracking heads, yay!
      East L.A.: The police IS cracking heads, hide!

      Brooklyn: The police ARE crackheads, vey!

    4. Re:"...police is using... by darthsilun · · Score: 2

      Usually? No, not really. Not in my experience anyway.

      But what do I know? (I've been speaking (American) English for nearly 60 years. That probably doesn't count for much.).

      The Dutch police are is the correct usage, IMO.

    5. Re:"...police is using... by Anonymous Coward · · Score: 1

      they is?

      It is. It's American English, where group nouns usually take singular form in both determined and undetermined form.

      British English: Harrods are having a sale.
      American English: Macy's is having a sale.

      NO!!

      American English:
      Macy's here is just one company or is being referenced to as a specific store that is having a sale.
      The police are using.. (They are a group of people, so is should never be used. Anyone using that is using it incorrectly or it could possibly be a region slang.)

    6. Re:"...police is using... by Anonymous Coward · · Score: 0

      Usually? No, not really. Not in my experience anyway.

      But what do I know? (I've been speaking (American) English for nearly 60 years. That probably doesn't count for much.).

      The Dutch police are is the correct usage, IMO.

      No need to add IMO. "The Dutch police are..." is the correct usage.

    7. Re:"...police is using... by arth1 · · Score: 1

      The police are using.. (They are a group of people, so is should never be used. Anyone using that is using it incorrectly or it could possibly be a region slang.)

      I beg to differ. I think most Americans (with regional and personal exceptions) would say:

      Congress is debating...
      The military is bombing...
      The police is investigating...

      Personally, I would use "are", but my impression is that in the US, I'm in the minority.

    8. Re:"...police is using... by Anonymous Coward · · Score: 0

      It all depends on what your definition of "is" is.

    9. Re:"...police is using... by Highdude702 · · Score: 1

      Congress is
      Military is
      Police are raiding the trap

      Raised in Las Vegas and this is what I would say and everybody I know.

    10. Re:"...police is using... by Anonymous Coward · · Score: 0

      Congress is debating...
      Congressmen are debating...
      The military is bombing ...
      The soldiers are bombing...
      The police are investigating...

    11. Re:"...police is using... by MrMr · · Score: 1

      No he's not

    12. Re:"...police is using... by Anonymous Coward · · Score: 0

      Bleeping Computer is registered in New York. Uses American English styleguide. Mystery solved.

    13. Re:"...police is using... by Anonymous Coward · · Score: 0

      buy the car,

      mow the lawn,

      pay the tax,

      hang the wallpaper,

      clip the nails,

      listen to crickets,

      blow up balloons,

      drink orange juice,

      forget the past,

      pass the mustard,

      pull down the shades,

      take the pills,

      check the temperature,

      lace on the gloves,

      the bell is ringing,

      the pearl is in the oyster,

      the rain falls

      as the shadows get ready to fall again.

  2. Legality by Njovich · · Score: 4, Insightful

    As a Dutch person I wonder what the legal basis is for all this. They are running illegal marketplaces, hacking into accounts on foreign services using data they got elsewhere, and exchanging data with countries like Thailand where people might get capital punishment for drugs related crimes. While going after black drug exchange markets is a good thing, it all gives the impression that they don't hold back. Dutch prosecutors say they have only done 'internal analysis' on the legality, which means that these actions have not even been approved by a judge. In emergencies this is allowed, but if a judge doesn't agree with any of this, or doesn't agree this was an emergency that enables doing this without court approval, Dutch police are committing a whole range of crimes here without legal backing.

    1. Re:Legality by Incadenza · · Score: 1

      We have some interesting court sessions ahead of us. I just hope the newspapers will understand what they are writing about.

    2. Re: Legality by Anonymous Coward · · Score: 0

      If the government does it, it's not illegal. Know your place, citizen.

    3. Re:Legality by volodymyrbiryuk · · Score: 1

      ...like everywhere else. Which doesn't make it any better.

      --
      sudo rm -r -f --no-preserve-root /
    4. Re:Legality by Anonymous Coward · · Score: 1

      It doesn't matter much whether it's illegal or not. The question is whether or not it is a crime that is persecuted without petition (i.e., is just an Antragsdelikt). Just imagine the drug/weapon lord petitioning to persecute police like "they hacked my server I was using to sell drugs and weapons, here's all evidence needed...".

    5. Re:Legality by Opportunist · · Score: 1

      You haven't been on this planet for long, have you?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Legality by postbigbang · · Score: 2

      The post has a lot of problems. First, you don't "accidentally" sign your pgp key with "Dutch Police". These guys were amateurs that lucked into hijacking an existing site, then doing all they could to turn up information about the users of the site.

      While the site and its users are arguably "bad people", I agree with you that the evidence obtained may be very difficult to obtain successful prosecutions from. Has all the earmarks of an amateur investigation, if the info in the post is correct.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:Legality by Anonymous Coward · · Score: 0

      The post has a lot of problems. First, you don't "accidentally" sign your pgp key with "Dutch Police". These guys were amateurs that lucked into hijacking an existing site, then doing all they could to turn up information about the users of the site.

      While the site and its users are arguably "bad people", I agree with you that the evidence obtained may be very difficult to obtain successful prosecutions from. Has all the earmarks of an amateur investigation, if the info in the post is correct.

      I doubt they were actually hoping to track down anyone, let alone catch and prosecute with evidence obtained by hacking the server alone. Likely they were more interested in simply shutting down operations, everything else just as a bonus. This bonus may not be suitable as evidence alone, but provides enough leads to start normal police work. Offline. Real police men, doing real physical investigations of real physical suspects. Whatever results from that will then be used in court.

    8. Re:Legality by postbigbang · · Score: 1

      Except that the admission of evidence might be disallowed.

      Worse, imagine putting a big red flag on all the email you send that screams: We're totally inept.

      --
      ---- Teach Peace. It's Cheaper Than War.
    9. Re:Legality by gijoel · · Score: 1

      It's based on the very important legal concept of 'Quia Ego Sic Dico'

    10. Re: Legality by Anonymous Coward · · Score: 0

      "As a Dutch person I wonder what the legal basis is for all this."

      As an American I wonder: is there really such a thing as "illegal product" in the Netherlands??

    11. Re:Legality by golodh · · Score: 1

      The legal basis for all this is a recently adopted Dutch law that grants the Dutch police extremely wide powers to break into any computer system it believes is being used for criminal activities.

      Once this law has been triggered, the Dutch police are basically free to use all and any computer burglary tools on the market to gain access and/or control. And once inside the system they are allowed to collect any evidence they like, and transform the system into a honeypot if they feel like it.

      Note that the police doesn't actually need to _prove_ anything to anyone in order to be allowed to gain access.

      Suspicion alone (I don't know how that works in The Netherlands; it might be something similar to "reasonable cause") is enough. It's only later, if and when the case goes to court, that they might have to convince the judge that they acted responsibly in having suspicions about the system they hacked, and that they didn't actually entrap people (as in entice them to commit any crimes).

      If you think that sounds overly broad, I entirely agree. This being The Netherlands however, I fear that they determined this is a cost-effective way of policing and went with it on that basis.

    12. Re:Legality by gweihir · · Score: 1

      Since this is about fighting evil people that want to put things in their bodies that the government does not approve of, it surely must all be fine!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Legality by gweihir · · Score: 1

      Incompetent amateurs (the signature on the key) with the equivalent of nuclear weapons. Who thought this was a good idea?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Legality by Njovich · · Score: 1

      The law you are talking about ('Wet computercriminaliteit III') has not been passed by the senate yet and thus cannot be the legal basis. The other parts are up to interpretation by the courts, it's quite possible that you will end up right about them.

    15. Re:Legality by angel'o'sphere · · Score: 1

      I'm not from this planet, are you? (or do I need to write "is"?)

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    16. Re:Legality by tlhIngan · · Score: 1

      Well, I'm sure the people involved can go and complain to the Dutch government and file lawsuits against the police for hacking and all that, then.

      Of course, I think the primary purpose is to disrupt the markets more than catch people - the people involved generally are in countries that won't have extradition treaties anyways. And if they are based in the usual Europe/North America first world country, well, they can always report the hacking to their local police who I'm sure will be more than happy to investigate.

      In the end, you know the people won't complain - it's like a drug addict going to the police that some drug dealer ripped him off sort of deal.

  3. reusing passwords by Anonymous Coward · · Score: 0

    Also another trick to steal passwords by hijacking sites - you type a password and it gets refused, so you try again and again and again with all your "standard" ones..

  4. 2 Factor Authentication? by Anonymous Coward · · Score: 0

    What kind of fool sells illegal products on the dark web without using 2 factor authentication?

  5. Marketing campaign? by Anonymous Coward · · Score: 0

    This post almost sounds as some marketing effort for the Dutch police ....

    Attaching Dutch Police to a PGP key and then using that key as bait is ... plain stupid.
    Vendors that reuse passwords are plain ... stupid
    Most sites use password + pin + 2-FA using PGP. Without the private key PGP, whatever they have is worth shit.
    The 'beacon' in Excel excels in stupidity, vendors that rely on the TBB have no idea what OPSEC means, neither do vendors that use TBB on Windows.

    So please stop the marketing buzz, serious vendors dedicate a lot of effort and invest hefty in OPSEC so that a compromised/hijacked/seized market has zero repercussions and minimal impact on financial losses.

    All that happened is that LEO got lucky, when properly done LEO never gets lucky

    1. Re:Marketing campaign? by Anonymous Coward · · Score: 0

      Nobody said police hijacked accounts for serious vendors.

  6. I would think many use the same password by Trax3001BBS · · Score: 1

    I do for ease of use. It's knowing when to use a unique one is the trick - to add: almost all of mine are unique.

    1. Re:I would think many use the same password by Areyoukiddingme · · Score: 1

      I would think many use the same password. I do for ease of use. It's knowing when to use a unique one is the trick - to add: almost all of mine are unique.

      Why would you ever use the same password twice when there is KeePass? You memorize one complex, annoying, long password which unlocks your database, then generate really really long, complex, annoying passwords (that tend to break the authentication software of many naively written websites) for each and every individual account. Everything goes into the database, with lots of nice metadata like the date of account creation and the recovery questions and answers. That way you can lie on the recovery answers intentionally, and not have to worry about remembering which site you told which lie. (You didn't think my dog's name actually was AdmiralNelson did you?) About the only thing which doesn't go into the database is the passphrase for the encrypted volume in which I keep all my nuclear secrets. I memorize that one too.

    2. Re:I would think many use the same password by Trax3001BBS · · Score: 1

      I would think many use the same password. I do for ease of use. It's knowing when to use a unique one is the trick - to add: almost all of mine are unique.

      Why would you ever use the same password twice when there is KeePass? You memorize one complex, annoying, long password which unlocks your database, then generate really really long, complex, annoying passwords (that tend to break the authentication software of many naively written websites) for each and every individual account. Everything goes into the database, with lots of nice metadata like the date of account creation and the recovery questions and answers. That way you can lie on the recovery answers intentionally, and not have to worry about remembering which site you told which lie. (You didn't think my dog's name actually was AdmiralNelson did you?) About the only thing which doesn't go into the database is the passphrase for the encrypted volume in which I keep all my nuclear secrets. I memorize that one too.

      Linux tard :) I use acerose and have for many years. So buggy Wine program working site refused to post my "how to" :)

      As for my secret identity I use http://www.fakenamegenerator.c... and keep re-rolling it till my area code is close. (appears to be spam alone sides, all white space).