The shut down plan follows arrest of one of its administrators, Cha0 (Cagatay Evyapan), by Turkish police earlier this month.

The whole story is covered in great detail this story on Wired’s Blog, Threat Level.  So, what’ next after DarkMarket.ws?

DarkMarket emerged after ShadowCrew.com was taken offline and I reckon it is not going to take long before another online community fills the void left by DarkMarket’s departure from the scene.

There are already a handful of other established online forums that cater to the needs of cyber criminals and new ones crop up all the time offering some high-value loot for those in need:

Fig. 1- A post on a DarkMarket wanna-be forum

Fig. 2: Same post, more details

Some of the more established forums would welcome the extra traffic that they generate from the less experienced DarkMarket users, looking for other market places to trade in:

Fig. 3: "Real-looking" credit cards packed with actual victim data are now being sold online.

Fig. 4: They sure do look "real"

Indepent trading sites are likely to see a surge in their business too as some of the cyber criminals are likely to deal direct without exposing any of their information on any online forums:

Fig. 5: One of the more "reputable" stolen credit card sales website.

Although none of the existing online hacker market places can truly replace the stature of DarkMarket, there is likely to be a surge in competition amongst the various online underground sites to try and reach the level of popularity that DarkMarket currently enjoys.

Any new community formed by the existing DarkMarket admins is likely to see stricter membership controls which probably served as the weak link for the forum; DarkMarket user-level access accounts were being retailed at competing forums privately for US$800 and above, just a couple of weeks ago.

It would be interesting to see what comes next after DarkMarket – and how the law enforcement agencies play catch-up with the notorious underground hacker market places.

1. This year’s most popular Black Hat speaker – Dan Daminsky

2. “Phishing the phishers” – Nitesh Dhanjani & Billy K. Rios

3. The Zen of Xen – Joanna Rutkowska

4. How to make money on the web – the Black Hat way – Trey Ford & Jeremiah Grossman

5. Update on STORM botnet- Joe Stewart

More videos? Visit

The defendants come from U.S.; Estonia; Belarus; China, with one individual whose country of origin still remains unknown.

From the report:

Under the indictments, three Miami, Florida, men — Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed “sniffer” programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

We can speculate a plenty about the poor security deployed at the major retail stores that were affected, but what intrigues me the most, is not that they had wireless network and let their RF waves propagate far and wide, but that the affected stores did not learn from similar attacks that took place in the past.

Major card hacking rings today sell off the numbers to “wholesalers” who then go on to sell the numbers in the “retail market” by advertising the same on publicly available forums and IRC channels. A quick search on Google yields plenty of these postings:

Figure 1: Credit card nos. come cheap

Figure 2: Global credit cards nos.

Although the law is catching up with the card rings, it would do us all good if the available security technologies are implemented effectively and people trained to ward off social engineers.

The RF Barrier system involves mounting a specialized Wireless Access Point on the inside Wireless perimeter with an advanced antenna extending to the outside of the Wireless perimeter. The technology inspects the traffic in real time to differentiate the “sensitive” (internal) traffic from the outside traffic. Sensitive traffic is protected by the RF Barrier by simultaneously transmitting harmless, but stronger RF waves through the external antenna. The stronger RF waves in turn degrade the sensitive traffic outside the internal wireless perimeter, leaving the wardrivers with very weak or no signals to work with.

The official press release states:

RF Barrier is the first solution using exclusively 802.11 technology to offer wireless perimeter protection for organizations with regulatory requirements or policies regarding data privacy, such as retailers, financial and government institutions, manufacturers and health-care organizations.  RF Barrier protects clients with legacy security mechanisms, such as handhelds and scanners equipped only with WEP or WPA/TKIP, as well as modern WPA2- and EAP-based networks, where it helps prevent the exposure of potentially exploitable information such as user identities.  Furthermore, it provides physical wireless security in remote branch offices where no IT personnel are present to detect or stop an attack from outside the site’s physical boundaries.

RF Barrier will be available for retail in September 2008, with starter kits expected to sell for US$3,595 that will consist of four APs, advanced antennas and cables along with software licenses. Full support for 802.11n-based is expected in the future as the present system does not support blocking 802.11n beacons.

Personally, I think the cost is going to limit the deployment figures for the system as a number of alternatives exist, such as RF shielding techniques that can be achieved by using paint, metal foils as wallpapers or even windows and doors! The application of these techniques, of course, depends entirely on the nature of the business.

For a typical small business, simply reducing the transmission power and positioning of the Wireless Access Point (and directional antenna if available) will go a long way in reducing the number of RF waves spreading outside the private space.

I issued an nmap service version and OS detection scan on the target network:

nmap -sV -O -iL case_4301_hosts_1.txt

All seemed to go well and I got my results, until about an hour later when the test subjects started to crawl and did not accept new requests. The system administrator ended up rebooting the affected systems which restored everything back to the way it was supposed to be. Good for me that it was a planned activity and no one was affected by it.

After some research, I found out that the problem faced was a known issue related to the Distributed Data Management (DDM) server and a PTF (Program Temporary Fixes) was issued by IBM. Here is the description of the problem provided with PTF SI12889:

DESCRIPTION OF PROBLEM FIXED FOR APAR SE14576 :
-----------------------------------------------
Port scanner causes DDM server for port 446 to not respond. Port scanners connect, then send RST. This wakes up select(), the application comes down to do the accept(), but the connection has already been reset, and there is nothing there to accept, so the accepts() blocks. When the problem occurs with port 446 not working anymore, it is because QRWTLSTN listens on multiple ports, 446, 447, 448. The accept got blocked waiting for a connection on either port 447 or 448, which will never come or never come for a long time. The accept() should be a non blocking accept, then this problem would not occur.

During my research I came across others who faced similar issues but did not relate to the specific issue I faced. Was a robust TCP/IP stack an after thought for the OS/400? …

If you would like to share your experiences, please feel free to do so by leaving your comment below.

RIM claims that it not possible to handover the decryption keys and claims setting up a local datacenter would serve no purpose given the end-to-end security deployed in its solution. RIM further declared that its solution architecture is designed in a way that does not allow any third party including RIM to read the email data under any circumstances. On the 23rd of May, RIM sent this note to its customers:

“The use of strong encryption in wireless technology is not unique to the BlackBerry platform. Strong encryption is used pervasively on the Internet to protect the confidentiality of personal and corporate information. Governments have a wide range of resources and methodologies to satisfy national security and law enforcement needs without compromising commercial security requirements.”

This is not to be confused with BlackBerry hosted service for which RIM has probably handed over the decryption keys to the Indian Government.

The BlackBerry enterprise solution architecture is provided below (click to enlarge):

All communications between the BlackBerry Enterprise Server (BES), located on the corporate network, and the BlackBerry handheld devices are secured using a 256-bit AES cryptosystem. Furthermore, all newer BlackBerry handheld devices contain cryptographic kernel that conforms (PDF) to the NIST’s FIPS 140-2 Overall Level 1 standard (PDF) making it the most secure commercially available wireless devices for email communications available today.

What better reason to be worried when the your technology can’t cope up with anything better than 40-bit encryption?