TrustCor Systems verifies the URL, but its address is a UPS store

Comment

An offshore company trusted by major web browsers and other tech companies to vouch for the website’s legitimacy has ties to contractors for U.S. intelligence agencies and law enforcement, security researchers, documents and interviews show.

Google’s Chrome, Apple’s Safari, the nonprofit Firefox, and others allow TrustCor Systems to act as a so-called root certificate authority, a powerful feature in the internet’s infrastructure that guarantees websites aren’t fake and guides users seamlessly visit them.

The company’s Panama registration records show the company’s list of officers, agents and partners is the same as the spyware maker identified this year as an Arizona-based Packet Forensics affiliate, which The company has sold communications interception services to U.S. government agencies for more than a decade, public contract records and company documents show.

One of the TrustCor partners has the same name as the managing holding company Raymond Saulino was quoted as a spokesperson for Packet Forensics in a 2010 Wired article.

Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, which briefly activated and ran more than 100 million previously dormant IP addresses assigned to the Pentagon decades ago, sparking the tech world. guess. A few months later, the Pentagon reclaimed the digital territory, and it’s unclear what the brief transfer was about, but researchers say the activation of these IP addresses could have given the military a lot of internet traffic without revealing that the government was receiving it.

The Pentagon did not respond to a request for comment on TrustCor. TrustCor also did not respond to a request for comment.

Millions of dormant Pentagon IP addresses come alive minutes before Trump leaves office

TrustCor’s products include an email service that claims to be end-to-end encrypted, although experts consulted by The Washington Post said they found evidence to undermine that claim.One The beta version of the email service also included Packet Forensics-related spyware developed by the Panama company, the researchers said. Google later banned all software containing the spyware code from its app store.

A person familiar with Packet Forensics’ work confirmed that it used TrustCor’s certificate process and its email service MsgSafe to intercept communications and help the US government catch suspected terrorists.

“Yes, that’s what Packet Forensics does,” said the person, who spoke on the condition of anonymity to discuss classified practices.

Packet Forensics attorney Kathryn Temel said the company has no business relationship with TrustCor. She declined to say whether it had happened before.

New findings show how the technical and business complexities of the internet’s inner workings are exploited to a degree that is rarely revealed.

However, concerns about root certificate authorities have arisen before.

In 2019, a security firm called DarkMatter, controlled by the United Arab Emirates government, applied for an upgrade from a less independent mid-level authority to a top-level root authority. This was followed by revelations about DarkMatter hacking against dissidents and even some Americans. Mozilla denies it root privileges.

In 2015, Google revoked the root authority of the China Internet Network Information Center (CNNIC) after allowing intermediaries to issue fake certificates for Google sites.

With Packet Forensics, a paper clue led researchers to discover it twice this year. The company, known primarily for selling interception equipment and tracking services to authorities, signed a four-month contract with the Pentagon for “data processing, hosting and related services” worth $4.6 million.

In an early spyware incident, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley found that Measurement Systems, a Panama-based company, had been paying developers to include code in various harmless application to record and transmit the user’s phone number, email address and exact location. They estimate that these apps have been downloaded more than 60 million times, including 10 million downloads of the Muslim prayer app.

Measurement Systems’ website is registered by Vostrom Holdings, according to domain history records. Vostrom filed documents to do business as Packet Forensics in 2007, according to Virginia records. According to another state filing, Measurement Systems is registered in Virginia by Saulino.

After the researchers shared their findings, Google launched all apps with spy code from its Play app store.

Tremel said “a company formerly associated with Packet Forensics was a Measurement Systems customer” but had no ownership.

When Reardon and Egelman dug into Vostrom, they discovered that it had registered the domain name TrustCor.co, which directed visitors to the main TrustCor site. TrustCor has the same president, nominee and holding company partners as Measurement Systems, which are listed on the Panama Records.

A company with the same name as Frigate Bay Holdings, one of the holding companies behind TrustCor and Measurement Systems, filed dissolution papers with Wyoming’s secretary of state in March this year, where did it form. The documents were signed by Saulino, who listed his manager title. He could not be reached for comment.

Researchers say TrustCor has issued more than 10,000 certificates, many of which are used to host websites hosted by a dynamic domain name service provider called No-IP. This service allows websites to be hosted with changing Internet Protocol addresses.

Because root authority is so powerful, TrustCor can also give others the right to issue certificates.

Website certificates are publicly visible, so sooner or later a bad certificate will be exposed. So far, there have been no reports of TrustCor certificates being used inappropriately, such as to vouch for imposter sites. The researchers speculate that the system was only used against high-value targets for short periods of time. Those familiar with the operation of Packet Forensics agree that this is actually how it is used.

“They have a position of ultimate trust, and they can issue encryption keys for any website and any email address,” Eggelman said. “It’s being done by some shady private company, and it’s scary.”

The leadership page of TrustCor’s website lists only two people identified as co-founders. Although the page doesn’t say so, one of them died a few months ago, and another’s LinkedIn profile shows he left the CTO role in 2019. That person declined to comment.

The site lists a contact phone number in Panama that has been disconnected, while a phone number in Toronto has not received a response after more than a week. The email contact form on the website does not work. The physical address 371 Front St. West in Toronto given in its audit report has a UPS store for mail delivery.

TrustCor’s external audit firm adds another layer of mystery. Instead of using a large accounting firm that evaluates the security of Internet infrastructure companies, TrustCor chose an accounting firm called Princeton Audit Group, which is based in a residential townhouse in Princeton, NJ

In addition to TrustCor’s certificate capabilities, the company also offers MsgSafe.io, which it claims is end-to-end encrypted email. But the researchers said the email was not encrypted and could be read by the company, which had marketed it to various groups concerned about surveillance.

MsgSafe has touted its safety to various potential clients, including Trump supporters who are unhappy Parler has been removed January 2021 by users of the app store and encrypted mail service Tutanota who are blocked from logging into Microsoft services.

“Create free end-to-end encrypted email today, with 40+ domains to choose from, and guaranteed to work with Microsoft Teams,” the company tweet in August.

Reardon sends test messages through MsgSafe, which appear unencrypted in transit, meaning that MsgSafe can read them at will. Egelman ran the same test with the same results.

Jon Callas, a cryptography expert at the Electronic Frontier Foundation, also tested the system at the request of The Washington Post, and said MsgSafe generated and saved private keys for his account so it could Anything he sends can be decrypted.

“Private keys have to be under human control to be end-to-end,” explained Callas.

Packet forensics first caught the attention of privacy advocates more than a decade ago.

In 2010, researcher Chris Soghoian attended an invite-only industry conference nicknamed Wiretapper’s Ball and was given a packet forensics playbook for law enforcement and intelligence agency clients.

The booklet is a piece of hardware that helps buyers read web traffic deemed safe by all parties. but it is not the truth.

“IP communications requires random inspection of encrypted traffic,” the booklet reads, according to a WIRED report that cited Saulino as a spokesperson for packet forensics. “Your investigators will gather the best possible evidence, while users are fooled by the false sense of security provided by network, email or VOIP encryption,” the brochure adds.

The booklet tells customers that they can use a decryption key or “similar key” provided by a court order.

The researchers believed at the time that the most likely way to use the box would be to use a certificate issued by a monetary authority or under a court order to guarantee the authenticity of the imposter communication site.

they didn’t come to a conclusion The whole certificate authority itself could be compromised.

Getting a trusted root certificate authority takes time and money for the audits required by infrastructure and browsers, experts say.

Each browser has slightly different requirements. In Mozilla’s Firefox, the process takes two years, including crowdsourcing and direct review and auditing.

But all of this usually focuses on formal statements of technical steps, rather than mysteries of ownership and intent. People familiar with Packet Forensics said big tech companies may have been unknowingly playing TrustCor’s game: “Most people weren’t paying attention.”

“With enough money, you or I can be a trusted root certificate authority,” said Daniel Schwalbe, vice president of technology at DomainTools, a web data tracker.

Mozilla currently recognizes 169 root certificate authorities, three of which are from TrustCor.

The case brings into new focus the problems of a system in which key tech companies outsource their trust to third parties with their own agendas.

“You can’t channel trust, it has to come from somewhere,” Reardon said. “The root certificate authority is the heart of trust, everything is built on it. And it’s always unstable because it always involves people, committees and decisions.”

Reardon and Egelman informed Google, Mozilla and Apple about their TrustCor research in April. They said they received almost no response.

Google did not respond to a request for comment.

Mozilla says it will say more after reviewing the researchers’ details.

Leave a Reply

Your email address will not be published. Required fields are marked *