Trustico Servers Compromised

When you surf the web, your web browser requests and receives data from some remote server. If you are logging into a website, you want your login information to be secure, meaning that when you send it to the remote server for verification, you don’t want the data to travel in plaintext where it can be eavesdropped on by someone on the network. This is where the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols come in. These protocols are in use when the website you visit has HTTPS instead of HTTP, with the ‘S’ standing for “secure”.

These protocols are based on a public key and a private key. The two keys can be thought of as two halves of a whole: together they let you determine whether the information sent or received comes from the source you expect, so you know the data has not been tampered with by another party. This works because data encrypted with somebody’s public key can only be decrypted with that same person’s private key. Suppose B is sending data to A. B uses A’s public key to encrypt the data, and when A receives it, A uses its private key to decrypt it. Therefore, it is important to keep the private key locked up and secret.

This is where companies that issue SSL certificates come in. There are various ways to encrypt data to make it secure, and various companies claim their algorithm is more secure or meets whatever criteria the server’s use requires, bundling warranties, browser support, subdomain coverage, speed, and other exclusive features into a package.

On March 1, a user with the Twitter handle @svblxyz noticed that he was not able to validate his certificate issued by Trustico, a certificate reseller, and that the site was instead sending curl requests (curl is a tool used in scripts for downloading data) as displayed in the application logs. Another user, @Manawyrm, revealed that it was possible to trick the script on the server doing the curl request into running some other command, also known as code injection. The most shocking part was that the application logs showed the command was run as root (the highest privilege level, with no restrictions), meaning the script was running as admin. Another user, @ebuildy, also helped reveal that the company doesn’t use proxies, meaning it was possible to inject code that would display all of the IP addresses of their LAN devices.

Having a code injection vulnerability on a server is bad enough, since it lets anyone essentially mess around with it. Having a code injection vulnerability that allows you to run things as root is even worse, since you then have complete access to the server. Put all that on a server which validates SSL certificates, and you have a complete nightmare. Following the tweets, it did not take the internet long to put Trustico’s server offline. One bad thing that may have happened is someone wiping all data on the server, possibly with no hope of recovery, or someone installing a bunch of backdoors on the server (allowing that person to get back in even after Trustico fixed the problem).

However, the worst thing that could have happened is the compromise of private keys for SSL certificates. The user @ebuildy was able to figure out that Trustico doesn’t use proxies because, when using code injection to display their localhost info, the results returned their own certificate under the company’s name. This means their private key could have been compromised, and anyone could have used code injection to run a command and see the data unencrypted if they wanted to. Anyone who sent their SSL certificates for validation would have had their certificates compromised. As of now the exploit is fixed, and their old certificate was revoked and replaced with a new one.
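The chain of problems the tweets describe (user-controlled input pasted into a curl command line, parsed by a shell, running as root) can be shown in a few lines. The following is an added example written for this post, not Trustico’s actual code, which is not public; the helper names, the hostname grammar and the sample input are assumptions. The vulnerable builder interpolates the hostname into a shell command line; the hardened builder validates the hostname against a strict grammar and hands it to curl as a single argv element with no shell involved, and a privilege check refuses to run the script as root at all.

```python
"""Added example (not Trustico's code): a certificate-check helper that shells
out to curl, in the injectable shape described in the tweets and in a hardened
shape. Helper names, the hostname grammar and the sample input are assumptions
constructed for this illustration."""
import re
import subprocess

# Strict hostname grammar: 1..63-char DNS labels of letters, digits and hyphens
# (no leading/trailing hyphen), joined by dots, at most 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Characters a POSIX shell treats as separators, pipes, substitutions or
# redirections. Any of these in an interpolated command line means the input
# can escape the single curl invocation.
SHELL_METACHARACTERS = set(";|&$`<>()\n")


def build_check_command_unsafe(hostname: str) -> str:
    """VULNERABLE: the hostname is pasted into a command line that a shell will
    parse (e.g. os.system(...) or subprocess.run(..., shell=True))."""
    return f"curl -sI https://{hostname}/"


def contains_shell_metacharacters(command: str) -> bool:
    """Detection helper: would a shell see anything beyond one curl command?"""
    return any(ch in SHELL_METACHARACTERS for ch in command)


def is_valid_hostname(hostname: str) -> bool:
    return HOSTNAME_RE.match(hostname) is not None


def build_check_command_safe(hostname: str) -> list:
    """HARDENED: allow-list validation, then an argv list. No shell ever parses
    the hostname, and '--' ends option parsing so a value starting with '-'
    could not be read as a curl flag even if validation were loosened."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["curl", "-sI", "--", f"https://{hostname}/"]


def may_run_as(euid: int) -> bool:
    """A validation script has no business running as root; refuse if it is."""
    return euid != 0


def run_check(hostname: str, euid: int, dry_run: bool = True) -> list:
    """Build and (unless dry_run) execute the hardened check.
    Returns the argv list so callers can inspect exactly what would run."""
    if not may_run_as(euid):
        raise PermissionError("refusing to run the certificate check as root")
    argv = build_check_command_safe(hostname)
    if not dry_run:
        # shell=False is the default; argv elements reach curl verbatim.
        subprocess.run(argv, capture_output=True, timeout=15, check=False)
    return argv


if __name__ == "__main__":
    import os
    injected = "example.com; whoami"              # constructed sample input
    unsafe = build_check_command_unsafe(injected)
    print(unsafe, contains_shell_metacharacters(unsafe))   # shell would run both
    print(is_valid_hostname(injected))            # False: rejected before curl
    print(run_check("example.com", os.geteuid()))
```

The detection helper is the kind of check worth running over a tool’s own logs: if the recorded command line ever contains a separator or substitution character, input has escaped the intended command. The fix is not escaping but never letting a shell see the input in the first place, and the root check matters because, as the logs in the tweets showed, an injection is only as limited as the account the script runs under.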

A few days before the security flaw was found, Trustico had intended to revoke security certificates issued by Symantec/DigiCert. Mozilla and Chrome browsers were rejecting DigiCert certificates after the misissuance of over 30,000 of them. As a result, Trustico decided it was better to switch from DigiCert to Comodo. According to a statement by Trustico, “We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn’t meet our stringent security requirements”.

After they requested that DigiCert revoke the certificates so they could be replaced with Comodo ones, DigiCert declined to do so unless the certificates were compromised. Trustico then proceeded to email DigiCert the private keys of the certificates, thereby compromising them and revealing that their certificate validation tools logged the private keys of certificates. According to Jeremy Rowley from DigiCert, “Trustico has not provided any details how the private key leaked or how did they acquire the keys”, now leading to skepticism about whether any stored private keys were accessed by unauthorized parties during the time the code injection vulnerability was present.

— Alex Baraker


Sources:

  1. https://www.instantssl.com/ssl-certificate-products/https.html
  2. https://info.ssl.com/faq-what-is-a-private-key/
  3. https://www.instantssl.com/ssl-certificate.html
  4. https://twitter.com/svblxyz/status/969220402768736258
  5. https://twitter.com/Manawyrm/status/969230542578348033
  6. https://twitter.com/cujanovic/status/969229397508153350
  7. https://twitter.com/ebuildy/status/969230182295982080
  8. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/BLvabFwcJqo
  9. https://gbhackers.com/google-announces-final-distrusting-symantec-ssl-certificates/
  10. https://www.trustico.com/news/2018/symantec-revocation/certificate-replacement.php
  11. https://bitkan.com/news/topic/69234
  12. https://gbhackers.com/23000-ssl-certificates-revoked/

A More “Intimate” IoT Issue

As humans get more attached to technology, it appears that we also get more detached from reality and those around us. The meaning of interpersonal relationships gets foggier as our practical need for face-to-face interaction is lost. But the loss of the practicality of it in day-to-day life does not mean that humans do not desire personal relationships. To be more specific, the human desire for a romantic relationship does not dwindle even as our desire to go out and create one does. Some would say that a solution to this issue would be, gently put, robotic escort services.

Whether these robotic prostitutes are for hire or are personally owned is beyond the scope of this discussion. As is whether this is a good direction for humanity to go in. The issue to be discussed is much graver than that.

As the IoT grows more populous with frivolous devices, one cannot help but come across articles stating the dangers of having these devices on the internet. Sure, hacking a toaster can allow you access to someone’s home network. And yes, a juice press that connects to the World Wide Web seems more than a little bit silly. But they are merely pocket change when compared to the possibility of being killed by an IoT device. If one of these sex robots were hacked during use, it could be commanded to kill you. If this sounds ridiculous to you, I’m certain that you’re not alone. But Dr. Nick Patterson of Deakin University in Australia will have you know that this is not as ridiculous as it may seem.

“Hackers can hack into a robot or a robotic device and have full control of the connections, arms, legs and other attached tools like in some cases knives or welding devices,” Patterson says. “Often these robots can be upwards of 200 pounds, and very strong. Once a robot is hacked, the hacker has full control and can issue instructions to the robot. The last thing you want is for a hacker to have control over one of these robots. Once hacked they could absolutely be used to perform physical actions for an advantageous scenario or to cause damage.”

While an immediate threat is not thought to be present, it is certainly a consideration one should make before purchasing one of these machines in the future.

-Alan Richman

Sources: Patterson initially gave this information to the Daily Star in the United Kingdom. The given link is to the source with this information containing no graphic, explicit, or sexual imagery.

http://bgr.com/2017/09/11/sex-robot-hack-security-cyborg/

Hacker Group Makes Profit Off Of Selling Hacking Tools

In the past few years, the mysterious hacker group known as the “Shadow Brokers” has been responsible for stealing and releasing NSA secrets on the internet. Now, more recently, they have done more than just expose this classified information: they have found a way to make money off of it. The Shadow Brokers have started a service that sells their stolen hacking tools to anyone who subscribes. Little is known about the service, as only a handful of subscribers have been identified. However, it has been estimated that the group has made almost $90,000 selling these hacking tools.


Although the group’s activity has mainly consisted of releasing secret and valuable hacking information, it seems as though the Shadow Brokers are not interested in the satisfaction of their own customers. Earlier this summer, an anonymous subscriber to the service publicly denounced it. Stating that the “Shadow Brokers had ripped [him or her] off,” the subscriber explained that the tool received was old and dated compared to the kinds of hacking tools used today.

It is unclear what specific tools can be bought from the Shadow Brokers, but those investigating believe that the best they have to offer are the tools they initially exposed. This might explain why there are complaints among their subscribers. Unless more people are willing to provide insight about the Shadow Brokers’ service, it could be very difficult to uncover more information about this underground hacking market.

https://motherboard.vice.com/en_us/article/neejqw/the-shadow-brokers-have-made-almost-dollar90000-selling-hacking-tools-by-subscription-researcher-says


– Jared Albert

Hacking group claims to offer cyberweapons in online auction


Hackers going by the name Shadow Brokers said they will auction stolen surveillance tools that are linked to the U.S. National Security Agency. The group said interested parties had to send funds in advance of winning the auction via Bitcoin and would not get their money back if they lost. To arouse interest in the auction, the hackers released samples of programs they said could break into popular firewall software made by companies including Cisco Systems, Juniper Networks and Fortinet. The companies did not respond to requests for comment, and there was no response from the NSA. The Shadow Brokers promised in postings on a Tumblr blog that the auctioned material would contain “cyberweapons” developed by the Equation Group, a hacking group that cybersecurity experts widely believe to be an arm of the NSA.

The Shadow Brokers said the programs they will auction will be “better than Stuxnet,” which is a malicious computer worm. Reuters could not contact the Shadow Brokers or verify their assertions. Some experts who looked at the samples posted on Tumblr said they included programs that had previously been described and therefore were unlikely to cause major damage. Professionals stated that some of the data released was fairly old, even a couple of years old in some cases. Still, they appeared to be genuine tools that might work if flaws have not been addressed. Other security experts warned the posting could prove to be a scam.

You can find the whole article at

http://www.cnbc.com/2016/08/16/hacking-group-claims-to-offer-cyberweapons-in-online-auction.html

-Andrewvcsec


Canadian Point of Sale company data breach

The point of sale company Lightspeed has suffered a data breach. The email above, which Lightspeed sent to its customers, was posted on Twitter by Australian security expert Troy Hunt. The hackers had gained access to systems related to its retail offering. Lightspeed confirmed the attackers accessed a central database containing information on sales, products, and customers. The database included encrypted passwords, electronic signatures, and API keys. Even though the database was accessed by hackers, Lightspeed said there was no evidence that information was stolen.

The company said that passwords created after January 2015 were the safest, having been stored with advanced encryption technology. They also said that the system the hackers accessed did not hold any private information such as credit card numbers. The company has informed customers that a third-party security firm has been hired to investigate and that its systems should be accessible only by authorized users.
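The phrase “stored with advanced encryption technology” deserves a practitioner’s gloss: what limits the damage of a stolen customer table is not encryption (a decryption key sitting on the same compromised system unlocks every record) but a salted, deliberately slow password hash that an attacker must attack one guess at a time. The following is an added illustration, not Lightspeed’s code, whose actual scheme is not public; the record format, work factor and sample passwords are assumptions. It also shows the work-factor check that lets a site upgrade older, weaker records at the user’s next login, which is relevant whenever, as in this notice, records created before a certain date are weaker than newer ones.

```python
"""Added illustration (not Lightspeed's code): salted, slow password hashing
so that a stolen customer table does not yield usable passwords. Record format,
work factor and sample passwords are constructed for this example."""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor in line with current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).
    A fresh random salt per user means equal passwords give different records
    and precomputed tables are useless against the whole table at once."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, derived_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record uses an older or weaker setting than current policy.
    Only after a successful login is the plaintext in hand, so that is the one
    moment a legacy record can be re-stored with hash_password()."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations


def login(password: str, record: str) -> tuple:
    """Simulated login step: returns (accepted, upgraded_record_or_None)."""
    if not verify_password(password, record):
        return False, None
    return True, (hash_password(password) if needs_rehash(record) else None)


if __name__ == "__main__":
    legacy = hash_password("correct horse battery staple", iterations=20_000)  # constructed old record
    print(legacy)
    print(login("correct horse battery staple", legacy))   # accepted, new record issued
    print(login("wrong guess", legacy))                     # (False, None)
```

With records like these, a copied database forces the attacker to spend the full work factor per guess per user, which is the property a breach notice should be able to point to; the iteration count lives inside each record precisely so that older, cheaper records can be identified and upgraded.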

http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach

- Gavin Millikan