TrustCor Systems verifies web addresses, but its address is a UPS Store


An outside company that major web browsers and other tech companies trust to ensure websites are legitimate has connections to contractors for US intelligence and law enforcement agencies, according to security researchers, documents and interviews.

Google’s Chrome, Apple’s Safari, Firefox and others allow the company, TrustCor Systems, to act as a root certificate authority, a powerful position in the Internet’s infrastructure that vouches that websites are not fake and guides users to them seamlessly.

The company’s Panamanian registration records show that it has the same slate of officers, agents and partners as a spyware maker identified this year as a subsidiary of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communications interception services to US government agencies for more than a decade.

A TrustCor partner has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesperson for Packet Forensics.

Saulino also emerged in 2021 as a contact for another company, Global Resource Systems, which caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses allocated to the Pentagon decades earlier. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said activating those IP addresses could have given the military access to a massive amount of Internet traffic without revealing that the government was receiving it.

The Pentagon did not respond to a request for comment on TrustCor. After this story was published, a TrustCor executive said the company had not cooperated with any government information requests or helped third-party surveillance of its customers on behalf of others. Mozilla demanded more detailed answers and said it might remove TrustCor’s authority.


TrustCor’s products include an email service that claims to be end-to-end encrypted, although experts consulted by The Washington Post said they found evidence that undermines that claim. A test version of the email service also included spyware developed by a Panamanian company linked to Packet Forensics, researchers said. Google subsequently banned all software containing this spyware code from its app store.

A person familiar with Packet Forensics’ work confirmed that it used the TrustCor certification process and its email service, MsgSafe, to intercept communications and help the US government catch suspected terrorists.

“Yes, Packet Forensics does,” the person said, speaking on the condition of anonymity to discuss clandestine practices.

Catherine Tremel, a consultant for Packet Forensics, said the company had no business relationship with TrustCor. She declined to say whether it had one previously.

The latest discovery shows how the technological and commercial complexities of the Internet’s inner workings can be leveraged to a degree that is rarely revealed.


However, concerns about root certification authorities have surfaced before.

In 2019, a UAE government-controlled security company known as DarkMatter applied to be promoted to a high-level root authority from an intermediary authority with less autonomy. This came on the heels of the revelations of DarkMatter hacking dissidents and even some Americans. Mozilla denied its root power.

In 2015, Google withdrew root authority for the China Internet Network Information Center (CNNIC) after it allowed an intermediary body to issue fake certificates to Google sites.

In the case of Packet Forensics, a paper trail led researchers to identify it twice this year. The company is mostly known for selling interception devices and tracking services to authorities, and it is four months into a $4.6 million Pentagon contract for “data processing, hosting and related services.”

In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Eagleman of the University of California, Berkeley, found that a Panamanian company, Measurement Systems, had been paying developers to embed code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses, and exact locations. They estimated that these apps had been downloaded over 60 million times, including 10 million downloads of Muslim prayer apps.

The Measurement Systems website was registered by Vostrom Holdings, according to historical domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing.

After the researchers shared their findings, Google removed all apps containing the spy code from its Play Store.

Tremel said that “a company previously associated with Packet Forensics was a customer of Measurement Systems at one time” but that there was no ownership stake.

When Reardon and Eagleman looked deeper into Vostrom, they found that it had registered a domain name that directed visitors to the main TrustCor site. TrustCor has the same principal, agents and holding-company partners listed in Panamanian records as Measurement Systems.

A company with the same name as one of the holding companies behind both TrustCor and Measurement Systems, Frigate Bay Holdings, filed papers for its dissolution in March with the Wyoming Secretary of State, where it was formed. The papers were signed by Saulino, who listed his title as manager. He could not be reached for comment.

The researchers said TrustCor has issued more than 10,000 certificates, many of which are for sites hosted with a dynamic domain name service provider called No-IP. This service allows websites to be hosted with constantly changing IP addresses.

Because the root authority is so powerful, TrustCor can also give others the right to issue certificates.

Website certificates are publicly viewable, so bad ones should be exposed sooner or later. There have been no reports so far of TrustCor certificates being used inappropriately, for example by vouching for fraudulent websites. The researchers speculated that the system was used only against high-value targets over short periods of time. A person familiar with Packet Forensics’ operations agreed that this was in fact how it had been used.


“They have this attitude of absolute trust, where they can issue encryption keys to any arbitrary website and any email address,” Eagleman said. “It’s scary that some shady private company is doing this.”

TrustCor’s leadership page lists only two men, who have been identified as co-founders. Although this page doesn’t mention it, one of them passed away months ago, and the LinkedIn profile of the other says he left the CTO position in 2019. This man declined to comment.

The website lists a contact phone number in Panama, which has been disconnected, and one in Toronto, where a message had not been returned after more than a week. The email contact form on the website is not working. The physical address in Toronto given in its auditor’s report, 371 Front St. West, houses a UPS Store mail drop.

TrustCor adds another layer of ambiguity with its third-party audit firm. Instead of using a major accounting firm that evaluates the integrity of internet infrastructure companies, TrustCor has chosen one called Princeton Audit Group, which gives its address as a residential home in Princeton, NJ.

In her comments Tuesday to Mozilla’s developer email list, TrustCor CEO Rachel MacPherson said her company has been the victim of sophisticated attacks that involved registering companies with names similar to those of their shareholders, possibly to help create some kind of phishing attack. She said she would look into why some people were listed as officers.

In addition to TrustCor’s certificate power, the company offers what it claims is end-to-end encrypted email. But the researchers said the email is not encrypted and can be read by the company, which has offered it to various groups concerned about monitoring.

MsgSafe has promoted its security to a variety of potential customers, including Trump supporters annoyed that Parler was dropped by app stores in January 2021, and users of the Tutanota encrypted mail service who were blocked from signing in to Microsoft services.

“Create free end-to-end encrypted email today with 40+ domains to choose from and guaranteed to work with Microsoft Teams,” the company tweeted in August.

Reardon sent test messages via MsgSafe that appeared to be unencrypted in transmission, which means that MsgSafe could read them at will. Eagleman ran the same test with the same result.

John Callas, a cryptography expert at the Electronic Frontier Foundation, tested the system at The Post’s request and said that MsgSafe generated and kept the private key for his account, so it could decrypt anything he sent.


“The private key has to be under one’s control to be universal,” Callas explained.

Packet Forensics first caught the attention of privacy advocates over a decade ago.

In 2010, researcher Chris Sogoyan attended an invitation-only industry conference called Wiretapper’s Ball and obtained a Packet Forensics brochure intended for clients of law enforcement and intelligence agencies.

The brochure was for a piece of hardware to help buyers read web traffic that parties thought was secure. But it wasn’t.

“IP connectivity dictates the need to scan encrypted traffic at will,” the brochure read, according to a report in Wired that quoted Saulino as a spokesperson for Packet Forensics. “Your investigative team will gather the best evidence while users are lulled into the false sense of security offered by web, email, or VOIP encryption,” the brochure added.

The brochure told customers that they could use the decryption key provided under a court order or a “similar key”.

Researchers at the time believed that the most likely way the device was being used was with a certificate, issued by an authority for payment or under a court order, that would vouch for the authenticity of a fraudulent communications site.

They did not conclude that the entire certification authority itself might be compromised.

Experts say that becoming a trusted root certificate authority takes time and money for the infrastructure and auditing that browsers require.

Each browser has slightly different requirements. At Mozilla’s Firefox, the process takes two years and includes crowdsourced and direct vetting as well as an audit.

But it all usually focuses on official statements of technological steps, rather than mysteries of ownership and intent. The person familiar with Packet Forensics said big tech companies may have been inadvertently involved in the TrustCor play: “Most people just don’t pay attention.”

“With enough money, you or I can become a trusted root certificate authority,” said Daniel Schwalbe, vice president of technology at DomainTools, which tracks web data.

Mozilla currently recognizes 169 root certificate authorities, including three from TrustCor.

The case gives a new focus to the problems with this system, as major tech companies outsource their trust to third parties with their own agendas.

“You can’t trust the boot, it has to come from somewhere,” Reardon said. “Root CAs are the nucleus of the trust on which it is all built. And it will always be shaken, because it will always include humans, committees, and decision-making.”

Reardon and Eagleman alerted Google, Mozilla and Apple about their research on TrustCor in April. They said they had heard very little as of Tuesday.

After this story was published, Mozilla gave TrustCor two weeks to respond to a series of questions, including about its relationships with Measurement Systems and Packet Forensics, the officers involved, and how the banned spyware code from Measurement Systems entered the early MsgSafe implementation.

