TrustCor Systems checks addresses on the internet, but their address at UPS Store

Panama company registration records show that it has a matching listing of officers, agents, and partners as spyware maker. This year, it was identified as a subsidiary Arizona-based Packet Forensics. Public contracting records and company documents indicate that Packet Forensics has sold communications intercept services to the US government agencies for more then a decade.

TrustCor partners have the same name as managed holding companies. Raymond Solino, quoted as such in a Wired article from 2010. Spokesman For forensic packages.

Saulino also appeared in 2021As a contact for Global Resource Systems, I was responsible for this Speculation in the tech world when it will be activated and turned on for a short timeOver 100 million IP addresses, which were once dormant, were assigned to the Pentagon in the 1980s. The Pentagon Take back the digital areaMonths later, it is still unclear what the abbreviated Transfer is about. However, the researchers suggested that activating these addresses could have allowed the military access a huge amount of Internet traffic without it being revealed that the government was receiving it.

TrustCor was not mentioned by the Pentagon. A TrustCor executive stated that the company had not responded to any government information requests and had not assisted third-party surveillance of customers for others after this story was published. Mozilla demanded more details and threatened to remove TrustCor’s authority.

Minutes before Trump left office, millions of the Pentagon’s idle IP addresses came to life

TrustCor’s products contain an email service that claims it is end-to-end encrypted. However, experts consulted By The Washington Post stated that they found evidence that contradicts that claim. This is a Researchers discovered that the email service’s test version also contained spyware from a Panamanian firm linked to Packet Forensics. Google then removed all spyware code-containing software from its App store.

A person who is familiar with Packet Forensics’ work confirmed that it used TrustCor certification to intercept communications and helped the US government catch suspected terrorists.

“Yes, Packet Forensics does,” the person said, speaking on the condition of anonymity to discuss clandestine practices.

Catherine Temel, a consultant with Packet Forensics said that the company had no business relationship to TrustCor. She declined to disclose if she ever had one.

This latest discovery demonstrates how the technical and commercial complexities of Internet’s inner workings can often be leveraged to a level that is rarely seen.

However, root certification authorities have been a topic of concern in the past.

In 2019, a UAE government-controlled security company known as DarkMatter applied to be promoted to a high-level root authority from an intermediary authority with less autonomy. That followed detection Mozilla denies its root power in the DarkMatter hack by opponents and even some Americans

Google was founded in 2015 pull root saladAfter it allowed an intermediary authority, the China Internet Network Information Center CNNIC issued fake certificates to Google websites.

Researchers have twice recognized the paper trail using Packet Forensics. The company is most well-known for selling interception and tracking devices to authorities. Its annual revenue is $4.6 Million. Pentagon contract For “Data Processing, Hosting and Related Services”

Concerning past spyware, researchers Joel Reardon of University of Calgary, and Serge Eagleman of University of California at Berkeley found that Measurement System, a Panamanian firm, was paying developers to embed code into a variety of harmless applications in order to record and send users’ phone numbers, emails addresses, and exact locations. . They estimated that the apps had been downloaded more than 60,000,000 times, including 10,000,000 downloads of Muslim prayer app apps.

Vostrom Holdings holds the registration for Measurement Systems, according to historical domain names records. According to Virginia State Registries, Vostrom filed papers in 2007 to operate as Packet Forensics. According to another state filing Saulino measured Virginia’s measurement system.

After the researchers shared what they had discovered, Google Boot all applicationsWith the spy code outside of the Play App Store.

Tremel stated that a company that was previously associated with Packet Forensics was a customer at one point of measurement systems, but that there was no ownership.

Eagleman and Reardon looked into Vostrom more deeply and discovered that Vostrom had registered the domain name. TrustCor.coThis link took visitors to TrustCor’s main website. TrustCor has the same principal and agents as Measurement Systems’ partners.

Frigate Bay Holdings, one of the holding companies behind TrustCor, Measurement Systems and Measurement Systems, was the company that was named after it. It filed papers with the Wyoming Secretary Of State in March for its dissolution. It was formed. Saulino signed them, indicating his title as manager. He was not available for comment.

TrustCor has issued more that 10,000 certificates to sites using a dynamic domain name provider called No-IP, according to the researchers. This service allows websites hosting to be hosted with constantly changing IP addresses.

TrustCor can issue certificates for others, as the root authority has such power.

Website certificates are public viewable so bad certificates should be exposed sooner or later. There have been no reports of TrustCor certificate being misused inappropriately, such as by sponsoring fraudulent websites. Researchers speculated that the system was not used for high-value targets and only for short periods. An individual familiar with Packet Forensics’ operations confirmed that this is how the system works.

“They have this attitude of absolute trust, where they can issue encryption keys to any arbitrary website and any email address,” Eagleman said. “It is scary that some shady company is doing such a thing.”

TrustCor’s leadership pages only names two men, who were identified as cofounders. Although the page doesn’t mention it, one man died months ago and the LinkedIn profile for the other indicates that he left the CTO job in 2019. The man declined to comment.

The website lists a Panama contact’s phone number, which has been disconnected, as well as one in Toronto, which has not received a message for more than a week. The website does not have an email contact form. The auditor’s report 371 Front St. West gives Toronto’s physical address. This includes UPS mail.

TrustCor adds an additional layer of uncertainty to its third-party auditor firm. TrustCor chose to use a major accounting firm to evaluate the integrity of internet infrastructure businesses. Instead, it selected Princeton Audit Group. This address is located in Princeton, NJ.

TrustCor CEO Rachel Macpherson claimed Tuesday that her company was the victim to sophisticated attacks. She said this in her comments to Mozilla’s developers email list. The attacks included registering companies with names that are similar to their shareholders. This could have been done to set up phishing attacks. . She stated that she would investigate why certain people were listed as officers.

The TrustCor certificate is strong and the company claims it offers encrypted email. MsgSafe.io. Researchers said that the email was not encrypted and could be read by the company who sent it to different groups concerned about monitoring.

MsgSafe has promoted the security of its products to a variety potential customers, including Trump supporters. Parler . has been droppedApp stores in January 2021. For users of the Tutanota encrypted email service, who have been banned to sign in to Microsoft services.

Get free encrypted email from 40+ domains. It’s guaranteed to work with Microsoft Teams. chirp August

Reardon sent MsgSafe test messages which appeared to have been unencrypted in their transmission. This means MsgSafe can still read them. Eagleman ran the same test and got the same result.

John Callas is a cryptographic expert from the Electronic Frontier Foundation. He tested the system at The Post’s request. He stated that MsgSafe generated and kept his private key for the account so he could decrypt everything he sent.

Kallas explained, “The private key must be under one’s control for it to be universal.”

Privacy advocates first became aware of Packet Forensics over a decade back.

Chris Sogoyan, a researcher from Georgia, attended an industry conference called Wiretapper’s Ball. He was invited only and received a Packet Forensics brochure that was intended for law enforcement and intelligence agency clients.

The brochure was about hardware that could be used to help buyers navigate web traffic that was thought to be safe. It wasn’t.

“IP communications dictate the need to scan encrypted traffic at will,” according to the brochure Report in WiredWhich cited Saulino to be a spokesperson of Packet Forensics. “Your investigator team will gather the most evidence while users are lulled in to the false sense security offered by email, web, or VoIP encryption,” the brochure said.

The brochure informed customers that they could use a decryption key given under court orders or a “similar” key.

At the time, researchers believed that the best way to access the fund was to obtain a certificate from a financial authority or a court order confirming the credibility of a fraudulent communications website.

They didn’t conclude The entire certification authority could be compromised.

Experts believe that it takes time to find a trusted root authority. They also need to do the infrastructure and auditing that browsers demand.

Each browser has different requirements. Mozilla Firefox’s Firefox is the best. Two yearsIt includes audits of groups and individuals.

It focuses more on the official statements of technological steps than on the mysteries of ownership or intent. A source familiar with Packet Forensics suggested that large tech companies may have been involved in TrustCor.

“With enough money, you or I can become a trusted root certificate authority,” said Daniel Schwalbe, VP of technology at DomainTools for tracking web data.

Mozilla currently recognizes 169 root certification authorities, including three from TrustCor.

The case brings to light the problems of this system. Large tech companies have begun to outsource their trust to people with their own agendas.

Reardon stated, “You can’t trust a boot, it must come from somewhere.” “Root CAs are the nucleus of the trust on which it is all built. And it will always be shaken, because it will always include humans, committees, and decision-making.”

Reardon, Eagleman and Mozilla alerted Google, Mozilla, and Apple about their April TrustCor research. They claimed that they had received very little information as of Tuesday.

Mozilla gave TrustCor two weeks to answer a series questions about its relationships to Measurement Systems and Packet Forensics. They also asked about the officers involved and how the banned spyware code of Measurement Systems got into the MsgSafe early implementation.