[Cryptography] Threatwatch: CIN - Corruptor-Injector Network

oshwm oshwm at openmailbox.org
Wed Aug 12 02:44:50 EDT 2015


yeh but then...

crt.sh - owned by Comodo
Comodo involved with PrivDog MITM
Comodo issues certs for Cloudflare
Ben Laurie works for Google

None of the above is a killer, but it would suggest this is not necessarily proof of no wrongdoing.

Also, is injecting a modified version of Chrome into an HTTP stream impossible? I don't think so.
Do people in general check MD5 or other sums? Nope, only paranoid cpunks :D

As for cryptostorm, they generally have been reliable, and I would need to read more about CIN before I either dismiss or agree with them on this topic.

cheers,
oshwm.




On 12 August 2015 06:33:29 BST, Ben Laurie <ben at links.org> wrote:
>On Sun, 9 Aug 2015 at 20:25 ianG <iang at iang.org> wrote:
>
>> There's a long post by "cryptostorm_team" that describes a capture of
>> the activity of a CIN or Corruptor-Injector Network.
>>
>> https://cryptostorm.org/viewtopic.php?f=67&t=8713
>>
>> The short story appears to be malware injected into the router which
>> then proceeds to present a false view of many things, including google
>> sites and chrome downloads.
>>
>> That last part again - the CIN appears to be capable of injecting a
>> special download of Chrome which then participates in the false
>> presentation to user.  Given the complexity of modern software I'd say
>> this to be an impossible task except for a very well funded, long term
>> adversary.
>>
>
>Or, actually, it is impossible.
>
>That article appears to be complete nonsense.
>
>For example:
>
>"This certificate identifies itself (via CN field) as *.google.com despite
>being served during a putative session with google.fr (again, this kind of
>obvious certificate misconfiguration is all but impossible to imagine
>google doing in production systems):"
>
>Impossible to imagine, but ... true. The certificate is fine, google.fr is
>a SAN.
>
>This supposedly fake certificate, btw, is well known to CT:
>
>https://crt.sh/?q=4B9D33E64EF6104E2043BF1E0928924F6D41337A
>
>Another example:
>
>"http://clients1.google.com/ocsp 404s when loaded. This is not the sort of
>thing one will find in a legitimately Google-issued certificate, created
>less than 10 days ago."
>
>Oh yes it is. That is completely correct behaviour for an OCSP responder.
>
>The alleged bad certificate, btw, for future record is:
>
>-----BEGIN CERTIFICATE-----
>MIIGxTCCBa2gAwIBAgIIa4/pt17tKWYwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
>BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
>cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNTA2MTAzMzE1WhcNMTUwODA0MDAwMDAw
>WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
>TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
>b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6qywJ47uyuZZh7I4
>4f3qvA9T+u3Zy6fI3V0M2W1sQ/fWd9hgs2Ieobbo9lDh3wM912o++qSsLUKA/zud
>+wa5uqOCBF0wggRZMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAyYG
>A1UdEQSCAx0wggMZggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw
>ZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIWKi5nb29nbGUt
>YW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2ds
>ZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2ds
>ZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdv
>b2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8q
>Lmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29n
>bGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyou
>Z29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdv
>b2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVv
>LmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2dDEuY29tggoq
>Lmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAq
>LnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1
>YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5k
>cm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv
>b2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUu
>YmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTALBgNVHQ8EBAMC
>B4AwaAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2ds
>ZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29v
>Z2xlLmNvbS9vY3NwMB0GA1UdDgQWBBRYmgbDFeI+6yulnYNz+u8RSD6b7TAMBgNV
>HRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1Ud
>IAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp
>Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCSRnI2r+DE
>aeRcZNOWvOrf9XlRnQVRiBjC46eRWp4aP2IU/au5wh8w7hXK8044hcjrlVXl/Z1K
>oL65aEyFwdKM33Mx7Dle74jL12aSHPitnFJQsFkDQ+oB6ydMz1bk8fH3A5Lq3L03
>yIgNwF+pU1MlKL5rbhZ8ekQOw4EwGXVd4PsgAxT0KESx3MD/K9CgSZxf/Z7D00m2
>3wHvx9WPjiWBqjqoHBG0YU+asMtPa0GplNpDlTU0qfxFQlhG05446DbjIAAZ1JTQ
>jhV5+ga4YI/Mvnt4Xf2qEi8Jj1HsdB2Vz94V4NqjyBI2gjPKu5uZFLXHYJY8olUK
>fPfn9P6xBumP
>-----END CERTIFICATE-----
>
>To be clear, it isn't fake.
>
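The point Ben makes in the quoted message, that a certificate whose CN says *.google.com can legitimately be served for a google.fr session because the SAN extension carries the name, is easy to check offline. The script below is an added example, not code from the thread or from cryptostorm; it takes the PEM certificate Ben pasted, walks the DER with a minimal standard-library parser to list every dNSName in the subjectAltName extension, and applies the RFC 6125 wildcard rule (a single "*" stands for exactly one left-most label) to a few hostnames. It also prints the SHA-1 fingerprint of the DER, which is the form crt.sh accepts in its ?q= query, so it can be compared with the query string in Ben's crt.sh link. The hostnames checked at the bottom are chosen for illustration.

```python
# Added example (not from the thread): list the SAN dNSNames of the quoted
# certificate with the standard library only and apply RFC 6125 matching.
import base64, hashlib

PEM = """-----BEGIN CERTIFICATE-----
MIIGxTCCBa2gAwIBAgIIa4/pt17tKWYwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNTA2MTAzMzE1WhcNMTUwODA0MDAwMDAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6qywJ47uyuZZh7I4
4f3qvA9T+u3Zy6fI3V0M2W1sQ/fWd9hgs2Ieobbo9lDh3wM912o++qSsLUKA/zud
+wa5uqOCBF0wggRZMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAyYG
A1UdEQSCAx0wggMZggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw
ZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIWKi5nb29nbGUt
YW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2ds
ZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2ds
ZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdv
b2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8q
Lmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29n
bGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyou
Z29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdv
b2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVv
LmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2dDEuY29tggoq
Lmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAq
LnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1
YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5k
cm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv
b2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUu
YmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTALBgNVHQ8EBAMC
B4AwaAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2ds
ZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29v
Z2xlLmNvbS9vY3NwMB0GA1UdDgQWBBRYmgbDFeI+6yulnYNz+u8RSD6b7TAMBgNV
HRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1Ud
IAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp
Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCSRnI2r+DE
aeRcZNOWvOrf9XlRnQVRiBjC46eRWp4aP2IU/au5wh8w7hXK8044hcjrlVXl/Z1K
oL65aEyFwdKM33Mx7Dle74jL12aSHPitnFJQsFkDQ+oB6ydMz1bk8fH3A5Lq3L03
yIgNwF+pU1MlKL5rbhZ8ekQOw4EwGXVd4PsgAxT0KESx3MD/K9CgSZxf/Z7D00m2
3wHvx9WPjiWBqjqoHBG0YU+asMtPa0GplNpDlTU0qfxFQlhG05446DbjIAAZ1JTQ
jhV5+ga4YI/Mvnt4Xf2qEi8Jj1HsdB2Vz94V4NqjyBI2gjPKu5uZFLXHYJY8olUK
fPfn9P6xBumP
-----END CERTIFICATE-----"""
SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, OID 2.5.29.17

def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def pem_to_der(pem):
    return base64.b64decode("".join(ln for ln in pem.splitlines() if "-----" not in ln))

def san_dns_names(der):
    """Walk Certificate -> tbsCertificate -> [3] Extensions -> SAN -> dNSName entries."""
    _, cert, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert)
    for tag, inner in der_children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        _, exts, _ = der_tlv(inner)
        for _, ext in der_children(exts):
            fields = list(der_children(ext))  # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] == SAN_OID:
                _, names, _ = der_tlv(fields[-1][1])  # GeneralNames SEQUENCE in the OCTET STRING
                return [v.decode("ascii") for t, v in der_children(names) if t == 0x82]  # dNSName
    return []

def hostname_matches(hostname, pattern):
    """RFC 6125: '*' stands for exactly one left-most label, never a parent domain."""
    host, pat = hostname.lower().rstrip(".").split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    return host[1:] == pat[1:] if pat[0] == "*" else host == pat

def matching_sans(hostname, names):
    return [n for n in names if hostname_matches(hostname, n)]

def sha1_fingerprint(der):
    """Hex SHA-1 of the DER, the value crt.sh accepts in a ?q= query."""
    return hashlib.sha1(der).hexdigest().upper()

if __name__ == "__main__":
    der = pem_to_der(PEM)
    names = san_dns_names(der)
    print(len(names), "dNSName entries; SHA-1 fingerprint", sha1_fingerprint(der))
    for h in ("www.google.fr", "google.fr", "mail.google.com", "a.b.google.com", "www.example.org"):
        print(f"{h:16} -> {matching_sans(h, names)}")
```

The SAN list contains both "*.google.com" and "*.google.fr", so a browser talking to www.google.fr matches on the second entry while the CN still reads *.google.com; the CN is not consulted once a SAN extension is present. The bare name "google.fr" matches nothing here because a wildcard never covers its own parent domain, and "a.b.google.com" matches nothing because the wildcard covers only one label.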