[Cryptography] Threatwatch: CIN - Corruptor-Injector Network

ianG iang at iang.org
Fri Aug 14 15:49:26 EDT 2015


On 12/08/2015 07:44 am, oshwm wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> yeh but then...
>
> crt.sh - owned by comodo
> comodo involved with privdog mitm
> comodo issues certs for cloudflare
> ben laurie works for google
>
> none of above is a killer but would suggest not necessarily proof of no wrongdoing.
>
> also, is injecting a modified version of chrome into an http stream impossible - i don't think so.
> do ppl in general check md5 or other sums - nope, only paranoid cpunks :D
>
> as for cryptostorm, they generally have been reliable and i would need to read more about CIN before i either dismiss or agree with them on this topic.


Basically, yes.  The situation we are looking at isn't verifiable from 
the outside.

It's like the financial system, without auditing.  (And we all know 
where that's gone.)  It all works perfectly fine when nobody's doing 
anything wrong, and the insiders know what they're getting out of it. 
We get verbal assurances that all is good, go back to sleep.

But as soon as something goes wrong, we get another complicated 
description, and no assurances of any value - we'll fix it, go back to 
sleep.

It used to be that a standard techie - say a university student - could 
come in, check what the browser and server were up to, and declare it 
safe and secure.

The user could take on some risk, be part of the process.

Now, we can't even rely on a crypto-security org to come in and verify 
the situation.  Audit is no longer tractable.  The barriers to entry are 
written so high that only specialist insiders at every point can check 
these things.



iang



> On 12 August 2015 06:33:29 BST, Ben Laurie <ben at links.org> wrote:
>> On Sun, 9 Aug 2015 at 20:25 ianG <iang at iang.org> wrote:
>>
>>> There's a long post by "cryptostorm_team" that describes a capture of
>>> the activity of a CIN or Corruptor-Injector Network.
>>>
>>> https://cryptostorm.org/viewtopic.php?f=67&t=8713
>>>
>>> The short story appears to be malware injected into the router which
>>> then proceeds to present a false view of many things, including
>>> google sites and chrome downloads.
>>>
>>> That last part again - the CIN appears to be capable of injecting a
>>> special download of Chrome which then participates in the false
>>> presentation to user.  Given the complexity of modern software I'd
>>> say this to be an impossible task except for a very well funded, long
>>> term adversary.
>>>
>>
>> Or, actually, it is impossible.
>>
>> That article appears to be complete nonsense.
>>
>> For example:
>>
>> "This certificate identifies itself (via CN field) as *.google.com
>> despite being served during a putative session with google.fr (again,
>> this kind of obvious certificate misconfiguration is all but impossible
>> to imagine google doing in production systems):"
>>
>> Impossible to imagine, but ... true. The certificate is fine, google.fr
>> is a SAN.
>>
>> This supposedly fake certificate, btw, is well known to CT:
>>
>> https://crt.sh/?q=4B9D33E64EF6104E2043BF1E0928924F6D41337A
>>
>> Another example:
>>
>> "http://clients1.google.com/ocsp 404s when loaded. This is not the sort
>> of thing one will find in a legitimately Google-issued certificate,
>> created less than 10 days ago."
>>
>> Oh yes it is. That is completely correct behaviour for an OCSP
>> responder.
>>
>> The alleged bad certificate, btw, for future record is:
>>
>> -----BEGIN CERTIFICATE-----
>> MIIGxTCCBa2gAwIBAgIIa4/pt17tKWYwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
>> BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
>> cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNTA2MTAzMzE1WhcNMTUwODA0MDAwMDAw
>> WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
>> TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
>> b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6qywJ47uyuZZh7I4
>> 4f3qvA9T+u3Zy6fI3V0M2W1sQ/fWd9hgs2Ieobbo9lDh3wM912o++qSsLUKA/zud
>> +wa5uqOCBF0wggRZMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAyYG
>> A1UdEQSCAx0wggMZggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw
>> ZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIWKi5nb29nbGUt
>> YW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2ds
>> ZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2ds
>> ZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdv
>> b2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8q
>> Lmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29n
>> bGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyou
>> Z29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdv
>> b2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVv
>> LmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2dDEuY29tggoq
>> Lmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAq
>> LnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1
>> YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5k
>> cm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv
>> b2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUu
>> YmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTALBgNVHQ8EBAMC
>> B4AwaAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2ds
>> ZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29v
>> Z2xlLmNvbS9vY3NwMB0GA1UdDgQWBBRYmgbDFeI+6yulnYNz+u8RSD6b7TAMBgNV
>> HRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1Ud
>> IAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp
>> Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCSRnI2r+DE
>> aeRcZNOWvOrf9XlRnQVRiBjC46eRWp4aP2IU/au5wh8w7hXK8044hcjrlVXl/Z1K
>> oL65aEyFwdKM33Mx7Dle74jL12aSHPitnFJQsFkDQ+oB6ydMz1bk8fH3A5Lq3L03
>> yIgNwF+pU1MlKL5rbhZ8ekQOw4EwGXVd4PsgAxT0KESx3MD/K9CgSZxf/Z7D00m2
>> 3wHvx9WPjiWBqjqoHBG0YU+asMtPa0GplNpDlTU0qfxFQlhG05446DbjIAAZ1JTQ
>> jhV5+ga4YI/Mvnt4Xf2qEi8Jj1HsdB2Vz94V4NqjyBI2gjPKu5uZFLXHYJY8olUK
>> fPfn9P6xBumP
>> -----END CERTIFICATE-----
>>
>> To be clear, it isn't fake.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> The cryptography mailing list
>> cryptography at metzdowd.com
>> http://www.metzdowd.com/mailman/listinfo/cryptography
> -----BEGIN PGP SIGNATURE-----
> Version: APG v1.1.1
>
> iQI7BAEBCgAlBQJVyutiHhxvc2h3bSA8b3Nod21Ab3Blbm1haWxib3gub3JnPgAK
> CRAqeAcYSpG1iPIxD/0YSVCvVamvnkyTg86a4MWMKSGcmSXuAwfTi4YxPh4aUk37
> zMWqp9sYqld1GoH7hJjRUDdJILjVwWSdCztGjIqCTl8dBlJChva7LfMQCYTC6K6d
> O1dHvBVAaOTJ5iBk8ZdfSlDIoJnLU1aNAe+Fd7hXsbMFBzH885WZaK+A6wMuMqP1
> ZltsBUFP44MO/qOU8Y2MRj7viG+hX2ol/GsVd/M4SYwPTKXR2eAjyRyNyNbYUX9b
> rKlhF8ERFa04PSK8wsYaXGNSTvyP3J81h0MXG1eKPizIqKiyhw1xqCaOxN5s2iY3
> nfccZ9+vVd8KC4zbpO6TWJbGNFld/eHIe7E63CbvivYlqKcjU/TQynWP+zIHigwK
> et1zDi/XiKdDlumwYstx3IDrirIwr+VAx+IZohKYQxNn9G0hg2seoZ7pSKWiYavw
> 5zLZf/6Wbo3XXrOHlS+w0vG5twx66bM57QuCc0Zof9/bxlKw3Y1mESvhnk1SKVVi
> K1x1/XjWHFXn67JcfGBynPKml4drQQhV87rE5reMeunGHe8vISYJVYhgPeIz8wPu
> MYOUepfkqpgYdisswEkskjl5vZcgAagpEXUmz+EEygMpsD3yCUSeNSAcfU0wRJia
> Z/+b4zfM7y8NOcJvdnkYVZdBVLA5/gzuGPcoTlEJZ7aBCMSfV6igXmTFm8j2wQ==
> =q6vf
> -----END PGP SIGNATURE-----
>
