3rd party providers are difficult to secure, even for spooks Or ants Over the years, I've collected data on the general health of various government encryption certificates on the internet. Although most have improved over time, they’re not 100% up-to-date and secured. Understandably, nothing is 100% risk-free or secure. However, there‘s a perception; not based in reality, that governments would be better at security than us mere mortals. I believed in until I was 5, that didn't make him real. Santa Information is sanitised The target information is sanitised. For purposes of this article, we will use in place of the real 3rd party provider. GCHQ.3rdPartyProvider.com I attempted on numerous occasions to responsibly report these and other issues to GCHQ via the NCSC-UK. However, after pleading in the and privately speaking with a UK Ministry The NCSC-UK reached out promptly after the minister lent a hand. There was one major problem, the information was sensitive and must be secured when sending over email. Most type organisations use . The only PGP key the NCSC-UK sent me, to secure the information. A two-year-old expired PGP key from a different, defunct organisation. The previous UK CERT’s PGP key. Leaving me unable to disclose to GCHQ responsibly. news media CERT PGP or similar methods to encrypt email communications New UK Government 3rd party requirements for cyber security Like most government agencies, GCHQ uses various third parties for some technology services. Recently, the UK started a new scheme to help bring up necessary levels of cyber security, especially with companies which do business with the UK government. The scheme, Cyber Essentials, is required for central UK government contracts advertised . The required program upper levels, entail a technology review, audit and penetration/vulnerability test. Not sure why or how this particular technology service provider wasn't required to be part of the Cyber Essentials scheme. However, it’s a excellent example why to audit 3rd party services. after 1 October 2014 The scheme highlights technology products and services One of GCHQ’s third part technology services provider, has no Cyber Essentials certification posted. provides services to the UK government; as well as, 22,000 UK businesses. 3rdPartyProvider.com Nice, a rating posted on their website ;-) Bad GCHQ is listening but not encrypting very well The SSL certificate provided by the 3rd party, was graded an F, fail. Due to using , incomplete certificate chains and weak encryption elements. GCHQ.3rdPartyProvider.com SSL version 2 Qualys SSL report fail In addition to a weak certificate, The service provider appeared to use the same HTTPS and SMTPS encryption certificate for all it’s IP addresses. Using the SSL certificate serial in Shodan, I was able to quickly discover 24 instances using the same exact serial number on 24 different IP addresses. The same encryption certificate appeared in use across the entire third party provider network. The could have exposed all other businesses to GCHQ listening and GCHQ communications to all the other 22,000 businesses and IP addresses. The same supposedly private key was instead in use with everyone. Not very private…. * wildcard * wildcard HTTPS, email SMTPS, * wildcard “A “wildcard certificate” ( is a certificate which contains, as possible server name, a name which contains a “ " character. Details are in . The bottom-line: when the server certificate contains , it will be accepted as a valid certificate for any server whose matches that name.” * wildcard) * RFC 2818, section 3.1 *.example.com by clients apparent name StackExchange Using three web based tools, Shodan.io, Censys.io and Qualys SSL labs. The results were the same, the GCHQ 3rd party was using the same exact encryption certificate on up to 98 different internet facing IP addresses. * wildcard Sanitised IP addresses, too many for a screen shot Pivot table by port/service using the same vulnerable SSL key Conclusion Major issues with the encyrtpion with GCHQ’s 3rd party: Difficult to near impossible to report responsibly to GCHQ’s NCSC-UK, the UK’s CERT replacement. 3rd party provider used the same weak certificate for HTTPS web and email services. Giving customers a false sense of security and possibly exposing business customer and GCHQ sensitive data to each other. Why was GCHQ using a 3rd party encryption certificate? This implies trust between a 3rd party and an intelligence agency. Cyber Essentials, where? Was the requirement waived because the technology services contract wasn't a general UK government contract? Did the contract fall through the cracks? Was the used on purpose? Questions remain. * wildcard For an organisation which deals directly with encryption. The 3rd party utilised weak encryption algorithms and elements such as SHA-1 with RSA, RC4 , with all IPs. TLS_RSA_WITH_RC4_128_SHA ( **_0x5_** ) TLS_ECDHE_RSA_WITH_RC4_128_SHA ( **_0xc011_** ),etc… The warning on all the 98 IP addresses using the same wildcard certificate Let’s be bluntly honest: Third party suppliers and technology providers are some of the most difficult things to secure. This sanitised example shows even the big time professionals are challenged. There is no magic network cable to waive over all your cyber stuff and, viola, magically secured. I was not expecting to discover an encryption in use with a third party of an intelligence organisation. The issues were found using web-based search and certificate checking tools. No “hacking”, unauthorised access or decryption took place. If I found them with ease, super secret spies from other countries could too. Lastly, I wish to state categorically: , ….. :0 * wildcard I do not own a sports bag just in case Again, for the record, unlike Gareth Williams. I do not own a sports bag This post is a case study from my upcoming book: OSINT Through the Looking Glass. The book is based on open source intelligence gathering tools and techniques using various intelligence and government agencies as targets. This OSINT example involves no illegal activity (per Dutch laws). No authentication, or breaking of encryption took place. Leave a clap (or ) and a please feel free to comment. 50+
