Certificate Carnage in Croydon

You don’t hear that very often do you? Usually the word ‘Certificate’ is missing.

This is not the news that Croydon girl Kate Moss has lost her A Level certificate and will therefore not get the new job. Oh no.

This is the news that matters at Croydon based Certificate reseller Trustico have gone the way of the pear in spectacular style. If you use them you might want to put your thinking cap on followed by your peril sensitive sunglasses and tin helmet.

Trustico is a long-standing reseller of Symantec branded digital certificates. As many of you will be aware, Symantec certificates are going to be distrusted by Google and Firefox this very month, so many of the innocent victims we are about to discuss might have already replaced them. You can get certificates free you know.

In order to prepare for this, Trustico has set up store with Comodo and in a startling and totally nuts move, emailed the private keys of 23,000 of its users to certificate authority Digicert triggering the 48-hour process of their cancellation. A fairly extreme way of having customers migrate, don’t you think?

If any of you are thinking “what was the reseller doing with its user’s Private Keys?”, you are not alone. We thought that was the sort of thing government agencies beginning with a G did. There is no reason for them to have these keys, even if they were ‘in cold storage’ as Trustico claim. Very odd, a potential can of worms.

In a further series of gobsmacking blunders, Trustico’s website has been hacked and taken down via a very straightforward command injection. This has also affected a reseller of Trustico’s further down the food chain called SSL Direct (probably staffed by the exact same people as Trustico), who coincidentally share the same Web server.

You can read the unfolding clusterf**k on El Reg here.

The long and short of it is that if you are a Trustico or SSL Direct customer, check your certs and replace them. Today would be good. If you were considering becoming a customer, caveat emptor, if you get our drift?

In what appears to be another case of shooting oneself in the foot or even squarely between the eyes, the mighty, all seeing Brian Krebs has busted the Financial Services Information Sharing and Analysis Center (FS-ISAC, obviously they spell centre incorrectly), which exists to share information on all matters cyber to non-other than the banking and finance industries, for having been (presumably Spear) Phished and internal credentials used to target third parties.

It appears that FS-ISAC detected the issue quickly and dealt with it appropriately, but if you are a member organisation, please keep a close eye on emails from them.

If you are in a flap about your Certs or wish to defend the reputation of the jewel in England’s crown that is Croydon (don’t all shout at once), please contact us at: [email protected] or call 020 7517 3900.