TrustCor under fire over certificate authority concerns

TrustCor Systems, a Panamanian certificate authority, is under scrutiny from Google, Mozilla and the CA/Browser Forum following a Washington Post report that raised questions about the company's operations.

TrustCor found itself on the defensive Tuesday after The Washington Post reported its apparent connections to a notorious spyware vendor and other companies with ties to the U.S. intelligence community. As a root certificate authority (CA), TrustCor can issue its own digital certificates and let other third parties issue them.

The report uncovered Panamanian registration documents that tied the company's corporate officers, agents and partners, including CEO Raymond Alan Saulino, to a spyware vendor called Packet Forensics, which was first revealed in a 2010 Wired article. TrustCor's CEO was also tied to other entities, including surveillance vendor Vostrom Holdings, which has had multiple deals with U.S. government agencies and law enforcement agencies.

The company issued a statement Tuesday in response to the Washington Post that slammed the newspaper and the security researchers who uncovered the connections.

"[The article] is filled with ridiculous, false claims and out-of-context statements twisted to fulfill a baseless prophecy imagined by a group of researchers who are more concerned with enriching themselves and their company than they are with Internet security," wrote Rachel McPherson, TrustCor's vice president of operations, in an open letter.

One of the researchers involved was Joel Reardon, a professor at the University of Calgary. Earlier this year, Reardon and Serge Egelman of the University of California, Berkeley, revealed with reporters from the Wall Street Journal that a Panamanian company named Measurement Systems was secretly harvesting data though Android apps in the Google Play store. They also discovered records that showed Measurement Systems has connections to Vostrom Holdings and Packet Forensics.

"Along with investigative journalists at the Wall Street Journal, we discovered that Vostrom Holdings is doing business as Packet Forensics, a company that sells lawful-intercept products," Reardon said Tuesday in the Mozilla discussion group. "The Measurement Systems company was also registered in Virginia by 'Raymond Alan Saulino,' which was then made inactive when Google took action against the SDK."

Reardon said that he, alongside with the researchers and journalists, uncovered an SDK that was tracking users in Android apps and, following a ban from Google, was forced to discontinue its activity. That SDK was allegedly found to be in use by Packet Forensics while the company shared identical contact information to Vostrom and, seemingly, TrustCor.

Further adding to the intrigue, Reardon noted that despite advertising itself as having operations based in Panama and Curacao, TrustCor made job postings for locations based in Arizona.

"I am not particularly troubled by where they have their technical operations. But I think
that it is strange to omit that the data centres are in Arizona on the lengthy descriptions of the 'geo-jurisdiction advantage,'" Reardon explained. "Certificate authorities are about trust."

Reardon emphasized that he found no evidence that TrustCor had issued bad certificates or in any way abused its authority as a root CA. However, he said because the company acts as a root CA for "billions of devices," TrustCor should provide explanations.

Members of the CA/Browser Forum, an independent consortium of browser companies and CAs, agreed with Reardon. Officials from Mozilla and Google responded in the discussion group and requested TrustCor directly address the concerns with documentation.

Ryan Dickson, technical program manager for Chrome security at Google, wrote that based on the researchers' findings, along with Google's own, "identified what could be described as 'coincidences' that, when compiled, could call into question the honesty and security of a publicly-trusted root CA owner or operator," he wrote in the discussion group.

Dickson also raised additional concerns about TrustCor practices, including possible audit irregularities.

Having a CA involved with spyware vendors and data brokers would be a significant privacy concern. Any number of internet giants would then be tied to a company that stands to be compromised in the eyes of international carriers and government agencies.

TrustCor has yet to provide full responses to Google and Mozilla's requests. But McPherson issued an angry response in the Mozilla discussion group Tuesday, accusing Reardon and Egelman of "slinging more false claims."

McPherson's post in the discussion group oddly offered a different explanation for the coincidences. In her previous statement, she attributed the connections to Packet Forensics, Vostrom Holdings and Management Systems to a series of attacks -- "presumably by a U.S. defense contractor."

"The most recent attacks against us involved the creation of companies in the United States very similarly named to those of our shareholders (which have since been dissolved)," she wrote.

However, in the Mozilla discussion group, McPherson appeared to suggest clerical errors were to blame for the overlapping information between the companies.

"I'm not an attorney, but when a company registers itself as a corporate entity and lists its officers and addresses and mailing addresses and uses attorneys to do those things, often times the company initially gets registered to the attorney or there, and then that information gets immediately obsoleted through amendments pointing to the real officers," she wrote. "I can tell you we don't have any crossover between our officers and the officers of the other companies you mention, for certain."

TechTarget Editorial attempted to reach TrustCor and McPherson but was unable to obtain a response at the time of publication.

Security news director Rob Wright contributed to this article.