Certificate Reseller Emails Private Keys, Legal Spotify Scam


Infosec News

Mar 14, 2018, 10:02:02 AM3/14/18
to Infosec News

INFORMATION SECURITY NEWS

For the Week of 3/7-3/14, 2018


The Information Security News Service is a project of LARS (Laboratory for Advanced Research in Systems) in the CS Department at the University of Minnesota Duluth. We send out top stories in information security every Tuesday (except during some academic breaks). If you have stories you’d like to see featured, please email them to infosec...@d.umn.edu.

CURRENT NEWS



Certificate Reseller Emailing Private Keys, Running Vulnerable Web Server as Root


Trustico, a UK-based certificate reseller (essentially a middleman between browser-trusted CAs and consumers), had some major security flaws exposed last week. Until recently, they were partnered with Symantec as their browser-trusted CA. After Symantec's certificate business was acquired by DigiCert, Trustico asked DigiCert to revoke 50,000 Symantec-issued certificates en masse. When DigiCert asked for proof that the certificates were compromised, the Trustico CEO sent the private keys for 23,000 certificates as an email attachment. Neither a CA nor a reseller should ever have access to users' private keys. However, Trustico offered a service where, for convenience, they would generate the keypair and certificate signing request on their own servers. They then kept a record of the private keys instead of deleting them.


Additionally, a Twitter user discovered that Trustico's website was very insecure. The web server was running as root and was vulnerable to a simple code injection attack. Shortly after this was discovered, their website went down.


https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/

Twitter thread where the webserver vulnerability was discovered

https://twitter.com/Manawyrm/status/969230542578348033
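The lesson from the Trustico story is that the keypair and CSR should be generated on the subscriber's own machine, so that only the CSR (which carries just the public key) is ever sent to the reseller or CA. The following is an added example, not code from the newsletter, Trustico, or DigiCert; it assumes the `openssl` command-line tool is installed, and the directory and common-name arguments (e.g. `example.test`) are placeholders chosen for illustration. It generates the key locally with a restrictive umask, checks that the CSR's public key really belongs to the private key, and checks that the file about to be submitted contains no private key block.

```shell
#!/bin/sh
# Added example (not Trustico's or the newsletter's code): generate the
# private key and CSR locally so the key never leaves the subscriber.
set -eu

# gen_key_and_csr DIR CN
#   Writes DIR/key.pem (private key, created under umask 077) and
#   DIR/csr.pem (the only artefact that should go to the reseller/CA).
gen_key_and_csr() {
  dir=$1
  cn=$2
  # Subshell keeps the restrictive umask local to the key generation.
  (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/key.pem" -out "$dir/csr.pem" \
      -subj "/CN=$cn" >/dev/null 2>&1
  )
}

# key_matches_csr KEY CSR
#   Exit 0 when the public key embedded in CSR is derived from KEY.
#   Both sides are exported as SubjectPublicKeyInfo PEM and hashed, so
#   the comparison does not depend on the key type.
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# file_has_no_private_key FILE
#   Exit 0 when FILE contains no PEM private-key block; run this on
#   anything you are about to attach to an e-mail or upload to a CA.
file_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$1"
}

# Usage (placeholder directory and hostname):
#   d=$(mktemp -d)
#   gen_key_and_csr "$d" example.test
#   key_matches_csr "$d/key.pem" "$d/csr.pem" && echo "CSR matches key"
#   file_has_no_private_key "$d/csr.pem" && echo "safe to submit csr.pem"
```

The private key stays in `key.pem` on the machine that generated it; if a reseller ever asks you to upload or e-mail that file, that is the signal to stop, because possession of the key is exactly what makes a certificate compromised.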


Legal Bulgarian Spotify Scam

Some Bulgarian scammers came up with an ingenious way to scam Spotify using its royalty system. They created two playlists that climbed into the top 100 revenue-generating playlists on Spotify: "Soulful Music" and "Music From the Heart". Soulful Music, the more successful of the two, reached the number 35 spot on Spotify's global charts. All 467 tracks (a strangely large number for a popular playlist) were an average of 43 seconds long; a track needs to be 30 seconds or longer to be monetized on Spotify. Using 12,000 Spotify Premium accounts, they then played the playlists on a continuous loop. This would cost around $12,000 a month for the accounts. The accounts could generate 72 million plays in a month, which, given a $0.004 payout per play, translates to $288,000 in monthly payout. If bots were used to skip each track right after it had played for 30 seconds, the payout could have been increased to $415,000 monthly. The scam was probably only detected because it was too successful: if the playlists had never reached top rankings, they would probably not have been noticed. The best part? The scammers probably didn't break any laws doing this. However, Spotify is justifiably cracking down on this scheme, and has removed many of the tracks used in the scam from its library.


https://www.musicbusinessworldwide.com/great-big-spotify-scam-bulgarian-playlister-swindle-way-fortune-streaming-service/

