Mysterious company with government ties plays key internet role

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.

One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics.

Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.

The Pentagon did not respond to a request for comment on TrustCor. TrustCor also did not respond to a request for comment.

TrustCor’s products include an email service that claims to be end-to-end encrypted, though experts consulted by The Washington Post said they found evidence to undermine that claim. A test version of the email service also included spyware developed by a Panamanian company related to Packet Forensics, researchers said. Google later banned all software containing that spyware code from its app store.

A person familiar with Packet Forensics’ work confirmed that it had used TrustCor’s certificate process and its email service, MsgSafe, to intercept communications and help the U.S. government catch suspected terrorists.

“Yes, Packet Forensics does that,” the person said, speaking on the condition of anonymity to discuss confidential practices.

Packet Forensics counsel Kathryn Temel said the company has no business relationship with TrustCor. She declined to say whether it had had one previously.

The latest discovery shows how the technological and business complexities of the internet’s inner workings can be leveraged to an extent that is rarely revealed.

Concerns about root certificate authorities, though, have come up before.

In 2019, a security company controlled by the government of the United Arab Emirates that had been known as DarkMatter applied to be upgraded to top-level root authority from intermediate authority with less independence. That followed revelations about DarkMatter hacking dissidents and even some Americans; Mozilla denied it root power.

In 2015, Google withdrew the root authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediate authority to issue fake certificates for Google sites.

With Packet Forensics, a paper trail led to it being identified by researchers twice this year. Mostly known for selling interception devices and tracking services to authorities, the company is four months into a $4.6 million Pentagon contract for “data processing, hosting and related services.”

In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley found that a Panamanian company, Measurement Systems, had been paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.

Measurement Systems’ website was registered by Vostrom Holdings, according to historic domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing.

After the researchers shared their findings, Google booted all apps with the spy code out of its Play app store.

Tremel said that “a company previously associated with Packet Forensics was a customer of Measurement Systems at one time” but that there was no ownership stake.

When Reardon and Egelman looked deeper at Vostrom, they found it had registered the domain name TrustCor.co, which directed visitors to the main TrustCor site. TrustCor has the same president, agents and holding-company partners listed in Panamanian records as Measurement Systems.

A firm with the same name as one of the holding companies behind both TrustCor and Measurement Systems, Frigate Bay Holdings, filed papers to dissolve this March with the secretary of state in Wyoming, where it was formed. The papers were signed by Saulino, who listed his title as manager. He could not be reached for comment.

TrustCor has issued more than 10,000 certificates, many of them for sites hosted with a dynamic domain name service provider called No-IP, the researchers said. That service allows websites to be hosted with constantly changing Internet Protocol addresses.

Because root authority is so powerful, TrustCor can also give others the right to issue certificates.

Certificates for websites are publicly viewable so that bad ones should be exposed sooner or later. There have been no reports so far that the TrustCor certificates have been used inappropriately, for example by vouching for impostor websites. The researchers speculated that the system is only used against high-value targets within short windows of time. The person familiar with Packet Forensics’ operations agreed and said that was in fact how it has been used.

“They have this position of ultimate trust, where they can issue encryption keys for any arbitrary website and any email address,” Egelman said. “It’s scary this is being done by some shady private company.”

The leadership page of TrustCor’s website lists just two men, identified as co-founders. Though that page does not say so, one of them died months ago, and the other’s LinkedIn profile says he left as chief technology officer in 2019. That man declined to comment.

The website lists a contact phone number in Panama, which has been disconnected, and one in Toronto, where a message had not been returned after more than a week. The email contact form on the site doesn’t work. The physical address in Toronto given in its auditor’s report, 371 Front St. West, houses a UPS Store mail drop.

TrustCor adds another layer of mystery with its outside auditing firm. Instead of using a major accounting firm that rates the safety of internet infrastructure companies, TrustCor selected one called Princeton Audit Group, which gives its address as a residential townhouse in Princeton, N.J.

In addition to TrustCor’s certificate power, the firm offers what purports to be end-to-end encrypted email, MsgSafe.io. But researchers said the email is not encrypted and can be read by the company, which has pitched it to a variety of groups worried about surveillance.

READ MORE HERE

About the Author: Patriotman

Patriotman currently ekes out a survivalist lifestyle in a suburban northeastern state as best as he can. He has varied experience in political science, public policy, biological sciences, and higher education. Proudly Catholic and an Eagle Scout, he has no military experience and thus offers a relatable perspective for the average suburban prepper who is preparing for troubled times on the horizon with less than ideal teams and in less than ideal locations. Brushbeater Store Page: http://bit.ly/BrushbeaterStore

3 Comments

  1. Überdeplorable Psychedelic Cat Grass November 8, 2022 at 13:19

    Solid piece; thanks for posting. Goes to back up what Scout says re: building the apps yourself and not knowing what someone is capable of if you use their system.

    Also, the link to read more is broken.

  2. Chris November 8, 2022 at 14:39

    If it’s technology or Tech driven..

    (In my amateur opinion) the Federal Govt has Moles (Spies) inside or has acquired the tech and is actively figuring it to exploit it for their Authoritarian Wants.

    I can’t think of 1 Positive thing the Federal Govt has ever done in my 60yrs here on this Round Turd floating in the Space Toilet.

    Not 1.

    They have failed in every war, failed to keep the dollar worth something, failed 911, failed in their Constitutional Duties, failed DOT (interstates), failed USINTELL Agencies, failed Justice System, failed veterans, failed failed failed at everything.
    Sorry I don’t give 2 shits about the moon or space aliens😂

    It has stolen land, money, people’s lives, WATER… farms…..

    It can’t even stop socialists, communists and Anarchists from taking over American Cities, Blocking American Roads and Killing Innocent White People.

    Our only purpose seems to be to Finance their Golden Parachutes and Wars for Personal Gain.

    Hell the USMiL can’t even beat the Flintstones decisively.
    Perhaps that’s Politically Driven, but the CHARGE STANDS as FACT.

    As I sit here, I realize, The US Government is a Complete AND Total Failure.

    VOTE, play their game by their rules😂😂😂

    Fuck’em All.

  3. LP November 8, 2022 at 23:08

    Link to the article to see behind the subscription wall ad
    https://archive.ph/HDlFM
    For future reference copy and paste the url of the article from the site it’s in then go to this link
    https://archive.ph/
    and copy and paste the url to archive or check for archived url for saved snapshots aka you can archive it or check to see if someone else archived it and you should be able to see this and other articles that are behind the subscription wall ads.
