Australian telco giant Optus was operating a “revoked” online safety certificate – meaning it was on a cybersecurity blacklist – on its “API” subdomain, and was operating an insecure customer site at least as far back as February last year.
The Klaxon can exclusively reveal Optus’s “API” subdomain – api.optus.com.au – was carrying the “revoked” and “insecure” safety certificate, in a failure described by cyber experts as reflecting the company’s lax approach to security.
It can also be revealed external cybersecurity experts discovered Optus was running a “not secure” customer login website more than 18 months ago, in a “major error and configuration issue” that “can enable all manner of external digital intrusion and nefarious actions”.
Despite repeated claims from Optus CEO Kelly Bayer Rosmarin the breach was a “sophisticated attack”, cybersecurity experts widely view it as a simple breach involving an exposed “API”.
An API, or application programming interface is a way for computer programs to share information, often used for software development given their ease of use.
UK-based cybersecurity group Cybersec Innovation Partners (CIP) examined Optus’ online security after news emerged it had suffered one of the worst cyber breaches in Australian history, with the personal details of 9.8 million people stolen.
It found a “plethora of issues”, “within hours”, including the API site revocation and “insecure and not secure websites” and servers.
CIP’s Global CEO, Andrew Jenkinson, one of the world’s top cybersecurity experts, alerted Optus to the issue on September 24, two days after news of the breach emerged.
Optus failed to rectify the problem until October 6, two weeks ago.
“Optus failed to rectify the problem until October 6, two weeks ago”
That’s when a new digital certificate, or SSL, was put in place over the API site.
“The Optus people, who once I spoon fed them, finally, after two weeks, found the API server that was not secure because it was using a revoked certificate,” Jenkinson said.
Experts said the revoked API safety certificate was concerning as it meant data could potentially be decrypted as it was sent across the internet.
The matter went to the heart of “the company’s lax attitude to security” but was not the most likely cause of the breach, which was very basic and has been described as Optus having “left the window open” rather than being subject to a “break and enter”.
“What it reflects is the company’s lax attitude to security”
“The smoking gun seems to be an unauthenticated API, so having unexpired certificates would not have prevented the breach,” said one expert.
“But what it reflects is the company’s lax attitude to security”.
The “Revoked” and “INSECURE” Optus API site safety certificate. Source: CIP
Optus CEO Bayer Rosmarin has steadfastly and repeatedly claimed it was a “sophisticated attack”.
Bayer Rosmarin’s claims are despite the Federal Government – whose top cybersecurity arm the Australian Cyber Security Centre (ACSC) conducted a week-long investigation inside Optus – stating it was a “basic breach” that never “never should have occurred”.
The Optus CEO has provided no evidence to back her claims.
Singtel is controlled and majority-owned by the Singaporean Government.
No comment: Singtel chair Lee Theng Kiat and Optus CEO Kelly Bayer Rosmarin. Source: Supplied
Safety certificates enable encrypted connections so as to prevent “criminals from reading or modifying information transferred between two systems”.
They are issued by major cybersecurity companies, who publish certificate revocation lists (CRLs), which are security blacklists naming the sites whose safety certificates they have revoked.
“It’s a cardinal sin to have a revoked certificate in an API” – Andrew Jenkinson
“It’s a cardinal sin to have a revoked certificate in an API,” said Jenkinson.
“It’s like a house of dominos, when that bit’s wrong, the whole thing can fall over”.
Security report on the Optus “API” subdomain – overall rating: “F”
Security certificates have been a cornerstone of web security since 2018.
All major web browsers warn a site is “not secure” if it has a revoked or otherwise invalid safety certificate in place.
The safety certificate for Optus’s API site was issued on October 18 2021, with a nominal “expiry date” of November 16 this year.
If a security certificate has been revoked its expiry date becomes irrelevant.
Before and after. New safety certificate installed on October 6 (bottom). Source: CIP
Bayer Rosmarin and Lee Theng Kiat, chair of Singtel, which owns Optus, both did not respond to questions The Klaxon put to them Tuesday.
Yesterday marked four weeks since Optus announced the mass breach.
“The cyberattack was termed…a sophisticated attack,” Jenkinson wrote in a confidential client’s report on September 28, obtained by The Klaxon.
“However, our security research within hours identified a plethora of Insecure and Not Secure Websites, Servers and Domain Name Systems (DNS),” he wrote.
“Today (is) the 28 September and all the insecure, exposed positions remain identical and further exploitable.
“Furthermore, these exposed positions have been Insecure for many months,” he wrote.
Of Optus’ API site, Jenkinson writes in the report: “this subdomain/server is missing its critical digital certificate and is using Deprecated Protocols and is dated 24 September 2022”.
Jenkinson, who has been global CEO of CIP for the past five years, has authored two books on cybersecurity and managed major projects for telco giants BT and Virgin Media.
He is a fellow of the New York-based Cyber Theory Institute (which recently named him the Global DNS Vulnerability expert), sits on the International Advisory Council of the Human Health Education and Research Foundation (HHERF) and was in Januarynamed among the 2021 Top 30 Risk Communicators in Cybersecurity by the European Risk Policy Institute.
Jenkinson said CIP, which has conducted “over 1000” reviews of cyberattacks, constantly externally monitors the online security of many major companies worldwide.
He said CIP discovered Optus was running a “Not Secure” site in February last year.
“In addition to the very concerning Revoked (certificate above) the below shows a Not Secure customer login Optus website,” Jenkinson writes.
“This screenshot was originally taken and shared in February 2021.
“To confirm, a Not Secure website lacks authentication, can enable all manner of external digital intrusion and nefarious actions”.
The “Not Secure” Optus customer portal, February 2021. Source: CIP
“This is another major error and configuration issue,” Jenkinson writes.
On October 10 The Klaxon revealed Optus owns and operates, along with its parent Singtel, a “world-class” global cybersecurity arm, Trustwave, which has “over 200,000 business and government customers” in “96 countries”.
Optus and Singtel are refusing to say whether Trustwave was being used to protect the 9.8m consumer customers whose data was exposed.
Bayer Rosmarin and Singtel’s governance arrangements have repeatedly come under serious scrutiny, including after Bayer Rosmarin announced in February she had appointed to a senior role former NSW Premier Gladys Berejiklian, who was at the time, and remains, the subject of unresolved corruption investigations.
Last week it emerged another Australian-based arm of Singtel, major IT firm The Dialog Group, had been hit with a data breach affecting “1,000 current Dialog employees as well as former employees” with data published on the dark web.
On Tuesday The Klaxon reported Optus is running a subdomain “mirror site” which is “not secure” because it does not carry a safety certificate.
Mirror sites are often used by business and other non-consumer customers of IT companies.
Jenkinson said although some IT companies continued to operate “not secure” mirror sites, it was “very, very poor practice” and “simply creates opportunity for crime”.
The revelations contained in this article are yet more serious.
The week after Optus announced the mass data breach – and after the Federal Government said it was a “simple hack” – Bayer Rosmarin hit out at “misinformation”.
The former head of Federal Government cybersecurity agency the ACSC, Alastair MacGibbon has said that description represented a “word salad” because the Optus data appeared to have been unencrypted when it reached the hacker.
MacGibbon has said the consensus among cyber security experts was that it was a simple breach that involved an “exposed API”.
The “Revoked” and “INSECURE” Optus API certificate (unredacted). Source: CIP
Jenkinson said a “not secure” website “often enables plain text to be captured to and from the server”.
“These days, installing a (safety) certificate on your site is a must,” says major cybersecurity firm Sectigo.
“Insecure websites are vulnerable to cyberthreats, including malware and cyberattacks.”
WE HAVE A FAVOUR TO ASK: We receive zero government funding and are entirely funded by our readers. Our financial position is currently extremely tight. If you appreciated this article, and our high-quality investigative journalism, please DONATE HERE to help keep us afloat. Thank you very much for your support.
Help us get the truth out from as little as $10/month.
The need for fearless, independent media has never been greater. Journalism is on its knees – and the media landscape is riddled with vested interests. Please consider subscribing for as little as $10 a month to help us keep holding the powerful to account.