Remuneration coming for TrustCor customers impacted by CA revocation

In brief Certificate Authority TrustCor responded to its ejection from Mozilla and Microsoft's browsers by offering refunds for some customers, while leaving other resellers to pick up the mess on their own.

In a list of upcoming changes published to TrustCor's website, the company said all of its resellers had been notified that TrustCor "will not offer new or renewed server certificates commercially at this time." 

As for refunds, we noted in our previous TrustCor coverage that Microsoft opted to terminate TrustCor's certificates retroactively on November 1, while Mozilla gave the outfit a distrust date of November 30. According to TrustCor VP of Operations Rachel McPherson, that was done without her company being given any advance notice.

"We requested Microsoft's help in writing to correct this by shifting the date 29 days to adopt the same dates as the larger community, and we are disappointed more could not be done," TrustCor said in an upcoming changes list.

A Microsoft spokesperson said that company had nothing to share, aside from notes verifying it had revoked TrustCor's certificates.

As a result of the date discrepancy, TrustCor said it would "remunerate our wholesale customers financially to cover their re-issuance of competitive replacement certificates for their end-users during this period."

TrustCor also issued some update news regarding MsgSafe – its encrypted email service which was also called into question. While OpenPGP-based capabilities will retain support and enterprise-level users would continue to get support for user-provided S/MIME public keys, "Provisioning of S/MIME certificates for each customer identity will no longer be offered or supported," the company said. 

TrustCor has been accused of being evasive during discussions on Mozilla's dev.security.policy (MDSP) mailing list, and even of "taking the Mozilla Forum Etiquette to its limits" with some of its responses to inquiries, one contributor opined. Aside from its short update note, TrustCor has been silent since Mozilla and Microsoft took action.

The Register has been in communication with TrustCor VP McPherson, who told us last Thursday that an official response to Mozilla and Microsoft's moves would be forthcoming that evening.

If it's anything like TrustCor's response to the Washington Post story which raised the issues that got it dropped as a CA, a full and frank response will likley not be offered.

• Rackspace rocked by 'security incident' that has taken out hosted Exchange services
• Medibank prognosis gets worse after more stolen data leaked
• FBI warns about Cuba, no, not that one — the ransomware gang
• DoJ worries messaging apps could hide evidence of crime, corruption

'Baby Al Capone' accomplice gets prison term, $20 million fine

A second defendant in the $24 million cryptocurrency SIM swapping scam led by a 15 year old has been sentenced to 18 months in prison, and told to pay victim Michael Terpin more than $20 million in restitution within 60 days.

Ellis "Baby Al Capone" Pinsky, the teenager who led the gang, has also been ordered to pay $22 million in restitution to Terpin. With the addition of $20 million from today's defendant, Nicholas Truglia, Terpin is well ahead of his $24 million in crypto losses from the theft. 

Pinsky and his crew used their access to Terpin's accounts to empty his crypto wallet. The Department of Justice said that's when Truglia entered the picture by offering to launder the stolen cryptocurrency. Truglia "made [his] Account available to other Scheme Participants to receive the Victim's stolen cryptocurrency, where it was converted into Bitcoin," the DoJ said. 

In addition to his sentence, Truglia will also get three years of supervised release, and was ordered to forfeit an additional $983,010.72.

Pinksy, meanwhile, hasn't faced any charges, and will testify against AT&T in a lawsuit Terpin filed alleging the telco failed to protect his account.

Survey says: Defense contractors fail security basics

A survey of US Department of Defense contractors has found that 87 percent fail to meet the DoD's Supplier Performance Risk System (SPRS) scores to be considered to have adequate cyber security.

Security provider CyberSheath commissioned the study, which spoke to employees at 300 DoD contracting firms with cyber security responsibilities. Its findings weren't great, but they explain a lot. 

Less than a third of defense contractors have deployed Security Information and Event Management (SIEM) software, and only one in five have an Endpoint Detection and Response Solutions (EDR) system in place, utilize a vulnerability management solution, have 24/7 security monitoring, use multi-factor authentication, or rely exclusively on US-based security monitoring systems.

On the flip side of that, more than four out of five said they had experienced a "cyber-related incident," and almost three-fifths have experienced a business loss due to such an event. 

"Our military secrets are not safe and there is an urgent need to improve the state of cyber security for this group, which often does not meet even the most basic cyber security requirements," said CyberSheath CEO Eric Noonan. 

The DoD is currently in the process of overhauling its Cybersecurity Maturity Model requirements, of which SPRS scores are a component, and as such enforcement is currently suspended. Good news for those who've become, or always were, lax: You have time to fix things. ®