Optus customer site was on cybersecurity blacklist

Optus has proven to be a failure when it comes to protection of customer data (Screenshot via YouTube)

Following one of Australia's biggest cyber hacks, a shocking revelation of Optus' lax attitude to security has been discovered. Anthony Klan reports.

AUSTRALIAN TELCO giant Optus was operating a “revoked” online safety certificate – meaning it was on a cybersecurity blacklist – on its Application Programming Interface (API) subdomain and was operating an insecure customer site at least as far back as February last year.

It has been revealed that Optus’ API subdomain – api.optus.com.au – was carrying the “revoked” and “insecure” safety certificate, in a failure described by cyber experts as reflecting the company’s lax approach to security.

It can also be revealed external cybersecurity experts discovered Optus was running a “Not Secure” customer login website more than 18 months ago, in a ‘major error and configuration issue’ that ‘can enable all manner of external digital intrusion and nefarious actions’.

Despite repeated claims from Optus CEO Kelly Bayer Rosmarin the breach was a sophisticated attack, cybersecurity experts widely view it as a simple breach involving an exposed API.

An API is a way for computer programs to share information; APIs are widely used in software development because they are easy to work with.

UK-based cybersecurity group Cybersec Innovation Partners (CIP) examined Optus’ online security after news emerged it had suffered one of the worst cyber breaches in Australian history, with the personal details of 9.8 million people stolen.

It found a ‘plethora of issues’, ‘within hours’, including the API site revocation and ‘Insecure and Not Secure websites’ and servers.

CIP’s global CEO, Andrew Jenkinson, one of the world’s top cybersecurity experts, alerted Optus to the issue on 24 September, two days after news of the breach emerged.

Optus failed to rectify the problem until 6 October, over two weeks ago.

That’s when a new digital certificate (often called an SSL certificate) was installed on the API site.

Jenkinson said:

‘The Optus people, who once I spoon fed them, finally, after two weeks, found the API server that was Not Secure because it was using a revoked certificate.’

Experts said the revoked API safety certificate was concerning as it meant data could potentially be decrypted as it was sent across the internet.

The matter went to the heart of ‘the company’s lax attitude to security’ but was not the most likely cause of the breach, which was very basic and has been described as Optus having “left the window open” rather than being subject to a “break and enter”.

‘The smoking gun seems to be an unauthenticated API, so having unexpired certificates would not have prevented the breach,’ said one expert.

‘But what it reflects is the company’s lax attitude to security.’

The "Revoked" and "Insecure" Optus API site safety certificate (Source: CIP)

Bayer Rosmarin has steadfastly and repeatedly claimed it was a “sophisticated attack”.

Her claims are despite the Federal Government – whose top cybersecurity arm, the Australian Cyber Security Centre (ACSC), conducted a week-long investigation inside Optus – stating it was a “basic breach” that never should have occurred.

The Optus CEO has provided no evidence to back her claims.

Singtel is controlled and majority-owned by the Singaporean Government.

Safety certificates enable encrypted connections so as to prevent ‘criminals from reading or modifying information transferred between two systems’.

They are issued by certificate authorities (CAs), such as major cybersecurity companies, which also publish certificate revocation lists (CRLs): security blacklists naming the certificates they have revoked.

Jenkinson said:

‘It’s a cardinal sin to have a revoked certificate in an API. It’s like a house of dominos, when that bit’s wrong, the whole thing can fall over.’

Security report on the Optus API subdomain — overall rating: F (Source: CIP)

Security certificates have been a cornerstone of web security since 2018.

All major web browsers warn a site is “Not Secure” if it has a revoked or otherwise invalid safety certificate in place. 

The safety certificate for Optus’ API site was issued on 18 October 2021, with a nominal “expiry date” of 16 November this year.

If a security certificate has been revoked, its expiry date becomes irrelevant.
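To show what a CRL check looks like in practice, and why the expiry date stops mattering once a certificate is revoked, here is an added example (not from the article or from CIP) using the openssl command line tool. It builds a throw-away CA, issues a certificate to a made-up host, api.example.invalid, and verifies it first against an empty CRL and then against a CRL that lists it; the certificate's validity dates never change, only the CRL does.

```shell
#!/bin/sh
# Added example (not the article's or CIP's material): a throw-away CA, a leaf
# certificate for a hypothetical API host, and two CRLs. The leaf stays inside
# its validity window throughout; its appearance on the CRL alone makes
# verification fail. Needs the openssl command line tool.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal config for 'openssl ca' (constructed for this demo)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
touch index.txt
echo 01 > crlnumber
# Self-signed root that may sign certificates and CRLs
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Root CA" -days 365 -config ca.cnf \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
# Leaf certificate for a hypothetical API host, valid for a year from today
openssl req -newkey rsa:2048 -nodes -keyout api.key -out api.csr \
  -subj "/CN=api.example.invalid" -config ca.cnf >/dev/null 2>&1
openssl x509 -req -in api.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out api.crt >/dev/null 2>&1
# empty.crl: nothing revoked. revoked.crl: the API certificate is on it.
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out empty.crl 2>/dev/null
openssl ca -config ca.cnf -revoke api.crt -keyfile ca.key -cert ca.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out revoked.crl 2>/dev/null
# Verify the leaf against the root and the given CRL. Exit status is openssl's
# (0 = trusted, non-zero = rejected); output is openssl's explanation.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$1" "$WORK/api.crt" 2>&1
}
verify_with_crl "$WORK/empty.crl"             # ...api.crt: OK
verify_with_crl "$WORK/revoked.crl" || true   # ...certificate revoked
```

A browser or API client doing the same check would reject the second case with a "certificate revoked" error even though the certificate is months away from its expiry date.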

Before and after. New safety certificate (bottom) installed on 6 October (Source: CIP)

Bayer Rosmarin and Lee Theng Kiat, chair of Singtel, which owns Optus, did not respond to questions put to them last Tuesday.

Last Friday marked four weeks since Optus announced the mass breach.

In a confidential client’s report on 28 September that was obtained by The Klaxon, Jenkinson wrote:

The cyberattack was termed…a sophisticated attack.

However, our security research within hours identified a plethora of Insecure and Not Secure websites, servers and domain name systems (DNS).

Today [is] 28 September and all the insecure, exposed positions remain identical and further exploitable.

Furthermore, these exposed positions have been Insecure for many months.

Of Optus’ API site, Jenkinson writes in the report:

‘This subdomain/server is missing its critical digital certificate and is using Deprecated Protocols and is dated 24 September 2022.’

Jenkinson, who has been the global CEO of CIP for the past five years, has authored two books on cybersecurity and managed major projects for telco giants BT and Virgin Media.

He is a fellow of the New York-based Cyber Theory Institute (which recently named him the Global DNS Vulnerability expert), sits on the International Advisory Council of the Human Health Education and Research Foundation (HHERF) and was in January named among the 2021 Top 30 Risk Communicators in Cybersecurity by the European Risk Policy Institute.

Jenkinson said CIP, which has conducted over 1,000 reviews of cyberattacks, constantly externally monitors the online security of many major companies worldwide.

He said CIP discovered Optus was running a “Not Secure” site in February last year.

Jenkinson writes:

In addition to the very concerning Revoked (certificate above) the below shows a Not Secure customer login Optus website.

This screenshot was originally taken and shared in February 2021.

To confirm, a Not Secure website lacks authentication, can enable all manner of external digital intrusion and nefarious actions.

This is another major error and configuration issue.

The "Not Secure" Optus customer portal, February 2021 (Source: CIP)

On 10 October, it was revealed that Optus owns and operates, along with its parent Singtel, a “world-class” global cybersecurity arm, Trustwave, which has over 200,000 business and government customers in 96 countries.

Optus and Singtel are refusing to say whether Trustwave was being used to protect the 9.8 million consumer customers whose data was exposed.

Bayer Rosmarin and Singtel’s governance arrangements have repeatedly come under serious scrutiny, including after Bayer Rosmarin announced in February she had appointed to a senior role former NSW Premier Gladys Berejiklian, who was at the time and remains the subject of unresolved corruption investigations.

Last week, it emerged another Australian-based arm of Singtel, major I.T. firm The Dialog Group, had been hit with a data breach affecting ‘1,000 current Dialog employees as well as former employees’ with data published on the dark web.

On Tuesday, it was reported that Optus is running a subdomain “mirror site” which is “Not Secure” because it does not carry a safety certificate.

Mirror sites are often used by businesses and other non-consumer customers of I.T. companies.

Jenkinson said although some I.T. companies continued to operate “Not Secure” mirror sites, it was ‘very, very poor practice’ and ‘simply creates opportunity for crime’.

The revelations contained in this article are yet more serious.

The week after Optus announced the mass data breach – and after the Federal Government said it was a “simple hack” – Bayer Rosmarin hit out at “misinformation”.

“Our data was encrypted,” she said.

The former head of the ACSC, Alastair MacGibbon, has said that description represented a “word salad” because the Optus data appeared to have been unencrypted when it reached the hacker.

MacGibbon has said the consensus among cyber security experts was that it was a simple breach that involved an “exposed API”.

The unredacted "Revoked" and "Insecure" Optus API certificate (Source: CIP)

Jenkinson said a “Not Secure” website ‘often enables plain text to be captured to and from the server’.

‘These days, installing [a safety] certificate on your site is a must,’ says major cybersecurity firm Sectigo.

‘Insecure websites are vulnerable to cyberthreats, including malware and cyberattacks.’

Anthony Klan is an investigative journalist and editor of The Klaxon. You can follow him on Twitter @Anthony_Klan. This article was originally published on The Klaxon and has been republished with permission.
