NSA and Github ‘rickrolled’ using Windows CryptoAPI bug



On Monday this week, the big cybersecurity news was speculative.

Was there a big, bad security bug in Microsoft Windows waiting to be announced the next day?

On Tuesday, the big news was the announcement that everyone had been guessing about.

Yes, there was a big bad bug, and it was in the Windows CryptoAPI.

It wasn’t a wormable remote code execution hole, so it wasn’t quite a WannaCry virus waiting to break out…

…but it was the first Patch Tuesday bug ever credited to the NSA.

That’s the US National Security Agency, ironically the very same organisation that originally came up with the ETERNALBLUE exploit that ended up in the WannaCry virus after somehow escaping from the NSA’s control.

This time, the NSA gave the bug to Microsoft to patch the hole proactively, and here we are!

The vulnerability, denoted CVE-2020-0601, is a way by which crooks can mint themselves cryptographic certificates with other people’s names on them.

The simplest way of thinking about this bug is that it’s like a magic machine that lets you crank out fake IDs that not only look good when you show them to a cop, but also stand up to scrutiny even when the cop runs them through the ID scanner that checks back with headquarters.
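As an added defensive illustration (not code from the article, and not one of the proof-of-concept scripts it mentions): Microsoft’s advisory for CVE-2020-0601 places the flaw in how CryptoAPI validates elliptic-curve certificates, and the certificates that abuse it carry explicit curve parameters in the key’s AlgorithmIdentifier instead of naming a standard curve by OID. The small DER walker below pulls the SubjectPublicKeyInfo out of a certificate and reports which form the key uses, so a defender can flag the unusual “explicit-parameters” case in certificates pulled from a proxy log or a TLS capture. All function names are ours, and every sample certificate is a constructed placeholder with dummy bytes rather than a real key or real curve constants.

```python
# Added example: classify how an X.509 certificate's EC key identifies its curve.
# Sample certificates below are constructed placeholders, not real keys.

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, NULL, OID, UTCTIME = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06, 0x17
EXPLICIT_0 = 0xA0  # [0] EXPLICIT wrapper around the certificate version

# DER content bytes of the OIDs we need (what follows the 06 tag and length).
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1
SECP256R1        = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7
PRIME_FIELD      = bytes.fromhex("2a8648ce3d0101")      # 1.2.840.10045.1.1
ECDSA_SHA256     = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2
RSA_ENCRYPTION   = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos] (single-byte tags only); return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed type into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out


def der_encode(tag, value):
    """Minimal DER encoder, used to build the constructed samples and rewrap the SPKI."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_spki(spki_der):
    """Report how the key in a SubjectPublicKeyInfo identifies its parameters."""
    tag, body, _ = der_tlv(spki_der)
    if tag != SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg = der_children(der_children(body)[0][1])   # AlgorithmIdentifier { algorithm, parameters }
    if alg[0][0] != OID or alg[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg) < 2:
        return "ec-missing-parameters"
    ptag = alg[1][0]
    if ptag == OID:
        return "named-curve"                # parameters is a curve OID such as secp256r1
    if ptag == SEQUENCE:
        return "explicit-parameters"        # parameters spell out field, a, b, G, n, h: alert on this
    if ptag == NULL:
        return "implicit-curve"
    return "unknown-parameters"


def find_spki(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER Certificate."""
    _, cert_body, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert_body)[0][1])   # tbsCertificate fields
    if fields and fields[0][0] == EXPLICIT_0:
        fields = fields[1:]                 # drop the optional [0] version wrapper
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_val = fields[5]
    return der_encode(spki_tag, spki_val)


def check_certificate(cert_der):
    """Classify the certificate's key; 'explicit-parameters' is the case to investigate."""
    return classify_spki(find_spki(cert_der))


# ---- constructed samples: dummy bytes, not real keys or curve constants ----
def _alg(oid_bytes, params):
    return der_encode(SEQUENCE, der_encode(OID, oid_bytes) + params)

_FAKE_KEY = der_encode(BIT_STRING, b"\x00\x04" + b"\x11" * 64)   # uncompressed-point shape
NAMED_SPKI = der_encode(SEQUENCE, _alg(ID_EC_PUBLIC_KEY, der_encode(OID, SECP256R1)) + _FAKE_KEY)
_EXPLICIT_PARAMS = der_encode(SEQUENCE,
    der_encode(INTEGER, b"\x01")                                                          # version
    + der_encode(SEQUENCE, der_encode(OID, PRIME_FIELD) + der_encode(INTEGER, b"\x7f" * 16))  # fieldID
    + der_encode(SEQUENCE, der_encode(OCTET_STRING, b"\x01" * 16) + der_encode(OCTET_STRING, b"\x02" * 16))  # a, b
    + der_encode(OCTET_STRING, b"\x04" + b"\x03" * 32)                                    # base point G
    + der_encode(INTEGER, b"\x7f" * 16)                                                   # order n
    + der_encode(INTEGER, b"\x01"))                                                       # cofactor h
EXPLICIT_SPKI = der_encode(SEQUENCE, _alg(ID_EC_PUBLIC_KEY, _EXPLICIT_PARAMS) + _FAKE_KEY)
RSA_SPKI = der_encode(SEQUENCE, _alg(RSA_ENCRYPTION, der_encode(NULL, b"")) + der_encode(BIT_STRING, b"\x00" * 8))


def build_cert(spki):
    """Wrap an SPKI in a structurally valid (unsigned, meaningless) DER Certificate."""
    utc = der_encode(UTCTIME, b"200101000000Z")
    tbs = der_encode(SEQUENCE,
        der_encode(EXPLICIT_0, der_encode(INTEGER, b"\x02"))   # version v3
        + der_encode(INTEGER, b"\x01")                          # serialNumber
        + _alg(ECDSA_SHA256, b"")                               # signature algorithm
        + der_encode(SEQUENCE, b"")                             # issuer (empty Name)
        + der_encode(SEQUENCE, utc + utc)                       # validity
        + der_encode(SEQUENCE, b"")                             # subject (empty Name)
        + spki)
    return der_encode(SEQUENCE, tbs + _alg(ECDSA_SHA256, b"") + der_encode(BIT_STRING, b"\x00" * 9))


if __name__ == "__main__":
    for label, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)):
        print(f"{label:9s} -> {check_certificate(build_cert(spki))}")
```

The check only reads the structure; it deliberately does no signature or chain validation, because the whole point of the bug is that the platform’s own validation passes. A real deployment would feed it the DER of each certificate in a presented chain, not just the leaf.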

Back on Tuesday, when the vulnerability was officially announced, we said:

We don’t yet know how hard it is to produce rogue certificates that will pass muster, and Microsoft understandably isn’t offering any instructions on how to do it.

All we know is that Microsoft has said it can be done, and that’s why the patch for CVE-2020-0601 has been issued.

So you should assume that someone will find out how to do it pretty soon, and will probably tell the world how to do it, too.

We don’t know whether to be happy or sad that we were correct.

The first proof-of-concept “fake ID generators” are out – we’ve already seen a Python program of 53 lines, and a Ruby script of just 21 – and they really are sitting there for anyone to use for free.

What we didn’t predict, though we probably should have, is exactly what the first widely-publicised “live attack” would do to prove its point.

(We say “live attack” – but, just to be clear, the researcher who did the work and tweeted about it didn’t actually attack anyone else’s server, or tell anyone else how to do so, so we don’t mean that in a negative or critical sense.)

UK cybersecurity researcher Saleem Rashid filmed himself browsing with Edge to a rickroll page that not only claims to be Microsoft’s github.com but also shows up with a nice little checkmark saying “valid certificate”:

In a later photo in the same Twitter thread, he shows Chrome visiting the rickroll on a webpage that identifies itself as nsa.gov, with a popup saying “Connection is secure” and “Certificate (Valid)”:

Rickrolling, in case you’ve never heard of it, is a sort-of humorous tradition beloved amongst techies and internet witticists where you unexpectedly take someone to a video of Rick Astley singing his 1987 hit Never gonna give you up.

Why Rick Astley, and why that song, we simply cannot tell you, but the rickrolling craze started in 2007.

Perhaps its most infamous appearance in the cybersecurity scene was in 2009, when an Australian youngster set loose the world’s first-ever Apple iPhone virus

…which let you know you’d become a victim by changing your phone’s wallpaper to a photo of the aforementioned Rick Astley.

Rashid’s tweet is great fun, but with a serious side, because it shows how the CryptoAPI bug could, indeed, be used to lull you into a dangerously false sense of security:

Never gonna git your hub
Never gonna let you down
Never gonna hack your site and fake-cert you.