Listen to this Post

Introduction:
In a damning display of “do as I say, not as I do,” a recent OSINT audit of CREST, a prominent international body that certifies cybersecurity professionals, revealed foundational security failures. Despite publicly asserting their global leadership and dismissing shared threat intelligence on DNS vulnerabilities three years ago, CREST’s own digital assets were found to have critical misconfigurations in TLS, HSTS, DNS, and DNSSEC. This exposes a dangerous hypocrisy in the industry: the organizations setting the standards for cyber defense are often failing to implement them, creating potential footholds for the very attacks they claim to prevent.
Learning Objectives:
- Analyze the specific DNS and HTTP configuration failures discovered in the CREST audit.
- Learn how to manually audit an organization’s security posture using command-line tools.
- Understand the difference between securing a Top-Level Domain (TLD) and securing its subdomains.
- Implement basic hardening checklists for TLS, DNSSEC, and security headers.
- Develop a proactive OSINT routine to assess third-party and partner security postures.
You Should Know:
1. Auditing HTTP Security Headers and TLS Configuration
The initial findings against CREST pointed to suboptimal TLS/SSL and HTTP/HTTPS configurations. These are the first lines of defense for web applications. A missing or misconfigured HTTP Strict Transport Security (HSTS) policy, for example, leaves users vulnerable to protocol downgrade attacks and session hijacking.
To perform a basic audit on any domain (e.g., crest-approved.org), you can use `curl` to examine the response headers and `nmap` or `testssl.sh` to analyze the SSL/TLS setup.
Step‑by‑step guide:
1. Check HTTP Headers with cURL (Linux/macOS/Windows WSL):
curl -I https://crest-approved.org
Look for: Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy. Their absence is a red flag.
2. Test SSL/TLS Strength with testssl.sh:
This tool is the industry standard for deep TLS analysis.
Clone the repository git clone --depth 1 https://github.com/drwetter/testssl.sh.git cd testssl.sh Run a standard check ./testssl.sh https://crest-approved.org
What to look for: Support for weak protocols (SSLv3, TLSv1.0), vulnerable ciphers (like those susceptible to SWEET32 or ROBOT), and expired or mis-issued certificates.
2. The DNSSEC Verification Gap
The audit specifically called out DNSSEC as being suboptimal. DNSSEC (Domain Name System Security Extensions) ensures that DNS responses haven’t been tampered with. However, a common misconception is that securing a TLD (like .org) automatically secures all its subdomains. As highlighted in the post, “Security DOES NOT flow across and down.”
You must verify DNSSEC at the specific record level.
Step‑by‑step guide:
1. Query the DNSKEY for the domain (Linux/macOS):
dig +dnssec crest-approved.org DNSKEY
If you get a response with `ad` (authentic data) flag in the header, the records are signed. However, the data may be served but not validated by your resolver.
- Force Validation with `delv` (Domain Entity Lookup & Validation):
`delv` is a tool (part of BIND) that performs its own validation, bypassing your local resolver’s settings.delv crest-approved.org A +dnssec
What to look for: A successful validation will show the full chain of trust. A failure indicates broken or missing signatures.
3. Subdomain Enumeration and Vulnerability Chaining
Andy Jenkinson’s comment underscores a critical attack vector: focusing only on the main domain while leaving subdomains exposed. Attackers routinely enumerate subdomains to find development servers, test sites, or forgotten applications that lack the security rigor of the production environment.
Step‑by‑step guide:
1. Passive Subdomain Enumeration using `sublist3r`:
Install (requires Python and pip) pip install sublist3r Enumerate subdomains for a target sublist3r -d crest-approved.org
This tool scrapes search engines (Google, Bing, Yahoo) and public sources (Virustotal, ThreatCrowd) to build a list of subdomains.
2. Active Subdomain Bruteforcing with `gobuster` (Linux):
This sends DNS queries to see if common subdomain names exist.
gobuster dns -d crest-approved.org -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Once you have a list of subdomains, you would then run the TLS and header checks from Section 1 against each one. It is highly likely that `dev.crest-approved.org` or `mail.crest-approved.org` will have weaker security than the main site.
4. Implementing Basic Hardening: A Checklist
To avoid falling into the same trap as CREST, organizations must enforce basic controls. This is not advanced “APT-level” security; it’s the digital equivalent of locking the front door.
Step‑by‑step guide (Apache/NGINX):
- Enforce HSTS: Add this header to your web server configuration to force browsers to always use HTTPS.
In your server block (NGINX) add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
(Warning: `includeSubDomains` is powerful—ensure ALL subdomains support HTTPS before enabling.)
2. Enable DNSSEC (via BIND):
- Generate keys: `dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE yourdomain.com`
– Include keys in your zone file and sign it: `dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o yourdomain.com -t yourdomain.com.db`
– Publish the DS record with your domain registrar.
5. Windows-Based Reconnaissance and Monitoring
Not all security work happens on Linux. Windows administrators can use built-in tools and PowerShell to perform similar audits.
Step‑by‑step guide:
1. Using `nslookup` for DNS Interrogation:
nslookup -type=TXT crest-approved.org nslookup -type=MX crest-approved.org
2. Using `Resolve-DnsName` in PowerShell (More powerful):
Check for DNSSEC validation (if the resolver supports it) Resolve-DnsName -Name crest-approved.org -Type A -DnssecOk Verify the signature Resolve-DnsName -Name crest-approved.org -Type DNSKEY
3. Checking Certificate Information with .NET:
$WebRequest = [Net.WebRequest]::Create("https://crest-approved.org")
$WebRequest.GetResponse().Close()
$Cert = $WebRequest.ServicePoint.Certificate
$Cert.Subject
$Cert.GetExpirationDateString()
This script grabs the SSL certificate details, allowing you to programmatically check for expiration or mismatched Common Names.
6. Continuous OSINT and Threat Intelligence Integration
The core of the issue was that CREST dismissed threat intelligence they were given. A mature security program ingests threat feeds and continuously monitors its own attack surface.
Step‑by‑step guide:
1. Monitor Certificate Transparency Logs:
Attackers often register certificates for your domain (or lookalikes) before launching a phishing campaign. Use `crt.sh` via the command line:
curl -s "https://crt.sh/?q=%.crest-approved.org&output=json" | jq .
This reveals every SSL certificate issued for the domain and its subdomains, helping you spot unauthorized certificates instantly.
What Undercode Say:
- The Emperor Has No Clothes: The CREST audit proves that certification does not equal security. Organizations relying on “certified professionals” must verify that these standards are applied to the certifier’s own infrastructure. It is a stark reminder that compliance is a baseline, not a finish line.
- Subdomain Blindness is Fatal: The emphasis on subdomain security is the most critical takeaway. A fortress cannot have a single unlocked gate. Continuous monitoring of the entire digital footprint, not just the corporate homepage, is non-negotiable.
- Weaponized Transparency: The public shaming via an OSINT report is a new reality. Attackers use these same techniques. The only way to defend is to adopt the offensive mindset—constantly scanning, probing, and hardening your own assets before someone else does it for you.
Prediction:
The next major wave of supply chain attacks will not target software dependencies, but rather the “security standard” bodies and consultancies themselves. By compromising an organization like CREST, attackers can poison the well of threat intelligence and red teaming methodologies, gaining a master key to the thousands of companies that implicitly trust their guidance. We will see a push for “continuous compliance” where security posture is dynamically verified, rather than certified annually and then ignored.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


