Shutdown: Government sites with lapsed security certificates pose risk

CNET | 1/12/2019 | Laura Hautala
PaMe (Posted by) Level 3
Click For Photo: https://cnet3.cbsistatic.com/img/BA6cT8surAH2NykKARcBAmc_fpc=/724x407/2019/01/12/4d5f2562-7f3f-4cd9-a5ca-02021eb9f27b/security-getty.jpg

The government shutdown, now in its 22nd day, appears to be having an affect on the security of federal websites.

Netcraft, a UK-based web security company, found dozens of US government websites operating with expired security certificates, a situation that could put visitors at risk.

Websites - Department - Justice - NASA - Site

The affected websites range from that of the Department of Justice to NASA's site, Netcraft said. Some of the sites are payment portals, potentially jeopardizing the personal information of visitors, the company said, though CNET couldn't independently verify this.

If the shutdown drags on, more certificates are likely to expire, because they can require employees to renew them. As a result, "[T]here could be some realistic opportunities to undermine the security of all US citizens," Paul Mutton, a security researcher at Netcraft, wrote in a company blog post Thursday.

Netcraft - Findings - Toll - Government - Cybersecurity

Netcraft's findings underscore the toll taken on US government cybersecurity by the protracted shutdown, which has left hundreds of thousands of federal employees and contractors furloughed.

Security certificates, which use a cryptographic key to verify that a website is legitimate, are crucial tools for the safe operation of the web. The certificates let websites tap tools that encrypt the information the sites send to, and receive from, visitors. If a website's certificates aren't valid, the security tools won't work.

Information - Passwords - Credit - Card - Numbers

That leaves the information -- think passwords and credit card numbers -- vulnerable to hackers. What's more, hackers could stealthily direct visitors to download malicious software masquerading as an everyday file, such as a PDF of an important document.

That's what's called a "man in the middle" attack," said Marc Rogers, who runs cybersecurity at Okta, a company that manages workplace logins. Rogers said the tactic has been used...
(Excerpt) Read more at: CNET
Wake Up To Breaking News!
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!