Application Security

1/11/2019
04:15 PM
50%
50%

Government Shutdown Brings Certificate Lapse Woes

Among the problems: TLS certificates are expiring and websites are becoming inaccessible.

The partial shutdown of the federal government is having an impact in ways both anticipated and not. One that probably falls under the latter is expiring TLS certificates that leave some .gov websites marked as "unsafe" or completely inaccessible from most browsers.

Websites from NASA, the Department of Justice, and the Court of Appeals are among those using one of the 80 certificates that have not been renewed since the beginning of the shutdown.

"The government shutdown has left a mark on the digital world. Several government websites now greet users with a 'CERT_DATE_INVALID' warning in place of the website itself. At best, this isn't a good look for the departments concerned. At worst, the thousands of Americans who rely on these websites are left cut off from the services they need," says Martin Thorpe, enterprise architect for Venafi.

Some experts say the issue goes beyond mere Web page inaccessibility. "I think the biggest risk is far beyond expired SSL certificates. How many critical governmental systems are currently unmaintained, outdated, and thus vulnerable?" asks High-Tech Bridge CEO Ilia Kolochenko. "It seems to be a great opportunity for nation-state hacking groups to exploit US momentary weakness to steal or alter extremely sensitive information."  

Franklyn Jones, CMO at Cequence Security, agrees with Kolochenko and points to specific risks in the moment. "It creates a great opportunity for bad actors to launch automated bot attacks, testing previously stolen credentials to gain access to private accounts on government sites," he explains.

Read more here and here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/14/2019 | 8:43:35 AM
Air traffic controllers....
Not getting paid.  Now this is significant, if they are not on the job and an aircraft crashes --- then Trump, Pelosi and Schumer all have blood on their hands. 

IT related - how many remember Don Estridge of IBM fame?
Ratteau
100%
0%
Ratteau,
User Rank: Strategist
1/14/2019 | 8:32:19 AM
On the other hand...
On the other hand, there are a lot fewer working at the speed and accuracy of government to click on phishing emails and corrupt their systems in the first place
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.