Shutdown: Government sites with lapsed security certificates pose risk – CNET

Image: abstract image of a lock against a blue background (Patra Kongsirimongkolchai/Getty Images)

The government shutdown, now in its 22nd day, appears to be having an effect on the security of federal websites.

Netcraft, a UK-based web security company, found dozens of US government websites operating with expired security certificates, a situation that could put visitors at risk.

The affected websites range from that of the Department of Justice to NASA’s site, Netcraft said. Some of the sites are payment portals, potentially jeopardizing the personal information of visitors, the company said, though CNET couldn’t independently verify this.

If the shutdown drags on, more certificates are likely to expire, because renewing them can require the work of federal employees. As a result, “[T]here could be some realistic opportunities to undermine the security of all US citizens,” Paul Mutton, a security researcher at Netcraft, wrote in a company blog post Thursday.

Netcraft’s findings underscore the toll taken on US government cybersecurity by the protracted shutdown, which has left hundreds of thousands of federal employees and contractors furloughed.

Security certificates, which use a cryptographic key to verify that a website is legitimate, are crucial tools for the safe operation of the web. The certificates let websites tap tools that encrypt the information the sites send to, and receive from, visitors. If a website’s certificates aren’t valid, the security tools won’t work.

That leaves the information — think passwords and credit card numbers — vulnerable to hackers. What’s more, hackers could stealthily direct visitors to download malicious software masquerading as an everyday file, such as a PDF of an important document.
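The two checks described above, as an added example in Go that is not code from the article or from Netcraft: a monitoring function that classifies a certificate against a renewal warning threshold (so a lapse can be caught before it happens), and the standard chain validation a browser performs, which rejects the certificate once its NotAfter date has passed. The host name rockettest.example, the dates and the self-signed certificate are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Classify compares a certificate's NotAfter with the current time and a warning
// threshold so renewals can be scheduled before a lapse; days is negative once expired.
func Classify(cert *x509.Certificate, now time.Time, warn time.Duration) (string, int) {
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	switch {
	case remaining <= 0:
		return "EXPIRED", days
	case remaining <= warn:
		return "EXPIRING_SOON", days
	}
	return "OK", days
}

// VerifyAt runs the chain validation a browser performs, with the clock pinned to now;
// an expired certificate fails with x509.CertificateInvalidError (Reason == x509.Expired).
func VerifyAt(cert *x509.Certificate, roots *x509.CertPool, now time.Time, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// SelfSigned builds a constructed test certificate for host, valid from notBefore to
// notAfter; it stands in for the real server certificate a scanner would fetch.
func SelfSigned(host string, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the CSPRNG is broken
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: true, // self-signed, so it acts as its own trust anchor
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // fixture could not be built; nothing sensible to monitor
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}
```

Pointing Classify at certificates fetched from live hosts, with a warning window longer than the expected renewal lead time, turns the check into the kind of monitoring that would have flagged the Jan. 5 expiry before it took the site offline.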

“That’s what’s called a ‘man in the middle’ attack,” said Marc Rogers, who runs cybersecurity at Okta, a company that manages workplace logins. Rogers said the tactic has been used by both criminals and spy agencies to fool internet users and compromise computers.

Such attacks can be very sophisticated, with hackers hijacking what visitors see even when they type in the correct website address. Hackers can then show visitors a fraudulent version of the website they were trying to reach.

Netcraft found more than 80 expired security certificates for US government websites, but the company isn’t saying hackers have actually taken advantage of vulnerable sites.

Some of the expired certificates have knocked subdomains, or offshoots of major websites, off the web. A NASA subdomain, rockettest.nasa.com, currently isn’t accessible, which Netcraft said is because of a lapsed certificate. According to the Internet Archive, the page is for the space exploration agency’s Rocket Propulsion Test Program. The site’s security certificate expired Jan. 5, according to Netcraft.

NASA didn’t immediately respond to a request for comment.

More than ever, websites are using security certificates and thus enabling an encrypted connection. A push by internet security experts and major Silicon Valley companies, including Google and Mozilla, has made it simpler for website owners to get certificates. It’s so common, in fact, that fraudsters have started encrypting their websites too, in order to look legitimate.

Rogers said the threat posed by expired certificates should prompt lawmakers and department heads to plan better for the next government shutdown.

“We need to ask, what are the things that we need to protect?” Rogers said. “So that when these lapses happen, criminals don’t take advantage.”
