As the partial government shutdown nears 21 days, dozens of federal websites have become vulnerable to attack. According to Netcraft, which first reported the issue, affected websites include those of NASA, the Department of Justice, and the Court of Appeals. Many of the websites have become inaccessible because their TLS certificates have begun to expire.
TLS certificates let a browser verify that it is talking to the genuine site and then encrypt all traffic between the user and the website. Once a certificate expires, browsers can no longer verify the site's identity: they show a warning, and users who click through it are connecting without authentication, which makes the site easy to impersonate and leaves the connection vulnerable to attack.
Over 80 TLS certificates have expired thus far because the federal employees who would renew them are on furlough. Some federal websites have become unreachable entirely because of strong security measures put in place before the shutdown. A U.S. Department of Justice (DOJ) website has had an expired certificate since December 17, 2018. HTTP Strict Transport Security (HSTS) policies have protected websites like the DOJ's because the domain is on Chromium's HSTS preload list. Such a policy forces modern browsers like Google Chrome and Mozilla Firefox to connect only over HTTPS and to refuse any connection whose certificate is invalid, expired certificates included, with no option to click through the warning. Users cannot reach the site, but they also cannot be tricked into an insecure connection to it.
However, many sites remain accessible because their organizations have neither added them to the preload list nor set a working HSTS policy, so browsers let users click through the expired-certificate warning. This leaves the organizations and their users vulnerable to attacks like man-in-the-middle. Netcraft said:
“Only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header – but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before.”
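The following Python script is an added example, not code from the original post or from Netcraft. It models the browser behaviour the quote describes: a preloaded host is protected even in a browser that has never seen it; a Strict-Transport-Security header is only learned on a visit with a valid certificate and is ignored when served alongside an expired one; and a host with no policy always leaves the warning bypassable. The hosts, certificate dates and header values are constructed for the demonstration, and the "current time" is fixed to January 11, 2019 so it runs offline.

```python
import ssl
from dataclasses import dataclass, field
from typing import Optional, Set, Dict

# Fixed "current time" so the example is reproducible offline (constructed date).
NOW = ssl.cert_time_to_seconds("Jan 11 00:00:00 2019 GMT")


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns None when the header is invalid, which for a browser means the
    same as no header at all. max-age is mandatory; directive names are
    case-insensitive; unknown directives are ignored.
    """
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


@dataclass
class Site:
    host: str
    not_after: str                    # certificate expiry as ssl.getpeercert()["notAfter"] reports it
    sts_header: Optional[str] = None  # Strict-Transport-Security header the site sends, if any
    preloaded: bool = False           # whether the host is on the Chromium HSTS preload list


@dataclass
class Browser:
    # Hosts for which this browser has already stored an HSTS policy.
    known_hosts: Set[str] = field(default_factory=set)

    def visit(self, site: Site, now: float = NOW) -> str:
        """Return what a user would see: 'ok', 'warning-bypassable' or 'blocked'."""
        expired = ssl.cert_time_to_seconds(site.not_after) <= now
        enforced = site.preloaded or site.host in self.known_hosts
        if expired:
            # RFC 6797 section 8.1: a UA must ignore an STS header received over
            # a connection with certificate errors, so nothing new is learned.
            # With a policy already in force the error page cannot be bypassed.
            return "blocked" if enforced else "warning-bypassable"
        policy = parse_hsts(site.sts_header) if site.sts_header else None
        if policy is not None:
            if policy["max_age"] > 0:
                self.known_hosts.add(site.host)      # policy learned on a clean HTTPS visit
            else:
                self.known_hosts.discard(site.host)  # max-age=0 revokes a stored policy
        return "ok"


def run_demo() -> Dict[str, str]:
    """Constructed scenarios mirroring the cases in the Netcraft quote."""
    expired = "Dec 17 23:59:59 2018 GMT"            # constructed, matches the DOJ date above
    header = "max-age=31536000; includeSubDomains"
    preloaded = Site("preloaded.agency.example", expired, header, preloaded=True)
    header_only = Site("header-only.agency.example", expired, header)
    no_policy = Site("no-policy.agency.example", expired)

    results: Dict[str, str] = {}
    # Preload list: protected even in a browser that has never seen the site.
    results["preloaded"] = Browser().visit(preloaded)
    # Header only, first visit after expiry: header is ignored, warning can be bypassed.
    results["header-only, first visit"] = Browser().visit(header_only)
    # Header only, but this browser visited while the certificate was still valid.
    returning = Browser()
    results["header-only, before expiry"] = returning.visit(
        header_only, now=ssl.cert_time_to_seconds("Dec 01 00:00:00 2018 GMT"))
    results["header-only, returning visitor"] = returning.visit(header_only)
    # No policy at all: users can always click through.
    results["no policy"] = Browser().visit(no_policy)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:32} -> {outcome}")
```

The model deliberately keeps only the decision that matters here, whether the error page can be bypassed, and omits max-age expiry of stored policies and includeSubDomains matching; the point is that the header-only and no-policy hosts look identical to a first-time visitor once the certificate has lapsed.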
The shutdown has left 800,000 federal employees and millions of government contractors on furlough, with thousands more working without pay. As cyber security experts at these organizations remain on furlough or leave for the private sector, the ripple effect of the shutdown will only grow.
Netcraft also commented:
“With Donald Trump seemingly unwilling to compromise on his demands for a wall along the border with Mexico, and Democrats refusing to approve a budget containing $5.7bn for the wall, the hundreds of thousands of unpaid federal employees might not be the only ones hurting. As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens.”
If you believe your organization has been the victim of a cyber-attack, contact LIFARS immediately.