US Government Shutdown: Government Sites With Lapsed Security Certificates Pose a Risk


The federal shutdown appears to have led to expired certificates, and without them hackers can get between you and the website you visit.

The government shutdown, now on its 22nd day, seems to be affecting the security of federal websites.

Netcraft, a web security company based in the United Kingdom, found dozens of US government websites with expired security certificates that could put visitors at risk.

The websites concerned range from the Department of Justice to the NASA website, said Netcraft. Some of the websites are payment portals, which could jeopardize visitors' personal information, the company said, although CNET could not verify this independently. If the shutdown continues, more certificates will probably expire, as employees may be needed to renew them.

As a result, “There could be realistic opportunities to undermine the safety of all US citizens,” wrote Paul Mutton, a Netcraft security researcher, in a company blog post Thursday.

Netcraft's findings underline the impact of the prolonged shutdown, which has left hundreds of thousands of federal employees and contractors without pay, on US government cybersecurity.

Security certificates, which use a cryptographic key to verify the legitimacy of a website, are essential tools for operating a website safely. The certificates allow websites to use tools that encrypt information sent between visitors and the sites. If a website's certificates are not valid, the security tools will not work.

This leaves the information vulnerable to hackers: think passwords and credit card numbers. In addition, hackers can stealthily direct visitors to download malicious software masquerading as an everyday file, such as a PDF of an important document.

This is what is called a “man in the middle” attack, said Marc Rogers, who runs cybersecurity at Okta, a company that manages workplace logins. Rogers said that both criminals and spy agencies have used this tactic to fool Internet users and compromise computers. Such attacks can be highly sophisticated, with hackers hijacking what visitors see even when they type in the right website.

Visitors can then be shown a fraudulent version of the website they tried to reach. Netcraft found more than 80 expired security certificates for US government websites, but the company does not say that hackers have taken advantage of the vulnerable sites. Some expired certificates have knocked subdomains, or offshoots of major websites, off the web.

At present, a NASA subdomain, rocketest.nasa.com, is not accessible, which Netcraft said was due to lapsed certificates. According to the Internet Archive, the page is for the space exploration agency's Rocket Propulsion Test Program. The site's security certificate expired Jan. 5, according to Netcraft. NASA did not immediately respond to a request for comment. Websites use security certificates more than ever, and the certificates enable an encrypted connection.

A push by Internet security experts and major companies in Silicon Valley, including Google and Mozilla, has made it easier for website owners to obtain certificates. In fact, it is so common that fraudsters have also begun to encrypt their websites to look legitimate.

Rogers said that the threat posed by expired certificates should lead lawmakers and department heads to make better plans for the next government shutdown. “We have to ask what we need to protect?” said Rogers. “So criminals do not take advantage when these lapses occur.”

The government shutdown has affected nine government departments and various agencies, leaving about 800,000 workers unpaid.
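The planning point above can be turned into a concrete pre-shutdown check. The following is an added example, not code from Netcraft or the original article: given a certificate inventory and the dates of a staffing gap, it lists which certificates lapse during the gap or too soon after it to renew in time. The hostnames, dates and the 14-day renewal lead time are constructed assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory. Hostnames are placeholders; notAfter uses the
# string format returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"host": "api.agency.example", "notAfter": "Nov  1 00:00:00 2019 GMT"},
    {"host": "payments.agency.example", "notAfter": "Jan  5 12:00:00 2019 GMT"},
    {"host": "docs.agency.example", "notAfter": "Feb 10 00:00:00 2019 GMT"},
    {"host": "old.agency.example", "notAfter": "Dec 20 00:00:00 2018 GMT"},
]
# Constructed staffing gap (assumption, not dates taken from the article).
GAP_START = datetime(2019, 1, 1, tzinfo=timezone.utc)
GAP_END = datetime(2019, 2, 1, tzinfo=timezone.utc)


def not_after_utc(cert):
    """Parse a getpeercert()-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def triage(inventory, gap_start, gap_end, lead_days=14):
    """Return (host, status, days_from_gap_start) tuples, soonest expiry first.

    lead_days is the assumed time staff need after returning to renew a
    certificate, so anything expiring inside that margin is renewed early.
    """
    horizon = gap_end + timedelta(days=lead_days)
    report = []
    for cert in inventory:
        expires = not_after_utc(cert)
        if expires < gap_start:
            status = "already-expired"
        elif expires <= gap_end:
            status = "expires-during-gap"
        elif expires <= horizon:
            status = "renew-before-gap"
        else:
            status = "ok"
        report.append((cert["host"], status, (expires - gap_start).days))
    return sorted(report, key=lambda row: row[2])


def needs_action(report):
    """Hosts whose certificate must be renewed before staff leave."""
    return [host for host, status, _ in report if status != "ok"]


if __name__ == "__main__":
    for host, status, days in triage(INVENTORY, GAP_START, GAP_END):
        print(f"{days:>5}d  {status:<20} {host}")
```

In practice the inventory would be filled from certificate transparency logs or from `getpeercert()` results collected ahead of the gap, rather than typed in by hand.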

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.