
How the government shutdown is flushing away federal cyber-talent

Image caption: The true consequences of the government shutdown for information security may not yet have been felt. (credit: Gary Kemp Photography/Getty Images)

The US Federal government is in the midst of the longest gap in funding for many of its agencies in history. As the “shutdown” extends into a second month, the economic impact is mounting for federal workers—including civil servants and government contractors working in IT and information security roles for the government—as well as the communities they work and live in.

Furloughs have had a real impact on the government’s security posture as well. Work at the National Institute of Standards and Technology on a number of initiatives, including work on encryption, has been suspended. Some “non-essential” agencies have had to furlough security teams, leaving them with no way to respond to incidents during the shutdown. Routine maintenance on IT systems, such as patches and updates to websites and server operating systems, is being deferred. And those still at work at agencies operating without a budget are doing so without pay and under financial duress—not exactly an ideal situation for maintaining a top security posture.

“I saw something a few days ago where 100-odd government SSL certs were expiring,” said Chris Eng, Vice President of Research at the software security firm Veracode. “There’s a lot of this sort of ongoing work that’s not even the high-pressure instant response stuff that’s not being done. Imagine if something like a Heartbleed came out tomorrow—what is going to be the capability of government agencies to respond to that when they’re operating on a skeleton crew?”


Biz & IT – Ars Technica

Government shutdown lays out “welcome mat” for hackers, security experts warn – CBS News


Trained staffers at the nation’s most important cyber-defense agencies are not working due to the partial government shutdown.


Government Shutdown Means Government Website Security Certs Aren’t Being Renewed

With all the news about the ongoing government shutdown and the big messes it has caused, it’s creating lots of little messes with potentially big impact as well. For example, scammers and robocallers have upped their game during the shutdown, knowing that (1) there’s no one investigating these scams right now, and (2) as I discovered when I tried to report one, the FTC has literally shut down the web portal where you used to be able to submit complaints.

Another one, however, pointed out last week by Netcraft, is the fact that government website security certificates are expiring… and there’s no one around to renew them:

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.

As Netcraft notes, for some of those sites you can’t even get past the security warning, such as certain DOJ sites:

In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium’s HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.

There are some government websites that you can click through on, but as Netcraft notes, this could allow for man-in-the-middle attacks or other security risks:

This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.

If the shutdown continues for a while, this problem could get significantly worse. I know that Wall Street put pressure on the government to have certain IRS employees suddenly deemed “essential” to help Wall Street keep functioning smoothly; perhaps someone might want to deem the people renewing security certs similarly essential? Or, you know what, maybe just re-open the damn government.
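The two failure modes Netcraft describes above, certificates expiring unnoticed and HSTS-preloaded domains becoming unreachable rather than merely warned about, are exactly what a certificate-inventory audit is meant to catch before the expiry date. The script below is an added example and is not Netcraft’s or Techdirt’s tooling; it classifies each host in a constructed inventory (hostnames, `notAfter` dates and HSTS-preload flags are all made up, none are real .gov data) against a fixed reference date and reports what a browser user would experience. The `fetch_not_after` helper shows how a real inventory would be populated; it is not used by the offline demo.

```python
"""Certificate-expiry audit for a web-site inventory (added example; constructed data)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory: hostname, certificate notAfter in the string format that
# ssl.getpeercert()["notAfter"] returns, and whether the domain is HSTS-preloaded.
# None of these are real hosts or real certificate dates.
SAMPLE_INVENTORY = [
    ("payments.example.gov", "Jan 10 12:00:00 2019 GMT", False),
    ("remote.example.gov",   "Jan 25 12:00:00 2019 GMT", False),
    ("portal.example.gov",   "Jan 12 00:00:00 2019 GMT", True),
    ("www.example.gov",      "Jun 01 00:00:00 2019 GMT", False),
]

# Reference time for the offline demo (constructed: a day in the middle of the shutdown).
DEMO_NOW = datetime(2019, 1, 17, tzinfo=timezone.utc)

WARN_DAYS = 30  # flag anything expiring within a month so renewal can be scheduled


def classify(hostname, not_after, hsts_preloaded, now):
    """Return the expiry state of one certificate and what a browser user would see."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (expires - now).days  # timedelta.days floors, so -6.5 days reports as -7
    if days_left < 0:
        state = "EXPIRED"
        if hsts_preloaded:
            # HSTS preload forbids click-through: the site is unreachable, not just warned about.
            impact = "unreachable: HSTS preload blocks the bypass option"
        else:
            impact = "browser warning: users who click through are exposed to MITM"
    elif days_left < WARN_DAYS:
        state = "EXPIRING"
        impact = f"renew within {days_left} days"
    else:
        state = "OK"
        impact = ""
    return {"host": hostname, "state": state, "days_left": days_left,
            "hsts_preloaded": hsts_preloaded, "impact": impact}


def audit(inventory, now):
    """Classify every entry, worst first, so EXPIRED rows land at the top of the report."""
    order = {"EXPIRED": 0, "EXPIRING": 1, "OK": 2}
    rows = [classify(h, na, hsts, now) for h, na, hsts in inventory]
    return sorted(rows, key=lambda r: (order[r["state"]], r["days_left"]))


def fetch_not_after(hostname, port=443, timeout=5.0):
    """Live lookup for a real inventory (not used by the offline demo).

    Default certificate verification is kept on, so an already-expired certificate
    raises ssl.SSLCertVerificationError during the handshake; callers should record
    that exception as EXPIRED rather than treating it as a transient network error.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def run_demo(now=DEMO_NOW):
    """Audit the constructed inventory against the constructed reference date."""
    return audit(SAMPLE_INVENTORY, now)


if __name__ == "__main__":
    for row in run_demo():
        print(f"{row['state']:8} {row['days_left']:5d}d  {row['host']:24} {row['impact']}")
```

Run on a schedule, a report like this is the control that the furloughed teams could not provide: the EXPIRING rows are the renewal queue, and the EXPIRED rows split into sites users can still (unsafely) click through and HSTS-preloaded sites that are simply offline until someone renews the certificate.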


Techdirt.

Government Shutdown Hits Federal Websites – Wall Street Journal

Related coverage:

  1. Shutdown: Government sites with lapsed security certificates pose risk – CNET
  2. Shutdown Makes .Gov Websites Insecure Due to Expired TLS Certificates – Digital Trends
  3. Some US government websites won’t load after HTTPS certificates expire during shutdown – TechCrunch
  4. US government shutdown disrupts website access – BBC News
