The Equifax Data Breach went undetected for 76 days because of an expired certificate
Once again, unforeseen certificate expiry rears its ugly head. And the damage is well-documented.
It’s Friday so we’re going to keep things light today and talk about one of our favorite topics: certificate expiry. I know, you’re thinking ‘didn’t we just talk about certificate expiry?’ We did! But it’s in the news again. So here we are.
Anyway, Equifax probably would have discovered its breach – you know, the big one from last year – a lot sooner if not for an expired digital certificate.
The United States Government Accountability Office released its 36-page report on the 2017 Equifax data breach and it autopsies the events of that incident in great detail. We’re not going to re-hash every aspect of the breach (though you should definitely read the report yourself). Instead we’re going to focus on the part that’s most germane to our scope: digital certificates.
The attackers scanned the Equifax network for vulnerabilities and found one: an Apache Struts flaw that US-CERT (United States Computer Emergency Readiness Team) had reported three days earlier. That got them in. From there they hid in the encrypted traffic on Equifax’s network, querying various databases and exfiltrating personal data from them.
This went on for 76 days.
Equifax probably would have caught it sooner, but…
…while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected. According to Equifax officials, the misconfiguration was due to an expired digital certificate. The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period.
Ok, so there’s a lot to unpack from that excerpt. Traffic inspection (sometimes called HTTPS interception) is a fairly standard practice at this point. Research has shown that it weakens the TLS protections it intercepts (the inspection device terminates the client’s connection and opens its own to the server, so the client never sees the real server’s certificate or cipher choices), but without decrypting the traffic a network device sees only opaque ciphertext and has no way to tell malicious requests and exfiltration apart from legitimate traffic.
But referring to the issue as a “misconfiguration” is an extremely charitable way to wallpaper over simple negligence. The certificate expired. That’s not a configuration problem, it’s a certificate expiry problem. While the GAO report didn’t go into specifics, my assumption is that the certificate went out on a middlebox and, because it could no longer re-encrypt the traffic post-inspection, it just stopped inspecting it altogether.
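This is the check that would have caught the lapse. It is an added example written for this post, not code from the GAO report or from Equifax, and it uses only the Python standard library: a small DER walker reads the notAfter field straight out of an X.509 certificate and classifies it as OK, WARN or EXPIRED. The sample certificate, the hostname inspect.example.test and the dates are constructed (the certificate is unsigned and has a placeholder key); the walker reads only the fields up to Validity, so it is not a general X.509 parser.

```python
"""Certificate expiry check using only the standard library (added example)."""
from datetime import datetime, timezone
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]. Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(buf: bytes, tag: int, start: int, end: int) -> datetime:
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime: RFC 5280 says YY >= 50 means 19YY
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == 0x18:                       # GeneralizedTime
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def cert_not_after(der: bytes) -> datetime:
    """Return the notAfter timestamp of a DER-encoded X.509 certificate."""
    tag, vs, ve = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_s, tbs_e = next(_children(der, vs, ve))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = list(_children(der, tbs_s, tbs_e))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    val_tag, val_s, val_e = fields[3]
    if val_tag != 0x30:
        raise ValueError("validity missing")
    _not_before, not_after = list(_children(der, val_s, val_e))
    return _parse_time(der, *not_after)


def expiry_status(der: bytes, now: datetime, warn_days: int = 30):
    """Classify a certificate as OK / WARN / EXPIRED relative to `now` (UTC)."""
    not_after = cert_not_after(der)
    if not_after <= now:
        return "EXPIRED", (now - not_after).days      # days since it lapsed
    days_left = (not_after - now).days
    return ("WARN" if days_left < warn_days else "OK"), days_left


def status_on(der: bytes, iso_day: str, warn_days: int = 30):
    """Convenience wrapper: evaluate the certificate as of midnight UTC on iso_day."""
    now = datetime.fromisoformat(iso_day).replace(tzinfo=timezone.utc)
    return expiry_status(der, now, warn_days)


def check_live_endpoint(host: str, port: int = 443, warn_days: int = 30):
    """Pull the leaf certificate a TLS endpoint presents and classify it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    return expiry_status(der, datetime.now(timezone.utc), warn_days)


# --- constructed sample certificate: real field layout, dummy key, empty signature ---
def _tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def build_sample_cert(not_before: str, not_after: str, cn: str = "inspect.example.test") -> bytes:
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))       # version v3
                     + _tlv(0x02, b"\x01")                 # serialNumber
                     + sha256_rsa + _name(cn) + validity + _name(cn)
                     + _tlv(0x30, b""))                    # subjectPublicKeyInfo placeholder
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))


# Hypothetical middlebox certificate that lapsed at the end of January 2017 (constructed).
SAMPLE_DER = build_sample_cert("160101000000Z", "170131235959Z")

if __name__ == "__main__":
    for when in ("2016-06-01", "2017-01-15", "2017-11-15"):
        print(when, status_on(SAMPLE_DER, when))
```

Run it on a schedule against every TLS endpoint you own, including the inspection appliance itself (check_live_endpoint), and page on WARN rather than on EXPIRED; the point is to hear about the certificate before the device silently stops doing its job.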
Either way, and this is the egregious part, nobody noticed it for 10 months. Think about that for a second. Accidental certificate expiry happens; it’s forgivable. In enterprise companies, especially one the size of Equifax, certificate visibility is always going to be a challenge.
But failing to notice for 10 months goes beyond negligence and into the realm of gross incompetence.
How do you not notice that you’ve lost visibility over the traffic in your network? Even someone who was completely incurious would have to notice, ‘yesterday we had this capability, today we don’t—what happened?’
That means someone didn’t perform an essential function of their job for 10 months. Imagine how that conversation would go with your boss:
“Hey, you know that thing you pay me to do? Well I haven’t done it in ten months.”
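The “yesterday we had this capability, today we don’t” question can be asked by a script rather than by a person. As an added example (not from the GAO report or from Equifax), here is a detector that compares the number of TLS sessions crossing the inspection point with the number the inspection device reports as actually decrypted, and alerts when that fraction collapses against a trailing baseline. The hourly counters, the HourlySample layout and the threshold values are constructed for illustration; in practice the two counts would come from flow logs and the appliance’s own session logs.

```python
"""Detect loss of TLS inspection visibility from hourly counters (added example)."""
from dataclasses import dataclass


@dataclass
class HourlySample:
    hour: str           # hour bucket, e.g. "2016-07-02T06" (constructed format)
    tls_sessions: int   # TLS sessions that crossed the inspection point (flow logs)
    inspected: int      # sessions the inspection device reports as decrypted/inspected


def inspection_ratio(sample: HourlySample):
    """Fraction of TLS sessions actually inspected; None when there was no traffic."""
    if sample.tls_sessions == 0:
        return None
    return sample.inspected / sample.tls_sessions


def visibility_alerts(samples, baseline_hours=24, min_fraction=0.5, min_history=6):
    """Flag hours whose inspection ratio drops below min_fraction of the trailing baseline.

    Returns a list of (hour, observed_ratio, baseline_ratio). Alerting hours are not
    folded into the baseline, so a device that stays broken keeps alerting instead of
    quietly redefining 'normal' as zero.
    """
    alerts = []
    history = []
    for s in samples:
        ratio = inspection_ratio(s)
        if ratio is None:              # quiet hour: nothing to judge, baseline unchanged
            continue
        baseline = history[-baseline_hours:]
        if len(baseline) >= min_history:
            base = sum(baseline) / len(baseline)
            if base > 0 and ratio < min_fraction * base:
                alerts.append((s.hour, round(ratio, 3), round(base, 3)))
                continue
        history.append(ratio)
    return alerts


def constructed_samples():
    """48 constructed hours: ~95% inspected, then the device stops decrypting at hour 30."""
    out = []
    for h in range(48):
        total = 4000 + (h % 7) * 300                 # mild diurnal wobble
        inspected = int(total * 0.95) if h < 30 else 0
        out.append(HourlySample(f"2016-07-{1 + h // 24:02d}T{h % 24:02d}", total, inspected))
    return out


if __name__ == "__main__":
    for hour, seen, base in visibility_alerts(constructed_samples()):
        print(f"{hour}: inspected ratio {seen} vs baseline {base} -> VISIBILITY LOST")
```

The first alert fires in the very hour decryption stops, not ten months later. A complementary check is a canary: send a known TLS session through the inspection path every few minutes and fail the check if it never shows up in the device’s decrypted-session log.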
Equifax officials stated that, after the misconfiguration was corrected by updating the expired digital certificate and the inspection of network traffic had restarted, the administrator recognized signs of an intrusion, such as system commands being executed in ways that were not part of normal operations.
So, according to the GAO report, as soon as traffic inspection resumed, the threat was detected. By this point the attack had been ongoing for 76 days.
This attack occurred 75 days too long because of an expired digital certificate.
So add this one to the list of high profile expired digital certificates. And put it at the top.
This could potentially be the most damage certificate expiry has ever caused.