Once again, unforeseen certificate expiry rears its ugly head. And the damage is well-documented.
It’s Friday so we’re going to keep things light today and talk about one of our favorite topics: certificate expiry. I know, you’re thinking ‘didn’t we just talk about certificate expiry?’ We did! But it’s in the news again. So here we are.
The United States Government Accountability Office released its 36-page report on the 2017 Equifax data breach and it autopsies the events of that incident in great detail. We’re not going to re-hash every aspect of the breach (though you should definitely read the report yourself). Instead we’re going to focus on the part that’s most germane to our scope: digital certificates.
After scanning the Equifax network for vulnerabilities and finding one in the form of an Apache Struts problem that had been reported by USCERT (United States Computer Emergency Readiness Team) three days earlier. That got the attackers in. From there they hid in the encrypted traffic on Equifax’s network, querying various databases and exfiltrating personal data from them.
This went on for 76 days.
Equifax probably would have caught it sooner, but…
…while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected. According to Equifax officials, the misconfiguration was due to an expired digital certificate. The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period.
Ok, so there’s a lot to unpack from that excerpt. Traffic inspection (sometimes called HTTPS interception) is a fairly standard practice at this point. Research has shown it does undermine encryption, but it’s also the only way to discern malicious traffic and requests from legitimate traffic.
But referring to the issue as a “misconfiguration” is an extremely charitable way to wallpaper over simple negligence. The certificate expired. That’s not a configuration problem, it’s a certificate expiry problem. While the GAO report didn’t go into specifics, my assumption is that the certificate went out on a middlebox and, because it could no longer re-encrypt the traffic post-inspection, it just stopped inspecting it all together.
Either way, and this is the egregious part, nobody noticed it for 10 months. Now think about that for a second, accidental certificate expiry happens. It’s forgivable. With Enterprise companies, especially one the size of Equifax, certificate visibility is always going to be a challenge.
But failing to notice for 10 months goes beyond negligence and into the realm of gross incompetence.
How do you not notice that you’ve lost visibility over the traffic in your network? Even someone that was completely incurious would have to notice, ‘yesterday we had this capability, today we don’t—what happened?’
That means someone didn’t perform an essential function of their job for 10 months. Imagine how that conversation would go with your boss:
“Hey, you know that thing you pay me to do? Well I haven’t done it in ten months.”
Equifax officials stated that, after the misconfiguration was corrected by updating the expired digital certificate and the inspection of network traffic had restarted, the administrator recognized signs of an intrusion, such as system commands being executed in ways that were not part of normal operations.
So, according to the GAO report, as soon as traffic inspection resumed, the threat was detected. By this point the attack had been ongoing for 76 days.
This attack occurred 75 days too long because of an expired digital certificate.
So add this one to the list of high profile expired digital certificates. And put it at the top.
This could potentially be the most damage certificate expiry has ever caused.
As always, leave any comments or questions below…