{"id":17636,"date":"2024-03-15T10:55:30","date_gmt":"2024-03-15T14:55:30","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=17636"},"modified":"2024-03-28T13:28:47","modified_gmt":"2024-03-28T17:28:47","slug":"pki-mistakes-that-were-so-bad-they-made-headlines","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/pki-mistakes-that-were-so-bad-they-made-headlines\/","title":{"rendered":"PKI Mistakes That Were So Bad They Made Headlines (12 Examples)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-explore-the-public-key-infrastructure-pki-related-lessons-gleaned-from-public-and-private-entities-that-got-publicity-for-all-the-wrong-reasons\">Explore the public key infrastructure (PKI)-related lessons gleaned from public and private entities that got publicity for all the wrong reasons\u2026 &nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PKI is a critical part of most IT systems. When it works well, it\u2019s largely invisible \u2014 authenticating connections and encrypting data without most users knowing it\u2019s there. But when things go wrong, the results can be devastating. Let\u2019s take a look at three common PKI mistakes and the (bad news) headlines they create.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we\u2019re not here to bash organizations who made a PKI \u201coopsie.\u201d However, we\u2019re sharing all of this information to help you learn from their mistakes and avoid having it happen to your organization in the future.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pki-mistake-1-poorly-managing-your-pki-certificates-leads-to-outages-downtime\">PKI Mistake #1: Poorly Managing Your PKI Certificates Leads to Outages &amp; Downtime<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">It doesn\u2019t matter whether you\u2019re a mom-and-pop store or one of the world\u2019s leading governments; you\u2019re not infallible. Important tasks \u2014 such as managing your certificates to ensure they\u2019re replaced before their expiration dates \u2014 will fall through the cracks and get forgotten if you don\u2019t have a management system and documented processes in place to help you manage them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">All x.509 digital certificates have an expiration date. Industry leaders have agreed that <a href=\"https:\/\/cabforum.org\/uploads\/CA-Browser-Forum-TLS-BRs-v2.0.2.pdf\">website security certificates (SSL\/TLS certificates)<\/a> must have a maximum validity period of no more than 398 days. This means that by no later than the end of the 398<sup>th<\/sup> day, your digital certificate will expire and leave you floundering to find out why your app, website, or other online services associated with that certificate are inaccessible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you don\u2019t manage your lifecycle properly (meaning you lack visibility of the PKI assets within your network and IT ecosystem and don\u2019t have the processes and tools in place to manage them), then I\u2019m certain things won\u2019t go the way you hope.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Certificate expirations alone lead to serious issues, including service outages and risks of man-in-the-middle attacks. <a href=\"https:\/\/www.businesswire.com\/news\/home\/20230830994935\/en\/Nearly-60-of-All-Data-Breaches-Attributed-to-Avoidable-Digital-Certificate-related-Management-Issues-According-to-recent-Independent-Study\">AppViewX data from a Forrester Consulting study<\/a> shows that nearly 60% of reported data breaches were related to digital certificates. Of those, more than half of survey respondents indicated those incidents cost upwards of $100,000 per outage.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the biggest challenges for big organizations and enterprises is that they\u2019re responsible for managing <em>so many<\/em> digital certificates. <a href=\"https:\/\/www.keyfactor.com\/state-of-machine-identity-management-2023\/\">KeyFactor\u2019s State of Machine Identity Management 2023<\/a> report puts the average number of certificates issued within an organization at 256,000. That\u2019s the equivalent of issuing <strong>701 certificates per day<\/strong> for a year (or one certificate every two or so minutes).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-real-world-examples-of-what-happens-when-certificates-are-allowed-to-expire\">5 Real-World Examples of What Happens When Certificates Are Allowed to Expire<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Yup, there\u2019s a reason why we always emphasize the importance of proper certificate lifecycle management and the use of lifecycle automation. We\u2019ve repeatedly seen what happens when public and private organizations lose sight of the certificates within their networks and systems\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-equifax\">Equifax<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">We all know the story about <a href=\"https:\/\/www.thesslstore.com\/blog\/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate\/\">Equifax\u2019s headline-making data breach.<\/a> The data breach heard \u2018round the world resulted in the compromise of more than 145.5 million consumers\u2019 personal data. As it turns out, a PKI certificate had expired 10 months before the breach occurred. This expired asset prevented the credit agency from inspecting its traffic, during which time some advantageous cybercriminals found and exploited an <a href=\"https:\/\/www.thesslstore.com\/blog\/equifax-data-breach-learn\/\">Apache Struts-related vulnerability on Equifax\u2019s network.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result? They were able to hide in the company\u2019s encrypted network traffic and remained undiscovered for more than two-and-a-half months (76 days). Imagine having some unknown and unwanted intruder in your network. How would you respond to the situation?<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-ericsson\">Ericsson<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve also previously shared about <a href=\"https:\/\/www.thesslstore.com\/blog\/expired-certificate-ericsson-o2\/\">Ericsson\u2019s expired certificate issue<\/a> that knocked out services for tens of millions of cellular users in December 2018. As a result, customers in upwards of <a href=\"https:\/\/www.theverge.com\/2018\/12\/7\/18130323\/ericsson-software-certificate-o2-softbank-uk-japan-smartphone-4g-network-outage\">11 countries<\/a> were <a href=\"https:\/\/www.ericsson.com\/en\/press-releases\/2018\/12\/update-on-software-issue-impacting-certain-customers\">unable to make or receive phone calls or texts<\/a>. The cause? An expired certificate tied to Ericsson\u2019s management software that was used by several European and Japanese telecommunication companies, including O2 (the United Kingdom\u2019s biggest mobile service provider).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Needless to say, it wasn\u2019t a good look for Ericsson or the other cellular service providers using their software.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-spacex\">SpaceX<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Last year, SpaceX\u2019s <a href=\"https:\/\/cybernews.com\/news\/starlink-outage-certificate-elon-musk\/\">Starlink satellite internet services system experienced downtime<\/a> for several hours due to an expired digital certificate in an unspecified system.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/musk-tweet-starlink-certificate-outage-1024x568.png\" alt=\"A screenshot from Elon Musk's X post regarding the expired digital certificate that caused a Starlink service outage.\" class=\"wp-image-17639\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/musk-tweet-starlink-certificate-outage-1024x568.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/musk-tweet-starlink-certificate-outage-300x166.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/musk-tweet-starlink-certificate-outage-768x426.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/musk-tweet-starlink-certificate-outage.png 1145w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A screenshot from <\/em><a href=\"https:\/\/twitter.com\/elonmusk\/status\/1644505414296322048?lang=en\">Elon Musk\u2019s X (formerly Twitter) post<\/a><em>.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It goes to show how something seemingly so simple \u2014 a single certificate reaching its end-of-life date \u2014 could impede an application or service for a time. That downtime translates to inaccessibility of services for Starlink\u2019s customers and their customers\u2019 customers.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-spotify\">Spotify<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The music streaming service <a href=\"https:\/\/www.thesslstore.com\/blog\/the-day-the-music-died-certificate-expiration-takes-down-spotify\/\">Spotify experienced a certificate expiration<\/a> that knocked out its streaming services for an hour back in August 2020. The culprit? An expired SSL\/TLS certificate. Thankfully, the downtime was over pretty quick, and listeners could get back to enjoying their music.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"717\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/spotify-tweet-outage-status-1024x717.png\" alt=\"A screenshot from Spotify's then-Twitter (now X) post regarding the expired SSL\/TLS certificate that caused a Spotify service outage.\" class=\"wp-image-17638\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/spotify-tweet-outage-status-1024x717.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/spotify-tweet-outage-status-300x210.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/spotify-tweet-outage-status-768x538.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/spotify-tweet-outage-status.png 1152w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image source: Spotify\u2019s X account (formerly Twitter).<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Spotify\u2019s online podcast platform, Megaphone, also <a href=\"https:\/\/www.theverge.com\/2022\/5\/31\/23148682\/spotify-podcast-outage-ssl-joe-rogan-ringer-megaphone\">reported experiencing a service outage<\/a> in May 2022 that lasted nearly 10 hours in total. The downtime that cut podcasters off from their listeners was an expired certificate that someone hadn\u2019t renewed ahead of time.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-u-s-government\">U.S. Government<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Even the federal government can be remiss when managing expiring certificates. In early 2019, we reported that <a href=\"https:\/\/www.thesslstore.com\/blog\/80-gov-ssl-tls-certificates-have-expired-during-the-shutdown\/\">130 U.S. government websites\u2019 SSL\/TLS certificates weren\u2019t renewed in time<\/a>. The expired certificates left websites and their associated services unreachable to U.S. users during the critical period of a federal government shutdown. Furthermore, once the certificates expired, the sites\u2019 infrastructures were vulnerable to threat actors who might have wanted to take advantage of the situation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because many of the websites have implemented HTTP strict transport security (HSTS), which forces secure HTTPS connections, it means that browsers using Google Chromium\u2019s HSTS preload list won\u2019t provide users with an option to bypass the security warning. (NOTE: Bypassing insecure website warnings is never a good idea.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consequences-why-it-s-a-big-deal-when-your-certificates-expire\">Consequences: Why It\u2019s a \u201cBig Deal\u201d When Your Certificates Expire<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When a PKI digital certificate expires, is revoked, or otherwise invalidated, it means the system will become inaccessible and\/or go down. The result? A <em>really<\/em> bad time for you and your customers \u2014 you\u2019ll experience everything from downtime and service outages to compliance concerns and lost customer relationships.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-you-can-do-to-avoid-these-certificate-related-issues\">What You Can Do to Avoid These Certificate-Related Issues<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The best defense is a good offense. What I mean by that is being proactive in your certificate lifecycle management is crucial to enabling you to protect the security of your organization\u2019s most sensitive data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-the-solution-use-certificate-lifecycle-automation\">The Solution: Use Certificate Lifecycle Automation<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A good certificate lifecycle management system makes it a lot easier to avoid certificate expirations, with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate discovery scanners to keep unknown certificates from slipping through the cracks,<\/li>\n\n\n\n<li>Centralized dashboard where you can view all certificates across your organization (and set up notifications), and<\/li>\n\n\n\n<li>Lifecycle automation to automatically renew and re-install certificates before they expire.<\/li>\n<\/ul>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pki-mistake-2-poor-key-management-lets-bad-guys-steal-your-keys\">PKI Mistake #2: Poor Key Management Lets Bad Guys Steal Your Keys<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Everyone makes mistakes. Sometimes, it\u2019s as simple as not double-checking a setting or accidentally clicking a toggle that changes a setting from \u201cprivate\u201d to \u201cpublic.\u201d But the stakes are pretty high when it comes to encryption keys.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-real-world-examples-of-when-organizations-didn-t-protect-their-keys\">3 Real-World Examples of When Organizations Didn\u2019t Protect Their Keys<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Hopefully, we all know that passwords and cryptographic private keys should never be shared or posted openly. Unfortunately, some companies make mistakes that wind up sharing their cryptographic keys and other secrets on the internet.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless of whether it\u2019s an accident or done intentionally by a malicious insider, the fact is that key exposures due to security misconfigurations and poor key security practices keep happening. Here are a handful of such examples\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-bmw\">BMW<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/socradar.io\/sensitive-information-belonging-to-bmw-exposed-due-to-misconfigured-cloud-bucket\/\">SOCRadar researcher Can Yoleri<\/a> discovered that the popular European automaker had a misconfigured server that was accessible on the internet. The Microsoft Azure storage dev bucket, which contained all sorts of sensitive data, including private keys, was set to \u201cpublic access\u201d rather than \u201cprivate.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But just what did this bucket contain? Some of this sensitive company data included access information for Azure containers, specifics on cloud services, and private keys that are used to access other private buckets. This means that whatever data was in those buckets that the keys were used to secure were also at risk of compromise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The good news? <a href=\"https:\/\/techcrunch.com\/2024\/02\/14\/bmw-security-lapse-exposed-sensitive-company-information-researcher-finds\/\">According to BMW\u2019s statement in a TechCrunch report on the incident<\/a>, \u201cno customer or personal data was impacted as a result.\u201d But that still doesn\u2019t excuse storing keys in an Azure storage bucket instead of a secure key management solution such as a hardware security module (HSM) or a key vault.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-microsoft\">Microsoft&nbsp;<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-incident-1\">Incident #1<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">When it comes to movement in the realm of artificial intelligence (AI), it\u2019s no secret that leaders within the global tech industry are engaged in a \u201crat race.\u201d Companies are scrambling to build bigger and better mousetraps, meaning better and more effective AI technologies. As part of these efforts, they invest vast amounts of time, people, and financial resources to the cause. &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, things go wrong sometimes. In this case, <a href=\"https:\/\/www.wiz.io\/blog\/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers?ref=thestack.technology\">Wiz\u2019s research team<\/a> discovered that 38 terabytes (TB) of Microsoft\u2019s sensitive data, which included private keys, passwords, and private communications, were exposed on GitHub. The data exposure occurred when Microsoft\u2019s AI team published a bucket of open-source training data using the wrong security configuration setting.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But the bad news doesn\u2019t end there for Microsoft\u2026<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"h-incident-2\">Incident #2<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">In April 2021, <a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/07\/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email\/\">the company\u2019s consumer signing system crashed<\/a>. It\u2019s thought that this crash, which triggered a data dump that included a signing key that should have been (but was not) redacted, is what gave the threat actor an opportunity to nab the secret. However, <a href=\"https:\/\/msrc.microsoft.com\/blog\/2023\/09\/results-of-major-technical-investigations-for-storm-0558-key-acquisition\/\">Microsoft doesn\u2019t know with certainty<\/a> whether this was the true cause of the key compromise: \u201cDue to log retention policies, we don\u2019t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.\u201d \u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If this is the case, <a href=\"https:\/\/cyberscoop.com\/microsoft-china-signing-key\/\">Elias Groll at Cyberscoop<\/a> summed up the situation nicely:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cIf a crash dump is the garbage generated by a failing computer system, stealing a signing key via a crash dump is like rifling through a garbage can and discovering the key to the family safe.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consequences-why-it-s-a-big-deal-when-these-key-management-related-exposures-occur\">Consequences: Why It\u2019s a \u201cBig Deal\u201d When These Key Management-Related Exposures Occur<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">While our long-term readers are intimately familiar with this subject, the impact of key compromises might be a new concept for some of our newer readers. So, let\u2019s quickly cover what all of this means.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When <a href=\"https:\/\/www.thesslstore.com\/blog\/heres-what-happens-when-your-private-key-gets-compromised\/\">private key compromises and exposures occur<\/a>, any data secured using the associated key pairs is at risk of compromise. The exposed data can be stolen, bartered, sold, or used by nefarious individuals to commit any number of crimes. Depending on the types of keys exposed, they also can be used to impersonate whatever entities are associated with them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another issue with poorly managing your keys is that <a href=\"https:\/\/insights.sei.cmu.edu\/blog\/implications-and-mitigation-strategies-for-the-loss-of-end-entity-private-keys\/\">when private keys get lost<\/a>, then you can kiss any data that they keys were used to encrypt goodbye.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-you-can-do-to-avoid-suffering-a-similar-fate\">What You Can Do to Avoid Suffering a Similar Fate<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When it comes to securely managing secrets such as keys and passwords, the best thing to do is adhere to industry best practices. This includes securely storing your keys using a <a href=\"https:\/\/www.thesslstore.com\/blog\/the-ultimate-guide-to-key-management-systems\/\">key management system<\/a> or <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-key-management-service-key-management-services-explained\/\">key management service<\/a>. For passwords, you\u2019ll want to adhere to <a href=\"https:\/\/www.thesslstore.com\/blog\/password-security-what-your-organization-needs-to-know\/\">strong password security guidelines<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-securely-store-your-keys\">Securely Store Your Keys<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Depending on the use case, there are several types of secure key storage mechanisms:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secure USB token, which can be lost or stolen if not securely stored.<\/li>\n\n\n\n<li>Hardware security module (HSM), an on-prem solution that\u2019s expensive to purchase and maintain.<\/li>\n\n\n\n<li>Key vault or cloud key storage mechanism, which stores your key data in a FIPS 130-2 level 2 or level 3 compliant device.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-rotate-your-keys\">Rotate Your Keys<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, cryptographic keys need to be rotated. It\u2019s never a good idea to keep using the same keys. A good practice is to rotate them out for new ones periodically. However, the industry seems to lack consensus regarding key rotation cycles. For example, <a href=\"https:\/\/tools.ietf.org\/html\/draft-ylonen-sshkeybcp-01#page-35\">NIST says key rotation should take place every 12 months<\/a>, whereas <a href=\"https:\/\/www.cloudconformity.com\/knowledge-base\/aws\/IAM\/ssh-public-keys-rotated-45-days.html\">Trend Micro recommends approximately every 45 days<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><circle cx=\"12\" cy=\"12\" r=\"10\"><\/circle><line x1=\"12\" y1=\"16\" x2=\"12\" y2=\"12\"><\/line><line x1=\"12\" y1=\"8\" x2=\"12\" y2=\"8\"><\/line><\/svg><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Looking For More Information?<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\"><strong>Related resource:<\/strong> <a href=\"https:\/\/www.thesslstore.com\/blog\/14-ssh-key-management-best-practices-you-need-to-know\/\">14 SSH Key Management Best Practices You Need to Know<\/a><\/p><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-restrict-access-to-your-keys\">Restrict Access to Your Keys<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">While securely storing and rotating your keys is important, that\u2019s not everything you need to do. This is an important reminder to be equally (if not even more) careful when assigning access to your key management system or devices.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Access privileges should be assigned on a highly limited basis. Only give key access to those who need that access to perform their job. That\u2019s it \u2014 no one else should have access (no matter how nicely they ask).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pki-mistake-3-publishing-your-keys-where-anyone-can-find-them\">PKI Mistake #3: Publishing Your Keys Where Anyone Can Find Them<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Some software developers, firmware creators, and network admins have a nasty habit they refuse to quit: hard-coding secrets into projects and systems. This practice, which involves embedding secrets (i.e., cryptographic keys, credentials, passwords, etc.) into your codes, scripts, and systems in order to facilitate authentication, is bad on its own, but it becomes a severe issue when those secrets migrate to your production environment and, eventually, to an open repository like GitHub.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Still not sure why this is such a big issue? Because, as succinctly stated by <a href=\"https:\/\/blog.gitguardian.com\/why-its-urgent-to-deal-with-your-hard-coded-credentials\/\">Thomas Segura at GitGuardian<\/a>, \u201chardcoded secrets go where source code goes.\u201d So, any time it\u2019s cloned, leaked, or otherwise shared, then the embedded secrets go with it. And if you don\u2019t realize that the secrets have been exposed, then you\u2019re unaware that they need to be revoked ASAP.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Welp, that sucks. But just how common is this bad coding practice? According to <a href=\"https:\/\/blog.gitguardian.com\/uncovering-thousands-of-unique-secrets-in-pypi-packages\/\">data from researcher Tom Forbes and GitGuardian<\/a>, it\u2019s more widespread than we\u2019d like. Of the 3,938 exposed secrets they tracked down, nearly 20% (768) of them were still valid. These exposed secrets include Azure AD API keys, Auth0 keys, SSH credentials, and many other examples of sensitive data that, as a business, you\u2019d never want to see outside your secure environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-real-world-examples-of-organizations-whose-hard-coded-credentials-were-made-publicly-available\">4 Real-World Examples of Organizations Whose Hard-Coded Credentials Were Made Publicly Available<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, it seems that not everyone has gotten the memo that <strong>hard-coded credentials = bad news<\/strong>. Now, it\u2019s time to take a look at some examples of what happens when employees don\u2019t follow industry advice (or, in some cases, their organizations\u2019 internal policies)\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-mercedes-benz\">Mercedes-Benz<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A major European auto manufacturer found itself in hot water when an employee accidentally <a href=\"https:\/\/redhuntlabs.com\/blog\/mercedes-benz-source-code-at-risk-github-token-mishap-sparks-major-security-concerns\/\">posted their authentication token<\/a> in a public GitHub repository. The authentication token provided \u201cunrestricted\u201d and \u201cunmonitored\u201d access to the company\u2019s GitHub Enterprise Server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, this exposed private source code repository was filled with a plethora of intellectual property and other sensitive data, including API keys and single sign-on (SSO) passwords. The breach remained undetected for more than three months before it was discovered by researchers at RedHunt Labs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While that\u2019s a long time to leave any key exposed, it\u2019s nothing compared to the nearly <em>five years<\/em> that the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/toyota-discloses-data-leak-after-access-key-exposed-on-github\/\">sensitive customer data of one of its competitors<\/a> was left exposed in a similar fashion\u2026<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-toyota\">Toyota<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Yup, the Japanese automaker had to warn customers that their personal info may have been exposed after discovering that one of its access keys was left publicly available on GitHub for almost half a decade.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to <a href=\"https:\/\/global.toyota\/jp\/newsroom\/corporate\/38095972.html\">Toyota\u2019s official statement<\/a> (as translated by Google Translate):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cOn September 15, 2022, we confirmed that part of the source code (text that describes computer processing) of the &#8220;T-Connect&#8221; user site has been published on GitHub (a software development platform). [\u2026]&nbsp;As a result, it was discovered that a third party had been able to access part of the source code on GitHub from December 2017 to September 15, 2022.&nbsp;It has been discovered that the released source code contains an access key to the data server, which can be used to access email addresses and customer management numbers stored on the data server.&nbsp;On the same day, we immediately made the source code private on GitHub, and on September 17th we took measures such as changing the data server access key, and no secondary damage has been confirmed.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">It was thought that the leak was the result of a third-party dev contractor that was hired to develop the \u201cT-Connect\u201d website uploaded part of its source code to GitHub. However, Toyota ultimately took responsibility for the breach.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-github\">GitHub<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Someone at GitHub (likely either an employee or a contractor) posted the company\u2019s RSA SSH host private key in a public GitHub repository. The good news, however, is that <a href=\"https:\/\/github.blog\/2023-03-23-we-updated-our-rsa-ssh-host-key\/\">the company reported in a blog post<\/a> in March 2023 that it acted immediately to contain the risks by replacing the key:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cAt approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub\u2019s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">It went on to provide instructions on how to remove the old key and replace it with the new one as an entry in their <em>~\/.ssh\/known_hosts<\/em> file for individuals who connect to Gitub.com using SSH manually or using an automatic update.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-uber\">Uber<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/arstechnica.com\/information-technology\/2015\/03\/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page\/\">major rideshare company made a similar gaff<\/a>, accidentally posting a private security key on GitHub that led to the exposure of a database containing confidential and proprietary data. The key remained on GitHub for several months before it was discovered and ultimately removed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2017\/08\/uber-settles-ftc-allegations-it-made-deceptive-privacy-data-security-claims\">FTC\u2019s settlement announcement with Uber<\/a> reports that this led to the AWS-hosted database, containing the names and license information of 100,000+ Uber drivers, being downloaded by an unknown individual.&nbsp; As it turns out, Ubert didn\u2019t take \u201creasonable, low-cost measures\u201d to prevent the breach, such as<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>requiring programmers and engineers to use unique access keys to access cloud data (they shared a single, full-access admin key), or<\/li>\n\n\n\n<li>implementing multi-factor authentication (MFA) to add another security layer.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consequences-why-using-hard-coding-credentials-is-a-big-deal\">Consequences: Why Using Hard-Coding Credentials Is a Big Deal<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Hard-coding credentials into your scripts, APIs, and services is playing a dangerous game for several key reasons:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Credentials and keys are difficult to distinguish from the rest of your source code.<\/li>\n\n\n\n<li>Once they\u2019re embedded, it\u2019s easy to forget and hard to track every occurrence to go back and change after the fact.<\/li>\n\n\n\n<li>Hard-coding your keys creates an attack surface that bad guys can exploit to bypass authentication security measures that you set up to protect your product.<\/li>\n\n\n\n<li>If your secret-containing source code becomes public, it gives unauthorized access to your sensitive databases, services, and other resources.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-you-can-do-to-avoid-suffering-the-consequences-of-hard-coding-secrets\">What You Can Do to Avoid Suffering the Consequences of Hard Coding Secrets<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve already covered some of this in the PKI mistake #2 section, but here are a few additional tips specifically to help you avoid leaking keys inside source code:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Follow <\/strong><a href=\"https:\/\/codesigningstore.com\/secure-coding-practices-to-implement\"><strong>secure coding<\/strong><\/a><strong> and key management best practices.<\/strong> Both include not <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/798.html\">hard-coding your credentials<\/a> or cryptographic keys into your scripts and other code. Instead, set up a configuration file that is stored separately from your project\u2019s code repository. (.gitignore file templates are a good way to keep config files out of code repositories.) <\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Implement processes and policies to help avoid accidental commits of secrets by devs in local work environments.<\/strong> This helps to avoid sensitive commits making their way into your organizations\u2019 central repository, which may be accessible by others.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Final Takeaways Regarding These Significant PKI Mistakes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There is one simple truth that should be your big takeaway from this article: your data is only as secure as the methods and processes you use to secure it. There is no substitute for sound PKI management.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Businesses and other organizations must implement and adhere to strict certificate and key management best practices or face the consequences. When your cryptographic keys become exposed or are stolen due to poor key management, then it means any systems or data that those keys are used to explore is at risk of compromise. And when you allow your certificates to expire, your apps or associated services or systems will experience downtime, and your customers will suffer as a result.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you want to avoid your organization becoming another similar headline, then it\u2019s high time you did something about it.<\/p>\n\n\n<span style=\"--tl-form-height-m:801.312px;--tl-form-height-t:638.344px;--tl-form-height-d:638.344px;\" class=\"tl-placeholder-f-type-shortcode_12763 tl-preload-form\"><span><\/span><\/span>","protected":false},"excerpt":{"rendered":"<p>Explore the public key infrastructure (PKI)-related lessons gleaned from public and private entities that got publicity for all the wrong reasons\u2026 &nbsp; PKI is a critical part of most IT&#8230;<\/p>\n","protected":false},"author":17,"featured_media":17640,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,16,10200],"tags":[13270],"class_list":["post-17636","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-hashing-out-cyber-security","category-monthly-digest","tag-pki-mistakes","post-with-tags"],"views":14623,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/03\/pki-mistakes-feautre-image.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/17636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=17636"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/17636\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/17640"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=17636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=17636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=17636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}