Is DHS running honeypots?
When in September 2015 DHS published its own Security Audit Report, I was rather speechless I could not find any mention of "SSL" or "TLS" in the text, but apparently DHS has been aware of Transport Layer Security earlier than that.
Today KrebsOnSecurity published a post titled DHS Giving Firms Free Penetration Tests containing a link to a document which include the status update about the ongoing cyber programs and efforts underway at the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).
In a rather confusing timeline, we read first about a DHS ignoring SSL/TLS during its own Security Audit Report (Sept. 2015) and today about how SSL (TLS) related vulnerabilities occupy 5/5 of the Top 5 (Occurring) Vulnerabilities list in the DHS NCATS Year-Engagement Report 2014 (which indeed might have more conveniently be published at an earlier date).
The reason for this post is not the confusing order with which DHS has released the mentioned documents but whether it should probably first fix its own SSL/TLS websites.
I have been monitoring the Recent Worst table at Ivan Ristic's SSL Labs page for awhile and sometimes I compare the reports for the same (sub)domain over time.
In September 2015 I verified a list of dhs.gov subdomains, finding 11 subdomains getting F scores (MitM vulnerable) and 4 subdomains still vulnerable to Poodle and/or FREAK (yes, in 2015) on a total of 18 - supposedly secure - websites;
if you (also) think this is... surreal
...then think this is not actually changed. 3 months later. No one could even think we are looking at 1 afternoon running with default settings or 1 weekend from the wrong snapshot cases: 3 months Poodle, FREAK, RC4, SHA-1 signature, no Forward Secrecy on such a scale is probably not an incident. Subdomains like payment, myaccount, universalenrollment don't seem exactly honeypots ...or are they?
(except myaccount.uscis.dhs.gov, the only site scoring an A in September gets an F now - yes, not an improvement from A- to F - and the 2 untrusted certificates have been fixed)
Today KrebsOnSecurity published a post titled DHS Giving Firms Free Penetration Tests containing a link to a document which include the status update about the ongoing cyber programs and efforts underway at the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).
In a rather confusing timeline, we read first about a DHS ignoring SSL/TLS during its own Security Audit Report (Sept. 2015) and today about how SSL (TLS) related vulnerabilities occupy 5/5 of the Top 5 (Occurring) Vulnerabilities list in the DHS NCATS Year-Engagement Report 2014 (which indeed might have more conveniently be published at an earlier date).
The reason for this post is not the confusing order with which DHS has released the mentioned documents but whether it should probably first fix its own SSL/TLS websites.
I have been monitoring the Recent Worst table at Ivan Ristic's SSL Labs page for awhile and sometimes I compare the reports for the same (sub)domain over time.
In September 2015 I verified a list of dhs.gov subdomains, finding 11 subdomains getting F scores (MitM vulnerable) and 4 subdomains still vulnerable to Poodle and/or FREAK (yes, in 2015) on a total of 18 - supposedly secure - websites;
if you (also) think this is... surreal
...then think this is not actually changed. 3 months later. No one could even think we are looking at 1 afternoon running with default settings or 1 weekend from the wrong snapshot cases: 3 months Poodle, FREAK, RC4, SHA-1 signature, no Forward Secrecy on such a scale is probably not an incident. Subdomains like payment, myaccount, universalenrollment don't seem exactly honeypots ...or are they?
(except myaccount.uscis.dhs.gov, the only site scoring an A in September gets an F now - yes, not an improvement from A- to F - and the 2 untrusted certificates have been fixed)
Comments