Cybersecurity alert
NSA Warns Network Administrators About the ALPACA Technique
The National Security Agency on Tuesday warned network administrators about the risks of using poorly scoped wildcard Transport Layer Security (TLS) certificates. In a cybersecurity information sheet titled “Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique,” the agency outlined the risks of falling victim to a web application exploitation method called Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA).
Malicious actors can use the ALPACA technique to access sensitive information, the NSA said. The technique reaches a hardened web application indirectly: an attacker in a position to redirect a victim browser’s TLS connection sends it to a non-HTTP service, such as an FTP or mail server, whose TLS certificate is also valid for the web application’s hostname. Because TLS does not bind a handshake to a particular application-layer protocol, the browser accepts that certificate, and the non-HTTP server’s responses can then be turned against the web application. A wildcard certificate shared across many services makes that precondition common, which is why the NSA says poorly scoped wildcard certificates further increase the risk.
The NSA said it published the new guidance as part of its mission to help secure the Department of Defense, National Security Systems and the Defense Industrial Base. “Administrators should assess their environments and mitigate wildcard certificates and ALPACA risks,” the agency added.
The agency’s cybersecurity information sheet provides mitigations for poorly implemented certificates and ALPACA. It recommends that administrators develop an in-depth understanding of the scope of each wildcard certificate used in their organization, and that they place an application gateway or web application firewall in front of servers, including non-HTTP servers, Homeland Security Today reported Tuesday.
Wildcard certificates, the sheet explains, are often used to authenticate multiple servers and simplify credential management, saving time and money. However, if any one server holding the wildcard certificate and its private key is compromised, every other hostname the wildcard can represent is put at risk, the NSA emphasized.
A malicious cyber actor with a wildcard certificate’s private key can impersonate any of the sites within the certificate’s scope and gain access to user credentials and protected information, the agency added.
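One practical way to act on the sheet’s first recommendation, understanding what a wildcard certificate actually covers, is to match the certificate’s Subject Alternative Name entries against a service inventory and list the non-HTTP servers that fall inside its scope, since those are exactly the servers a shared certificate exposes to the two risks above. The following Python is an added example written for this article, not code from the NSA information sheet or the ALPACA researchers; the SAN list, hostnames, ports and the `Endpoint`, `san_matches`, `certificate_scope` and `report` names are all constructed for illustration.

```python
"""Scope a wildcard TLS certificate against a service inventory.

Added example for this article; it is not code from the NSA sheet or
the ALPACA researchers. The SAN entries, hostnames and ports below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    protocol: str  # application protocol the server actually speaks


def san_matches(san: str, host: str) -> bool:
    """Return True if the dNSName SAN entry `san` is valid for `host`.

    Applies the wildcard rules browsers enforce (RFC 6125 style): '*' must
    be the entire leftmost label, it matches exactly one label, it never
    matches the bare parent domain, and '*.tld' is rejected. Matching is
    case-insensitive and ignores a trailing dot.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if "*" not in san:
        return san_labels == host_labels
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False                      # partial ('w*') or '*.tld' wildcards
    if any("*" in label for label in san_labels[1:]):
        return False                      # wildcard only allowed in leftmost label
    return (len(host_labels) == len(san_labels)
            and host_labels[1:] == san_labels[1:])


def certificate_scope(sans: Iterable[str], inventory: Iterable[Endpoint]):
    """Split `inventory` into the endpoints this certificate is valid for
    and, within those, the non-HTTPS services.

    Every endpoint in `covered` is a hostname the certificate authenticates,
    so a private key stolen from any one of them impersonates all of them.
    Every endpoint in `cross_protocol` is a non-HTTP server a browser would
    accept this certificate from if a connection meant for the web
    application were redirected to it, which is the ALPACA precondition.
    """
    sans = list(sans)
    covered = [e for e in inventory if any(san_matches(s, e.host) for s in sans)]
    cross_protocol = [e for e in covered if e.protocol != "https"]
    return covered, cross_protocol


# Constructed sample data (not a real certificate or network).
SANS = ["*.example.test", "example.test"]
INVENTORY = [
    Endpoint("www.example.test", 443, "https"),
    Endpoint("example.test", 443, "https"),
    Endpoint("mail.example.test", 465, "smtp"),
    Endpoint("ftp.example.test", 990, "ftp"),
    Endpoint("api.internal.example.test", 443, "https"),  # two labels below: not covered
    Endpoint("portal.other.test", 443, "https"),           # different zone: not covered
]


def report(sans=SANS, inventory=INVENTORY) -> dict:
    """Summarise the certificate's scope as plain lists of hostnames."""
    covered, cross_protocol = certificate_scope(sans, inventory)
    return {
        "covered_hosts": [e.host for e in covered],
        "cross_protocol": [f"{e.host}:{e.port} ({e.protocol})" for e in cross_protocol],
    }


if __name__ == "__main__":
    out = report()
    print("Hosts this certificate authenticates:", ", ".join(out["covered_hosts"]))
    print("Non-HTTP services inside its scope (ALPACA candidates):")
    for line in out["cross_protocol"]:
        print("  ", line)
```

Run against a real inventory, the `cross_protocol` list is the set of servers to put behind an application gateway or web application firewall, or to move onto a certificate whose scope does not overlap the web application’s, per the NSA guidance. Note that `*.example.test` does not cover `example.test` itself or `api.internal.example.test`; a wildcard matches exactly one label, so a certificate issued for both the apex and the wildcard is what actually spans the whole zone one level deep.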