Jan 24, 2019

News outlets' email security gap

Illustration: Aïda Amer/Axios

An Axios study shows that very few news organizations — around 6% of a broad sample — successfully use a critical technology that guarantees emails they send are authentic.

The big picture: We've written before about the Department of Homeland Security's struggle to get federal agencies and the White House to implement DMARC, a security protocol that prevents someone from successfully sending an email using someone else's email address. It's only fair to turn that lens on our own industry.

Why it matters: As the news industry increases its reliance on email alerts and newsletters (represent!), our credibility makes us a target for spammers, scammers and purveyors of disinformation or fraud.

  • Imagine a news alert that appears to come from a business publication claiming a company was going bankrupt.
  • Or consider a newsletter on Election Day claiming a candidate had suddenly changed position on a key issue.

Details: Axios used a tool designed by email security company Valimail to check the DMARC status of 199 different news sites — including overlapping lists of the Alexa top 100 news providers, news outlets serving cities of 100,000 or more, and prominent online news sources.

  • Only 12 use DMARC in a way that would prevent fake email from getting to its target.
  • Of the 98 local news sites, only 1 had fully operational DMARC.
  • The list of sites not protected by DMARC includes influential news sources, from the New York Times and USA Today to Fox and NBC networks to Voice of America and major international outlets.
  • Axios is on that list, too.

We ran the tests twice, first last weekend and again Wednesday night, contacting the outlets named in this story after the first test. No one but Axios responded.

  • Axios's response, via Megan Swiatkowski, associate director of communications: "Axios has recently implemented DMARC and is working to finish configuration and testing to begin enforcement. ... Making sure that readers safely and reliably receive Axios newsletters is a top priority."

Fake news is a major concern: "If you want to spread misinformation and fake news, we know that one tool Russians and others have used is to host a fake website," said Dylan Tweney, VP of communications at Valimail. "It seems like the next logical step would be to send out a fake newsletter. "

  • Ben Nimmo, senior fellow for information defense at the Atlantic Council's Digital Forensic Research Lab, agreed. "We’ve seen a few times propagandists have learned from hackers," he said. "Faking email news would entirely fit the pattern of what we’ve seen."

But disinformation isn't the only issue. Phil Reitinger, president and CEO of the Global Cyber Alliance, a security advocacy group, noted, "Media could be very useful as an infection vector for malware."

The intrigue: There didn't appear to be a relation between whether a site used DMARC and how sensitive its content was. One outlet that implemented DMARC solely provides weather updates, while several of the sites providing investment newsletters did not.

DMARC lets inboxes verify that an email was actually sent by the email server it claims to come from. If the email is fake, the server can direct the inbox to deliver the email straight to the trash, to a spam folder or to the inbox anyway.

  • More than half of the sites we tested had no form of DMARC whatsoever.
  • In our study, we considered any site that didn't correctly configure DMARC to prevent 100% of fake emails from reaching recipients' inboxes as failing our test.
  • Sites that have DMARC but haven't set it to screen emails are often still testing it out, trying to ensure that all legitimate emails are successfully delivered.

Go deeper

Scoop: Census Bureau is paying Chinese state media to reach Americans

Illustration: Sarah Grillo/Axios

The 2020 Census Paid Media Campaign, which sends U.S. taxpayer dollars to community media outlets to run ads about the upcoming census, is including a Chinese state-run broadcaster as one of its media vendors.

Why it matters: After China's yearslong campaign to co-opt independent Chinese-language media in the U.S., Washington is now paying Beijing-linked media outlets in order to reach Chinese Americans.

Go deeperArrow27 mins ago - World

Live updates: Coronavirus spreads to Latin America

Data: The Center for Systems Science and Engineering at Johns Hopkins, the CDC, and China's Health Ministry. Note: China numbers are for the mainland only and U.S. numbers include repatriated citizens.

Brazil confirmed the first novel coronavirus case in Latin America Wednesday — a 61-year-old that tested positive after returning from a visit to northern Italy, the epicenter of Europe's outbreak.

The big picture: COVID-19 has killed more than 2,700 people and infected over 81,000 others. By Wednesday morning, South Korea had the most cases outside China, with 1,261 infections. Europe's biggest outbreak is in Italy, where 374 cases have been confirmed.

Go deeperArrowUpdated 2 hours ago - Health

GOP congressman accuses California pension official of working for China

Illustration: Rebecca Zisser/Axios

The latest season of Red Scare has come to Sacramento.

Driving the news: Rep. Jim Banks (R-Ind.) has repeatedly accused Ben Meng, chief investment officer of the California Public Employees' Retirement System (CalPERS), of tacitly working on behalf of the Chinese government. Banks also says that, were it up to him, Meng would be fired — and has questioned the patriotism of California Gov. Gavin Newsom for not at least investigating Meng.

Go deeperArrow2 hours ago - World