Welcome to Codebook, the only cybersecurity newsletter once confused for Rep. Will Hurd (R-Texas).
Tips? Hit reply to this email.
A year ago, the Department of Homeland Security gave nearly all civilian federal agencies 12 months to adopt an email security standard that prevents email fraud. In data as recent as Monday, two sets of researchers show that between a quarter and a half of those agencies' web domains failed to meet the Tuesday deadline.
Why it matters: Email was not designed to check whether a message claiming to be from an email address actually came from that address, and that's a big gap. Just imagine how much chaos an attacker could cause by sending fraudulent email messages from "evacuation-warnings@EPA.gov." When properly set up, DMARC plugs that security hole.
Details: DMARC (formally Domain-based Message Authentication, Reporting and Conformance) lets receiving email systems check whether a message really was sent on behalf of the domain shown in its "From" address, rather than by an impostor.
DMARC can be set to instruct receiving email systems to reject fraudulent messages, send them to spam or accept them as normal. Homeland Security gave agencies until Tuesday to implement the strictest of those, the "reject" option.
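As an added illustration (not code from Axios, Valimail or the Global Cyber Alliance), here is a small Python checker that parses the text of a domain's _dmarc TXT record (the semicolon-separated tag=value format from RFC 7489) and reports whether it meets a "reject" requirement. It does no DNS lookups; the sample records are constructed and the status labels are this example's own.

```python
def parse_dmarc(record):
    """Split an RFC 7489 record ('v=DMARC1; p=reject; ...') into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def assess(record):
    """Return (status, reason) for one domain; only 'reject' meets the mandate."""
    if not record:
        return "missing", "no _dmarc TXT record published"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "invalid", "record must start with v=DMARC1"
    policy = (tags.get("p") or "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        return "invalid", f"absent or unrecognised p= tag: {policy!r}"
    if policy == "reject":
        pct = tags.get("pct", "100")  # pct defaults to 100 when absent
        if pct.isdigit() and int(pct) < 100:
            return "partial", f"p=reject applied to only {pct}% of mail"
        return "reject", "p=reject for all mail"
    # p=none only collects reports; p=quarantine sends spoofs to spam.
    return ("monitor" if policy == "none" else "quarantine"), f"p={policy}"


# Constructed sample records, not real agency DNS data.
SAMPLES = {
    "a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",
    "b.example.gov": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.gov",
    "c.example.gov": "v=DMARC1; p=none",
    "d.example.gov": "v=DMARC1; p=reject; pct=20",
    "e.example.gov": None,
}


def compliance_rate(records):
    """Share of domains whose record meets the p=reject requirement."""
    met = sum(assess(rec)[0] == "reject" for rec in records.values())
    return met / len(records)


if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        status, reason = assess(rec)
        print(f"{domain:15} {status:10} {reason}")
    print(f"compliant: {compliance_rate(SAMPLES):.0%}")
```

On the constructed sample, only one of the five domains counts as compliant, which mirrors how the surveys above scored agencies: a published record with p=none or p=quarantine does not meet a "reject" mandate.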
Intelligence and defense agencies were exempt and, according to a study by security advocacy group Global Cyber Alliance and Agari, almost entirely failed to comply.
By the numbers: Of 1,315 federal web domains checked Monday morning, email security company ValiMail determined only 57% had met the federal mandate. In the more formal study by the Global Cyber Alliance and Agari, a different sample of 1,144 domains showed that 74% had complied. That leaves between 26% and 43% that have not.
Some big-name agencies fall far short on DMARC, according to the Global Cyber Alliance/Agari study.
ValiMail CEO Alex Garcia-Tobar notes that the results of his group’s work are encouraging and disappointing at the same time.
Don't forget: Not all compliant domains are created equal. Valimail found the compliance rate was, for example, much higher among domains that do not send email than among the ones that do.
The National Institute of Standards and Technology today is starting a process to develop privacy guidelines. It will host its first of a series of workshops featuring various interested groups, ranging from companies that guard personal data to citizens' groups interested in protecting users.
The big picture: The federal government has struggled to get involved in the country's growing privacy concerns following several high-profile Cambridge Analytica-type privacy flubs. NIST is a well-respected nonregulatory body with experience impacting practices without needing legislation or penalties — a great first step while legislators untangle any other action.
The best-case scenario: NIST's best-known previous work in the privacy and security space was the "cybersecurity framework," a comprehensive, customizable system to help companies, governments and other organizations design cybersecurity programs. Although entirely optional for companies, the framework became an international gold standard for groups designing a cybersecurity regimen.
But, but, but: One thing the cybersecurity framework had going for it that a privacy framework does not is that businesses had an interest in not being breached. But companies have a financial interest in selling user data.
NBC News reported that "DHS [found] increasing attempts to hack US election infrastructure."
Counterpoint: The report leaked to NBC News did "not necessarily mean that our partners are seeing an increase in threats to their networks. ... As we have consistently said, we have not seen any activity of the scale or level of coordination that we saw in 2016," a DHS official told Codebook.
What is actually happening: According to DHS, the report cited by NBC shows not so much an increase in attacks on election infrastructure as an increase in reporting between states and the agency. Until this year, states and DHS had a dicier relationship and a worse reporting structure.
Security group Anomali reports finding voter records from 19 states for sale on a dark web hacker forum.
Stay calm: This is not as scary as it sounds. Voter records are public. States sell them. In fact, states sell them for less than the dark web prices.
That said: There are limits to what recipients of voter records are supposed to do with the data. Selling it to criminals is, obviously, outside the lines.
Codebook will return on Thursday.