Oct 16, 2018

Axios Codebook

Welcome to Codebook, the only cybersecurity newsletter once confused for Rep. Will Hurd (R-Texas).

Tips? Hit reply to this email.

1 big thing: Feds fumble email security deadline

Photo: Mike Clarke/AFP via Getty Images

A year ago, the Department of Homeland Security gave nearly all civil federal agencies 12 months to adopt an email security standard that prevents email fraud. In data as recent as Monday, 2 sets of researchers show that between 1/4 and 1/2 of those agencies' web domains failed to meet the Tuesday deadline.

Why it matters: Email was not designed to check whether a message claiming to be from an email address actually came from that address, and that's a big gap. Just imagine how much chaos an attacker could cause by sending fraudulent email messages from "evacuation-warnings@EPA.gov." When properly set up, DMARC plugs that security hole.

Details: DMARC (formally Domain-based Message Authentication, Reporting and Conformance) lets email programs check whether a message really came from the server that claims to have sent it.

  • "It's a commonsense security measure, and it makes no sense to allow criminals to send fake emails," said Patrick Peterson, executive chairman and founder of email security firm Agari.

DMARC can be set to instruct inquiring email systems to reject fraudulent messages, send them to spam or accept the emails as normal. Homeland Security gave agencies until Tuesday to implement the "reject" option.

Intelligence and defense agencies were exempt and, according to a study by security advocacy group Global Cyber Alliance and Agari, almost entirely did not comply.

By the numbers: Of 1,315 federal web domains checked Monday morning, email security company ValiMail determined only 57% had met the federal mandate. In the more formal study by the Global Cyber Alliance and Agari, a different sample of 1,144 sites found that 74% had complied. That leaves between 26% and 43% that have not.

  • Agari found more distinct sites that met the mandate, and VailMail found more distinct sites that didn't. Based on those findings, at least 851 complied with the mandate and at least 564 did not.

Some big-name agencies fall far short on DMARC, according to the Global Cyber Alliance/Agari study.

  • 13 out of 25 — more than half — of the tested domains run by the Executive Office of The President (colloquially known as the White House) had not implemented DMARC. Another 3 of the domains implemented DMARC without setting it to reject email.
  • Just under half of the Department of Commerce domains (25 out of 52) had not implemented DMARC.
  • Amtrak's lone domain had not implemented it, either.

ValiMail CEO Alex Garcia-Tobar notes that the results of his group’s work are encouraging and disappointing at the same time.

  • "The government has made amazing progress — going from 4% last year to over 50% this year. I've never seen them work this quickly on a security project," he said.
  • On the other hand, the unimplemented systems could be a real problem, Garcia-Tobar said. "Anything less than 100%, agencies are wide open to impersonation."

Don't forget: Not all compliant domains are created equal. Valimail found the compliance rate was, for example, much higher in domains that did not send out emails than in the ones that did.

  • "It’s much harder to put rules in place for domains that send emails than ones that don't," said Garcia-Tobar.
2. Fed standards group starts workshops for privacy guidelines

The National Institute of Standards and Technology today is starting a process to develop privacy guidelines. It will host its first of a series of workshops featuring various interested groups, ranging from companies that guard personal data to citizens' groups interested in protecting users.

The big picture. The federal government has struggled to get involved in the country's growing privacy concerns following several high-profile Cambridge Analytica-type privacy flubs. NIST is a well-respected nonregulatory body with experience impacting practices without needing legislation or penalties — a great first step while legislators untangle any other action.

  • The process will take a year, but there is some reason to be optimistic. "NIST has a lot of experience trying to corral opposing opinions and different actors," said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology.

The best-case scenario: NIST's best-known previous work in the privacy and security space was the "cybersecurity framework," a comprehensive, customizable system to help companies, governments and other organizations design cybersecurity programs. The framework is a completely optional system for companies, but the framework became an international gold standard for groups designing a cybersecurity regimen.

  • "When they did the cybersecurity framework, privacy aspects were just a little ahead of the time," said Kent Landfield, chief standards and technology strategist at McAfee.
  • The cybersecurity framework was so successful because it shifted the conversation from one-size-fits-all best practices to a comprehensive, modular group of security concepts, said Richardson. Rather than suggesting products, it suggested risk-management practices.
  • At its best, Landfield and Richardson agree, a NIST privacy standard would look something like the cybersecurity framework.

But, but, but: One thing the cybersecurity framework had going for it that a privacy framework does not is that businesseses had an interest in not being breached. But companies have a financial interest in selling user data.

3. DHS sees attempts at election hacking, but it's not what you think

Getty Images

NBC News reported that "DHS [found] increasing attempts to hack US election infrastructure."

Counterpoint: The report leaked to NBC News did "not necessarily mean that our partners are seeing an increase in threats to their networks. ... As we have consistently said, we have not seen any activity of the scale or level of coordination that we saw in 2016," a DHS official told Codebook.

What is actually happening: According to DHS, the report cited by NBC doesn't so much show an increase in attacks on election security, but rather an increase in reporting between states and the agency. Until this year, states and DHS had a more dicey relationship and a worse reporting structure.

  • "This is a sign of progress," said DHS undersecretary Christopher Krebs at a Tuesday morning event in Washington, D.C.
  • There is no evidence yet that any coordinated campaign is underfoot.
4. Publicly available voter data for sale on dark web

Security group Anomali reports finding a dark web sale of voter records from 19 states on a dark web hacker forum.

Stay calm: This is not as scary as it sounds. Voter records are public. States sell them. In fact, states sell them for less than the dark web prices.

That said: There are limits to what recipients of voter records are supposed to do with the data. Selling it to criminals is, obviously, outside the lines.

  • Hackers have been crowdsourcing the purchase of state records to dump online and have already succeeded in doing so with the Kansas data.
5. Odds and Ends

Codebook will return on Thursday.