Welcome to Codebook, the cybersecurity newsletter throwing stones from a glass house.
Tips? Story ideas? Send me a note by replying to this email.
Illustration: Aïda Amer/Axios
This email is authentic. But an Axios study shows that very few news organizations (around 6% of a broad sample) have fully deployed DMARC, the technology that lets receiving mail servers confirm that a message claiming to come from a publisher's domain was actually authorized by it.
The big picture: We've written before about the Department of Homeland Security's struggle to get federal agencies and the White House to implement DMARC, an email authentication standard that tells receiving mail servers what to do with messages that claim to come from a domain but fail its SPF and DKIM checks. Once the domain owner sets an enforcing policy (quarantine or reject), a forged From address is no longer enough to get a message delivered. It's only fair to turn that lens on our own industry.
Why it matters: As the news industry increases its reliance on email alerts and newsletters (represent!), our credibility makes us a target for spammers, scammers and purveyors of disinformation or fraud.
Details: Axios used a tool designed by email security company Valimail to check the DMARC status of 199 different news sites.
We ran the tests twice, first last weekend and again Wednesday night, contacting the outlets named in this story after the first test. No one but Axios responded.
Fake news is a major concern: "If you want to spread misinformation and fake news, we know that one tool Russians and others have used is to host a fake website," said Dylan Tweney, VP of communications at Valimail. "It seems like the next logical step would be to send out a fake newsletter."
But disinformation isn't the only issue. Phil Reitinger, president and CEO of the Global Cyber Alliance, a security advocacy group, noted, "Media could be very useful as an infection vector for malware."
The intrigue: There didn't appear to be any relationship between whether a site used DMARC and how sensitive its content was. One outlet that implemented DMARC solely provides weather updates, while several of the sites providing investment newsletters did not.
For more details, including methodology and how DMARC works, see the full story here.
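For readers who want to see what a DMARC check actually decides, here is an added example (not Axios's or Valimail's code) that parses the TXT record a domain publishes at _dmarc.<domain> and says whether the policy would actually stop a spoofed message. The records and domain names below are constructed for illustration; a live check would fetch the TXT record with a DNS library and feed it to the same function.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not Axios's or Valimail's code. The zone data below is
constructed; a live check would look up TXT at _dmarc.<domain> (for
instance with dnspython) and pass the strings to classify().
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcStatus:
    present: bool                    # a v=DMARC1 record exists
    policy: Optional[str]            # p= tag: none, quarantine or reject
    subdomain_policy: Optional[str]  # sp= tag, defaults to p
    pct: int                         # share of failing mail the policy covers
    enforcing: bool                  # spoofed mail is quarantined/rejected
    note: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt_records: List[str]) -> DmarcStatus:
    """Decide whether the published policy would block a forged From address."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcStatus(False, None, None, 0, False,
                           "no DMARC record: receivers get no instruction for spoofed mail")
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: more than one record means receivers treat
        # DMARC as absent for this domain.
        return DmarcStatus(True, None, None, 0, False,
                           "multiple DMARC records: receivers ignore all of them")
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        return DmarcStatus(True, None, None, 0, False, "missing or invalid p= tag")
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    enforcing = policy in ENFORCING and pct == 100
    if policy == "none":
        note = "p=none only requests reports; spoofed mail is still delivered"
    elif pct < 100:
        note = f"p={policy} but pct={pct}: only {pct}% of failing mail is acted on"
    else:
        note = f"p={policy}: mail failing SPF/DKIM alignment is subject to {policy}"
    return DmarcStatus(True, policy, subdomain_policy, pct, enforcing, note)


def enforcement_rate(zones: Dict[str, List[str]]) -> float:
    """Share of domains in a sample whose DMARC policy is actually enforcing."""
    statuses = [classify(records) for records in zones.values()]
    return sum(1 for s in statuses if s.enforcing) / len(statuses)


# Constructed sample: five hypothetical publisher domains, one at enforcement.
SAMPLE_ZONES: Dict[str, List[str]] = {
    "weather.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@weather.example"],
    "daily.example": ["v=DMARC1; p=none; rua=mailto:dmarc@daily.example"],
    "markets.example": ["v=spf1 include:_spf.mail.example -all"],  # SPF only
    "wire.example": ["v=DMARC1; p=quarantine; pct=10"],
    "herald.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate
}

if __name__ == "__main__":
    for domain, records in SAMPLE_ZONES.items():
        status = classify(records)
        print(f"{domain:18} enforcing={status.enforcing!s:5} {status.note}")
    print(f"enforcement rate: {enforcement_rate(SAMPLE_ZONES):.0%}")
```

The distinction the code draws is the one that matters for the numbers above: a domain can "have DMARC" with p=none and still let every forged message through, because that policy only asks receivers to send reports.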
After a FireEye report two weeks ago outlined a multiyear campaign of so-called DNS hijacking, Homeland Security is ordering federal agencies to investigate and close security holes in their internet infrastructure.
The Domain Name System (DNS) is sort of like an internet phonebook, turning domain names like "axios.com" into computer-readable, numeric internet addresses. DNS hijacking happens when hackers change the DNS record, detouring traffic meant for one server to visit another server.
The DHS directive, dated Tuesday and widely publicized Wednesday, gives agencies 10 days to audit whether they were victims of the DNS attacks, change the passwords on the accounts that can modify their DNS records, implement multifactor authentication on those accounts and begin monitoring their records to catch any further tampering. The password and multifactor steps target the obvious route in: an attacker who can log in to a registrar or DNS hosting account can rewrite the records.
The FireEye report found some evidence that the hackers in the campaign used infrastructure in Iran, but not enough to attribute the campaign to Iran.
Researcher Bob Diachenko discovered a trove of 24 million banking documents left unsecured online, first reported by Zack Whittaker at TechCrunch.
Details: With help from Whittaker, Diachenko traced the documents to Ascension, a firm that converted paper documents into digital ones for the financial industry.
It's important to note that a data exposure doesn't mean the data was actually downloaded by an attacker, only that anyone who found the server could have taken it without first hacking the firm.
The documents included mortgage and other loan paperwork and related material from "CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development," according to the TechCrunch write-up.
The software developer and cybersecurity practitioner who uses the handle e-sushi noted yesterday that it's actually kind of fun to search through Have I Been Pwned's Pwned Passwords database, which aggregates passwords from thousands of breaches and records how many times each one has appeared.
Codebook likes fun things:
Lesley Carhart, of Dragos, noted that a bunch of these passwords likely relate to temporary accounts, which bears out.
Things get dark, fast. Here's a bunch of passwords that, I guess, confess to crimes?
The big picture: Just to keep a sense of scale, the password "password" appears 3,645,804 times in the database.
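Searching that database without handing over the password you are curious about is itself a neat trick, so here is an added example (not Have I Been Pwned's code, nor e-sushi's) of the k-anonymity lookup the service uses: hash the password with SHA-1, send only the first five hex characters, and match the rest locally against the block of suffixes that comes back. The range response below is constructed; the 3,645,804 count for "password" is the figure quoted above and the other entries are made up. A live query would GET https://api.pwnedpasswords.com/range/<prefix> and parse the body the same way.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example, not Have I Been Pwned's code. The range body below is
constructed; the count for "password" is the figure quoted in the newsletter,
the other suffixes are invented. Online, fetch_range would perform the HTTP GET.
"""
import hashlib
from typing import Callable, Dict, Tuple


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one 5-character prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in breaches, or 0 if never seen.

    The server sees only the 20-bit prefix, which hundreds of unrelated hashes
    share, so it cannot tell which password was being checked.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the range that contains SHA-1("password").
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",          # invented
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",          # invented
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804",    # "password", count from the text
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Offline replacement for the HTTP GET; unknown prefixes return an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "Password", "correct horse battery staple"]:
        prefix, _ = split_hash(candidate)
        print(f"{candidate!r}: server sees {prefix}, "
              f"seen {pwned_count(candidate, offline_fetch):,} times")
```

Note that the match is on the exact string: "Password" with a capital P hashes to a different range entirely and comes back with a count of 0 in this constructed data, which is also what you would see for any password the breach corpus has never recorded.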
See you next week!