January 24, 2019

Welcome to Codebook, the cybersecurity newsletter throwing stones from a glass house.

Tips? Story ideas? Send me a note by replying to this email.

1 big thing: Big hole in newsletter security

Illustration: Aïda Amer/Axios

This email is authentic. But an Axios study shows that very few news organizations — around 6% of a broad sample — successfully use a critical technology that guarantees emails like this are authentic.

The big picture: We've written before about the Department of Homeland Security's struggle to get federal agencies and the White House to implement DMARC, a security protocol that prevents someone from successfully sending an email using someone else's email address. It's only fair to turn that lens on our own industry.

Why it matters: As the news industry increases its reliance on email alerts and newsletters (represent!), our credibility makes us a target for spammers, scammers and purveyors of disinformation or fraud.

  • Imagine a news alert that appears to come from a business publication claiming a company was going bankrupt.
  • Or consider a newsletter on Election Day claiming a candidate had suddenly changed position on a key issue.

Details: Axios used a tool designed by email security company Valimail to check the DMARC status of 199 different news sites.

  • Only 12 use DMARC in a way that would prevent fake emails from getting to their targets.
  • Of 98 local news sites tested, only 1 had fully operational DMARC.
  • The list of sites not protected by DMARC includes influential news sources, from the New York Times and USA Today to Fox and NBC networks to Voice of America and major international outlets.
  • Axios is on that list, too.
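The survey above distinguishes "uses DMARC" from "uses DMARC in a way that would prevent fake emails": a record with p=none only asks receivers to report, while p=quarantine or p=reject (at pct=100) actually blocks spoofed mail. The classifier below is an added example, not the Valimail tool or any Axios code; the domain names and records are constructed samples, and no DNS lookup is performed.

```python
"""Classify DMARC TXT records into monitoring vs. enforcement, as a DMARC status check would."""

# Constructed sample records keyed by hypothetical domains (no real DNS lookups).
# None stands for "no _dmarc TXT record published".
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; adkim=s; aspf=s",
    "broken.example": "v=DMARC1 p=reject",  # malformed: tags not separated by ';'
}


def parse_dmarc(record):
    """Split a DMARC record into a tag->value dict; return None if it is not a usable record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 and a p= tag for the record to be valid.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(record):
    """Return one of: none-published, invalid, monitoring, partial-enforcement, enforcement."""
    if record is None:
        return "none-published"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitoring"
    if policy in ("quarantine", "reject"):
        # pct below 100 applies the policy to only a sample of failing mail.
        return "enforcement" if pct >= 100 else "partial-enforcement"
    return "invalid"


def survey(records):
    """Classify every domain and report how many actually enforce."""
    statuses = {domain: classify(rec) for domain, rec in records.items()}
    enforcing = sum(1 for s in statuses.values() if s == "enforcement")
    return statuses, enforcing


if __name__ == "__main__":
    statuses, enforcing = survey(SAMPLE_RECORDS)
    for domain, status in statuses.items():
        print(f"{domain:24} {status}")
    print(f"{enforcing} of {len(statuses)} domains enforce DMARC")
```

Only the record at p=reject (or p=quarantine) with full pct counts as enforcement; a published-but-p=none record is the common "uses DMARC but is not protected" case the study describes.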

We ran the tests twice, first last weekend and again Wednesday night, contacting the outlets named in this story after the first test. No one but Axios responded.

  • Axios' response, via Megan Swiatkowski, associate director of communications: "Axios has recently implemented DMARC and is working to finish configuration and testing to begin enforcement. ... Making sure that readers safely and reliably receive Axios newsletters is a top priority."

Fake news is a major concern: "If you want to spread misinformation and fake news, we know that one tool Russians and others have used is to host a fake website," said Dylan Tweney, VP of communications at Valimail. "It seems like the next logical step would be to send out a fake newsletter."

  • Ben Nimmo, senior fellow for information defense at the Atlantic Council's Digital Forensic Research Lab, agreed. "We’ve seen a few times propagandists have learned from hackers," he said. "Faking email news would entirely fit the pattern of what we’ve seen."

But disinformation isn't the only issue. Phil Reitinger, president and CEO of the Global Cyber Alliance, a security advocacy group, noted, "Media could be very useful as an infection vector for malware."

The intrigue: There didn't appear to be a relation between whether a site used DMARC and how sensitive its content was. One outlet that implemented DMARC solely provides weather updates, while several of the sites providing investment newsletters did not.

For more details, including methodology and how DMARC works, see the full story here.

2. DHS directive demands DNS defense

After a FireEye report two weeks ago outlined a multiyear campaign of so-called DNS hijacking, Homeland Security is ordering federal agencies to investigate and close security holes in their internet infrastructure.

The Domain Name System (DNS) is sort of like an internet phonebook, turning domain names like "axios.com" into computer-readable, numeric internet addresses. DNS hijacking happens when hackers change the DNS record, detouring traffic meant for one server to visit another server.

  • From there, hackers can read or change any communications without the server or the user being any the wiser.

The DHS directive, dated Tuesday and widely publicized Wednesday, gives agencies 10 days to audit whether they were victims of the DNS attacks, change the passwords on accounts that can alter DNS records, implement multifactor authentication and begin monitoring to prevent any further attempts.
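The audit and monitoring steps above come down to one check: do the DNS records an agency is actually serving still match the ones it signed off on? The script below is an added example (not from the DHS directive or the FireEye report) showing that comparison over two constructed snapshots, using the documentation address ranges 192.0.2.0/24 and 198.51.100.0/24 and a hypothetical agency.example zone; a real deployment would fill the "current" snapshot from resolver queries.

```python
"""Flag DNS records that drift from an approved baseline (the signal of a hijack)."""

# Constructed baseline: the records the owner approved, keyed by (name, type).
BASELINE = {
    ("agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("www.agency.example", "A"): {"192.0.2.11"},
}

# Constructed "current" snapshot with two problems planted for the demo.
CURRENT = {
    ("agency.example", "A"): {"198.51.100.77"},        # changed: traffic now detours elsewhere
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("www.agency.example", "A"): {"192.0.2.11"},
    ("vpn.agency.example", "A"): {"198.51.100.78"},    # added: record nobody approved
}

# Record types whose change redirects whole zones or mail flows, so they rank highest.
HIGH_IMPACT_TYPES = {"NS", "MX", "A", "AAAA", "CNAME"}


def diff_records(baseline, current):
    """Return a list of findings; each is a dict with kind, name, type, severity, old, new."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(current)):
        old = baseline.get((name, rtype), set())
        new = current.get((name, rtype), set())
        if old == new:
            continue
        kind = "added" if not old else "removed" if not new else "changed"
        findings.append({
            "kind": kind,
            "name": name,
            "type": rtype,
            "severity": "high" if rtype in HIGH_IMPACT_TYPES else "medium",
            "old": sorted(old),
            "new": sorted(new),
        })
    return findings


def summarize(findings):
    """One line per finding, suitable for an alert or ticket."""
    return [
        f"[{f['severity'].upper()}] {f['kind']} {f['type']} {f['name']}: {f['old']} -> {f['new']}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in summarize(diff_records(BASELINE, CURRENT)):
        print(line)
```

Running this on a schedule and alerting on any non-empty result is the "begin monitoring" step; the baseline itself should live somewhere the DNS-management credentials cannot reach, so an attacker who changes the records cannot also change the reference.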

The FireEye report found some evidence that the hackers in the campaign used infrastructure in Iran, but not enough to attribute the campaign to Iran.

3. Report: A data firm exposed 24 million banking documents

Researcher Bob Diachenko discovered a trove of 24 million banking documents left unsecured online, first reported by Zack Whittaker at TechCrunch.

Details: With help from Whittaker, Diachenko traced the documents to Ascension, a firm that converted paper documents into digital ones for the financial industry.

It's important to note that a data exposure doesn't mean the data has actually been downloaded maliciously, just that a bad guy could have taken it without first hacking the firm.

The documents included ones pertaining to mortgages, other loans and other matters from "CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development," according to the TechCrunch write-up.

4. Passwords are a window to the soul

The software developer and cybersecurity practitioner who uses the handle e-sushi noted yesterday that it's actually kind of fun to search through Have I Been Pwned's password databases, which aggregate data from thousands of breaches and count how often each password appears.

Screencap: Twitter

Codebook likes fun things:

Screencap: Twitter

Lesley Carhart, of Dragos, noted that a bunch of these passwords likely relate to temporary accounts, which the data bears out.

Screencap: Twitter

Things get dark, fast. Here's a bunch of passwords that, I guess, confess to crimes?

Screencap: Twitter

The big picture: Just to keep a sense of scale, the password "password" appears 3,645,804 times in the database.
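Looking up a password in that database does not require sending the password anywhere: Have I Been Pwned's Pwned Passwords service takes the first five hex characters of the password's SHA-1 hash and returns every known hash suffix in that range with its count, so the client matches the rest locally. The code below is an added example, not HIBP's own client; the range response is a constructed excerpt in that service's line format, with the 3,645,804 count quoted above attached to the real SHA-1 suffix of "password" and the other lines invented, and the offline lookup function stands in for the HTTP request.

```python
"""Check a password against a Pwned Passwords range response without disclosing it."""
import hashlib

# Constructed excerpt of a range response (SUFFIX:COUNT per line), not a real API reply.
# First line: real SHA-1 suffix of "password" with the count the newsletter cites.
# Remaining lines are made-up filler so the lookup has something to skip.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def fake_range_lookup(prefix):
    """Offline stand-in (hypothetical) for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password, range_lookup=fake_range_lookup):
    """How many times the password appears in the corpus; 0 means not found in this range."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

The same pattern suits a sign-up form or password-change flow: reject any candidate whose count is non-zero, and the server never learns more than a 5-character hash prefix, which tens of thousands of passwords share.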

5. Odds and ends

See you next week!