Aug 27, 2018

State elections emails are easy for hackers to fake

Photo: Stephen Maturen/Getty Image

Very few (only 4%) of state elections offices across the 50 states, Washington D.C. and the three U.S. territories use adequate protection to keep hackers from sending email from those offices' official email addresses, according to a new study by the security company Anomali.

Why it matters: Nothing in the basic email protocol guarantees that a sender's address is authentic. To do that, web sites need to add a handful of additional security protocols. That could lead to voter suppression if a dirty tricks-wielding campaign sends emails from the official account saying that polling places have moved, election days changed, or groups of people are no longer registered to vote.

The Anomali study looked at 6 different security protocols: DANE, DKIM, DMARC, DNSSEC, SPF and STARTTLS.

  • DKIM, DMARC and SPF all have different functions to protect recipients from fake or “spoofed” email addresses.
  • DNSSEC, DANE and STARTTLS work together to ensure the message reaches the right recipient without being altered along the way.

The details: If a website fails to have SPF and DMARC in place and configured to prevent it, a bad guy can fake (or "spoof") an email from the site.

  • Properly set up, SPF identifies if a server has permission to send an email from a domain and DMARC tells an email client to either reject emails that fail SPF or mark them as spam.
  • Only 4% of elections sites had both set up in a way to prevent spoofing.
  • DKIM ensures specific emails were in fact sent by the senders listed. Only 10 percent of states use DKIM.
  • None of the security protocols had even 50% adoption accross the states.

Go deeper

Sanders takes aim at Bloomberg: "Trump will chew him up and spit him out"

Photo: Mario Tama/Getty Images

Bernie Sanders told CBS "60 Minutes" that he was surprised by Mike Bloomberg's lackluster performance at Wednesday's Democratic debate.

What he's saying: "If that's what happened in a Democratic debate, you know, I think it's quite likely that Trump will chew him up and spit him out."

Scoop: Lyft acquires cartop advertising startup Halo Cars

Photo: Drew Angerer/Getty Images

Lyft has acquired Halo Cars, a small startup that lets ride-hailing drivers earn money via ad displays mounted atop their cars. Lyft confirmed the deal but declined to share any details.

Why it matters: Ride-hailing companies are increasingly eyeing additional ways to generate revenue, and Lyft rival Uber has been quietly testing a partnership with New York-based Cargo that gives it a cut of the advertising revenue, as I previously reported.

Scoop: New White House personnel chief tells Cabinet liaisons to target Never Trumpers

McEntee, shown with White House counselor Kellyanne Conway and White House senior adviser Stephen Miller, walks on the South Lawn of the White House Jan. 9. Photo: Drew Angerer/Getty Images

Johnny McEntee called in White House liaisons from cabinet agencies for an introductory meeting Thursday, in which he asked them to identify political appointees across the U.S. government who are believed to be anti-Trump, three sources familiar with the meeting tell Axios.

Behind the scenes: McEntee, a 29-year-old former body man to Trump who was fired in 2018 by then-Chief of Staff John Kelly but recently rehired — and promoted to head the presidential personnel office — foreshadowed sweeping personnel changes across government.