The White House, which has boasted of taking unprecedented actions to secure the nation’s digital infrastructure, isn’t doing enough to protect its own emails from being copycatted by hackers and spammers, according to data shared with me by the email security firm ValiMail.
It isn't following its own administration's rules that require protections against the threat known as email spoofing, according to the company.
That makes it comparatively easy for fraudsters posing as White House officials over email to deliver malware to citizens or to con them into giving up personal information. Hackers could also use emails that appear to be from the White House to trick high-profile targets such as political donors, executives and activists into giving up personal and organizational information, Phil Reitinger, a former Homeland Security Department official, told me.
“You’re a lot more likely to open an email that says it’s from the White House — particularly if you’re a person who might be rightly or wrongly expecting to receive an email from the White House,” Reitinger told me. The White House didn't reply to a request for comment.
The White House’s apparent failure to manage email protections risks undermining its authority as it tries to lead a governmentwide push to improve the cybersecurity of government systems and data.
Trump and other administration officials famously promised to hold cabinet secretaries and other top agency officials to account for cybersecurity lapses within the government. But the ValiMail research, which focuses on email security across the federal government, comes 15 months after the Homeland Security Department first ordered government agencies to install protections against email spoofing on all their Web domains -- and the final DHS deadline to do so was three months ago.
The mandate focused on a tool called DMARC, which, in essence, checks with the domain in an email's sender address whether the message really comes from that organization. If the domain says the sender is illegitimate, DMARC can reject the email, quarantine it in a spam folder or simply note that it’s suspicious. The tool comes standard with free consumer email services such as Gmail and Yahoo Mail.
As of October 2018, government domains are supposed to reject those phony emails so they never arrive in recipients’ inboxes. About one-quarter of government Web domains still haven’t complied with the mandate, but the White House is the most prominent of them.
The domain that hosts most White House email accounts, eop.gov, is set up only to divert phony emails to recipients’ spam folders, according to the ValiMail data, while phony whitehouse.gov emails won’t be stopped at all.
White House employees don’t actually email from whitehouse.gov email addresses, but, because most people who aren’t in regular contact with the White House don’t know that, phony emails from the domain would still be very useful to hackers and scammers, Reitinger told me.
The two White House domains also have “invalid” DMARC records. That means the White House hasn’t properly set up all record-keeping aspects of the system but doesn’t necessarily mean DMARC isn’t functioning.
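As an added example (not from the article or from ValiMail), here is a small Python checker that reads a DMARC TXT record the way the DHS mandate cares about: whether the record is syntactically valid, which of the three policies (none, quarantine, reject) it applies, and whether that amounts to the required reject policy. The domain names and records are constructed for illustration and are not the real eop.gov or whitehouse.gov records.

```python
# Added example: parse DMARC TXT records and grade them against the DHS
# target of p=reject. The records below are constructed; they are not the real
# eop.gov or whitehouse.gov records, and nothing here queries DNS.
VALID_POLICIES = {"none", "quarantine", "reject"}

SAMPLE_RECORDS = {  # constructed test data
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example":    "v=DMARC1; p=reject; pct=50",   # reject applied to only half of mail
    "missing-p.example":  "v=DMARC1; rua=mailto:x@missing-p.example",  # no p= tag: invalid
    "order.example":      "p=reject; v=DMARC1",           # v= must be the first tag: invalid
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raise on a tag with no '='."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def assess(record: str) -> dict:
    """Is the record valid, which policy does it apply, and is that policy reject?"""
    result = {"valid": False, "policy": None, "meets_mandate": False, "reason": ""}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        result["reason"] = "record must begin with v=DMARC1"
        return result
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        result["reason"] = "missing or unknown p= tag"
        return result
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        result["reason"] = "pct= must be an integer 0-100"
        return result
    result.update(valid=True, policy=policy)
    # The mandate is met only when every message failing DMARC is rejected.
    result["meets_mandate"] = policy == "reject" and int(pct) == 100
    if not result["meets_mandate"]:
        result["reason"] = f"effective policy is {policy} at pct={pct}"
    return result
```

Running `assess` over the sample map shows the three states the article describes: a valid record at reject, valid records that only quarantine or monitor, and records that are invalid because a required tag is missing or misplaced.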
Only a handful of other federal websites have invalid DMARC records at this late date, including the Health and Human Services Department’s inspector general’s office and an Interior Department website devoted to scenic rivers, according to ValiMail.
The data has a silver lining: With 69 percent of federal Web domains complying with the DHS directive, government is far better protected against email spoofing than other industry sectors, ValiMail Vice President Dylan Tweney told me.
A ValiMail report from August, before the final DHS deadline, found government DMARC adoption was about 20 percent higher than in the tech sector and about 30 percent higher than the banking sector.
“I haven’t seen anything like this in any other industry,” Tweney told me. “This has done a lot to increase the general trustworthiness of emails from the federal government.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: William P. Barr, Trump's nominee for attorney general, said in written testimony that he would let special counsel Robert S. Mueller III complete his investigation into Trump's presidential campaign, The Washington Post's Matt Zapotosky and Devlin Barrett reported. Barr also said it is “very important” that Congress and the public be informed of the results of the probe.
“If confirmed, I will not permit partisan politics, personal interests, or any other improper consideration to interfere with this or any other investigation,” Barr said in written testimony released a day before his confirmation hearing. “I will follow the Special Counsel regulations scrupulously and in good faith, and on my watch, Bob will be allowed to complete his work.” Barr is scheduled to appear before the Senate Judiciary Committee today for his confirmation hearing.
Meanwhile, Trump denied that he worked for Russia, according to The Post's John Wagner and Karoun Demirjian. “I never worked for Russia,” Trump told reporters, before adding: “Not only did I never work for Russia, I think it’s a disgrace that you even asked that question because it’s a whole big fat hoax. It’s just a hoax.”
PATCHED: A judge in California ruled that the government cannot force people to use their face or finger to unlock their mobile device, Forbes's Thomas Brewster reported. Kandis Westmore, a magistrate judge for the U.S. District Court for the Northern District of California, “declared that the government did not have the right, even with a warrant, to force suspects to incriminate themselves by unlocking their devices with their biological features,” Brewster wrote.
Westmore denied a search warrant for a property in Oakland that had been filed in relation to a probe into a Facebook extortion crime. Investigators also wanted to be able to unlock any phone using facial recognition, iris or fingerprint, Brewster reported. “If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device,” Westmore wrote, according to Forbes.
PWNED: Chinese authorities urged foreign countries to stop “fabrications” about Chinese telecommunications giant Huawei following the arrest of a Chinese employee of the company in Poland on suspicion of spying, Reuters reported. “We urge relevant parties to cease the groundless fabrications and unreasonable restrictions toward Huawei and other Chinese companies, and create a fair, good and just environment for mutual investment and normal cooperation by both sides’ companies,” Chinese Foreign Ministry spokeswoman Hua Chunying said in Beijing. Hua's comments came in response to a Polish official who said that Poland's authorities could limit the use of Huawei products by state entities, according to Reuters.
Meanwhile, Huawei CEO Ren Zhengfei pledged in a rare public appearance following his daughter’s arrest in Canada that his company does not spy on behalf of the Chinese government and never has, the Journal’s Dan Strumpf and Josh Chin reported.
— House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said Federal Communications Commission Chairman Ajit Pai refused to brief the committee's staff about the disclosure of users' location data by wireless carriers. “There’s nothing in the law that should stop the Chairman personally from meeting about this serious threat that could allow criminals to track the location of police officers on patrol, victims of domestic abuse, or foreign adversaries to track military personnel on American soil,” Pallone said in a statement. “The Committee will continue to press the FCC to prioritize public safety, national security, and protecting consumers.”
Motherboard reported last week that T-Mobile, Sprint and AT&T sold access to their customers' location data to third-party companies. The FCC said in a statement that it “has been investigating wireless carriers' handling of location information” and will resume the probe when the partial government shutdown comes to an end, the Hill's Harper Neidig reported.
— More cybersecurity news from the public sector:
— Security researchers will have a chance to try to hack a Tesla Model 3 electric car at the Pwn2Own Vancouver competition, according to the Verge's Russell Brandom. The car will be awarded to a single winner in the contest's automotive category. “Our work with the security research community is invaluable to us,” said David Lau, Tesla’s vehicle software chief, according to the Verge. “We look forward to learning about and rewarding great work in Pwn2Own so that we can continue to improve our products and our approach.”
Tesla in 2014 started a bug bounty program for security researchers to report weaknesses, according to Bloomberg News's Dana Hull. “These are common [in] the technology industry, but rare in the auto business,” Hull wrote. “That’s beginning to change as more vehicles are connected to the internet, leaving them vulnerable to hacking.”
— Positive Technologies, a firm that assesses vulnerabilities, announced that Schneider Electric fixed three security weaknesses in a charging station for electric vehicles that the company makes, CyberScoop's Zaid Shoorbajee reported. “The most serious of the vulnerabilities in the EVlink charging stations involved hard-coded credentials, meaning the units were shipped with default passwords or security keys embedded in their firmware,” according to CyberScoop. “If hackers discover such credentials in any type of device, they can use them to gain wide access to them.”
— More cybersecurity news from the private sector:
— Security researcher Paulos Yibelo identified bugs that could make it possible to take over customers' accounts from the Web-hosting companies Bluehost, DreamHost, Hostgator, OVH and iPage, according to TechCrunch's Zack Whittaker. “The results of his vulnerability testing likely wouldn’t fill customers with much confidence,” Whittaker wrote. “The bugs, now fixed — according to Yibelo’s write-up — represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base — with the potential to go easily wrong.”
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats.
- S4x19 industrial control systems security conference in Miami Beach through Thursday.
- The Council on Foreign Relations holds a panel discussion titled “Hacking and the Internet of Things” on Thursday.
- ShmooCon hacker conference in Washington on Friday through Sunday.