We were pleasantly surprised to see a letter from Senator Ron Wyden of Oregon to the Department of Homeland Security today, asking the DHS “to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies.”
Sen. Wyden’s letter was specific and concrete in its recommendations:
- DHS already scans federal agencies for known security vulnerabilities. It should add DMARC checks to this program.
- DHS should work with the General Services Administration to collect automatic DMARC reports from all federal agencies.
- DHS should issue a directive requiring executive branch agencies to enable DMARC with a reject or quarantine policy.
That last point is particularly critical. Valimail’s analysis of more than 1 million domains has shown that, of the domains that have published a DMARC record, approximately 70%, regardless of size, fail to enforce the rules their records set up: their policy is p=none rather than quarantine or reject. A p=none record only asks receiving mail servers to send reports; it does not tell them to quarantine or reject mail that fails authentication. Without enforcement, there’s no real protection.
Wyden has been talking about DMARC since April of this year. And we’ve been making the same point since January, when we urged the new administration to make email great again. At the time, 9 out of 10 agencies we checked lacked DMARC enforcement, including IRS.gov, DHS.gov, CIA.gov, FBI.gov, and NSA.gov. Only one, SSA.gov, had DMARC fully configured and set to enforcement mode.
Six months later, the email authentication status of all 10 agencies is unchanged.
What’s more, Sen. Wyden’s own domain, wyden.senate.gov, is not protected by DMARC. (There’s a DMARC record but it’s not set to enforce the rules it specifies.)
It shouldn’t come as a surprise that federal agencies are a major target for hackers. What is surprising is how few agencies are prepared to defend against the primary vector of attack: phishing.
At government organizations as elsewhere, hackers often launch attacks by sending emails impersonating those agencies. It’s remarkably easy to do. The From header is whatever the sender writes, and SPF and DKIM on their own do not check the domain shown there; only DMARC ties the visible From domain to an authenticated sender, and only an enforcing DMARC policy tells receivers what to do when they don’t match. So in some cases a hacker only needs to craft a legitimate-looking message and put an IRS.gov address in the From field, and it will look to recipients like a legitimate missive from the tax man.
That’s bad enough when the hackers are using an IRS address to target law-abiding, tax-paying citizens with some kind of tax scam. It gets even more dangerous when hackers target people within those agencies, while using emails that appear to come from senior officials (for instance, by using firstname.lastname@example.org in the From field). It’s a variant on the “CEO to CFO” scam, where hackers pose as a chief executive and use emails to underlings to request sensitive information, such as personnel files or passwords, via a channel the hacker controls.
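The following is an added example, not Valimail’s code or any agency’s published record, showing the two points above in working form: how a DMARC record is parsed and classified as enforcing or not, and what happens to a spoofed message (a From address on the agency’s domain, sent from attacker infrastructure) under a p=none record versus a p=reject record. It takes the record text as a string rather than querying DNS (a real check fetches the TXT record at `_dmarc.<domain>`), uses the constructed domains `agency.example` and `attacker.example`, simplifies the organizational-domain rule to the last two labels instead of the Public Suffix List, and treats a `pct` below 100 as not fully enforcing; all of those are assumptions of the example.

```python
"""Added example (not Valimail's or any agency's code): parse a DMARC record
and show why a record without p=quarantine / p=reject gives no protection.

A real check fetches the TXT record at _dmarc.<domain>; this version takes
the record text as a string so it runs offline against constructed samples.
"""
from dataclasses import dataclass, field

# What a receiver does with a message that fails DMARC, keyed by the p= tag.
ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


@dataclass
class DmarcPolicy:
    policy: str            # p= tag: none, quarantine or reject
    subdomain_policy: str  # sp= tag; defaults to the p= value
    pct: int               # pct= tag: share of failing mail the policy applies to
    aspf: str              # SPF alignment mode: r (relaxed) or s (strict)
    adkim: str             # DKIM alignment mode: r or s
    rua: list = field(default_factory=list)  # aggregate-report destinations


def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse 'v=DMARC1; p=...; ...' into a DmarcPolicy; raise on malformed input."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    p = tags["p"].lower()
    if p not in ACTIONS:
        raise ValueError(f"unknown policy {p!r}")
    return DmarcPolicy(
        policy=p,
        subdomain_policy=tags.get("sp", p).lower(),
        pct=int(tags.get("pct", "100")),
        aspf=tags.get("aspf", "r").lower(),
        adkim=tags.get("adkim", "r").lower(),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def is_enforcing(policy: DmarcPolicy) -> bool:
    """Enforcing as the post counts it: quarantine or reject, applied to all failing mail."""
    return policy.policy in ("quarantine", "reject") and policy.pct == 100


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption);
    production code must use the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed alignment matches organizational domains; strict requires equality."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(policy, record_domain, from_domain, spf_domain=None, dkim_domains=()):
    """Outcome for one message: 'pass' if SPF or DKIM passed for a domain aligned
    with the From domain, otherwise the action the domain owner's policy requests.
    spf_domain is the domain SPF passed for (None if it did not pass);
    dkim_domains are the d= values of verified DKIM signatures."""
    if spf_domain and aligned(from_domain, spf_domain, policy.aspf):
        return "pass"
    if any(aligned(from_domain, d, policy.adkim) for d in dkim_domains):
        return "pass"
    # The record was found at record_domain; a subdomain From falls under sp=.
    exact = from_domain.lower() == record_domain.lower()
    return ACTIONS[policy.policy if exact else policy.subdomain_policy]


# Constructed records for illustration; not the published records of any real domain.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"
ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@agency.example"


def spoof_outcome(record_txt: str) -> str:
    """A message with From: someone@agency.example sent from the attacker's own
    server: SPF passes for attacker.example, there is no DKIM signature."""
    policy = parse_dmarc_record(record_txt)
    return dmarc_disposition(policy, "agency.example", "agency.example",
                             spf_domain="attacker.example", dkim_domains=())


if __name__ == "__main__":
    for name, rec in (("monitor-only", MONITOR_ONLY), ("enforcing", ENFORCING)):
        enforcing = is_enforcing(parse_dmarc_record(rec))
        print(f"{name}: enforcing={enforcing}, spoofed message -> {spoof_outcome(rec)}")
```

The monitor-only record yields `deliver` for the spoofed message: the attacker’s SPF pass is for their own domain, so it is not aligned with the From domain, DMARC fails, and p=none asks the receiver to do nothing but report. The same message under p=reject yields `reject`. A scanner of the kind Sen. Wyden asks DHS to run would apply `is_enforcing` to each agency’s `_dmarc` record and flag every domain that comes back False.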
It’s such a glaring vulnerability that as many as 91% of cyberattacks begin with a phishing email, according to one estimate.
Photo by Jon Frazier Photo/Flickr