In the latest episode of how badly some branches of government are at cybersecurity, a new study by the cybersecurity outfit Global Cyber Alliance indicates that 95 percent of the email domains managed by the Executive Office of the President could be spoofed and potentially used in phishing attacks.
Of the domains that are managed by the Office of the President, only the max.gov email address has fully implemented the highest level of defense against spoofing and phishing emails.
Malicious actors often tweak metadata to trick targets into thinking they are receiving email from an official-sounding domain, like whitehouse.gov.
The Domain Message Authentication Reporting & Conformance (DMARC) protocol — which verifies that an email was sent from the correct address (to prevent spoofing) and informs an email recipient that they likely received an email from a faked address — is used to prevent against these attacks. Last October, the Department of Homeland Security required that all federal agencies update their email policies to comply with the protocol.
So far, only seven White House email addresses have taken the basic step of setting up alerts to be notified when their addresses are used in phishing scams, according to the Global Cyber Alliance report. Another 18 haven’t started deploying DMARC.
Without DMARC in place, those email addresses can be spoofed by would-be scammers and recipients would have no idea they were receiving a fake email from a government account.
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” said Philip Reitinger, president and CEO of the Global Cyber Alliance, in a statement. “The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward.”
Domains that have rolled out the lowest settings of DMARC are WhiteHouse.gov and EOP.gov. Other domains under the purview of the EOP include Budget.gov, OMB.gov, USTR.gov, OSTP.gov.
These security issues aren’t just academic concerns cooked up by bureaucrats to waste time and add red tape to operations. To see how significant these issues can be, look no further than the Atlanta cyberattack, which happened two weeks ago.
The city is still restoring systems after the attack — a ransomware assault that used SamSam malware to encrypt exposed files. Hackers offered to decrypt the files for a (relatively small) ransom (which it looks like the city has not paid, since systems are still offline).
At least Atlanta was able to restore some of its systems (way to back up those files, government officials), but the attack reveals how many critical systems are still vulnerable.
Now consider if hackers were using federal government addresses to distribute malware — that’s a problem everyone should be concerned about.