July 25, 2016

Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, suggesting that anyone who is so lax with email security isn’t fit to become president. But a closer look at the Web sites for each candidate shows that in contrast to hillaryclinton.com, donaldjtrump.com has failed to take full advantage of a free and open email security technology designed to stymie email spoofing and phishing attacks.

atballAt issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.

DMARC may not yet be widely deployed beyond the major email providers, but that’s about to change. Google announced late last year that it will soon move gmail.com to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification. And others are already moving in the same direction.

Probably the easiest way to understand DMARC is to walk through a single site’s records. According to the DMARC compliance lookup tool at dmarcian.com — a DMARC awareness, training and support site — hillaryclinton.com has fully implemented DMARC. This means that the campaign has posted a public policy that enables email providers like Google, Microsoft and Yahoo to quickly determine whether a message claiming to have been sent from hillaryclinton.com was actually sent from that domain.

Specifically, (and this is where things can quickly descend into a Geek Factor 5 realm of nerdiness) DMARC sits on top of two existing technologies that try to make email easy to identify: Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

SPF is basically a list of Internet addresses and domains which are authorized to send email on behalf of hillaryclinton.com (in case anyone’s interested, here’s a copy of the SPF record for hillaryclinton.com). DKIM allows email receivers to verify that a piece of email originated from an Internet domain through the use of public key cryptography. Deploying both technologies gives email receivers two ways to figure out if a piece of email is legitimate.

The DMARC record for Clinton’s site includes the text string “p=quarantine.” The “p” bit stands for policy, and “quarantine” means the Web site’s administrators have instructed email providers to quarantine all messages sent from addresses or domains not on that list and not signed with DKIM – effectively consigning them to the intended recipient’s “spam” or “junk” folder. Another blocking option available is “p=reject,” which tells email providers to outright drop or reject any mail sent from domains or addresses not specified in the organization’s SPF records and lacking any appropriate DKIM signatures.

Turning Dmarcian.com’s tool against donaldjtrump.com, we can see that although the site is thinking about turning on DMARC, it hasn’t actually done so yet. The site’s DMARC records are set to the third option — “p=none” — which means the site administrators haven’t yet asked email providers to block or quarantine any messages that fail to match the site’s SPF records. Rather, the site merely asks email providers to report to “postmaster@donaldjtrump.com” about the source of any email messages claiming to have been sent by that domain.

Dmarcian founder Tim Draegen said this “p=none” setting of DMARC is a data collection feature designed to give organizations a better idea of their total email footprint before setting strict DMARC “reject” or “quarantine” rules.

Why on earth would any organization not know where its email was coming from? As this video at Dmarcian notes, one reason is that anti-spam and anti-malware filters at major email providers have essentially spawned an entire email deliverability industry that exists solely to help organizations keep their emails flowing into inboxes worldwide. As a result, many companies rely on an array of third-party providers to send messages on their behalf, yet those business relationships may not be immediately evident to the geeks in charge of setting up DMARC rules for the organization.

“DMARC was designed so that it says, ‘All you email providers….give me feedback on how you’re seeing email from us being received,'” Draegen said. “Based on that feedback, the organization can then can go back and identify and specify their legitimate sources of email, and then tell the email providers, ‘Hey, if you get a piece of email not covered by these sources, reject or quarantine it.”

As for why more organizations haven’t deployed DMARC already, Draegen said larger entities often have multiple divisions (think marketing and sales teams) that may develop their own methods of getting their email messages out. Trouble is, those divisions don’t always do a great job at informing the tech folks of what they’re up to.

The “p=none” option thus gives organizations an easy and free way to tell email providers to report any and all mail claiming to be sent by the domain in question. Armed with that information, the organization can then set strict, global policies about which emails to reject or quarantine going forward.

“It really depends on the size of the infrastructure or complexity of the company,” Draegen said. “The tech part of DMARC is pretty easy, but what we tend to see in large companies is that there’s a domain that has traditionally been shared by everyone at the organization, and it often involves a lot of hard work to find all the legitimate sources of email for the organization.”

Alexander Garcia-Tobar, CEO and co-founder of email security firm Valimail, agreed.

“The answer is that it’s extremely tricky to get right,” he said, of identifying all of a company’s legitimate email sending activity. “Most organizations are lot more concerned about blocking good stuff going out, until they get phished.”

So how long does it take for organizations to gather enough information with DMARC’s “p=none” option in order to build an effective (yet not overly restrictive) “quarantine” or “reject” policy? For larger organizations, this can often amount to a long, laborious process, Draegen said. For smaller outfits — such as presidential campaigns — it shouldn’t take long to gather enough data with DMARC’s “p=none” option to fashion targeted rules that block phishing and spoofing attacks without endangering legitimate outgoing emails.

I asked Draegen whether he thought the Trump Campaign was somehow derelict in not fully adopting DMARC, given the candidate’s statements about how anyone who’s lax with email security doesn’t deserve to be the next Commander-in-Chief of the United States. Draegen admitted he “can’t stomach” Trump, and that he found Clinton’s email scandal likewise nauseating given a lifetime of experience as an email administrator and the challenges involved in protecting a private email server from determined cyber adversaries.

But Draegen said DMARC compliance is one of the easiest and cheapest ways that any organization can use to better protect itself and its customers from email-based phishing and malware attacks.

“If you’re going to invest in click-tracking technologies or enterprise security products of any flavor and you haven’t yet done DMARC, you’re wasting your time,” Draegen said, noting that enabling DMARC can often help organizations increase delivery rates by as much as five or ten percent. And for campaigns that aren’t adopting DMARC, that may mean lots of email appeals to voters (and, more importantly, potential donors) go undelivered.

“Get the easy, free tech stuff done first because you’re going to get a lot of bang for your buck by deploying DMARC,” he said. “And if you’re a presidential candidate, someone at your campaign should recognize that the first thing you do is enable DMARC.”

Incidentally, given the breaking news today about Russian hackers reportedly hacking into networks at the Democratic National Committee (DNC) — allegedly to make Mr. Trump a more sympathetic candidate — it’s worth noting that while hillaryclinton.com takes full advantage of DMARC, the same cannot be said of the Web sites for the DNC (dnc.org/democrats.org) or the Republican National Committee (gop.com/rnc.org).

Further reading: dmarc.org.


86 thoughts on “Trump, DNC, RNC Flunk Email Security Test

  1. stu sjouwerman

    And the above is the exact reason why you want to step all employees through effective security awareness training as an additional layer.

    Warm regards, Stu

    1. Alexander García-Tobar

      Full disclosure: I am a DMARC vendor and quoted in the article.

      Training is most effective when there are obvious and detectable differences between real and malicious emails. The main point here is that a well crafted email can escape detection – in fact experts frequently fail to detect “real” from “fake”. The power of email authentication is that it is authoritative and doesn’t require human intervention/detection (always the weakest link).

      Authenticating a sender’s principal domains removes these primary attack vectors from criminal abuse.

    2. Alex

      Just that _effective_ training doesn’t exist. People will mostly just “sit through” the training and that’s it. Good luck having any real effect. You need 100% of people to take email security serious. The attacker needs just one person to be lax.

      1. BrianKrebs Post author

        Doesn’t mean the training and resulting real-life exams don’t give you a much better idea of which users to monitor more closely, or even further restrict on the network.

        1. David Morrish

          DMARC is only part of the solution but sure is a step in the right direction. As for training it is generally accepted that security awareness training takes place often with all employee’s for a complete range of threats including cyber security.

        2. Alex

          Not to be too pessimistic here but in many big organizations that would not reduce the target audience to monitor much. Heck ifi look at the security awareness of our IT people I don’t want to even think about regular users (I’m a developer) and my developer colleagues don’t make a much better picture than IT. There are a few people I know that take it seriously but we’re talking a couple percent of security conscious people vs 95% ignorant ones.

      1. Jim

        Many of us know what Stu does, however, there was no self promotion, only a suggestion that employee training would be helpful in a layered security program. LAYERED. At least that’s how I took it.

      2. Jill

        I agree – this isn’t self promotion. I recognized Stu’s name as well, but he didn’t plug his company, just made a relevant comment.

        Full disclosure: I am not a customer of Stu’s company but I do subscribe to their emails.

  2. DaveN

    Does this mean that anyone (Putin, the Clinton campaign) can easily send mail “from” the Trump campaign? Many interesting possibilities come to mind.

    1. DJT

      Go ahead and try it, you’re in for a (h)yo͞oj surprise.

    2. bob

      No.

      DKIM and SPF provide a level of authentication that, if your organisation defaults to sensible behaviour when receiving email, will protect you from spoofed messages.

      DMARC is a layer on top that allows the named sender of an email to say, eg, “we always use SPF and DKIM so if you see anything wrong, reject the email”.

    3. timeless

      I think the best answer is “sort of”.

      Security works by having layers.

      As long as some of them are complete and unbroken and both the sender and receiver are able to validate those layers, things can be ok.

      If a client doesn’t check DMARC, then the fact that a server uses it won’t help that client.

      If a client doesn’t check SPF/DKIM, then that fact that a server uses it won’t help that client.

      Let’s say your client does use DMARC, SPF, and DKIM, has mail filters, and because of this virtually all mail you see in your inbox is “genuine” and “trustworthy”. If someone sends an email pretending to be an origin that doesn’t use any of DMARC, SPF, and DKIM, then your client won’t know it’s a bad message, and might trust it. If it trusts it, it could show it to you, and you could easily be tricked into trusting its contents (after all, all the other messages in your inbox were real!).

      If a client uses DMARC+SPF+DKIM and a server only uses SPF+DKIM, then, I /think/ the client will be stuck in the position of having to decide what to do w/ the mail (equivalent of DMARC p=none). It can think “hrm, this message isn’t authentic, but I wasn’t told to quartine it, so I guess I should just deliver it”. Thus, it ends up in your inbox, and it’s as if the server didn’t have SPF/DKIM at all.

      I’m used to talking about Arms-races. But this is more like an egg toss / frisbee-toss:

      You (mail client) and your partner (mail sender) are running along gently tossing eggs at each-other. But both of you are pretty careless, eggs go fairly wild — but you always try to catch the eggs, because it’s part of the game.

      You’re trying hard not to drop or break the eggs. When an egg is dropped or broken, someone gets upset — or both people get upset. Except w/ email, instead of eggs, we send packets (messages), and you generally don’t know an egg is being sent until it arrives (unless the sender told you to expect the egg).

      Imagine that a trouble-maker comes around and runs next to your partner and starts throwing rotten/cracked eggs at you (initially at your face and knees).
      1. You could decide to walk away from the game (it isn’t fun anymore), in which case your partner can no longer send you eggs.
      2. You could choose to be more particular about the precise location where you accept tossed eggs (only in the “strike zone” of knees to mid-chest”) — any other eggs, you’ll intentionally dodge.
      3. If you do 2 before your partner gets better at throwing eggs, some of your partner’s eggs are going to go splat.
      4. So, you could try to coax your partner into being more careful about tossing eggs, and for a while continue to accept eggs tossed almost anywhere, slowly being more demanding about the target.

      5. Say it’s possible to dye eggs in a unique manner — such that you can tell by watching the egg fly who tossed it. You could insist on only catching such colored eggs. But maybe your partner hasn’t learned how to dye eggs yet.

      6. For more fun, instead of having a pair of people tossing eggs. Imagine it’s two groups of people each w/ people of varying skills — sort of a relay system. Some people are very good at tossing, or dying, or even both. Some are good at catching, or idetifying color, or ducking, or all of these. Some aren’t. And randomly different people will be responsible for catching/throwing eggs.

      That’s email. It’s messy. Eggs go splat or get dropped. And people are disappointed about lost eggs.

  3. Lucas Cooper

    I’ve worked at an ESP for several years and DMARC is still in its infancy as far as adoption goes. I agree that it’s fairly simple, but setting it up incorrectly can cause some terrible results, such as an entire email campaign being missed.

    Additionally, there are plenty of email servers out there that simply ignore DMARC. Nothing from a major public provider, but lots of regional ISP email servers will do it, for example.

    I agree that they’re a little bit behind the cutting edge of prevention of spam and phishing, but I think the title of this slightly sensationalist. Most email servers are at least configured to reject anything from the outside “appearing” to be from itself.

    And all of this doesn’t prevent the all-too-common purchase of a similar domain used in targeted phishing. DMARC is nice, but I think “flunking” security using a feature probably only 5% of the email marketing world even knows about is a bit harsh, regardless of company or political affiliation.

    Don’t get me wrong, DMARC is good, but it often causes people more problems than they bargain for all the sudden. I had one person lose their entire list to bounces (as we automatically remove those) due to turning on DMARC.

    Doesn’t Gmail also “flunk” since they haven’t set p=reject? Technically yahoo and AOL are the only ones currently “passing”.

    1. timeless

      Gmail is in the process of transitioning — And it’s raising awareness. It’s quite large (in fact, I’m going to be bitten when it transitions since I use mail forwarding to a Gmail account and haven’t investigated my options — I’ll probably have to abandon my vanity domains…).

      @Brian is thankfully raising awareness by reporting on this.

      Without awareness, we can’t move forward. Awareness, and a stick. Gmail switching to a more aggressive stance (quartine=spam) will result in more providers adapting (or disappearing from the “Internet”).

      It’ll be interesting to see if the DNC, RNC, or Trump improve their DMARC postures…

  4. Scott Schober

    Brilliant post. Scary how much money is spent on negative ads and criticizing other candidates and how little toward security. Glad I am not in politics. Thanks for the research and bringing this to light Brian.

    Scott Schober, Pres/CEO of BVS
    Author of Hacked Again
    http://www.hackedagain.com

  5. Robert Zager

    DMARC is a valuable tool. But is not a silver bullet to solve the problems of fraudulent emails. Bad guys use deceptive sender identification information to trick users. From section 2.4 of the DMARC spec:

    “DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it does not address the use of visually similar domain names (“cousin domains”) or abuse of the RFC5322.From human-readable .”

    DMARC would not have solved the we11point.com attack on Anthem or similar attacks which do not abuse the real domain name.

    You don’t need the real domain of Hillary Clinton or Donald Trump to trick people. This is because people don’t know what the real domains of things are. More generally, most people can’t decode URLs. The National Republican Congressional Committee set up domains that trick Democrats into opposing Democratic candidates – http://thinkprogress.org/justice/2014/02/03/3242381/republicans-trick-voters-donating-democratic-candidates/

    When you assume that fraud needs to use the real domain, you are using an invalid assumption.

    1. timeless

      It’s true that those (phishing) campaigns wouldn’t have been stopped by DMARC, but the Internet is an evolving system where we try to fix the pieces we can figure out how to fix.

      For the web, there are a couple of tools to try to help you determine if a site is real, one is Web Of Trust [1], another is by Netcraft [2].

      These tools can tell you about age and popularity of a domain, and they can use a color code or something to try to help your brain think about what it’s expecting.

      I think McAfee (which I wouldn’t endorse) may do something similar for email.

      It’s definitely possible to build a plugin for mail clients which maintains a sense of domains from which you’ve received mail and compares new mail against that.

      But right now, since DMARC isn’t yet sufficiently rolled out, it isn’t worth investing a lot in that area.

      [1] https://www.mywot.com/
      [2] http://toolbar.netcraft.com/

  6. Mike

    Well, I have been saying for quite a while (as others have) that email should never be looked at as private or all that secure in the first place. There are so many things so very wrong with email and the whole world seems to trust it like it is the most secure thing on the planet.

    Even with DMARC, it doesn’t take much to create a short lived domain and send out email that runs script that pulls in code from all kinds of other domains. Infact, it seems like Krebs had an article regarding such things. The use of DMARC is a good thing. I just don’t see it as going far enough to deal with many of the bigger issues.

    As far as Trump…..
    Clinton was actually a very serious security issue. Atleast up to this point, Trump does not have that kind of access, clearance, or power. Although I can certainly understand the high level of scrutiny as he might be given all that in short order. But ya know, there isn’t a website out there that you wont find problems with if you look hard enough

    1. timeless

      Actually, at this point, Trump is about to get National Security Briefings [1].

      As for her email server. It didn’t really have classified information (you can read the report, 3 items had internal markings, but they weren’t really secrets, they were things for which the classification had been removed; other things were foolishly retroactively classified, which was pointless).

      And it seems that the State Department’s servers really weren’t much better.

      Remember, the reason that the DNC was notified by the FBI about its hack is that the FBI had found this problem within government servers and was looking around for similar instances.

      [1] http://www.nytimes.com/2016/07/29/us/politics/donald-trump-hillary-clinton-intelligence-briefings.html

      1. somguy

        False, read the FBI head Coney’s statement.

        He said her emails WERE classified.
        He also implied that were it anyone else they would be prosecuted.
        He then said since no one wanted to take the case against her, he wasn’t going to recommend charges be filed.

  7. James D391

    Using the same tool, the domain, krebsonsecurity.com does not appear to be configured correctly. Authentication concerns

  8. JD391

    Interesting. The domain, krebsonsecurity.com reports authentication issues and some anti-phishing and reporting concerns.

  9. Alan Welsh

    Good segway into DMARC. But I think the outrage that is justified against Clinton still stands, and it wasn’t really “her implementing poor ‘lax email security'”. The outrage was, without any real IT security expertise, let alone government oversight, Clinton decided to ignore advice of the State dept, IT dept and decided that she had the expertise to hire a firm to set up a totally separate email server outside any government advice or oversight. The guy that did set it up was amazed that he was “allowed” to set up and administer this server without government oversight.

    If any of you Krebs readers were asked to set up a server, knowing that it was going to be used for US State Dept. official business, I’m fairly sure you’d be working very hard to “get it right”, or work extremely hard vetting the company that was contracted to do so. Even so, I’d still feel a bit uncomfortable, wondering if I’d done enough. But, Clinton wasn’t an expert, and decided to make the decision to contract the work, herself on behalf of the State dept.

    The outrage is that she would be so clueless to believe she was qualified to even decide who could competently set up or administer a server that most certainly would have been intended to handle some US State secrets. Worse, her plan had already been vetoed when she asked to set up a separate server. And that, I believe, is the fairly the outrageous error in judgment, and a predictor of future errors.

    1. Carl Weetabix

      I don’t make the assumption she believed she was “qualified”, I think at best she believed she was simplifying her email management and at worst, and more likely in my mind, trying to draw a firewall to avoid FOIA requests. The topic of FOIA comes up multiple times in the exchanges we do have, indicating she was likely concerned about insulating herself from them.

      Given the toxic environment we live today, I can’t entirely blame her for the sentiment of wanting to avoid access to her email exchanges – even as part of her job, however everything done in a government position should be public domain (generally is in fact). Trying to avoid FOIA is not only technically illegal, but violates the public need to know (ie: so we don’t repeat history, so we understand how/why decisions were made).

      Regardless, as you indicate – it was at a minimum, a sign of extremely bad judgement and I’m not fond of Krebs potentially giving her cover here by making a false comparison.

      1. OO

        The documentary Clinton-Money and searches into Epstien and Clinton sex slaves, will give you a better idea of why she wanted her own server. Now ask why the media isn’t running any of this? Then ask where are the movies?

        Giving any of these people more email security is TTPing your future into the Nafta latrine of happiness.

        Otherwise yea DMARC and linking to spamhaus block lists, gives you a better feeling when your users will click on anything half awake and jacked up on 5hour energy drinks to make it through the day.

    2. Ollie Jones

      It has to be said, in the time Secretary Clinton was doing that job at the State Department, US federal government infosec was atrociously and notoriously lax. Witness the mass dump of State documents to Wikileaks. Witness the cracking of the General Services Administration tracking system for applicants for trusted jobs. Witness the National “Security” Agency making vast numbers of highly sensitive documents available — without audit or restrictions — to midlevel contractor employees in far-flung places like Hawaii.

      The assumption that government infosec is better / safer / more trustworthly than good private infosec just didn’t hold up in that era.

      Is there any evidence that the contents of “clintonemail.com” were ever compromised? I’ve never heard a whiff of that. Brian?

      By the way, using public-facing interfaces like SPF, DKIM, and DMARC to assess the diligence of the operators of private email services is a great idea.

    3. Kevin Evans

      The fact that HC carried a high level security clearance (as I did for 30 years) gets her the same security briefing that we got saying effectively that as a Government employee…you cannot perform work on non-Government computer systems.

      On top of that that…taking data OFF a classified system onto a unclassified system is a DELIBERATE act (by her and/or her employees) and is ILLEGAL. Those classified and unclassified networks do NOT talk to each other for a reason. So, removing data from a classified system is a DELIBERATE thing to do.

      As for James Comey (I retired from the FBI) I feel kinda disgusted although will note that he stated on several occasions that what she did was careless, wrong etc, etc there was no indictment (IMHO there should have been one). One has to wonder what Bill Clinton talked about to Loretta Lynch on her plane for 30 minutes the week before James Comey made his announcement. I sure don’t believe they were talking about their kids, do you?:

      1. Chi-Tsong Chen

        Why are you not aware that the FBI found no evidence that files were ever transferred from a classified system to an unclassified system. What they found was that government employees included classified information on emails they composed and sent which Clinton received and forwarded to other people. Also, it is simply not true that people with a security clearance are forbidden from doing work on a private computer system. It is forbidden to do work that involves classified information on a private computer system or on any nonclassified government computer system. Even today, if an government worker has a reason to use private email it is allowed as long as the email is forwarded to the government account within 48 hours.

        1. Greg D.

          To respond to this and your other comment below, it’s a well-known fact that Clinton’s lawyers deleted thousands of emails during the investigation. The FBI started sending back the deleted emails starting in June, so we know they were deleted. Why they were able to gain hand-on access to evidence in a investigation is beyond any of us. It’s another reason why no “smoking gun” has ever been uncovered in any Clinton-related scandal, they are always good at covering up evidence of any wrong doing.
          A simple Google search “Clinton lawyers deleted emails” should answer your question.

      2. twinmustangranchdressing

        I don’t see how James Comey is biased towards Hillary Clinton and her associates when he was the Deputy Attorney General for George W. Bush and he has donated to the campaigns of John McCain, Mitt Romney, and at least one other Republican.* And I don’t see how the current Attorney General has any sway over him when the Director of the FBI gets a ten-year term in office, and he assumed that office not quite three years ago.

        *You can see this for yourself. Go to
        http://www.opensecrets.org/indivs/
        and enter his name. You don’t have to enter any other info about him. I assume that he’s not the James Comey who was in Iowa, nor the one who was in New Jersey. But the employers shown for the other results are the same mentioned in the Wikipedia article about him.

    4. DClarke

      The State Department was hacked, and so was the White House.

  10. Klaatu

    Ditto what Alan Wlesh said and Mike made good points. To compare DJT website with HRC email and server scandal as an elected official is quite a stretch. For one thing DJT is a nominee and not an elected official – yet. Nice try Krebs. I actually am laughing at this comparison.

    1. SeymourB

      Nice try at starting a flamewar over technical statements of fact.

      1. Dretybee

        I have to agree with Kraatu. There was a clear political statement being made in this article. Krebs needs to stick to computers, and not make sly political remarks. Leave the politics to Fox and CNN. We don’t need an IT guy running around acting like he’s an WaPo reporter. This article was immature and not worth reading.

        1. Observer of Facts

          Bottom line is, Krebs is a journalist. He has an opinion for sure, but stating facts is a journalist’s job. Krebs did that. My personal beliefs are that Trump is a danger to America if he is elected in November, which many people agree with. Krebs did not make that kind of statement, only the facts that the DNC, RNC, and Trump’s own email settings do not follow best practices. There was no partisan politics in his article what so ever. It scares me to think that accusation is accepted as fact and that facts are “picking on Trump.” That’s the reason the “media is unfair to Trump,” because they report facts that he does not like. Then his sheep obediently accept that the media, judges, protesters, and scholars are “out to get him.” His supporters let him lie without consequence while maintaining full trust. Clinton spends 14 hours in front of a committee that concludes no wrongdoing, and she is derided as “a liar.” The Clinton email scandal was concerning, but the more concerning thing is that it was not an uncommon practice. She just happened to make headlines because she was a strong candidate for president. Most people that serve as elected officials are older and have little technical skill or awareness. That should be made clear by the encryption debates where they can not tell that weakening encryption would weaken all security.

  11. Robert.Walter

    Let us also not forget that The Trump Irganization’s POS terminals were hacked TWICE!

  12. Chris Nielsen

    We have the tools. What we don’t have is the motivation, the intelligence, and the leadership.

    The motivation to be more secure is dampened by user acceptance, vendor work-arounds, and a sense of hopelessness.

    The intelligence can be seen at times as with DMARC and in things like my previous postings here about our option to block large sections of the Internet which we have no need or interest in, thus protecting us via isolation.

    The leadership, whether by government or tech companies and professionals, is hard to see due to a lack of financial reward when protecting the “flock”.

    Most of the Internet can’t see my web site or send me spam. The spam that I do get mostly comes from Gmail, Hotmail, etc. Don’t think I would not block them if I could. If Gmail can drive most of the spammers to *.ru, 163, or yesmail I would be very, very happy!

  13. jeffrey

    I’m a sysadmin and I’ve never heard of DMARC before today.

    1. timeless

      This is the most valuable part of @Brian’s reporting. He collects important information and shares it with a wide audience of people for whom it is valuable.

      I’m glad you read the article. And I hope you’ll take the time to read more and hopefully deploy it 🙂

  14. Carl Weetabix

    I love you Brian, but DMARC is a PIA protocol to implement and has exactly jack diddly of equivalence to shipping classified State Department documents to a private server.

    Maybe this is just a bad analogy on your part. However if it’s an attempt to support a particular candidate, it’s a pretty weak and clumsy one. The only way it could appear to have relevance is to people who don’t actually understand the technology involved.

    BTW – I say this as someone who plans to cast his vote for Hillary. Still, as a security professional if anything you ought to be decrying Hillary’s personal server missteps, not trying to hide it under an irrelevant comparison. You’ve got to know as well as anyone what an egregious mistake it was for her to use that server (or servers). Infinitely more egregious than not implementing DMARC.

    Vote for or even outright support your candidate, but don’t effectively make stuff up to do it.

    1. Kevin Evans

      Carl,

      I have to believe that HC knew EXACTLY what she was doing when setting up her own server. She got the same security briefings every year that we used get at the FBI about NOT doing Government business on non-Government computers.

      Talking any data off a classified system to “go anywhere else” is illegal. David Petraeus got indicted for far less of an issue than this.

      1. Bart

        Petraeus lied to the FBI which is punishable by up to 5 years in the slammer. For his felony, he received a firm slap on the wrist.

        1. Chi-Tsong Chen

          Petreus was nailed for giving his private journals, containing the codeword names of covert operations, the names of covert agents and other classified information to his biographer. He told her while transferring the information that it was top secret so she had to keep this transfer secret. When investigated he flat out lied to the FBI. He was charged with a misdemeanor, much to Obama’s displeasure, and was immediately brought back to the Whitehouse as a senior advisor the moment his probation ended. How is this in any way shape or form less serious then what Clinton did. And no, there were no classified documents transferred from a secure system to Clintons email server.

  15. Gaurav Reddy

    Disclosure: We are DMARC vendors

    We have helped many organizations in the middle east to make their emails safer by implementing DMARC, which is not a silver bullet but is the best option available to mitigate or lower the threat of spear phishing, spoofing.

    Combined with regular user awareness trainings, organizations can take a big leap to protecting / monitoring their emails at Internet scale

    1. IA Eng

      Again, it boils down to an end user, or a technology that is not configured properly. I have seen to many products that when bought are not configured, or the defaults allow the passage of the issue, and you are no better off.

      As the hackers like to say, “it only takes one”, and they know how to play the game and choose their victim(s). Specific, targeted attacks can be played.

      People surf personal email via a web server all day long, and thats an attack avenue that will be wide open. Security awareness for most organization is a hot room, filled with BLAH BLAH BLAH and a signup sheet.

      People tend to take risks with IT equipment that is not their own. Or, worse – they treat it as if it is their own and surf badly. Companies are afraid to whitelist sites which is a shame. Going to work, it to work, not time to spend most of their day doing social interactions or watching videos or last night’s episodes they missed.

      I agree, there is no silver bullet. Unless people are properly trained and held accountable for their actions upon hiring, praised for doing a good job, tested with technology to see if they recognize a spoofed email or other rancid attack, then all of this is headed down boredom blvd.

      1. Kevin Evans

        How can be people be held accountable after seeing the Hillary Clinton email “inaction” by law enforcement?

  16. IA Eng

    There is a HUGE difference between the CONTENT of Clinton’s email server that is an EPIC fail no matter the amount of security imposed upon it. It carried classified material that was on a public server. Go ask ANYONE that has been involved in a spillage incident and they can tell you its not about just HER server – its the trail of information as it passes from server to server to reach its final destination.

    Its beyond belief that this huge issue is being swept under the rug. Then we have to say, if this is allowed, how much additional room is there going to be to sweep additional items under the rug? Do as the “Covertment ” does and sweep it under or buy a larger rug.

    They knew this was coming. Its a failure on both sides not to shore up defenses for those that wish to attack either side whether that is for poking fun, tarnishing a reputation, political reasons or whatever. A meeting a year out with planners, consultants and a CND Team could have saves them millions in votes and dollars. If anything, should plans have changed, they at least would have a better stature against what would be thrown at them.

    I got to give two thumbs up to Trump. He is a huge Target, not only to the vile competition, but to the enemies he makes as he says, corruption is going to knocked out of the government. There needs to be a serious re-leveling of the way business is being done. For the last eight years, its been a parody of circus antics cover-ups and executive actions that is beyond belief.

    Sure, money can be thrown at a person and they are told to fix an issue with a technology. The person who hires the consultant needs to be at least some what aware of the tactics and strategies in place. Then they can at least understand what the pros and cons are to that and assess the risk involved. The problem with all of this is, there is a HUGE gap in the IT field and unless you want to spend a ton of money to get a seasoned professional, many will opt for lower cost potentially not having the same experience level, lessons learned and tools necessary to get the job done.

    Personal communication is everything, a phone call to the person who sent the email is the best follow up.

    Its like anything else, you can find a good way to thwart or fix things, but in a short period of time the crooks find a way to navigate around it.

    If the crooks have a limited attack vector in email, all they have to do is stand up a poisoned SEO web server and have a smattering of very specific keywords upon it, and eventually – it very well may snag a representative of any organization that surfs to a search engine and types in a keyword when they are talking on the phone. Then they are victim of an attack that produces a password to the hackers with little or no effort. Take away one avenue of attack, and there are many others that the crook can perfect.

    Sure, its a technology thats out there. It may thwart some attacks, but its a matter of time before something knocks it out of the way.

    1. DavidD

      I was reading this post until I came to, “I got to give two thumbs up to Trump. He is a huge Target, not only to the vile competition, but to the enemies he makes as he says, corruption is going to knocked out of the government.” , when I realized it was a political screed masked as comments on a technical topic.

  17. Moike

    Hmmm …. STATE.GOV is not DMARC protected either.

  18. Leo

    What a shame, Brian.

    OK, lowering a trust score of your blog in my feed by a huge number.

    1. Moike

      ?? There was nothing in this post except facts. Were any of the statements wrong?

      1. Andrew Bonar

        Yes there were statements which were inaccurate and many more than implied something which was not true.

        The second sentence implies Hillary Clinton had in fact taken full advantage of DMARC, she has not.

        Paragraph three was completely inaccurate, both in the timeline intimated and in what it was that Gmail had announced.

        To go deeper and further delves into the realms of geekiness and would consume too much time, but other comments I have made below expand on some of them.

        The article is a non story, I am not American nor do I live in the US, and I care little for the politics, I simply found it disappointing that the standards of journalism I had come to expect from Brian had fallen so dramatically. Yes, I found my trust factor has dropped as a result, and believe this kind of poorly researched content will certainly reflect badly on and impact the credibility of brand Krebs.

    2. Mike

      It was a mistake to publish political content on your blog Krebs – trust score lowered.

      1. BrianKrebs Post author

        My trust score went down? Ohnoes!

        If you think this story is about politics, you didn’t read it and/or completely missed the point.

        1. GWAIN

          The only issue I have with the article is the lead in sentence to set up the real topic.

          Mishandling of classified information through unsecure systems is worlds apart from someone not using email verification techniques. It does give it a political skew from the start.

          However, it’s your blog and your editorial decision.

  19. Brian

    Nice political spin. Thank you for joining the media that has lost their way. (Sarcasm)
    Yes there is some wonderful information in this post. I just think you should try to keep opinion from tainting the tech. Please don’t follow the lead of CNN and FOX where facts are buried in opinion.
    Please do keep the great technical information flowing. It is greatly appreciated.

  20. vb

    Great information about DMARC. But the article ran off the rails with this comment “Draegen admitted he “can’t stomach” Trump …”

    That’s politics which has no place in a technical discussion. Whether you agree with Draegen’s opinion of Trump or not, it has nothing to do with DMARC.

    1. xxhaimbondxx

      You didn’t read past that sentence, did you? Ran straight to the comments. He quoted an expert who had opinion about both candidates. That’s what journalism should be about.

      1. vb

        I fail to see how a cyber security expert’s political opinions are newsworthy and thus in need of journalistic reporting. I do see the value of his cyber security opinions. If his cyber security opinions have been clouded by his political opinions, that would be worth a mention. That does not seem to be the case.

    2. SusanB

      But it is a disclosure of possible bias in the person whose opinion is being reported, so it seems like that is a good thing to include in the article. It lets you know that you may want to take the source’s opinions with a grain of salt. Sounds like good journalism to me.

      1. SusanB

        xxhaimbondxx beat me to it. That’s what I get for reading in an RSS reader and not checking on the site first.

    3. Dumbfounded

      Krebs is a cyber security JOURNALIST. That means, first and foremost, he reports news about cyber security. That’s exactly what he did. It is newsworthy and related to cyber security. He reports about who did this or that and what company patched security flaws all the time. There is certainly some technical content, but it is always about reporting the news.

  21. Frank Word

    Thanks for the config info. Good info for folks that setup an unauthorized or authorized email server.

  22. Eaglewerks

    Brian:
    Interesting story, thanks for the info and for the new knowledge of DMARC. It’s been more than 20 years since I ran an email server etc. connected to the then recently decommissioned blast proof NAVCOMMSTA Stockton backbone with links to MAE-West (both north and south). It had great bandwidth, LOL. Technology evolves over time. We are all aware that over the past several years various servers and programs associated with the Federal Government have been intruded upon by “Foreign Powers.” We all also know, or should know, that previous to the Obama Administration many upper echelon government department heads and employees failed to use a government maintained communication system. Many emails for previous administrations were simply deleted. Colin Powell’s email communications are an example. Most of what has been traditionally saved for the future has been ‘some’ of the “paper” records, sometimes in the paper format and often in the form of microfiche.

    My current personal concern is with recent notifications from password protected sites I visit on very rare occasion that note they have recently blocked access to my account from a failed login attempt originating in China. Twitter and Yahoo are two such sites that gave me such notifications. All within the past week.

    Again, interesting and informative story.

  23. JJ

    The DMARC elephant in the room is that it relies on SPF and/or DKIM to do its thing. As more companies outsource email to Office 365, Google Apps and the like, the more worthless DMARC becomes for “email authentication”.

    As Hillary’s SPF record shows, she’s letting all of Google Apps and mass-email spamming companies spoof her address. Why” Because when you add an “include:” statement you authorize every customer of those companies to send authenticated email on your behalf. With Office 365 that includes home users and college students.

    And when you “include:” a domain that has an SPF soft-fail, you just authorized every IP address in the world to your domain. Duh.

    Even worse, Google will DKIM sign your emails with their key if you don’t add your own.

    Never, never, never let someone else use your domain. Give them a different one than you use yourself or a subdomain. @americangreetings.com is used by their website and not their employees. That’s how you do it correctly.

    The only real value with DMARC is that it gives the domain owner feedback and a heads-up when someone is spoofing their domain.

    1. RupertNumberfarmer

      JJ,

      Thanks for this.

      I work for an MSP with numerous clients, a majority of which use Office 365 or Google Apps, and use the same domain. The broad “include:” statements in the SPF records always bothered me.

      I believe what you propose re: domain separation is good advice, in general, for users of cloud platforms like 365 and GApps.

      I will add an addendum in my migration workflow, to suggest to clients that they provision a separate or subdomain, for such purposes.

      Cheers.

  24. Eric Leuthardt

    I was an early adopter of DMARC through Google Apps and can attest to the fact that you MUST know where you are sending from, but also realize that a lot of marketing services and similar do not understand DMARC so as an administrator we have to jump through extra hoops to make everything sing. It is possible and highly effective..

  25. John Thomas

    Brian, this is a low blow. DMARC has NOT been widely adopted yet even via much of the worlds critical infrastructure, heck they have barely gotten SPF installed yet you are claiming Trump has poor security simply due to DMARC missing, this is political bashing plain and simple, I hope your readers can see the bias.

      1. Todd

        Funny, I was going to mention the internet- connected printer. I think that is far more relevent as far as an infraction goes compared to having DMARC on at this point in time. Nevermind sending classified documents through a public server/domain…

      2. Andrew Bonar

        Not a Trump supporter here, but no advocate of Hillary either, I found myself wondering about motive and bias reading the article. In reference to your question.

        The difference being there was something of a story in respect of the printer, and this is a non-story.

        In fact neither candidate has taken *full* advantage of DMARC and looking at the SPF record you shared for Hillary it seems to me the implementation is likely to be flawed with legitimate mail being quarantined.

      3. John Thomas

        Besides the point Brian, you would be well versed to research the global usage of a security technology before claiming that somebody who does not use it is behind the times. I estimate less than 5% DMARC usage globally, but please, be my guest and publish some real investigative statistics next time. Maybe you could have somebody scan the Alexa top 1000 for DMARC, noting those are leading companies so whatever result you come up with will be much much higher than the general populous. It will still be minimal.

  26. Ale

    Brian,

    DMARC is not ready for prime time, which is why Google is not yet honoring hard policies. The timeline shown in dmarcian’s video starts in 2003. Everytime something is wrong. When Tim Draegen came to the IETF to present DMARC (IETF 85, Atlanta) he upset many an email theorist. After years of careful compatible changes, it sounded like abating spam with sledgehammer. In particular, DMARC breaks indirect mail flows like discussion lists. However, huge mailbox providers considered that, given the amount of spam, email is broken anyway; so, the worst the better.

    Curiously, p=none suits rather a careful, attentive stance than Trump’s boldness. Most probably, neither candidate arrived to the point to permeate their email infrastructure with their personality and political thinking. Don’t know about their campaigns.

  27. mark

    Such a old method nobody even uses it anymore.

  28. Reba

    I am just aghast at how careless Hillary was with cyber-security as the Secretary of State … how much attention will be devote to being the POTUS? I’m nervous honestly…

Comments are closed.