DMARC Not Implemented on Most White House Email Domains: Analysis

Over 95% of the email domains managed by the Executive Office of the President (EOP) haven’t implemented the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol, the Global Cyber Alliance (GCA) has discovered.

After analyzing 26 such domains, GCA discovered that 18 haven’t even started the deployment of DMARC, while 7 of them have implemented the protocol at the lowest level (“none”), which only monitors emails.

Because of that, none of these domains can prevent delivery of spoofed emails, GCA points out. Implementing DMARC ensures that the fake emails spammers and phishers send (a technique known as direct domain spoofing) don’t end up in users’ inboxes.
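The sketch below is an added example, not code from GCA or SecurityWeek. It shows how the TXT record published at `_dmarc.<domain>` maps to the deployment levels described above. The `*.example` domains and their records are constructed, the level labels are this example's own, and it ignores the `sp` tag and the organizational-domain fallback.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    # RFC 7489: the first tag must be exactly v=DMARC1.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT records at _dmarc.<domain> to a deployment level."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(found) != 1:
        # No record, or several: receivers apply no DMARC processing.
        return "not deployed"
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: a bad p tag is treated as p=none if rua is present.
        return "monitor-only" if tags.get("rua") else "not deployed"
    if policy == "none":
        return "monitor-only"  # reports are sent, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    # Assumption of this example: an unparsable pct counts as the default 100.
    pct = int(pct) if pct.isdigit() else 100
    return "enforced" if pct >= 100 else "partial"

# Constructed sample data: domain -> TXT records returned for _dmarc.<domain>
SAMPLES = {
    "alpha.example": [],
    "bravo.example": ["v=spf1 -all"],
    "charlie.example": ["v=DMARC1; p=none; rua=mailto:dmarc@charlie.example"],
    "delta.example": ["v=DMARC1; p=quarantine; pct=25"],
    "echo.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@echo.example"],
    "foxtrot.example": ["v=DMARC1; rua=mailto:dmarc@foxtrot.example"],
}

def summarize(samples):
    """Count how many domains fall into each deployment level."""
    return Counter(classify(records) for records in samples.values())

if __name__ == "__main__":
    print(dict(summarize(SAMPLES)))
```

Only the "enforced" level tells receivers to quarantine or reject every message that fails DMARC; "partial" applies the policy to a fraction of failing mail.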

Some of the email domains under the control of the EOP include Budget.gov, OMB.gov, WhiteHouse.gov, USTR.gov, OSTP.gov and EOP.gov, all well-known email domains. Only the Max.gov domain has fully implemented the defence against email phishing and spoofing, the GCA report shows.

Without DMARC, these domains can be easily “hijacked” by phishers looking to trick government employees, government contractors, and U.S. citizens. This could lead to money theft and exfiltration of secrets, and could even put national security at risk.

This widespread lack of DMARC implementation is surprising, given that half a year ago the U.S. Department of Homeland Security (DHS) issued a binding operational directive ordering all federal agencies to start using HTTPS, DMARC and STARTTLS.

As of October 2017, only a small percentage of federal agencies had fully implemented the system, but a January report revealed that half of the U.S. government domains had implemented the protocol, yet most had only implemented the lowest level.

Recently, 4 email domains managed by the EOP have deployed DMARC, with WhiteHouse.gov and EOP.gov, two of the most significant government domains, implementing it at its lowest setting.

“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet. The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward,” said Philip Reitinger, president and CEO of the Global Cyber Alliance.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
