DHS issues new email and web security standards
- By Derek B. Johnson
Agencies will soon be required to follow new email and web security guidelines to help prevent man-in-the-middle attacks.
Under a binding operational directive from the Department of Homeland Security, federal agencies have 90 days to deploy two email security measures: STARTTLS and Domain-based Message Authentication, Reporting and Conformance (DMARC). STARTTLS lets mail servers encrypt email while it is in transit, which protects against passive eavesdropping on the wire; because the encryption is negotiated opportunistically, an active attacker who can tamper with the connection may still strip the STARTTLS offer, so it does not by itself stop man-in-the-middle attacks. DMARC is an email authentication policy that tells receiving mail servers what to do with messages that fail SPF or DKIM checks, which prevents spoofing of agency domains, and its reporting mechanism tells the domain owner where forged mail appears to be coming from.
The directive also requires agencies to serve all publicly accessible federal websites over HTTPS only, with HTTP Strict Transport Security (HSTS) enabled, within 120 days, which could eliminate a large swath of the security flaws that affect most federal government websites.
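The three controls above (a mail server that offers STARTTLS, a published DMARC policy, and HTTPS with HSTS) can each be verified from a single protocol exchange. The following is an added example, not DHS tooling or code from the directive: it runs the checks offline against constructed inputs (a pair of SMTP EHLO replies, two DMARC TXT records, and a few HTTP response header sets), returning a list of findings for each. The one-year HSTS floor is an assumption taken from common deployment guidance, not a figure stated in the directive.

```python
"""Offline checks for the three controls in the directive: STARTTLS on mail
servers, a published DMARC policy, and HTTPS with HSTS on web servers.
Added example; every input below is constructed, not real agency data."""
import re

ONE_YEAR = 31536000  # assumed HSTS max-age floor (seconds); not from the directive

# Constructed SMTP EHLO replies: the first advertises STARTTLS, the second does not.
EHLO_GOOD = "250-mail.example.gov\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_BAD = "250-mail.example.gov\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"

# Constructed DMARC TXT records for _dmarc.example.gov.
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"

# Constructed HTTP response header sets.
HTTPS_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
HTTPS_WEAK = {"Strict-Transport-Security": "max-age=300"}
HTTP_REDIRECT = {"Location": "https://www.example.gov/"}


def offers_starttls(ehlo_reply: str) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension (RFC 3207)."""
    for line in ehlo_reply.splitlines():
        # Each line is "250-KEYWORD" or, for the last line, "250 KEYWORD".
        m = re.match(r"250[ -](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs; raise on a malformed record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record has no valid p= policy")
    return tags


def dmarc_findings(txt: str) -> list:
    """Gaps in a DMARC record: monitoring-only policy, no aggregate reporting address."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports on forgeries are received")
    return findings


def parse_hsts(headers: dict):
    """Return (max_age, include_subdomains) from Strict-Transport-Security, or None."""
    value = None
    for name, header_value in headers.items():
        if name.lower() == "strict-transport-security":
            value = header_value
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip('"'))
        elif d.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None  # max-age is mandatory (RFC 6797); without it the header is invalid
    return max_age, include_sub


def web_findings(scheme: str, status: int, headers: dict) -> list:
    """Gaps against the HTTPS-only-with-HSTS requirement for one HTTP response."""
    findings = []
    if scheme == "http":
        location = headers.get("Location", "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("plain-HTTP request is not redirected to HTTPS")
        return findings  # browsers ignore HSTS sent over plain HTTP, so stop here
    hsts = parse_hsts(headers)
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header on the HTTPS response")
    else:
        max_age, include_sub = hsts
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if not include_sub:
            findings.append("HSTS policy does not cover subdomains (no includeSubDomains)")
    return findings


if __name__ == "__main__":
    print("STARTTLS offered:", offers_starttls(EHLO_GOOD), offers_starttls(EHLO_BAD))
    print("DMARC (monitor only):", dmarc_findings(DMARC_MONITOR_ONLY))
    print("HTTPS (weak HSTS):", web_findings("https", 200, HTTPS_WEAK))
```

In practice the EHLO reply comes from an SMTP session on port 25, the DMARC record from a DNS TXT query for `_dmarc.<domain>`, and the headers from one HTTP and one HTTPS request to the site; the parsing and policy logic is the same.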
"According to DHS's Cyber Hygiene scanning data, seven of the ten most common vulnerabilities seen across federal agency networks at the issuance of this directive would be addressed through complying with the required actions in this directive related to web security," wrote Acting DHS Secretary Elaine Duke in a memo to Office of Management and Budget Director Mick Mulvaney.
The directive landed the same day as a dangerous flaw in WPA2, the protocol used to secure Wi-Fi networks, was publicized. The United States Computer Emergency Readiness Team at DHS shared news of the discovery of a security bug that may leave nearly every Wi-Fi-enabled device open to man-in-the-middle attacks by malicious hackers.
The vulnerability lets an attacker read and steal information that WPA2 was supposed to keep encrypted on the wireless link, such as credit card numbers, passwords, cookies, chat messages, emails, photos and other data, according to a website set up by the researchers who discovered the flaw, Mathy Vanhoef and Frank Piessens of the Belgium-based university KU Leuven.
The attack "works against all modern protected Wi-Fi networks," wrote the researchers, who dubbed their flaw KRACK, for Key Reinstallation Attacks.
To exploit the vulnerability, an attacker must be within radio range of both the access point and the victim, so that it can intercept and replay messages of the WPA2 four-way handshake and trick the victim's device into reinstalling a key it is already using. Reinstalling the key resets the packet number (the nonce) and the replay counter, so frames sent afterwards are encrypted under a key-and-nonce pair that has already been used, which is exactly what the cipher's security depends on never happening.
"With a little cleverness, this can lead to full decryption of traffic streams," Matthew Green, cryptographer and professor at Johns Hopkins University, wrote on his cryptography blog.
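Why a reinstalled key leads to decryption can be shown with a few lines of code. WPA2's CCMP encrypts each frame by XORing it with a keystream derived from the pairwise key and the packet number (AES in counter mode), so two frames encrypted under the same key and nonce share a keystream, and an attacker who can guess the contents of one frame recovers the other. The following is an added simulation, not the researchers' code or any Wi-Fi implementation: the AES-CTR keystream is stood in for by HMAC-SHA256 (an assumption that keeps the example to the standard library; the XOR algebra is identical), the handshake is reduced to the message-3 handler, the over-the-air man-in-the-middle position is assumed, and the frames are constructed. A patched client that ignores a retransmitted message 3 carrying the key it already has is included for comparison.

```python
"""Simulation of the nonce reuse caused by a key reinstallation. Added example;
the keystream is an HMAC stand-in for AES-CTR and all frames are constructed."""
import hashlib
import hmc if False else None  # placeholder removed below
```
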
Because the vulnerability is in the protocol itself rather than in any one product, it affects most if not all personal and enterprise wireless networks. Some clients are hit harder than others: Android 6.0 and later and Linux systems using the affected versions of wpa_supplicant can be tricked into installing an all-zero encryption key, which makes decrypting their traffic trivial.
In a statement, the Wi-Fi Alliance, a nonprofit industry organization that certifies Wi-Fi products and promotes best practices around the technology, said there is no evidence yet that the vulnerability has been exploited maliciously, and that the problem can be largely fixed through straightforward software updates from platform providers.