Political Parties in DMARC Fail Ahead of Elections


Security experts have warned of potential attempts to interfere in upcoming national elections in the UK, Norway and Germany after revealing gaps in political parties’ email authentication policies.

Agari claimed that of the parties that have published an email authentication policy, none appear to have properly configured it to ensure malicious emails don’t reach their targets.

The open standard DMARC (Domain-based Message Authentication, Reporting and Conformance) represents industry best practice for email authentication, allowing recipients to check whether messages comes from a verified source.

However, for it to work effectively, said political parties need to publish a DMARC “reject” policy, which none of them had done at the time of the research, Agari claimed. This will send unauthenticated messages to the spam folder or block them outright.

The UK’s Liberal Democrat and Green Party did best, with a DMARC “none” policy record in place. However, even this is not sufficient protection and needs to be upped to “quarantine” or “reject” to block spoofing attempts, the vendor argued.

Agari chief scientist, Markus Jakobsson, claimed the current state of affairs is a “disaster waiting to happen”, given the well-publicized attempts by Russia-linked hackers to destabilize the US and French presidential elections by hacking and leaking sensitive emails from political parties.

“Most organizations, including political parties, use antiquated inbound email filters, with no protection against identity deception. If an organization simply uses a spam filter, all they avoid is getting unwanted Viagra advertisements; they have no protection against phishing emails,” he explained.

“Similarly, and sadly, even those that do have phishing filters only have partial protection, since traditional phishing filters rely on the blacklist paradigm, which is not applicable to spear phishing attacks. It is vital for political organizations to recognize the risks they are taking by not addressing this problem.”

Source