Blog Post

Research: Democratic Candidates Fail Domain Security

Earlier this year CNN published an article highlighting that “only four of the then-14 Democratic candidates’ websites were using any form of a security protocol that helps ensure emails sent from campaign addresses are genuinely from the campaign.”

In other words, basic steps have not been taken to defend against spear phishing attacks like the ones that quashed Hillary Clinton’s 2016 campaign.

However, the article focused solely on a protocol named Domain-based Message Authentication, Reporting and Conformance (DMARC). In simple terms, DMARC helps ensure that emails come from the domain they purport to come from. With DMARC enabled, it becomes a little more difficult for an attacker to send an email with a source address spoofed from your boss; a common technique for tricking people into fulfilling an attacker’s needs.

There’s a significant issue here, though. If you reexamine the expanded form of the DMARC acronym, you’ll see the “Authentication, Reporting, and Conformance” is “Domain-based.” Being domain-based means we should also be thinking about the protocol “Domain Naming System,” or DNS, in addition to email. As was so eloquently stated in research published by the University of Michigan, Google, and University of Illinois:

Mail security, like that of many other protocols, is intrinsically tangled with the security of DNS resolution. Rather than target the SMTP protocol, an active network attacker can spoof the DNS records of a destination mail server to redirect SMTP connections to a server under the attacker’s control.

Worded differently, it could be said that the CNN article focused on securing the treehouse, but an attacker can still uproot the entire tree.

Why does this matter?

When an email is sent to [email protected], for example, the sending computer first needs to figure out where betoorourke.com is, then find the associated email server before finally going through the process of sending the actual bits and bytes of the email. But, as noted by the academic researchers above, attackers can redirect the entire domain – including its web servers, email servers, file servers, etc. – to servers controlled by the attacker.

Cutting to the punchline, this allows the attacker to harvest usernames, passwords, and authentication tokens through a large variety of mechanisms. This is ultimately accomplished through an attack known as cache poisoning (or DNS hijacking).

Most people haven’t heard of DNS cache poisoning attacks, likely because detecting them is far more difficult than detecting something that encrypts and / or deletes all your files, like ransomware. The question is: are these attacks theoretical, or real? Most people would probably agree with the assertion of “real,” based on the fact that DHS issued Emergency Directive 19-01 after DNS hijack attacks from Iran affected six agencies earlier this year.

Unfortunately, that was not an isolated incident. There has been a strong emergence in DNS attacks in very recent years, as a simple news search for “DNS hijacking” will show. From rerouting and intercepting Gmail, Yahoo, and Outlook email, to attacking Amazon to steal crypto currencies, to infecting home routers, to classified monitoring operations by telecommunications companies using code names like QUANTUM and FOXACID, the technique is effective and broadly applicable – especially to high-value targets like presidential campaigns.

In fact, 2019 has seen a significant uptick in DNS attacks, as evidenced by an unprecedented report, after report, after report, after report on the subject. However, when the Internet Corporation for Assigned Names and Numbers (ICANN – the international organization responsible for supervising DNS) issues a statement that opens with the sentence, “ICANN believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure,” then it’s time to pay attention to this threat.

As you can see, to hijack a domain gives adversaries the ability to attack campaigns and their supporters in a variety of ways.

What’s a campaign to do?

There is some good news, though: a very powerful and free solution already exists to help mitigate many forms of DNS attack: DNSSEC (short for DNS Security Extensions). As stated in research published in the Journal on Information Security:

We review domain name system security extensions (DNSSEC), the defence [sic] against DNS cache poisoning, and argue that not only it is the most suitable mechanism for preventing cache poisoning but it is also the only proposed defence that enables a posteriori forensic analysis of attacks.

In fact, DNSSEC is the foundation of ICANN’s statement on mitigating the risk posed by the increased attacks against DNS:

Public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally ‘signing’ data to assure its validity.

But when we attempt to identify how many candidates from the Democratic party are securing their operations with DNSSEC, the answer is worse than the metrics published in the CNN article about DMARC:

When we first checked in April, only one out of the candidates had configured DNSSEC for their campaigns. (Elizabeth Warren: I salute your commitment to cybersecurity, Senator).

In fact, passive observation of sites belonging to a variety of the campaigns reveals many of them are exposing a number of services, at least some of which appear to have known vulnerabilities.

https://lh6.googleusercontent.com/Pz_iex_AGhc2n4xKeLgM7t24pBzbONyim3H9rHDKflvC90MUnLkhtDx2mhDef25YjqKDwMv3wckro-qKAxnIqksoFtKmkLaYgHmqVcC78YVjWzZ1dwzMalIfMx4SKFiR6ixB3I9J

At the time of this writing, Shodan (a search engine for Internet-connected devices) shows some candidate’s websites/domains are running on servers with quite a few potential known vulnerabilities.

An email was sent to the contact information published for each campaign. It should be noted that we did not find any “[email protected]” or “[email protected]” mailboxes listed for any campaign. Most security-conscious organizations have these mailboxes for people to report security issues so that they can get prompt attention. It is also worth mentioning that none of the campaigns responded to the first mailing.

The domains for the campaigns were checked again after the initial email notification – after which campaigns were again notified of the vulnerability. At the time, only candidate Tulsi Gabbard, had responded by enabling DNSSEC for their domain. (We also salute your commitment to responding swiftly to cyber issues Congresswoman!).

After a third notification in late September, the Beto O’Rourke campaign finally responded by enabling DNSSEC for their domain.

Note: The Tom Steyer campaign kicked off recently, so they’ve only been notified once.

(It’s interesting to note that most campaigns are using Cloudflare’s DNS nameservers, and Cloudflare makes it simple to setup DNSSEC within just a few minutes!)

Right now – 9 of the major Democratic candidates that were on the debate stage the other night, and the current President, are failing to enact basic security on their domains and websites to protect their supporters:

While one can hope cybersecurity history won’t repeat itself this election cycle, we’re not exactly off to a good start. It’s time for the campaigns to consider themselves like any other business that is targeted and attacked all the time. Do they have a security program in place to prevent, detect and respond to these threats? If not, each candidate is essentially a sitting duck.

Campaigns can also find additional helpful information in ICANN’s DNS Security checklist.

Given what we know about the goings on in 2016, we would have only ourselves to blame if we don’t even have the basics right. Every campaign should at this point act like an enterprise that is the target of a nation-state–ensure they have a security team and strategy to protect their assets and people.

Gary Golomb
Gary Golomb

Co-Founder & Chief Scientist