DHS mandates new security standards for federal networks

The Department of Homeland Security is requiring agencies to use new email and web security protocols.

 

The Department of Homeland Security is requiring agencies to use new email and web security guidelines that address man-in-the-middle attacks.

A binding operational directive from DHS gives federal agencies 90 days to implement a pair of tools, Domain-based Message Authentication, Reporting and Conformance (DMARC) and STARTTLS. DMARC is an email authentication tool designed to prevent email spoofing and provide data on where a forgery may have originated. STARTTLS helps protect against passive man-in-the-middle attacks by allowing email to be encrypted while it is in transit.

The directive also requires agencies to switch all publicly accessible federal websites to HTTPS and HSTS-secure connections within 120 days. Doing so could eliminate a large swath of security flaws that affect most federal government websites.

"According to DHS's Cyber Hygiene scanning data, seven of the ten most common vulnerabilities seen across federal agency networks at the issuance of this directive would be addressed through complying with the required actions in this directive related to web security," wrote Acting DHS Secretary Elaine Duke in a memo to Office of Management and Budget Director Mick Mulvaney.

The directive landed the same day that a dangerous flaw in the WPA2 protocol used to secure Wi-Fi routers was publicized. The United States Computer Emergency Readiness Team at DHS shared news of the discovery of a security bug that may leave nearly every Wi-Fi-enabled device open to man-in-the-middle attacks by malicious hackers.

The vulnerability allows hackers to potentially read and steal previously encrypted information sent over wireless networks, such as credit card numbers, passwords, cookies, chat messages, emails, photos and other data, according to a website set up by the researchers who discovered the flaw, Mathy Vanhoef and Frank Piessens of the Belgium-based university KU Leuven.

The attack "works against all modern protected Wi-Fi networks," wrote the researchers, who dubbed their flaw KRACK, or Key Reinstallation Attacks.

To take advantage of the vulnerability, an attacker must be in close physical proximity to the network's access point and the victim in order to disrupt the timing and transmission of authentication data and trick users into reinstalling already-used keys.

"With a little cleverness, this can lead to full decryption of traffic streams," Matthew Green, cryptographer and professor at Johns Hopkins University, wrote on his cryptography blog.

Because the vulnerability exists at the protocol level, it affects most if not all personal and enterprise wireless networks. Certain operating systems, such as Android 6.0 and Linux, are particularly vulnerable.

In a statement, the Wi-Fi Alliance, a nonprofit industry organization dedicated to promoting best standards and practices around the technology, said there is no indication yet that the attacks have been used by other parties, and the problem can be largely fixed through straightforward software updates by platform providers.