
Who Needs Heartbleed When Many Dot-Govs Don't Even Encrypt Communications?


More than a quarter of federal websites are not properly configured with SSL, the encryption layer that prevents intruders from intercepting data entered by citizens, according to a new study. 

Federal sites in general scored 10 percent lower than online banking services and social media networks at site security and server configuration, researchers at the Online Trust Alliance discovered.  

The study, released Wednesday, looked at 50 cabinet-level and other high-traffic, consumer-oriented federal websites, as well as purported federal sites set up by fraudsters. Phishing emails luring citizens to the bogus sites also were examined.

Industrywide, the average score for so-called SSL configuration was 83.4 on a 100-point scale, whereas the government average was 70.5. The government rating was dragged down by the large number of sites, 26 percent, that scored lower than 50, said Craig Spiezle, founder of the alliance and a study co-author. About 10 of the sites had no discernible SSL connection, he said. 

An SSL connection encrypts data in transit when a citizen fills out, for instance, an online application for veteran benefits. This year, the results of the annual online trust audit incorporated tests for the infamous Heartbleed bug, a flaw in the widely used OpenSSL library that went unnoticed for two years and let an attacker read server memory, including data that SSL was supposed to protect. Social media and financial institution sites tied for first place in SSL use, with 86 points.

The study does not name the 50 government sites studied or list individual scores for security reasons. 

"There's a risk if you start calling these things out, you could expose a vulnerability of a site -- and that's the last thing we want to do," Spiezle said. "We're using tools that are readily available that anyone can use" to assess systems, “which means the cyber criminals can certainly use the same exact tools to evaluate how strong a site is or how weak it is." 

In addition to neglecting site security, many federal agencies failed to protect their email domains with authentication records that prevent mimicry, or "spoofing," the researchers found. One-third of agencies did not use email authentication, a set of published DNS records that lets receiving mail servers verify a message really came from the domain it claims, so swindlers can't impersonate a legitimate email sender.

By comparison, 100 percent of e-commerce sites used some form of email authentication, as did 96 percent of social media sites. Because the federal sector has yet to fully embrace email authentication, "government sites are ripe for spoofing and spear-phishing attacks not only against constituents but also employees at other agencies," Spiezle said.

He cited a scenario of a criminal searching LinkedIn to find the name of a division director and someone who works for him, and then spoofing the boss' email address to send the employee an email fishing for sensitive information.

Many lower-level employees have public email addresses. The message purportedly from the boss could say something such as, "Great job on that presentation last week. Can you send me all the background details?" Spiezle offered as an example. 
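The report does not say which email-authentication records the alliance's tools looked for, and its checks are not public. The following is an added example, not the alliance's tool or code from this article: it assumes the two DNS-published mechanisms receivers most commonly consult, SPF (a TXT record at the domain) and DMARC (a TXT record at _dmarc.<domain>), and classifies a domain the way a receiving mail server would decide whether a message spoofing the boss's address gets through. The DNS answers, the agency names and the `assess` function are constructed for the example, so it runs offline; a real checker would replace `lookup_txt` with a resolver query.

```python
"""Classify a domain's email-authentication posture from SPF and DMARC TXT records.

Added example (not the audit's own tooling). Assumes SPF (RFC 7208) at the
domain and DMARC (RFC 7489) at _dmarc.<domain>; the DNS data below is
constructed sample data, not real agency records.
"""
import re
from typing import Dict, List, Optional

# Constructed sample DNS answers keyed by owner name (hypothetical domains).
SAMPLE_TXT: Dict[str, List[str]] = {
    "agency-a.example.gov": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.agency-a.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov"],
    "agency-b.example.gov": ["v=spf1 mx ~all"],
    "_dmarc.agency-b.example.gov": ["v=DMARC1; p=none; rua=mailto:reports@agency-b.example.gov"],
    "agency-c.example.gov": ["v=spf1 +all"],                 # SPF that lets anyone pass
    "agency-d.example.gov": ["site-verification=abc123"],    # no SPF, no DMARC at all
}


def lookup_txt(name: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query; a real checker would call a resolver here."""
    return zone.get(name.lower().rstrip("."), [])


def find_spf(domain: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> Optional[str]:
    """Return the domain's single SPF record, or None.

    RFC 7208 treats more than one v=spf1 record as a permanent error, which
    receivers handle as 'no usable SPF', so that case also yields None.
    """
    spf = [r for r in lookup_txt(domain, zone) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(record: str) -> str:
    """Qualifier on the 'all' mechanism: '+' pass, '-' fail, '~' softfail, '?' neutral.

    The first 'all' term ends evaluation, so later terms are ignored. A record
    with no 'all' term implicitly ends in neutral, reported here as '?'.
    """
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: the default qualifier is '+'
    return "?"


def find_dmarc(domain: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> Optional[Dict[str, str]]:
    """Parse the DMARC record at _dmarc.<domain> into a tag dictionary, or None.

    Simplification: a real receiver also falls back to the organizational
    domain (via the public suffix list); this example checks only the exact name.
    RFC 7489 discards all records when more than one valid one is published.
    """
    valid = []
    for r in lookup_txt(f"_dmarc.{domain}", zone):
        tags = {}
        for part in r.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        if r.strip().lower().startswith("v=dmarc1") and "p" in tags:
            valid.append(tags)
    return valid[0] if len(valid) == 1 else None


def assess(domain: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> Dict[str, Optional[str]]:
    """Summarize whether mail forged from `domain` would be stopped by receivers."""
    spf = find_spf(domain, zone)
    dmarc = find_dmarc(domain, zone)
    qualifier = spf_all_qualifier(spf) if spf else None
    policy = dmarc["p"].lower() if dmarc else None

    if policy in ("reject", "quarantine"):
        verdict = "enforcing"       # receivers reject or quarantine unaligned mail
    elif policy == "none":
        verdict = "monitoring"      # DMARC only reports; spoofed mail is still delivered
    elif spf and qualifier in ("-", "~"):
        verdict = "spf-only"        # SPF fails forgeries, but without DMARC many receivers still deliver
    elif spf:
        verdict = "spf-permissive"  # +all or ?all: any sender passes SPF
    else:
        verdict = "none"            # nothing published: freely spoofable
    return {"spf_all": qualifier, "dmarc_policy": policy, "verdict": verdict}


if __name__ == "__main__":
    for d in ("agency-a.example.gov", "agency-b.example.gov",
              "agency-c.example.gov", "agency-d.example.gov"):
        print(f"{d:25} {assess(d)}")
```

Only the `enforcing` verdict actually blocks the scenario above: a `p=none` DMARC record or SPF alone leaves the forged "boss" message deliverable, which is why "some form of email authentication" understates the gap between a domain that publishes a record and one that is protected.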

A bright spot in the assessment is the government's supremacy in converting sites to Domain Name System Security Extensions (DNSSEC), which digitally signs DNS answers so that attackers cannot forge them to redirect visitors to copycat sites, a form of "man-in-the-middle" attack.

Of the federal sites, 92 percent used DNSSEC, up from 88 percent last year. No other sector had transitioned more than 5 percent of sites. In 2008, the White House required all agencies to apply the system throughout the dot-gov domain by December 2009.

Obama administration officials did not respond to a request for comment on this year's report.  

To conduct the study, researchers reviewed more than 300 million email headers and about 8,500 Web pages, across sectors, between April 15 and May 23. The report has at least two limitations, the researchers acknowledged. A site's security practices might have changed since the sampling, and some sites might have been using security technologies the alliance's tools could not detect.
