26 percent of federal websites lack the proper configuration to thwart attackers from intercepting data entered by citizens, study finds.
More than a quarter of federal websites are not properly configured with software to prevent intruders from intercepting data entered by citizens, according to a new study.
Federal sites in general scored 10 percent lower than online banking services and social media networks at site security and server configuration, researchers at the Online Trust Alliance discovered.
The study, released Wednesday, looked at 50 cabinet-level and other high-traffic, consumer-oriented federal websites, as well as purported federal sites set up by fraudsters. Phishing emails luring citizens to the bogus sites also were examined.
Industrywide, the average score for so-called SSL configuration was 83.4 on a 100-point scale, whereas the government average was 70.5. The government rating was dragged down by the large number of sites, 26 percent, that scored lower than 50, said Craig Spiezle, founder of the alliance and a study co-author. About 10 of the sites had no discernible SSL connection, he said.
An SSL connection secures data transmitted when a citizen fills out, for instance, an online application for veteran benefits. This year, the results of the annual online trust audit incorporated tests for the infamous Heartbleed bug, a hole in SSL software that went unnoticed for two years. Social media and financial institution sites tied for first place in SSL use, with 86 points.
The study does not name the 50 government sites studied or list individual scores for security reasons.
"There's a risk if you start calling these things out, you could expose a vulnerability of a site -- and that's the last thing we want to do," Spiezle said. "We're using tools that are readily available that anyone can use" to assess systems, “which means the cyber criminals can certainly use the same exact tools to evaluate how strong a site is or how weak it is."
In addition to neglecting site security, many federal agencies failed to seal employee email addresses with technology to prevent mimicry, or "spoofing," the researchers found. One-third of agencies did not use email authentication, a technique that locks down email domains so swindlers can't impersonate a legitimate email sender.
By comparison,100 percent of e-commerce sites used some form of email authentication, as did 96 percent of social media sites. Because the federal sector has yet to fully embrace email authentication, "government sites are ripe for spoofing and spear-phishing attacks not only against constituents but also employees at other agencies," Spiezle said.
He cited a scenario of a criminal searching LinkedIn to find the name of a division director and someone who works for him, and then spoofing the boss' email address to send the employee an email fishing for sensitive information.
Many lower-level employees have public email addresses. The message purportedly from the boss could say something such as, "Great job on that presentation last week. Can you send me all the background details?" Spiezle offered as an example.
A bright spot in the assessment is the government's supremacy in converting sites to Domain Name System Security Extension, a configuration that thwarts “man-in-the-middle” attacks where hackers redirect visitors to copycat sites.
Of the federal sites, 92 percent used DNSSEC, up from 88 percent last year. No other sector had transitioned more than 5 percent of sites. In 2008, the White House required all agencies to apply the system throughout the dot-gov domain by December 2009.
Obama administration officials did not respond to a request for comment on this year's report.
To conduct the study, researchers reviewed more than 300 million email headers and about 8,500 Web pages, across sectors, between April 15 and May 23. The report has a least two limitations, the researchers acknowledged. A site's security practices might have changed since the sampling, and some sites might have been using security technologies the alliance's tools could not detect.
NEXT STORY: Tweetdeck hack snares Oval Office staff