Alleged leaks connecting Democratic presidential candidate Joe Biden to his son's dealings in Ukraine immediately raised alarm bells to forensic analysts. The race to determine what is real and what is doctored mirrors challenges faced by security teams needing to validate company files.
Specifically, one of the most explosive emails released by the New York Post was published in such a way to hide Domain Keys Identified Mail information, or DKIM, which is used to detect forged sender addresses. It also displayed metadata that called into question whether the email supplied to the Post was the original file. Whether the email is legitimate or not is still under debate.
The situation points to a widespread challenge for political campaigns and businesses alike: Technologies that could provide some evidence that a particular file is fake or manipulated only work in specific cases and may be cost-prohibitive and impractical for many industries and many sized organizations to implement.
“You’re trying to prove a negative,” said Mike Weber, vice president of innovation at Coalfire. “It’s hard to prove data was never on your network.”
Just like political campaigns, companies across a variety of sectors have suffered data leaks that resulted in the release of often sensitive emails and files – from defense and aerospace contractors to financial institutions and film studios. Ensuring none of the files were falsified factors into these situations, but networkwide systems designed for non-repudiation aren’t particularly suited for broad enterprise operations. A Department of Defense-style PKE network is expensive and cumbersome, Weber said, and not likely to "span all industries and all size companies.”
Even in diligently designed systems, hackers could use access to a network to plant a document to meet the non-repudiation checks, cryptographic keys might fall out of a company’s control, and hackers could claim damaging leaked documents came from a vendor outside the PKE system.
And that’s all assuming the most expensive, best implemented system of signatures and back-ups and evidence building is in place. Most firms, he said, are nowhere near that point.
“Even in organizations we work for, some huge ones with mergers and acquisitions that would blow your mind, communications are not handled with integrity and security,” he said. “Ease of use is a hard thing to battle.”
Creating a forensic trail for email is a slightly different story. In the case of the alleged Biden leak, the New York Post did not make it possible for researchers to check DKIM on the emails. But that approach is indeed one tactic to authenticate whether an email was genuinely sent from a server. WikiLeaks relied on DKIM to verify emails in the 2016 leaks of emails from the Democratic National Committee – a leak that also included a number falsified documents.
Indeed, DKIM isn’t perfect. There are a few tricks to create a false DKIM match, plus emails that pass through multiple hands can create false negatives (something a new protocol called ARC is designed to combat). And, said Seth Blank, vice president of Standards and New Technology at Valimail, it would ideally be paired with DMARC, a standard to make sure the email address in the “from” line isn’t being spoofed.
A validated signature can be faked, Blank added, “but the bar to do that is a lot higher."
Another challenge, however, is that non-repudiation features of DKIM were designed to be used in the moment a email was sent, not weeks or months later when a leak would in theory would take place. A corporation could cycle through cryptographic keys, leaving old emails unverifiable.
Nonetheless, Blank said, is that DKIM is a relatively easy add to email security that could potentially eliminate some bad actors.
“Without it, email is a perfect impersonation technique, because, when it was designed, no one envisioned it being used for state secrets or business,” he said.