If you regularly use a computer, chances are you spend at least part of your time reading internet news. If you have a subscription, you might even log in and enter your payment info. But how secure are news sites? Here at UpGuard, we took a look at six of the top news media sites on the internet to see how their security stacked up. Many big names had low scores, while a few did very well. What does this mean for the average online news reader?
Huge multimedia companies like CNN, MSNBC,and The New York Times did rather poorly overall, while the best of the bunch was Yahoo, which should come as no surprise since internet business is their bread and butter. The Guardian scored comparatively well overall, proving that media and cybersecurity can go together. We'll take a look at each site in detail and see what's going on with its security.
CNN may regard itself as the leader in news, but its cybersecurity comes in last among the sites we scanned. Its score of 334 puts it in the Warning range, meaning that with its current external security profile it faces a high risk of falling victim to an attack. Why is this? CNN, like almost all of the other sites in this field, lacks sitewide SSL/TLS. This means that at best, readers are bounced between unencrypted connections and encrypted connections, usually on pages with logins or other customer data entry. Web security best practice is to have the entire site behind SSL, so that traffic between the site and its users is always encrypted against third parties.
But the website isn't its only problem. CNN also lacks security protocols for email on the cnn.com domain. It has neither SPF nor DMARC enabled in DNS. This means it's missing the ability to authenticate email sent from its domain, allowing phishing scams and other address spoofing attacks much more leeway than domains with these measures enabled. As a journalism site, the integrity of CNN's communications should be paramount. These measures are not costly or complicated to implement, but would increase the security profile of the site significantly.
MSNBC improves on CNN's score, but still fails in the high end of the warning range at 513. It also lacks sitewide SSL and DMARC, but at least has SPF enabled to help protect their email. However, MSNBC takes a hit in the business section of the score due to a 30% approval rating for President Phil Griffin. Employee satisfaction affects cyber risk just like misconfigurations on a server. An organization can spend billions on cutting edge security tech and still be undone by someone inside misusing privileged access.
Fox News scored just higher than MSNBC with 574, taking it out of the warning range. Its website lacks sitewide SSL, so it's still scored fairly low. However, Fox News is using both SPF and DMARC for email, and its communications score is a 925. What this means in the real world is that Fox News has a lower risk of email based cyber attacks than CNN and MSNBC. It doesn't mean it can't happen, just that they have implemented the best practice security measures against such attacks, making them less likely to succeed. Another real world application of this data is that a malicious actor looking to spoof a Fox News email to another organization would be hard pressed to make it past a spam filter, because modern spam filters check SPF, DMARC, DKIM and other measures to verify email at the edge before the recipient even sees it.
The New York Times website is similar to Fox News when it comes to cybersecurity, in that its email is well protected, but its website is lacking some basic protection. The business and communications sections of the scores are very good, in the 900s, but the website is so poorly configured that it brings the overall score down to a 480.
Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common?
What this means for the average news reader is that attacks focused around the NYTimes.com website are more likley to succeed. For example, because they lack sitewide SSL and are not using HTTP Strict Transport Security, a man-in-the-middle attack would be possible when the reader is handed off to an encrypted page, such as a login page. Sitewide SSL ensures that every page comes through the encrypted tunnel.
Maybe you've heard that website cookies can be security issues sometimes. This is true when the site fails to utilize what are called the Secure and HttpOnly cookie options. These options protect vistors to the website from having the website's cookies used against them, by ensuring that 1) cookies aren't sniffed in transit across unencrypted connections, and 2) preventing scripts from accessing the cookies, which would allow someone to impersonate you to the website.
With The Guardian, we start to see how a properly configured SSL setup can affect the overall resiliency of the organization. A score of 731 puts the Guardian squarely in the good range, having helped ensure readers of their site can connect on secure channels. But because they are not strictly enforcing SSL, unencrypted connections are still allowed. Likewise, they face the same problem with cookies as the New York Times. But overall, their security is good.
Yahoo News has our highest score of the lot, with a good score of 846. This makes sense, since Yahoo is an internet company first and a news outlet second, so cybersecurity is perhaps more in the forefront of its operations than some of these other companies who began using the internet as a secondary or tertiary business outlet. However, the imminence of online business can't be denied in 2016, and news media is now reaching more people through the internet than through traditional channels. With data breaches, ransomware and other high cost attacks increasing, companies who want to be successful on the internet must address their security for their sake and their customers'.
There are many facets to an online media user experience: design, content, ads and so forth. These seem obvious because they stare us in the face when we look at a webpage. Cybersecurity isn't quite so apparent, since it happens behind the scenes. But just because you can't see it, doesn't mean it isn't important. That's why we developed the CSTAR risk grader web application and chrome extension. Both are free for anyone to check the security of any site they use or operate.