Campaign Sites Lack Security

[InfoSec News <isn () c4i org>]

http://www.wired.com/news/infostructure/0,1377,64036,00.html

By Michelle Delio
June 30, 2004

George W. Bush and John Kerry may be tied in the polls, but Bush
appears to be well ahead of Kerry in the number of security holes on
his official campaign website.

On Sunday, security analyst Richard Smith did a quick check of the
Bush and Kerry campaign sites and found several security problems on
each, all of which are common on many other websites.

But after Smith posted a report of his findings to several security
lists, others opted to do a deeper analysis and found some significant
problems on Bush's website. One researcher used a commercial program
called GFI LANguard to scan Bush's site. He said he found over 30
security faults. The researcher asked not to be identified because of
concern that his scans could be construed as illegal under the Patriot
Act. He submitted a digital copy of the results of the scan to Wired
News.

According to the scan, the security problems on the Bush site include
potential vulnerabilities that could conceivably allow a malicious
attacker to gain remote control over the server, crash it, tamper with
information on Web pages and compromise stored information.

"Several of the faults are critical; they can be easily exploited with
serious repercussions," said the researcher. "And the fact I could run
this scan remotely points to the complete lack and utter uselessness
of their network security."

The researcher said Kerry's site stopped the GFI LANguard scan before
he could get any data.

"From a network perspective, Kerry's site is not too bad as these
things go. Most websites have nasty security issues. Few sites are
written by professional programmers, and even fewer are written with
security in mind."

Smith's analysis indicated that Kerry's campaign site shows signs of
being vulnerable to SQL injection errors, which could put the site's
server at risk. An SQL injection error can be used to break into a
website's backend database, and could allow an attacker access to
private information from the database.

Additionally, cross-site scripting errors (sometimes called XSS
errors) exist on both sites, Smith said. These could allow malicious
pranksters to create bogus Web pages that appear to originate from the
Bush or Kerry websites.

"A prankster could post fake news stories, slogans telling visitors to
vote for the other candidate or doctored photos," said Smith.

Both sites contain firm statements assuring visitors that security is
a primary concern. The Bush site's privacy policy informs visitors,
"Strict security measures are in place to protect the loss, misuse and
alteration of any and all information pertaining to GeorgeWBush.com.  
In addition, GeorgeWBush.com is run on servers located in a secure
server room and locked in a rack. Staff is onsite 24 hours a day,
monitoring equipment and services."

Kerry's privacy policy states "JohnKerry.com has state of the art,
extensive security measures in place to protect against the loss,
misuse or alteration of the information under our control. Our server
is located in a locked, secure environment, with a guard posted 24
hours a day. Access to your information is granted only to you and
authorized Kerry Committee staff."

Neither campaign responded to phone calls and e-mails seeking comment.

Despite these guarantees, Smith and other security experts weren't
surprised to see the security problems.

"These problems are typical," said security consultant Robert Ferrell.  
"They don't represent any significant issues you couldn't find on
hundreds of other sites. Yeah, you could probably have fun with some
of them, but it wouldn't be worth the fed attention you'd probably
pull down on yourself."

Smith also pointed out that both sites also have potential privacy
problems. The Bush site has hired a company called Omniture to track
visitors to the site. On its website, Omniture asks potential
customers to imagine its service as "a device that could be placed by
the front door of a department store to tell the store manager all
kinds of detailed information about customers -- what store they came
from, who they were referred by, if they have been to the store
previously, what advertisement they were responding to and much more."

Smith said his concern is that the Bush site's relationship with
Omniture is not spelled out in the privacy policy. He discovered the
presence of Omniture monitoring by looking at the HTML of the
GeorgeWBush.com homepage, which contains these lines:

"< ! - - SiteCatalyst code version: G.5. Copyright 1997-2003 Omniture,
Inc. More info available at http://www.omniture.com - - >"

"The use of Omniture Web bugs at the Bush site is a bit strange," said
Smith. "It's one thing (for a commercial site) to track what kind of
things people are interested in, but tracking political issues crosses
the line for me."

Both sites encourage visitors to add banner ads for the candidates to
their own Web pages. The Bush banner ad uses JavaScript supplied from
the Bush Web server. The Kerry banner ads use an embedded iframe.  
Smith said both methods allow the campaigns to track visitors to any
Web pages where the banner ads appear.

And for those who evaluate a candidate's choice of operating systems
when choosing their president, Smith's check showed that the Kerry
site is housed on an Apache Web server running on a Red Hat Linux box.  
The Bush website is hosted on a Microsoft IIS 5.0 server and uses
Microsoft's ASP.net.

Smith said he attempted to contact Kerry and Bush representatives by
e-mail regarding the problems he discovered, but has received no
reply.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)