http://www.wired.com/news/infostructure/0,1377,64036,00.html
By Michelle Delio
June 30, 2004

George W. Bush and John Kerry may be tied in the polls, but Bush appears to be well ahead of Kerry in the number of security holes on his official campaign website.

On Sunday, security analyst Richard Smith did a quick check of the Bush and Kerry campaign sites and found several security problems on each, all of which are common on many other websites. But after Smith posted a report of his findings to several security lists, others opted to do a deeper analysis and found some significant problems on Bush's website.

One researcher used a commercial vulnerability scanner, GFI LANguard, to scan Bush's site. He said he found over 30 security faults. The researcher asked not to be identified because of concern that his scans could be construed as illegal under the Patriot Act. He submitted a digital copy of the results of the scan to Wired News.

According to the scan, the security problems on the Bush site include potential vulnerabilities that could conceivably allow a malicious attacker to gain remote control over the server, crash it, tamper with information on Web pages and compromise stored information. Findings from a remote scan of this kind are generally inferred from service banners and version numbers rather than confirmed by exploitation, so they indicate exposure rather than proven compromise.

"Several of the faults are critical; they can be easily exploited with serious repercussions," said the researcher. "And the fact I could run this scan remotely points to the complete lack and utter uselessness of their network security."

The researcher said Kerry's site stopped the GFI LANguard scan before he could get any data. "From a network perspective, Kerry's site is not too bad as these things go. Most websites have nasty security issues. Few sites are written by professional programmers, and even fewer are written with security in mind."

Smith's analysis indicated that Kerry's campaign site shows signs of being vulnerable to SQL injection, which could put the site's server at risk.
An SQL injection flaw lets an attacker pass database commands through a Web form or URL parameter that the site fails to sanitize, and could allow an attacker to read private information from the site's backend database. Additionally, cross-site scripting (XSS) flaws exist on both sites, Smith said. Because an XSS flaw causes the site to echo attacker-supplied markup back to visitors, it could allow malicious pranksters to create bogus Web pages that appear to originate from the Bush or Kerry websites.

"A prankster could post fake news stories, slogans telling visitors to vote for the other candidate or doctored photos," said Smith.

Both sites contain firm statements assuring visitors that security is a primary concern. The Bush site's privacy policy informs visitors, "Strict security measures are in place to protect the loss, misuse and alteration of any and all information pertaining to GeorgeWBush.com. In addition, GeorgeWBush.com is run on servers located in a secure server room and locked in a rack. Staff is onsite 24 hours a day, monitoring equipment and services."

Kerry's privacy policy states, "JohnKerry.com has state of the art, extensive security measures in place to protect against the loss, misuse or alteration of the information under our control. Our server is located in a locked, secure environment, with a guard posted 24 hours a day. Access to your information is granted only to you and authorized Kerry Committee staff."

Neither campaign responded to phone calls and e-mails seeking comment.

Despite these guarantees, Smith and other security experts weren't surprised to see the security problems. "These problems are typical," said security consultant Robert Ferrell. "They don't represent any significant issues you couldn't find on hundreds of other sites. Yeah, you could probably have fun with some of them, but it wouldn't be worth the fed attention you'd probably pull down on yourself."

Smith also pointed out that both sites have potential privacy problems. The Bush site has hired a company called Omniture to track visitors to the site.
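To make the "bogus Web pages" scenario concrete, here is an added example (not code from the article or from either campaign's site) of the reflected cross-site scripting pattern Smith describes, beside the hardened version. The hostname `campaign.example`, the `search` handler, the `q` parameter and the prank payload are all constructed for illustration; the page builds a search-results page from a URL parameter, first without and then with HTML escaping.

```javascript
// Added example, not code from the article or from either campaign site.
// A "search" page that echoes its query back to the visitor: first a
// version vulnerable to reflected XSS, then the same page with the
// untrusted value escaped on output. Hostname, handler path, parameter name
// and payload below are constructed for illustration.

// Vulnerable: the query parameter is pasted straight into the HTML, so
// anything the link's author put in it is rendered as markup by the browser.
function renderSearchPage(query) {
  return (
    "<html><body>\n" +
    "<h1>Campaign news</h1>\n" +
    "<p>Results for: " + query + "</p>\n" +
    "</body></html>"
  );
}

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: identical page, but the untrusted value is escaped at the point
// where it is written into HTML.
function renderSearchPageSafe(query) {
  return (
    "<html><body>\n" +
    "<h1>Campaign news</h1>\n" +
    "<p>Results for: " + escapeHtml(query) + "</p>\n" +
    "</body></html>"
  );
}

// Extract the `q` parameter from a full request URL, as a handler would.
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q") || "";
}

// Count <script> start tags in rendered output: one means injected markup
// survived as markup, zero means it was neutralised into visible text.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed link a prankster might circulate. Because the response comes
// from the campaign's own hostname, the fake headline appears to be theirs.
const PRANK_URL =
  "http://campaign.example/search?q=" +
  encodeURIComponent(
    "<h1>Candidate withdraws from race</h1><script>document.title='!'</script>"
  );

// Render the prank link both ways so the difference can be compared.
function demo() {
  const q = queryFromUrl(PRANK_URL);
  return {
    vulnerable: renderSearchPage(q),
    hardened: renderSearchPageSafe(q),
  };
}
```

Escaping on output is the fix for the text context shown here; a value placed inside a `<script>` block, a URL attribute or an event handler needs context-specific encoding instead, and a template engine that escapes by default removes the chance of forgetting.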
On its website, Omniture asks potential customers to imagine its service as "a device that could be placed by the front door of a department store to tell the store manager all kinds of detailed information about customers -- what store they came from, who they were referred by, if they have been to the store previously, what advertisement they were responding to and much more."

Smith said his concern is that the Bush site's relationship with Omniture is not spelled out in the privacy policy. He discovered the presence of Omniture monitoring by looking at the HTML of the GeorgeWBush.com homepage, which contains this comment:

    <!-- SiteCatalyst code version: G.5. Copyright 1997-2003 Omniture, Inc. More info available at http://www.omniture.com -->

"The use of Omniture Web bugs at the Bush site is a bit strange," said Smith. "It's one thing (for a commercial site) to track what kind of things people are interested in, but tracking political issues crosses the line for me."

Both sites encourage visitors to add banner ads for the candidates to their own Web pages. The Bush banner ad uses JavaScript supplied from the Bush Web server. The Kerry banner ads use an embedded iframe. Smith said both methods allow the campaigns to track visitors to any Web pages where the banner ads appear: either way, the visitor's browser fetches the banner from the campaign's server, and that request carries the address of the page that embedded it (the Referer header) along with any cookie the campaign server set on an earlier visit.

And for those who evaluate a candidate's choice of operating systems when choosing their president, Smith's check showed that the Kerry site is housed on an Apache Web server running on a Red Hat Linux box. The Bush website is hosted on a Microsoft IIS 5.0 server and uses Microsoft's ASP.NET.

Smith said he attempted to contact Kerry and Bush representatives by e-mail regarding the problems he discovered, but has received no reply.
ISN mailing list archive, generated by hypermail 2b30 : Wed Jun 30 2004 - 10:57:45 PDT