[ISN] Campaign Sites Lack Security

From: InfoSec News (isn@private)
Date: Wed Jun 30 2004 - 07:24:59 PDT


    http://www.wired.com/news/infostructure/0,1377,64036,00.html
    
    By Michelle Delio
    June 30, 2004
    
    George W. Bush and John Kerry may be tied in the polls, but Bush
    appears to be well ahead of Kerry in the number of security holes on
    his official campaign website.
    
    On Sunday, security analyst Richard Smith did a quick check of the
    Bush and Kerry campaign sites and found several security problems on
    each, all of which are common on many other websites.
    
    But after Smith posted a report of his findings to several security
    lists, others opted to do a deeper analysis and found some significant
    problems on Bush's website. One researcher used a commercial program
    called GFI LANguard to scan Bush's site. He said he found over 30
    security faults. The researcher asked not to be identified because of
    concern that his scans could be construed as illegal under the Patriot
    Act. He submitted a digital copy of the results of the scan to Wired
    News.
    
    According to the scan, the security problems on the Bush site include
    potential vulnerabilities that could conceivably allow a malicious
    attacker to gain remote control over the server, crash it, tamper with
    information on Web pages and compromise stored information.
    
    "Several of the faults are critical; they can be easily exploited with
    serious repercussions," said the researcher. "And the fact I could run
    this scan remotely points to the complete lack and utter uselessness
    of their network security."
    
    The researcher said Kerry's site stopped the GFI LANguard scan before
    he could get any data.
    
    "From a network perspective, Kerry's site is not too bad as these
    things go. Most websites have nasty security issues. Few sites are
    written by professional programmers, and even fewer are written with
    security in mind."
    
    Smith's analysis indicated that Kerry's campaign site shows signs of
    being vulnerable to SQL injection errors, which could put the site's
    server at risk. An SQL injection error can be used to break into a
    website's backend database, and could allow an attacker access to
    private information from the database.
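To make concrete what the article means by an SQL injection error, here is an added example (not code from the article or from either campaign site). It uses an in-memory SQLite table of constructed donor records; the vulnerable lookup splices visitor input into the SQL text, while the hardened version binds it as a parameter so the database never interprets it as SQL.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny 'donors' table standing in for a site's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO donors (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice Example"), ("bob@example.com", "Bob Example")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Defect: the visitor-supplied string becomes part of the SQL statement itself,
    # so a quote character in the input changes the query's logic.
    sql = "SELECT name FROM donors WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Fix: parameter binding keeps the input as data. The driver never parses it as SQL,
    # so the same string simply matches no row.
    rows = conn.execute("SELECT name FROM donors WHERE email = ?", (email,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "alice@example.com"))  # one row, as intended
    print(lookup_safe(db, "alice@example.com"))        # same
    odd_input = "' OR '1'='1"                          # a quote-bearing string a user could type
    print(lookup_vulnerable(db, odd_input))            # every row leaks
    print(lookup_safe(db, odd_input))                  # nothing matches
```

The detection side is the same comparison: any query built by string concatenation from request data is the finding, regardless of whether a scanner happened to trip it.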
    
    Additionally, cross-site scripting errors (sometimes called XSS
    errors) exist on both sites, Smith said. These could allow malicious
    pranksters to create bogus Web pages that appear to originate from the
    Bush or Kerry websites.
    
    "A prankster could post fake news stories, slogans telling visitors to
    vote for the other candidate or doctored photos," said Smith.
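An added example (not from the article) of the cross-site scripting error Smith describes: a page that echoes a visitor-controlled value back into its HTML. The vulnerable renderer lets that value become markup, which is how a bogus slogan or fake story can appear to come from the site; the hardened renderer escapes it so the browser shows the text literally. The small tag counter is only there to show the difference mechanically.

```python
import html
from html.parser import HTMLParser


def render_search_vulnerable(query):
    # Defect: the query string is concatenated straight into the page body.
    return "<h1>Results for: " + query + "</h1>"


def render_search_safe(query):
    # Fix: HTML-escape untrusted text at the point it is written into markup.
    # quote=True also escapes quotes, so the value is safe inside attributes.
    return "<h1>Results for: " + html.escape(query, quote=True) + "</h1>"


class TagCollector(HTMLParser):
    """Records every start tag the browser's parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    # Constructed input matching the article's scenario: a slogan wrapped in markup.
    visitor_input = "<b>Vote for the other candidate</b>"
    print(tags_in(render_search_vulnerable(visitor_input)))  # ['h1', 'b']: injected tag rendered
    print(tags_in(render_search_safe(visitor_input)))        # ['h1']: only the page's own tag
```

Escaping on output is the rule that generalizes: the same `html.escape` call protects any value, whether it arrived in the URL, a form field or a database row.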
    
    Both sites contain firm statements assuring visitors that security is
    a primary concern. The Bush site's privacy policy informs visitors,
    "Strict security measures are in place to protect the loss, misuse and
    alteration of any and all information pertaining to GeorgeWBush.com.  
    In addition, GeorgeWBush.com is run on servers located in a secure
    server room and locked in a rack. Staff is onsite 24 hours a day,
    monitoring equipment and services."
    
    Kerry's privacy policy states "JohnKerry.com has state of the art,
    extensive security measures in place to protect against the loss,
    misuse or alteration of the information under our control. Our server
    is located in a locked, secure environment, with a guard posted 24
    hours a day. Access to your information is granted only to you and
    authorized Kerry Committee staff."
    
    Neither campaign responded to phone calls and e-mails seeking comment.
    
    Despite these guarantees, Smith and other security experts weren't
    surprised to see the security problems.
    
    "These problems are typical," said security consultant Robert Ferrell.  
    "They don't represent any significant issues you couldn't find on
    hundreds of other sites. Yeah, you could probably have fun with some
    of them, but it wouldn't be worth the fed attention you'd probably
    pull down on yourself."
    
    Smith also pointed out that both sites have potential privacy
    problems. The Bush site has hired a company called Omniture to track
    visitors to the site. On its website, Omniture asks potential
    customers to imagine its service as "a device that could be placed by
    the front door of a department store to tell the store manager all
    kinds of detailed information about customers -- what store they came
    from, who they were referred by, if they have been to the store
    previously, what advertisement they were responding to and much more."
    
    Smith said his concern is that the Bush site's relationship with
    Omniture is not spelled out in the privacy policy. He discovered the
    presence of Omniture monitoring by looking at the HTML of the
    GeorgeWBush.com homepage, which contains these lines:
    
    <!-- SiteCatalyst code version: G.5. Copyright 1997-2003 Omniture,
    Inc. More info available at http://www.omniture.com -->
    
    "The use of Omniture Web bugs at the Bush site is a bit strange," said
    Smith. "It's one thing (for a commercial site) to track what kind of
    things people are interested in, but tracking political issues crosses
    the line for me."
    
    Both sites encourage visitors to add banner ads for the candidates to
    their own Web pages. The Bush banner ad uses JavaScript supplied from
    the Bush Web server. The Kerry banner ads use an embedded iframe.  
    Smith said both methods allow the campaigns to track visitors to any
    Web pages where the banner ads appear.
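Smith found the Omniture tracking by reading the homepage HTML, and the banner-ad paragraph above describes the same mechanism in reverse (a script or iframe served from the campaign host, embedded on someone else's page). The following is an added example, not code from the article, of how a site owner can audit a page for exactly these third-party inclusions before writing a privacy policy: it lists every script, iframe and image loaded from a host other than the site's own, and flags HTML comments that name the vendor from the article. The sample page, the host `campaign.example` and the third-party hosts in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor names taken from the article; extend with whatever your own pages embed.
TRACKER_HINTS = ("omniture", "sitecatalyst")


class ThirdPartyAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []          # (tag, host) for resources fetched from other hosts
        self.vendor_comments = []   # comments that mention a known tracking vendor

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).hostname   # None for relative URLs, which are first-party
        if host and host.lower() != self.site_host:
            self.external.append((tag, host.lower()))

    def handle_comment(self, data):
        if any(hint in data.lower() for hint in TRACKER_HINTS):
            self.vendor_comments.append(" ".join(data.split()))


def audit(html_text, site_host):
    """Return the external resource hosts and vendor comments found in a page."""
    p = ThirdPartyAudit(site_host)
    p.feed(html_text)
    p.close()
    return {"external": p.external, "comments": p.vendor_comments}


# Constructed homepage: one first-party script, one relative image, one third-party
# metrics script, one third-party iframe, and a vendor comment in the article's wording.
SAMPLE_PAGE = """<html><head>
<script src="https://campaign.example/js/menu.js"></script>
<!-- SiteCatalyst code version: G.5. Copyright 1997-2003 Omniture,
     Inc. More info available at http://www.omniture.com -->
<script src="https://metrics.example-analytics.net/s_code.js"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="https://banner.example.org/ad.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    report = audit(SAMPLE_PAGE, "campaign.example")
    for tag, host in report["external"]:
        print(f"external {tag} from {host}")
    for comment in report["comments"]:
        print(f"vendor comment: {comment}")
```

Run the same audit from the other side, against a supporter's page that carries the banner, and the campaign host shows up as the external script or iframe origin, which is the tracking relationship Smith describes. Anything the report lists and the privacy policy does not mention is the gap to close.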
    
    And for those who evaluate a candidate's choice of operating systems
    when choosing their president, Smith's check showed that the Kerry
    site is housed on an Apache Web server running on a Red Hat Linux box.  
    The Bush website is hosted on a Microsoft IIS 5.0 server and uses
    Microsoft's ASP.net.
    
    Smith said he attempted to contact Kerry and Bush representatives by
    e-mail regarding the problems he discovered, but has received no
    reply.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)