[ISN] Obama Campaign Hopes for Better Web Security

From: InfoSec News (alerts@private)
Date: Fri Jun 13 2008 - 00:02:17 PDT


http://www.pcworld.com/businesscenter/article/146997/obama_campaign_hopes_for_better_web_security.html

Robert McMillan
IDG News Service
June 11, 2008

Two months after their Web site was hacked, the organizers of Barack 
Obama's presidential campaign are looking for a network security expert 
to help lock down their Web site.

"Obama for America is looking for a network security expert who wants to 
play a key role in a historic political campaign," reads the ad, posted 
to the Barackobama.com Web site.

The requirements are pretty much what you'd read in any e-commerce 
security help-wanted ad: VPN (virtual private network) and Unix or Linux 
experience, along with a "deep understanding" of LAMP (Linux, Apache, 
MySQL and Perl) development. And of course, the successful candidate 
must be willing to "respond off-hours to high urgency security 
situations."

Successful candidates will join Obama's Boston team and should expect to 
find a new job come November.

Security experts said this is the first time they can remember seeing a 
Web security job advertised for a political campaign. In fact, Internet 
security has not always been a priority on political Web sites, 
according to Paul Ferguson, a network architect with computer security 
company Trend Micro. "Normally, I don't think they've paid much 
attention to it," he said.

Obama's Web site, built by Facebook cofounder Chris Hughes, has been the 
model of Web 2.0 campaigning, using social-networking techniques to 
raise funds and build a broad base of active, Internet-savvy supporters.

But security experts have long warned that powerful Web site features 
also open new avenues for attack.

With the Internet driving the majority of the campaign's contributions, 
Web security is probably more important to Obama than it has been to any 
other presidential candidate. A Web outage could cost his campaign 
millions of dollars, and a widely publicized privacy breach could put 
the brakes on his most important source of cash.

"The Obama campaign has got a bigger bull's-eye on them now that they've 
stitched up the nomination," Ferguson said. "It's worth their time to be 
more security conscious."

In April, a programming error allowed a Hillary Clinton supporter to 
redirect part of Obama's Web site to Clinton's, but today's Web attack 
techniques could lead to much more serious consequences.

"Attacks like SQL injection would be far more of a concern," said Oliver 
Friedrichs, a director with Symantec Security Response who has written 
about computer security and the 2008 presidential election. "If I was 
able to get access to the database that houses their donor information, 
that would be very concerning."

So-called SQL injection attacks take advantage of programming errors and 
allow attackers to get unauthorized access to parts of a Web site. They 
can be used to install malicious software or gain access to sensitive 
information.

Obama's site isn't the only one to suffer from Web security bugs. A 
similar flaw popped up in Mitt Romney's site in January, and Hillary 
Clinton's name was used in a spam campaign that delivered messages laced 
with malicious Trojan Horse software programs, Friedrichs said.

Internet security is always a top priority for political campaigns, even 
if security jobs are not always advertised, said Henry Poole, founder of 
the Internet campaign consultancy CivicActions. "We've always had 
somebody looking at the security issues," he said. "Maybe it's just an 
issue of the Obama campaign being more transparent."

While Web defacements and denial of service attacks may be the most 
common security problems, a Web privacy breach could quickly become a 
major campaign issue, Poole said. "For a big office, things like the 
reputation of the candidate are really important," he said.

Obama's campaign staff did not respond to requests for comment on this 
story.


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Fri Jun 13 2008 - 00:13:07 PDT