http://www.theregister.co.uk/2008/11/20/barack_obama_website_insecurity/ By Dan Goodin in San Francisco The Register 20th November 2008 President elect Barack Obama's embrace of online video and social networking may have propelled him to victory, but unless he's careful, his administration could be brought down by the same sloppy security problems that have plagued MySpace, Facebook, and dozens of other Web 2.0 properties. A cursory look at Change.gov and MyBarackObama reveal enough amateur mistakes to make even the most ardent supporters wonder just who in the heck is in charge of security. For one, the content management system for both of the sites is easily accessible to anyone. And as far as we can tell, neither page is protected by secure sockets layer - the "s" following a web address's "http" that assures you the connection is encrypted. Security 101 would dictate that pages this sensitive should be restricted to select internet protocol addresses, or at the very least, encrypted to prevent so-called man-in-the-middle attacks. There are no such protections on Change.gov or MyBarackObama, the latter suggesting that this lack of attention to security has been allowed to persist for some time now. Even more troubling is the discovery that administrative pages for both sites are linked to Google Analytics. This is a hard configuration to make sense of. It means that Google, a private company with important business before the US government, has complete administrative access to one of the government's most important websites. It would also appear to run contrary to this privacy policy pledging "not to make Personal Information available to anyone other than our employees, staff, and agents." [...] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.orgReceived on Wed Nov 19 2008 - 23:06:07 PST
This archive was generated by hypermail 2.2.0 : Wed Nov 19 2008 - 23:16:06 PST