[ISN] Congratulations, Barack - Now fix your websites

From: InfoSec News <alerts_at_private>
Date: Thu, 20 Nov 2008 01:06:07 -0600 (CST)
http://www.theregister.co.uk/2008/11/20/barack_obama_website_insecurity/

By Dan Goodin in San Francisco
The Register
20th November 2008

President elect Barack Obama's embrace of online video and social 
networking may have propelled him to victory, but unless he's careful, 
his administration could be brought down by the same sloppy security 
problems that have plagued MySpace, Facebook, and dozens of other Web 
2.0 properties.

A cursory look at Change.gov and MyBarackObama reveal enough amateur 
mistakes to make even the most ardent supporters wonder just who in the 
heck is in charge of security. For one, the content management system 
for both of the sites is easily accessible to anyone. And as far as we 
can tell, neither page is protected by secure sockets layer - the "s" 
following a web address's "http" that assures you the connection is 
encrypted.

Security 101 would dictate that pages this sensitive should be 
restricted to select internet protocol addresses, or at the very least, 
encrypted to prevent so-called man-in-the-middle attacks. There are no 
such protections on Change.gov or MyBarackObama, the latter suggesting 
that this lack of attention to security has been allowed to persist for 
some time now.

Even more troubling is the discovery that administrative pages for both 
sites are linked to Google Analytics. This is a hard configuration to 
make sense of. It means that Google, a private company with important 
business before the US government, has complete administrative access to 
one of the government's most important websites. It would also appear to 
run contrary to this privacy policy pledging "not to make Personal 
Information available to anyone other than our employees, staff, and 
agents."

[...]


______________________________________________      
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org 
Received on Wed Nov 19 2008 - 23:06:07 PST

This archive was generated by hypermail 2.2.0 : Wed Nov 19 2008 - 23:16:06 PST