Slashdot Mirror

← Back to Stories (view on slashdot.org)

2016 Presidential Candidate Security Investigation (infosecinstitute.com)

Posted by timothy on from the hate-report-hards dept.

New submitter Fryan writes: InfoSec Institute has assessed the security posture of 16 of the presidential candidates' websites. This is an indicator of the level of security awareness the candidate and the campaign staff has. The recent breaches and security lapses of high profile individuals highlight the absolute need for everyone to take security awareness seriously. The hacking of the Director of the CIA's (John Brennan) personal email account, and the storage of classified emails on a personal email server with Hillary Clinton, show how damaging a lack of basic good security hygiene can be. In this survey (of only the best known presidential candidates, not the scads of others), the authors give both their highest grade (an A) and lowest (a D) for candidates still in the race to two Republicans, Ben Carson and Jim Gilmore, respectively; surprising for a tech-focused campaign, Lawrence Lessig (who has ended his candidacy since the survey began) ranked even lower, with a D-.

Speaking of presidential candidates, the fourth Republican debate, hosted by Fox Business, will kick off about an hour after this post goes live (9:00 PM Eastern, 0200 GMT). Feel free to discuss it alongside the security report.

52 of 97 comments (clear)

  1. So where are the ratings? by bobbied · · Score: 1

    I'd love to see the site ratings there folks..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So where are the ratings? by bobbied · · Score: 1

      Never mind.. I found it... Cool PDF with lots of detail... Hacker's dream if you think about it...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:So where are the ratings? by BarbaraHudson · · Score: 1

      Terrible UI design - green on green, in the smallest font used on the page. For a tech site, that's a huge fail.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  2. Link to source by alvinrod · · Score: 1

    I know that no one reads TFA, but at least link to the source. I'm assuming it's the following article: http://resources.infosecinstitute.com/doesnt-any-presidential-candidate-know-how-to-secure-wordpress/

    However, that data points to Democratic candidate Jim Webb as having the highest rating with an A- and doesn't include Ben Carson at all.

    1. Re:Link to source by bws111 · · Score: 2

      The link is right next to the title, like is has been for all Slashdot articles for a while.

    2. Re:Link to source by Anonymous Coward · · Score: 1

      "Requires HTTPS" as a positive... Site critiquing uses plain HTTP... Try HTTPS and the site is using a certificate for wpengine.com instead of a valid certificate.

      What a joke.

    3. Re:Link to source by DrXym · · Score: 1

      The new design sucks and it's hardly surprising that people don't know where to look for it. It's so anti-intuitive it reminds me of the way Facebook, Google etc. put links they'd rather you didn't use in places where people least expect them to be.

  3. Username and login page by tepples · · Score: 1

    The short report claims that username exposure and login page exposure are vulnerabilities. But if you don't expose usernames, how do readers track to whom each comment in the comment section belongs? And if you don't expose a login page, how do posters track which of their comments have been replied to, and how do users manage their subscriptions to various newsletters?

    1. Re:Username and login page by ftexperts · · Score: 2
      Hi, I'm Jonathan Lampe, the author of the original research.

      >> if you don't expose usernames, how do readers track to whom each comment in the comment section belongs? And if you don't expose a login page, how do posters track which of their comments have been replied to, and how do users manage their subscriptions to various newsletters?

      NONE of the presidential campaigns were using any any self-registration or comment features of WordPress. (You'll see "registration" as a column in my WordPress report.) All of the users on all of the systems seemed to be admins, editors or their assistants, and none of the sites seemed to make any effort to distinguish one author from another. With that in mind, there really is no good reason for these sites to expose the list of usernames available on the system, nor is there a particularly good reason to permit the entire Internet to try their hand brute forcing sign-ons again a list of known usernames.

  4. Really? by TWX · · Score: 5, Informative
    From TFA:

    InfoSec Institute has assessed the security posture of 16 of the presidential candidates' websites. This is an indicator of the level of security awareness the candidate and the campaign staff has.

    This assertion is false. First, the candidate has other things to be concerned about. His IT staff, who will probably not follow him to the political office if he's elected given the nature of government bureaucracy, handle it. Second, a web site is a glorified poster and graffiti wall. It's there for John Q Public. Media organizations are provided with itineraries and possibly with the contents of speeches and other material directly, they do not have to go to the candidate's website. Third, any maliciousness done to the candidate only serves to strengthen the candidate, as those who were already in-favor of the candidate will not lessen their opinions based on a website hack, and those who were undecided may sympathize with the candidate after such an attack. Fourth, given the propensity for semianonymous abuse of comments sections, the candidate's staff already have to peruse comments to moderate/censor, so long-term abuse that could paint a candidate as something that they don't want to be is unlikely.

    If you want to know how a candidate handles security, follow how they handle money, and how quickly they return contributions that come from undesirable sources, or how they handle public appearances and interaction with specific persons. At this early stage that's probably more of a tell than any website.

    --
    Do not look into laser with remaining eye.
    1. Re:Really? by ftexperts · · Score: 4, Informative
      Hi, I'm Jonathan Lampe, the author of the original article.

      >> If you want to know how a candidate handles security, follow how they handle money

      I started my research after I noticed that most of these sites DO handle money, either through merchandise stores or donations. My original report (http://www2.infosecinstitute.com/l/12882/2015-10-19/zbwt6/12882/121089/2016_Presidential_Hacks.pdf) dug into how the top five candidates handle money on their web sites; it looks like most of the links in this thread are reading my SECOND bit of research about who's using WordPress and how badly it's been configured (http://resources.infosecinstitute.com/doesnt-any-presidential-candidate-know-how-to-secure-wordpress/).

  5. infosec institute is bullshit by hsmith · · Score: 4, Informative

    Why not evaluate the candidate shitty policies on information security? Like Carly who can't grasp math and is in favor of back doors into software and encryption.

    What a stupid "investigation"

    Even their page doesn't have SSL by default, when you go to the HTTPS site, it uses outdated encryption even with a modern browser.

    http://i.imgur.com/de0eBK8.png

    1. Re:infosec institute is bullshit by tepples · · Score: 2

      HMAC-SHA1 is probably what's considered "obsolete".

    2. Re:infosec institute is bullshit by Anonymous Coward · · Score: 1

      Why not evaluate the candidate shitty policies on information security? Like Carly who can't grasp math and is in favor of back doors into software and encryption.

      Or Hillary who thinks carrying two phones is so much a hassle, security should take a backdoor.

  6. Re:WordPress? by hsmith · · Score: 1

    infosec institute uses wordpress for their own website, lol

  7. Live-commenting the debate by PopeRatzo · · Score: 1, Informative

    Donald Trump just said, "Wages are too high."

    Discuss.

    --
    You are welcome on my lawn.
    1. Re:Live-commenting the debate by fustakrakich · · Score: 3, Funny

      He's right. Politicians get paid too much

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Live-commenting the debate by turkeydance · · Score: 1

      and Trump is Right Again. wages ARE too high. reading /., i expect the robotic revolution to reduce wages to 0.

    3. Re:Live-commenting the debate by ClickOnThis · · Score: 2

      Donald Trump just said, "Wages are too high."

      Discuss.

      Whose wages are too high?

      I'm sure he doesn't think his own wage is too high.

      --
      If it weren't for deadlines, nothing would be late.
    4. Re:Live-commenting the debate by tepples · · Score: 1

      But then who will have any money to buy things made by robots?

      ObManna

    5. Re:Live-commenting the debate by dywolf · · Score: 1

      the market HAS been setting the wages...as low as it can.
      and the result is a middle class that is shrinking, and has decreasing buying power, creating a self reinforcing cycle that continues to make people poorer.

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    6. Re:Live-commenting the debate by dywolf · · Score: 2

      "real americans" being people willing to earn starvation wages, and be subservient to the economy, instead using our power through our government of the people to make the economy serve us? yeah, fuck you

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    7. Re:Live-commenting the debate by JackieBrown · · Score: 1

      Can you provide more context for this one sentence quote?

    8. Re:Live-commenting the debate by PopeRatzo · · Score: 1

      See further context in my comment below.

      --
      You are welcome on my lawn.
  8. What does it say about the candidates? by damn_registrars · · Score: 2

    I really don't see what this says about the candidates, other than which ones hired better webmasters. If a candidate has a shitty, unsecured website, that doesn't really say they don't understand or care about security, it just shows they didn't pick a webmaster who does. And how knowledgeable on IT security do we expect the POTUS to be? We don't usually blame the CEO of a company when their website is hacked.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:What does it say about the candidates? by AHuxley · · Score: 1

      If the IT staff are internal to the candidate and creating a very good web 2.0 page much could be deduced about the rest of the staff.
      Spending and advance skill sets usually do not occur in just one part of a team.
      ie what will the rest of the campaign staff be like, get-out-the-vote strategy, ability to track big-name donors, finance team database.
      How can computer lists best help supporters and paid staff track voters, ads? That needs a really good, dedicated IT team. How and where to be buying advertising. Real time feedback on huge ad buys.
      Can the team work block by block to get millions of new voters? ie a good web site might just show good, fast internal data and analytics teams.
      Or is an outside firm used for the web page and all other needs? Data trust methods?
      Two very different ideas can be attempted, in house or less staff hires and a lot of outside firms.
      ie is the candidate getting on well with a team of trusted experts everyday or so hard to work with they can only be sold as another brand by outside experts.

      --
      Domestic spying is now "Benign Information Gathering"
  9. Rand Paul by chiasmus1 · · Score: 1

    How can this be considered worth reading if it does not even look at Rand Paul. Clearly this was created by the joint Republican/Democratic party.

    1. Re:Rand Paul by PopeRatzo · · Score: 2

      How can this be considered worth reading if it does not even look at Rand Paul. Clearly this was created by the joint Republican/Democratic party.

      I thought Rand Paul was a Republican. I guess you wouldn't know it by his polling numbers, though.

      --
      You are welcome on my lawn.
    2. Re:Rand Paul by ftexperts · · Score: 1

      Hi - Jonathan Lampe, original research author here.

      Round 1 of my research was about the "top five candidates" and Rand Paul wasn't included. Round 2 was about candidates that ran WordPress, which covered Bush and Sanders from Round 1 again and picked up about a dozen more candidates, but still didn't include Rand Paul. I hope to circle back around to Paul, Cruz, Rubio, Fiorina and anyone else I missed (Christie?) soon in a "not top five, not running WordPress" third round of research soon.

      My initial take? Could be an A or a B. Paul has a site developed by CanDo.com in 2014, and appears to have been doing business with them since at least 2012. The most interesting thing on his home page is the "recent donor" display (which is phoning home for data) powered by /js/moneybomb-inner.js. (If I had more time, I'd play with that to see if I could get it to cough up more information.) His JQuery seems to be up to date and he's running PHP on the server. (Again, with more time, I'd dig in further.) Paul uses a separate site, also written by CanDo.com, for donations (https://secure.randpaul.com/). The most interesting information in there seems to be some leftover code about "tickets" that's hidden from end users. (If I had more time, I might look for interesting overposting behavior there.)

  10. More live-debate commenting by PopeRatzo · · Score: 1

    Carly Fiorina just said we need "Uber, but for health care".

    Thoughts?

    --
    You are welcome on my lawn.
    1. Re:More live-debate commenting by Anonymous Coward · · Score: 3, Interesting

      Carly Fiorina just said we need "Uber, but for health care".

      In theory, the Democrats are generally more compassionate so I feel a certain social obligation to vote for them. But, on the personal issues that matter to me, the centrists Democrats have made a lot of unforced errors.

      As a biomedical research scientist who values individual freedom, Obama's stifling of (direct-to-consumer) personal genomics - e.g. what the FDA did to 23andMe - is going to make it very hard for me to vote for any of the "centrist" Democrats.

      There are other countries in the world where speech is seen as more dangerous than action - where porn is outlawed but prostitution is legal. But I think the USA really got it right with it's first amendment. When it comes to actions, particularly actions that can hurt or kill someone (even just selling someone a bad burrito), then government regulation is appropriate. But when it comes to pure speech - even for commercial purposes - then the government should do everything it can to stay out of the way. When medical diagnostic procedures are invasive and can cause harm just by themselves then regulation is appropriate. But for diagnostic procedures that involve low risk activities like spitting in a tube, there really needs to be a distinction between diagnosis and treatment. One of the reasons I voted for Obama was that he was billed as a scholar of constitutional law - who would presumably believe in freedom of speech - which makes his decision to shut down 23andMe particularly disappointing.

      And it's not just DTC personal genomics. One of the reasons that health care in the USA is so bad is because of certain key artificial monopolies imposed by the US government. In particular, the AMA works closely with the US government to create a severe shortage of medical doctors. Of course, this drives up wages for medical doctors. But patients have to pay much more for much less. And then the USA also imposes bizarre and dysfunctional artificial monopolies on medical drug production in the form of its horribly broken patent system.

      Supposedly Obama deserves all kinds of credit for reforming healthcare in the USA, but all he really did was layer on additional bureaucracy in the form of mandatory health insurance while failing to address the underlying market failures (e.g. dysfunctional artificial government imposed monopolies).

      So, while government funding for basic biomedical research has been the worst in many decades, Obama is also layering on all kinds of additional bureaucracy to stifle private sector innovation. I mean, good luck getting insurance reimbursement for 23andMe.

      Would the Republicans be better? Probably not. But the centrist Democrats sure ain't heroes either.

    2. Re:More live-debate commenting by drinkypoo · · Score: 5, Insightful

      As a biomedical research scientist who values individual freedom, Obama's stifling of (direct-to-consumer) personal genomics - e.g. what the FDA did to 23andMe - is going to make it very hard for me to vote for any of the "centrist" Democrats.

      As a person concerned with privacy, I cannot imagine why anyone would use 23andMe.

      One of the reasons I voted for Obama was that he was billed as a scholar of constitutional law - who would presumably believe in freedom of speech

      Don't presume.

      Supposedly Obama deserves all kinds of credit for reforming healthcare in the USA, but all he really did was layer on additional bureaucracy

      That's what government does.

      Would the Republicans be better? Probably not. But the centrist Democrats sure ain't heroes either.

      Correct. They're mostly a bunch of assholes. People with the courage to actually be far-left (or even far-right) are typically drummed out of government in a hot second.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:More live-debate commenting by drinkypoo · · Score: 2

      There are also downsides. But most people drive around in their cars with a big "license" plate on the back that has a unique identifier in large easily readable letters.

      Identification is not the problem. Nice straw man though.

      In a world where 20,000 children a day die of poverty,

      red herring

      it will be a long time before the governments of the world develop the resources and competence to misuse genetic information in a severe way.

      It already has ramifications for health care.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. We're not the MSM by Okian+Warrior · · Score: 4, Insightful

    Given that the Donald wants to force Christian law the entire USA [...]

    This is what I *hate* about political debate in this country. It's all sock-puppetry by people making unbased predictions about the other candidates. In previous elections, it started about 6 weeks before the election. At 2 weeks before, it reached fever pitch.

    Everyone and their dog argues back and forth "if *the other guy* get elected, they'll eat your babies and cancel Christmas!!!"

    Don't tell me what they *want*, and don't tell me what they'll *do*. Tell me what they *did*. Tell me what they *said*.

    Base your rhetoric on concrete information - what people have *done* and *said* - and maybe I'll listen. Saying that the democrats will raise taxes, that the republicans will kill social security, is simple guesswork by "some dude on the net".

    Trump said "wages too high", that's true - but what were the previous 3 words in that sentence?

    The totality of what he said, all six words and the following words to the end of the sentence, are worthy of discussion. The excised 3-words are not - that's just a childish emotional appeal.

    OH NO!!! Trump wants to reduce our wages!!!

    We're not the mainstream media, we're better than that. Let's have an honest and real discussion instead of childish pot-shots.

    1. Re:We're not the MSM by Okian+Warrior · · Score: 3, Informative

      "If I become president, we're all going to be saying Merry Christmas again, that I can tell you."

      And you translated that to "force Christian law the entire USA".

      Please stop posting political pot-shots. You're not very good at it.

    2. Re:We're not the MSM by Anonymous Coward · · Score: 1

      No, OzPeter did - you got your posters mixed up. PopeRatzo opened the thread with an invitation to discuss Trump's assertion that wages are too high, which doesn't seem like an unreasonable topic, even though I hardly ever agree with PopeRatzo on anything. OzPeter chimed in with a baseless extrapolation of Trump's quip about "Merry Christmas" greetings, which arguably is a political pot-shot.

      With respect to "wages are too high", it came right after "taxes are too high", so most of Trump's supporters will ignore it. When combined with his promises to bring manufacturing jobs back to the US, it essentially means "You'll have lots of low-paying drudge work under my administration", but nobody in the large media outlets is taking his declarations seriously enough to do even that sort of shallow analysis.

      With respect to the "Merry Christmas", he's pushing more political buttons, which is where he excels. In case you're not in the US, there's this (manufactured) meme here about a "war on Christmas", because starting a few years ago some large and medium retailers started directing their employees to say "Happy Holidays" (or similarly neutral phrasing) instead of "Merry Christmas". Why? Well, anyone with a lick of sense would see that they decided that making their Jewish/Muslim/whatever customers feel more included when they first walk in the door would be good for business. However, if you're Bill O'Reilly, it's all part of some vague conspiracy to marginalize Christianity; he didn't invent it, but he brought it to the forefront again a few years back. It's not clear how a US president could possibly force companies to start saying "Merry Christmas" again, given there are at least two strong arguments against such policy based on the first amendment; maybe a tax break/incentive. But that's moot speculation - he has no plan or intention of even trying any such thing, just pushing buttons.

      - T

    3. Re:We're not the MSM by dywolf · · Score: 2

      you could reduce taxes to zero, and it still wouldnt compensate for "wages too high".
      youre a fool to cheerlead for the fool with the hairdo

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    4. Re:We're not the MSM by dywolf · · Score: 1

      its not the first time he's parroted the 'war on xtians' bullshit

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    5. Re:We're not the MSM by TopherC · · Score: 1

      I just take this kind of comment from Trump as the usual "I'm not politically correct so get used to it" bluster. If we take his statement literally, I guess it would translate into an executive order that everyone must say "Merry Christmas" at a certain time on Dec 25, probably while kneeling and facing Bethlehem. :-) Hopefully that's crazy... I think it's just Trump being the expert demagogue he is.

      There is something to be said about excessive political correctness and hypersensitivity, but a U.S. President is not in a good position to take on cultural issues like that.

  12. The best candidate is... by nensondubois · · Score: 2

    Rand Paul but nobody is going to vote for him because they're obsessed with pop culture relics telling them otherwise. Weeeeeelp!

    --
    http://gamehacking.org/vb/threads/12747-nensondubois-codes http://twitter.com/nensondubois_
    1. Re:The best candidate is... by dywolf · · Score: 1

      explaining why he was wrong about why i wouldnt vote for Rand Paul isnt trolling.

      and neither is pointing out that he's pretty much like every other politician ever,
      despite his 'libertarian' label.

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    2. Re:The best candidate is... by dywolf · · Score: 1

      here's a (woefully incomplete) list of said flipflops:

      Rand Paul, serial panderer: 5 major flip-flops that reveal his brazen hypocrisy
      http://www.salon.com/2015/05/2...

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    3. Re:The best candidate is... by nensondubois · · Score: 1

      Hypocrisy is not going away as long as there are politicians, much less from anyone under pressure but he is still the least hostile towards civil liberties than any of the other candidates.

      Hilary is just going to continue the problems Obama started. Donald trump is going to give to big business and screw the average worker and one of those two are the most likely to be elected.

      --
      http://gamehacking.org/vb/threads/12747-nensondubois-codes http://twitter.com/nensondubois_
  13. Uh, he didn't make ANYTHING up by Anonymous Coward · · Score: 1

    Trump REALLY REALLY did say that. It REALLY REALLY means what he says.

    Just because it shows the clown up to be the idiotic crazy man he is, YOU have to assume it's unsupported scurrilous attack.

  14. No Store? by eedwardsjr · · Score: 1

    I pulled up the report and saw Carson had an 'A' site. Out of curiosity, I found the site. they stated it had no store. What thu heck is this: http://store.bencarson.com/

    1. Re:No Store? by ftexperts · · Score: 1

      Hi - I'm Jonathan Lampe, the author of the original research.

      >> they stated it had no store. What thu heck is this: http://store.bencarson.com/

      That's new to me; I did the research a full month ago and there was no store on Carson's page then.

      A quick look at Carson's store shows he's using a skinned instance of Shopify. Security-wise, I still think Carson's approach (brand a white-labeled version of an established ecommerce store) is a wise choice vs. the approach that some campaigns seem to have made (where they develop their own ecommerce site).

    2. Re:No Store? by Ice+Station+Zebra · · Score: 1

      How is that not the same as:

      Meanwhile, a different candidate rapidly built a large and complex web application that could have several undiscovered vulnerabilities (security experts call this a “large attack surface”). And not a single candidate returned my attempts to contact them about possible security vulnerabilities.

      ?

      Isn't Shopify a large an complex web application. Has anyone done a security audit on shopify or reviewed its source code?

    3. Re:No Store? by ftexperts · · Score: 1

      Jonathan Lampe (research author) again. These are good questions.

      >> Isn't Shopify a large an complex web application.

      Yes, like Hillary's site, Shopify is large and complex.

      >> Has anyone done a security audit on shopify or reviewed its source code?

      At the risk of sounding like a shill, I feel better about Shopify's security than Hillary's because:
      1) Shopify has a process to contact them about vulnerabilities (https://www.shopify.com/security-response) - Hillary didn't respond to my inquiry
      2) Shopify has a history of engaging with the security community and responding to complaints (https://hackerone.com/shopify) - Hillary doesn't have this
      3) Shopify has taken the time to become PCI-DSS compliant (https://www.shopify.com/pci-compliant) - Hillary doesn't have this
      4) Hillary's dev team is advertising a "shipped before perfect" (not exact phase) attitude and is still hiring security people to catch up with her fast-moving team - Shopify's been around a few years and, while they could also be moving fast, has hammered out well over a hundred security bugs in a more mature codebase

  15. Private email server is lilely _more_ secure by the+stapler · · Score: 1

    When you think about it, the government email servers are giant targets for hacking. Its not often reported, but the government systems get hit and experience a lot of downtime. A private, properly secured email server would get far fewer attacks and could be more stable. Just sayin'

  16. Re:Carson by JackieBrown · · Score: 1

    What's this "latin temper" you referred to? Go on, please explain. Also, Senator Rubio is currently 44 years old, which is not a "kid".

    It is just more racism from the left. He is a minority so they refer to him as a kid and then talk about his "latin" temper.

  17. Re:Lessig: Deliberately Downgraded? by ftexperts · · Score: 1

    >> if Dr. Lessig was downgraded on purpose because he is actively opposing [something]

    Hi - Jonathan Lampe, original research author here.

    To be honest I'd never even heard of Lessig until his name appeared on the list of "presidential candidates running WordPress" I borrowed from Bryan Quigley. I didn't spend any time researching the positions of Lessig or any of the other candidates; I just looked at their tech.

    (Pulls up spreadsheet with grading criteria.) It looks like I marked Lessig as the candidate with the least secure site because his WordPress site had the most problems: an out-of-date and vulnerable WordPress version, a username enumeration issue (which revealed 14 usernames), a default "admin" account, exposure of internal directory paths and an unprotected sign on page.

  18. Re:Carson by JackieBrown · · Score: 1

    He is referred to as a kid because he dramatically oversimplifies complex issues which is something children do.

    Like Obama? That was a major selling point for him. It made anyone that actually tried to go into detail look like they were bullshitting.

    It's part of his "common-sense" verbiage. "I think we can all agree on this common-sense approach".