Slashdot Mirror


US House Candidates Vulnerable To Hacks, Researchers Say (reuters.com)

About 30 percent of House candidates running for office this year have significant cybersecurity issues with their campaign websites, according to a new study. Reuters: The research was unveiled on Sunday at the annual Def Con security conference in Las Vegas, where some attendees have spent three days hacking into voting machines to highlight vulnerabilities in technology running polling operations. A team of four independent researchers led by former National Institute of Standards and Technology (NIST) security expert Joshua Franklin concluded that the websites of nearly one-third of U.S. House candidates, Democrats and Republicans alike, are vulnerable to attacks. NIST is a U.S. Commerce Department laboratory that provides advice on technical issues, including cyber security. Using automated scans and test programs, the team identified multiple vulnerabilities, including problems with the digital certificates used to verify secure connections with users, Franklin told Reuters ahead of the presentation. The warnings about the midterm elections, which are less than three months away, come after Democrats have spent more than a year working to bolster the cyber defenses of the party's national, state and campaign operations.

35 comments

  1. "Hack" by Anonymous Coward · · Score: 0

    Are these the same fake HTML "hack" vulnerabilities exploited by dozens of children at DefCon that /. reported earlier today?

  2. Re:ANTIFA by Anonymous Coward · · Score: 0

    f u bitch

  3. Extremely misleading article. by Anonymous Coward · · Score: 1, Insightful

    This article is misleading and poorly written. Those house members are NOT vulnerable and never have been. No proof was provided and all sources were obviously biased towards Democrat party Clinton and Soros fundeds. This writeup of bad journalism is example again of why many regular Americans see mainstream media as enemy of people, and not friend.

    1. Re: Extremely misleading article. by peragrin · · Score: 1

      It is misleading since nothing of real value can be done to those websites.

      It is the old xkcd.
      https://xkcd.com/932/

      I don't hide tricks using links.

      --
      i thought once I was found, but it was only a dream.
    2. Re: Extremely misleading article. by Anonymous Coward · · Score: 0

      I agree. And even if they get hacked by Russians, let's say... so what? Better to be Russian than Democrat.

    3. Re:Extremely misleading article. by Plus1Entropy · · Score: 1

      You've got an interesting way of speaking. If I had to guess I'd say... Minnesota?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    4. Re:Extremely misleading article. by Anonymous Coward · · Score: 0

      Found the libtard. All conspiracy is of Russia, huh? You would think that you idiots learned your lessons in 2016, but this year you will learn again the hard way and then blame it on more made up conspiracies about Russia. Sad.

    5. Re:Extremely misleading article. by Plus1Entropy · · Score: 1

      Who said anything about Russia?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    6. Re:Extremely misleading article. by Anonymous Coward · · Score: 0

      ivan is illiterate and just saw the "M"

    7. Re:Extremely misleading article. by Plus1Entropy · · Score: 1

      The M which stands for... Russia?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    8. Re:Extremely misleading article. by Anonymous Coward · · Score: 0

      Stands for Matushka (Rossiya).

    9. Re: Extremely misleading article. by Anonymous Coward · · Score: 0

      I will laugh at the libtard tears when Republicans win big again because all libtards have is the Russia hoax.

    10. Re: Extremely misleading article. by Anonymous Coward · · Score: 0

      go choke on Putin's cock faggot

    11. Re:Extremely misleading article. by sabbede · · Score: 1
      Biased towards Democrats? Read it again - it makes the DNC's security people look like ineffectual dolts. They aren't requiring or enforcing secure practices, they're asking people to pledge that they're following basic (yet still insufficient) standards. Are they running audits to make sure? NO! They're sending out a survey.

      Even if it is biased towards them, it's done in such an unintentionally backhanded way that it only ends up making the DNC look like a pack of idiots.

    12. Re:Extremely misleading article. by Anonymous Coward · · Score: 0

      The victim mentality among conservatives these days is just baffling. I realize this started with talk radio and got amplified by Trump, but they seem to think that white male Christians are somehow at a huge disadvantage in this country despite all evidence to the contrary.

  4. Seems the DNC is ready. by bob4u2c · · Score: 2

    Since Krikorian joined the DNC a year ago, the party has moved email and data storage to Google cloud and replaced most Windows computers with easier-to-defend Apple hardware and Google Chromebooks, he said.

    Ahh, security by moving things into the cloud and using a different OS. That should fix everything. As we all know nobody has ever gotten hold of cloud data and there are viruses/vulnerabilities for Mac; at least that's what my users tell me.

    1. Re:Seems the DNC is ready. by JackieBrown · · Score: 3, Informative

      Which is funny since the DNC breach was due to them falling for a phishing scheme and had nothing to do with OS security.

    2. Re:Seems the DNC is ready. by Anonymous Coward · · Score: 0

      Everyone knows phishing attacks don't work on a Macintosh.

    3. Re:Seems the DNC is ready. by Anonymous Coward · · Score: 0

      Since Krikorian joined the DNC a year ago, the party has moved email and data storage to Google cloud and replaced most Windows computers with easier-to-defend Apple hardware and Google Chromebooks, he said.

      Ahh, security by moving things into the cloud and using a different OS. That should fix everything. As we all know nobody has ever gotten hold of cloud data and there are viruses/vulnerabilities for Mac; at least that's what my users tell me.

      Pick and choose again. Even though I kind of agree that their practice isn't enough, I prefer to discuss it as a whole.

      The party also requires staff to fill out monthly surveys pledging that they are following key security practices, including use of two-factor authentication for personal accounts, long and unique passwords, and encryption on computers. They are also asked if they are running operating systems and application software with up-to-date security patches.

      They attempt to use an honor system. It is good if everyone follows the practice. However, do they plan to handle the case when someone fails to follow it for whatever reason? And what will their action be? Firing the person does not undo the damage from the breach anyway.

      The party uses software from San Francisco-based Okta that grants access to DNC systems only after testing devices to confirm the identity of users and verify they are not running malicious software.

      This is vague. It looks like they put their trust in the software. I hope they are right. If the software is compromised, I do not know what their plan is going to be.

      The biggest change has been psychological, as staffers and volunteers are trained to assume that the network has been breached, avoid putting the most sensitive information in emails and use end-to-end encrypted messaging like Signal.

      Again, people are humans. At some point, someone will fail. It could get to the point that someone feels comfortable enough to put sensitive info on the communication again. Who knows?

  5. They are hacks? by Oswald McWeany · · Score: 3, Insightful

    Vulnerable to hacks? My local representative IS a hack!

    --
    "That's the way to do it" - Punch
  6. Problems with Digital Signatures by roccomaglio · · Score: 4, Interesting

    From the article: "Using automated scans and test programs, the team identified multiple vulnerabilities, including problems with digital certificates used to verify secure connections with users, Franklin told Reuters ahead of the presentation." This may or may not be an issue. If the site is simply providing information and/or collecting email addresses this is not really an issue. If the site is collecting credit card info it would be an issue, but that is usually done through a third party. Basically they ran something that tested the website's SSL implementation, and without more information we cannot determine if that is really an issue.

    1. Re:Problems with Digital Signatures by Anonymous Coward · · Score: 0

      This article is probably nonsense.

      That said, about 10 years ago I noticed the Utah State website for the Democratic Party was running Drupal and had left a PHP filter enabled for anyone to post content (like comments) with. So basically you could just feed in PHP code into the comment previewer and tell the site to do whatever you wanted, including create/change accounts, passwords, database content, etc...

      Despite not being on their side politically, after validating it worked how it looked like it would work, I contacted them and let them know of the vulnerability. I'm pretty sure they eventually fixed it (all they had to do was uncheck PHP execution as an option for their available editors for anyone not an admin), but not within the couple of months I checked back to look at it.

      A lot of these political sites are built by total amateurs just to get something up and working, especially for smaller campaigns. I wouldn't expect them to even be at the level of a normal small business, which at least has a longer term business reputation to care about and an expectation that it has to be effective past the next election.
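  The thread above argues about what "problems with digital certificates" from an automated scan actually means. The script below is an added example, not the researchers' scanner or anything from the Reuters story: it builds two constructed self-signed certificates locally and runs the four checks such a scan typically reduces to (expiry window, hostname match against the SAN, chain of trust, RSA key size). The site name www.example-campaign.org, the file names and the 30-day expiry threshold are assumptions; it needs only a POSIX shell and OpenSSL 1.1.1 or later, and never touches the network.

```shell
#!/bin/sh
# Added example (not from the article or the researchers' scanner): the
# certificate checks an automated scan of a campaign website would apply,
# run offline against two constructed self-signed certificates. The
# hostname www.example-campaign.org and the file names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data. "good" is what a correctly configured site
# presents: issued to the name being visited, a year of validity, 2048-bit
# RSA. "bad" has every defect the checks below look for: wrong name,
# expiring within a day, 1024-bit key, and issued by nobody we trust.
mkcert() {  # mkcert NAME DNSNAME DAYS BITS
  openssl req -x509 -newkey "rsa:$4" -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkcert good www.example-campaign.org 365 2048
mkcert bad  staging.example-campaign.org 1 1024

# Each check returns 0 when the certificate passes and non-zero otherwise.

# check_expiry CERT SECONDS: is CERT still valid SECONDS from now?
check_expiry() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# check_hostname CERT HOST: does HOST match the SAN (or CN) in CERT?
# -checkhost always exits 0, so the verdict has to be read from its output.
check_hostname() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# check_chain CERT CAFILE: does CERT chain to a certificate in CAFILE
# (or the system store)? A self-signed cert from elsewhere will not.
check_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# check_keysize CERT MINBITS: is the RSA public key at least MINBITS?
check_keysize() {
  bits=$(openssl x509 -in "$1" -noout -text |
         sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$2" ]
}

# scan_cert CERT HOST CAFILE: run every check as a scanner would for a
# site reached as HOST, printing one line per finding (nothing if clean).
scan_cert() {
  check_expiry "$1" $((30 * 86400)) || echo "expires within 30 days"
  check_hostname "$1" "$2"          || echo "certificate name does not match $2"
  check_chain "$1" "$3"             || echo "does not chain to a trusted CA"
  check_keysize "$1" 2048           || echo "RSA key shorter than 2048 bits"
}

# Stand-alone report: treat good.pem as the only trusted root and scan
# both certificates as if the visitor typed www.example-campaign.org.
for name in good bad; do
  echo "== $name.pem presented for www.example-campaign.org =="
  scan_cert "$WORK/$name.pem" www.example-campaign.org "$WORK/good.pem" |
    sed 's/^/  finding: /'
done
```

  Every one of these findings is what the thread calls a "problem with digital certificates", and the script makes the point the comment above is making: a name mismatch or an untrusted chain means a browser will warn the visitor away from the site (or a phisher can impersonate it), while an expiring cert on a brochure site is a nuisance until the day it lapses. The scan output alone does not say which case applies; someone still has to look at what the site does.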

  7. Easy fix: by Tablizer · · Score: 1

    Just get your own private email server.

    1. Re:Easy fix: by Anonymous Coward · · Score: 0

      Just get your own private email server.

      Worked great for Hillary now didn't it?

    2. Re:Easy fix: by Tablizer · · Score: 1

      The State Dept. regular email server did get hacked, but hers did not (as far as known).

    3. Re:Easy fix: by Anonymous Coward · · Score: 0

      But her emails...

  8. Similar survey of 2016 Senate web sites by xxxJonBoyxxx · · Score: 1

    Similar survey of 2016 Senate web sites
    http://cybertical.com/2016-senate-cybersecurity.html

  9. The floor is lava by Impy the Impiuos Imp · · Score: 3, Funny

    US House Candidates Vulnerable To Hacks, Researchers Say

    Well, hacked water heaters are a danger. Why not hacked air heaters?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:The floor is lava by Anonymous Coward · · Score: 0

      Because air's specific heat is so much lower, they'll start a lot of fires before they cause a single blackout.

  10. I agree, your rep is a hack. by Anonymous Coward · · Score: 0

    Mine was elected through a special election last year with over $54M spent combined by both parties.
    I sent her to Washington to do one thing that is screwing my family and hers for $700/month extra before that law was passed. She claimed her family was paying over $1500/month more and I believed her.

    I wanted the ACA repealed. Don't care if they replace it or not.

    She didn't make that happen. I've been unhappy with almost everything else she and her party have done since she was elected.

    Sadly, the other party is worse on 60% of things.

    All politicians who accept PAC or corporate money need to be voted out.

  11. DNC still doing a really bad job by sabbede · · Score: 1
    I don't know about y'all, but my users are required to use long, secure passwords and MFA. It's enforced by policy and audited. Users have no choice in the matter. Computers are managed and patched by me, not users.

    The DNC, which has had some rather famous problems, is doing this about it:

    The party also requires staff to fill out monthly surveys pledging that they are following key security practices, including use of two-factor authentication for personal accounts, long and unique passwords, and encryption on computers. They are also asked if they are running operating systems and application software with up-to-date security patches.

    So, after devastatingly embarrassing hacks, the DNC's response is to have users promise they're following good practices? Not best practices, not CSC guidelines, not NIST recommendations, just a pledge? A PLEDGE??