[ISN] Congratulations, Barack - Now fix your websites
InfoSec News
alerts at infosecnews.org
Thu Nov 20 01:06:07 CST 2008
http://www.theregister.co.uk/2008/11/20/barack_obama_website_insecurity/
By Dan Goodin in San Francisco
The Register
20th November 2008
President elect Barack Obama's embrace of online video and social
networking may have propelled him to victory, but unless he's careful,
his administration could be brought down by the same sloppy security
problems that have plagued MySpace, Facebook, and dozens of other Web
2.0 properties.
A cursory look at Change.gov and MyBarackObama reveal enough amateur
mistakes to make even the most ardent supporters wonder just who in the
heck is in charge of security. For one, the content management system
for both of the sites is easily accessible to anyone. And as far as we
can tell, neither page is protected by secure sockets layer - the "s"
following a web address's "http" that assures you the connection is
encrypted.
Security 101 would dictate that pages this sensitive should be
restricted to select internet protocol addresses, or at the very least,
encrypted to prevent so-called man-in-the-middle attacks. There are no
such protections on Change.gov or MyBarackObama, the latter suggesting
that this lack of attention to security has been allowed to persist for
some time now.
Even more troubling is the discovery that administrative pages for both
sites are linked to Google Analytics. This is a hard configuration to
make sense of. It means that Google, a private company with important
business before the US government, has complete administrative access to
one of the government's most important websites. It would also appear to
run contrary to this privacy policy pledging "not to make Personal
Information available to anyone other than our employees, staff, and
agents."
[...]
More information about the ISN
mailing list