
2008 Election Candidates Vulnerable, Researcher Says

Campaign sites could fall victim to contribution theft, identity fraud, misinformation, or denial of service

On the eve of Super Tuesday, one security researcher is asking a simple question: Just how safe are the candidates' online campaign and contribution sites?

The answers suggest there is cause for concern.

Presidential campaign computer systems and Websites, many of them built quickly by IT volunteers in temporary facilities, may be easy targets for vandalism and theft, according to Oliver Friedrichs, director of emerging technologies at Symantec's Security Response unit.

Friedrichs will publish his findings in an upcoming Symantec security book and will discuss them in a presentation at the Black Hat DC briefings in Washington later this month.

In an interview, Friedrichs said he began the research because he saw that the 2008 presidential candidates were relying much more heavily on Internet contributions and information distribution than they had in the 2004 campaign. "If this can't be done securely, voters may lose confidence in their ability to get information or make contributions online," he said.

Both Ron Paul and John Edwards had days when they collected more than $3 million in donations on the Web, most of them in small increments of less than the $2,300 individual campaign donation limit.

In his research, Friedrichs found that many of the candidates had not done an adequate job of researching and registering potential domain names that supporters or contributors might encounter by mistake. These domains might easily be registered by detractors or identity thieves, a practice known widely as "typosquatting."

"We looked at sites like 'muttromney.com' and 'hillaryclingon.com,' and we found that only a couple of the 19 candidates who began the race had protected themselves," Friedrichs said. "Some of the typo sites were owned by advertisers, or even detractors of the candidate."
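The domain review described above can be sketched as follows. This is an added example, not code from the article or from Friedrichs's research: it lists the one-slip typos of a campaign domain that the campaign does not already hold. The base names `mittromney` and `hillaryclinton` are inferred from the typo sites quoted above, and the `owned` set and all function names are assumptions.

```python
# Added example, not from the article: list one-slip typo domains a campaign
# could register or monitor. Base names and the "owned" set are assumptions.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]  # QWERTY letter rows

def neighbours(ch):
    """Letters next to ch on the grid above (approximate; ignores key stagger)."""
    out = set()
    for r, row in enumerate(ROWS):
        c = row.find(ch)
        if c < 0:
            continue  # ch is not on this row (or is a digit or hyphen)
        for rr in range(max(r - 1, 0), min(r + 2, len(ROWS))):
            out.update(ROWS[rr][max(c - 1, 0):c + 2])
    out.discard(ch)
    return out

def typo_variants(label):
    """Map each single-slip typo of label to the kind of slip that produces it."""
    found = {}
    for i, ch in enumerate(label):
        found.setdefault(label[:i] + label[i + 1:], "omission")
        found.setdefault(label[:i] + ch + label[i:], "doubled letter")
        if i + 1 < len(label) and ch != label[i + 1]:
            swapped = label[:i] + label[i + 1] + ch + label[i + 2:]
            found.setdefault(swapped, "transposition")
        for n in sorted(neighbours(ch)):
            found.setdefault(label[:i] + n + label[i + 1:], "adjacent key")
    return found

def registration_gaps(domain, owned):
    """Typo domains the campaign does not hold, as sorted (domain, kind) pairs."""
    label, _, tld = domain.lower().partition(".")
    gaps = []
    for variant, kind in sorted(typo_variants(label).items()):
        # Skip strings that are not valid host labels.
        if not variant or variant.strip("-") != variant:
            continue
        candidate = f"{variant}.{tld}"
        if candidate not in owned:
            gaps.append((candidate, kind))
    return gaps

if __name__ == "__main__":
    owned = {"mitromney.com"}  # constructed: a typo the campaign already holds
    for name, kind in registration_gaps("mittromney.com", owned):
        print(f"{kind:15} {name}")
```

Both typo sites quoted in the article come out as adjacent-key slips, the class a keyboard-aware review catches and a simple misspelling list can miss.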

A phisher could easily set up a credible-looking site on one of these typo domains and solicit contributions from visitors, essentially stealing or rerouting the money from the candidate, Friedrichs explained. "Detractors of the candidate could set up the sites to spread misinformation, spyware, or even malware," he said.

Such attacks would not be unprecedented, Friedrichs warned. In the 2004 campaign, phishers found a way to reroute some of John Kerry's traffic to a different Website, he said.

Other attacks might also be possible, Friedrichs stated. Researchers earlier this year discovered a cross-site scripting vulnerability in Mitt Romney's Website that might have allowed an attacker to alter the content on the site, he said. "Something like that could allow a detractor to make a subtle change in the candidate's stance on, say, abortion," Friedrichs said. "We haven't seen it done yet, but it certainly is possible."

Of course, some sites may also be open to more traditional political attacks, such as defacement or denial of service, Friedrichs observed. Joe Lieberman's campaign experienced such an attack in 2006, he noted. "It essentially paralyzed the campaign systems and froze email as well -- the campaign workers had to use their personal accounts to keep things going."

The problem, in part, is that most candidates don't have many IT resources, Friedrichs observed. In the early stages of a campaign, many candidates rely on volunteers or third-party services that might not know their systems. But as candidates collect more and more of their contributions online, these hastily laid IT infrastructures may become increasingly attractive targets for thieves or attackers, he said.

So far, Friedrichs hasn't found any evidence to suggest that candidates or their campaign staffs are intentionally trying to sabotage their opponents' sites or redirect their contributions. "I think what we've seen so far has been perpetrated by extremists or actual thieves," he said.

Friedrichs has not done any research yet into the much-ballyhooed topic of voting machine fraud, either through local or remote hacks. Earlier this year, a report suggested that voting machine hacks may have helped Hillary Clinton win the New Hampshire primary, in which Barack Obama was heavily favored. (See Did Hackers Win It for Hillary?)

"There's been so much research on the voting machine issue that I wasn't sure we could add anything to that," he said. "But the whole question of vulnerabilities in campaign systems really hasn't gotten much attention."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
