New research found gaping security holes in several SuperPAC public websites – from weak or nonexistent encryption and open ports to old and outdated server platforms.
Security firm UpGuard assessed the security postures of top SuperPACs active in the 2016 US election and rated them with a FICO-like score between 0 and 950, with 950 as the most secure. Scores ranged from a low of 266 for the Conservative Solutions PAC and 409 for Priorities USA Action to a high of 836 for both Rebuilding America Now and NextGen Climate Action.
Websites of 501(c) groups, which are not required to disclose donor names publicly, scored on the high end security-wise. The National Rifle Association's 501(c) had the highest score among those groups, with 836, followed by the US Chamber of Commerce, 751; American Future Fund, 751; and Americans for Prosperity, 751.
Overall, SuperPACs scored similarly to other sectors. "They were average, not stellar, and not lower than what we see for websites in other groups," says Greg Pollock, vice president of product for UpGuard. "The interesting point will be what if these sites were breached. What would happen? There could be more identity and reputational damage."
These groups typically don't store payment card information, he notes, but SuperPACs can keep personal information of donors, for example. "The whole purpose of these organizations is to shroud who's giving money," so a breach could expose donors' identities, he notes.
SuperPACs are controversial political groups that can raise and spend unlimited funds and then use that money to independently campaign for or against a political candidate or party.
Pollock says his firm used its CSTAR risk assessment method when it analyzed the SuperPAC websites. The main weaknesses were a lack of transport encryption (no HTTPS), no email authentication to deter domain spoofing and phishing, and no DNSSEC adoption. One of the weakest sites had its MySQL port open to the internet. "It had its SSH port exposed," he says.
On the plus side, the NextGen Climate Action SuperPAC site, for example, was running NGINX, one of the more modern web platforms. "Some [others] were exposing their PHP version [software], with several headers showing," he says.
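The checks described in the two paragraphs above (missing HTTPS, weak or absent email authentication, no DNSSEC, version-revealing headers, and database or SSH ports answering from the internet) are the kind of external observations a scan like UpGuard's would collect. The script below is an added example, not UpGuard's CSTAR code, and it does not reproduce its weighting: it takes constructed observations for two hypothetical sites (WEAK_SITE and STRONG_SITE are made-up data, not any real SuperPAC's) and turns them into a list of findings. It goes slightly beyond the article by checking whether an SPF record actually constrains senders and whether a DMARC policy enforces anything, since a record that exists but says `+all` or `p=none` stops no phishing.

```python
import re

# Constructed observations for two hypothetical sites (not real SuperPAC data).
# Each record mirrors what an external scan would return: TLS availability,
# DNSSEC presence, DNS TXT records at the zone apex ("@") and at _dmarc,
# HTTP response headers, and TCP ports that answered from the internet.
WEAK_SITE = {
    "https": False,
    "dnssec": False,
    "txt": {"@": ["v=spf1 include:_spf.example.net +all"], "_dmarc": []},
    "headers": {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"},
    "open_ports": [22, 80, 3306],
}
STRONG_SITE = {
    "https": True,
    "dnssec": True,
    "txt": {
        "@": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    },
    "headers": {"Server": "nginx", "Strict-Transport-Security": "max-age=31536000"},
    "open_ports": [443],
}

# Listening services that have no business answering on a web host's public address.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
# Response headers that commonly carry a software version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict; None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def email_auth_findings(txt):
    """Flag missing or non-enforcing SPF and DMARC records."""
    findings = []
    spf = [r for r in txt.get("@", []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif not re.search(r"\s[-~]all\s*$", spf[0]):
        # '+all' or '?all' lets any host send as the domain; only -all / ~all constrain it.
        findings.append("SPF does not end in -all or ~all")
    dmarc = [d for d in map(parse_dmarc, txt.get("_dmarc", [])) if d]
    if not dmarc:
        findings.append("no DMARC record")
    elif dmarc[0].get("p", "none").lower() == "none":
        findings.append("DMARC policy p=none (monitor only, nothing is rejected)")
    return findings


def header_findings(headers):
    """Flag version disclosure in response headers and a missing HSTS header."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in VERSION_HEADERS:
        if name in lower and re.search(r"\d+\.\d+", lower[name]):
            findings.append(f"{name} header discloses version: {lower[name]}")
    if "strict-transport-security" not in lower:
        findings.append("no HSTS header")
    return findings


def port_findings(open_ports):
    """Flag administrative or database ports reachable from the internet."""
    return [f"{SENSITIVE_PORTS[p]} (tcp/{p}) reachable from the internet"
            for p in sorted(open_ports) if p in SENSITIVE_PORTS]


def assess(site):
    """Return every finding for one site's observations, in a fixed category order."""
    findings = []
    if not site["https"]:
        findings.append("no HTTPS")
    if not site["dnssec"]:
        findings.append("no DNSSEC")
    findings += email_auth_findings(site["txt"])
    findings += header_findings(site["headers"])
    findings += port_findings(site["open_ports"])
    return findings


if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("strong", STRONG_SITE)):
        print(f"{name}: {len(assess(site))} finding(s)")
        for finding in assess(site):
            print("  -", finding)
```

Run against real hosts, the same functions would be fed by a TLS probe, DNS TXT lookups for the apex and `_dmarc` label, a DNSSEC validation check, the headers from one HTTP request, and a port scan of the handful of ports listed; none of that requires authentication, which is the point of an external posture score.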
Overall, SuperPAC sites have better security postures than healthcare websites UpGuard has assessed. And so far, no major incidents: "We have no indicators" that any of the SuperPAC sites have been breached, he says.
Efforts to reach the lowest-scoring SuperPACs, Conservative Solutions PAC and Priorities USA Action, were unsuccessful as of this posting.
The other SuperPACs UpGuard scored by risk: Get Our Jobs Back, 399; For Our Future, 475; Congressional Leadership Fund, 513; Right to Rise USA, 523; Senate Leadership Fund, 561; Senate Majority, 561; and House Majority PAC, 561.