At least 18 cybersecurity issues were found on 16 different presidential candidates’ web sites, including “known vulnerabilities” on 5 candidates’ websites; 11 websites that “leaked a complete list of administrative and contributing usernames (over 120 usernames, including several ‘admin’ users)”; and 2 websites that leaked internal paths, according to research performed by the InfoSec Institute, an IT Security training company.
According to the report, Donald Trump ties with Hillary Clinton with a “B,” while Jeb Bush and Bernie Sanders “split the undercard” with a “C” grade. Ben Carson walked “away as the winner” with an “A.”
While the candidates did not “respond to inquiry about reporting security vulnerabilities,” the report stated, “On the positive side, all candidates’ sites smartly required HTTPS, the security technology long advocated by consumer privacy advocates and security experts. Three locked down their sites or at least planned to, four outsourced financial donations to experts, and all five used ‘content delivery network’ technology to reduce the chances that a single hack could take them down.”
“On the negative side,” the report continued, “two candidates ran unsecured WordPress sites that exposed lists of users and other information. One other candidate might be running an old WordPress plug-in and all three WordPress users left their ‘sign on’ pages unguarded. Meanwhile, a different candidate rapidly built a large and complex web application that could have several undiscovered vulnerabilities (security experts call this a ‘large attack surface’).”
“Cybersecurity is still a foreign concept to most presidential candidates if we judge them by the security of their campaign web sites,” Homeland Security Today was told by Jonathan Lampe, product manager for InfoSec Institute, who conducted the research for the report, Which Top 5 Presidential Candidate is Most Likely to Be Hacked?
“In fact,” Lampe said, “Most of the 16 sites I reviewed exposed complete lists of usernames, five appeared to have vulnerabilities, and three still had their default admin account in place. Perhaps worst was the fact that none of the campaigns ever replied” to his inquiries.
“Many presidential campaigns are staffed with ‘digital experts’, but as we can see, that’s no guarantee that they understand the technology they’re using,” Lampe said, noting, “The problems I saw in my review were largely the result of unsafe default settings, leaving the original administrative users in place and neglecting to keep Internet-exposed software up to date.”
Disturbingly, Lampe pointed out to Homeland Security Today, “Any IT person who’s been through a security awareness program should have been able to catch simple mistakes like these, yet they were present on almost every candidate’s website.”
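The WordPress findings above (exposed user lists, a default “admin” account left in place, unguarded sign-on pages) all come from stock settings that a site owner can change. The following must-use plugin is an added example written for this article; it is not code from the InfoSec Institute report or from any campaign site, and it assumes a standard WordPress install where the file is dropped into wp-content/mu-plugins/. It closes the two usual username-enumeration routes (the /?author=N redirect and the unauthenticated REST users endpoint), stops the login form from confirming which half of a credential was wrong, and logs a warning if a user literally named “admin” still exists.

```php
<?php
/*
 * Plugin Name: Campaign Site Hardening (example, not from the original report)
 * Description: Blocks common WordPress username-enumeration paths and
 *              flags a leftover default "admin" account.
 */

// 1. Author archives: /?author=1 normally 301s to /author/<login>/,
//    which reveals the login name of user ID 1. Send unauthenticated
//    visitors home instead.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );

// 2. REST API: /wp-json/wp/v2/users lists every user who has published
//    content. Remove the endpoint for anyone who is not logged in.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Login page: the default error text says whether the username or
//    the password was wrong, which confirms valid usernames. Replace it
//    with a single generic message.
add_filter( 'login_errors', function () {
    return 'Invalid login credentials.';
} );

// 4. Default account check: warn site administrators in the dashboard
//    if a user with the login "admin" still exists.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( get_user_by( 'login', 'admin' ) !== false ) {
        echo '<div class="notice notice-error"><p>'
           . esc_html__( 'A user with the default login "admin" still exists. Create a new administrator and delete or rename this account.' )
           . '</p></div>';
    }
} );
```

Items 1 to 3 are pure configuration and take effect as soon as the file is in place; item 4 only warns, because renaming or deleting an administrator is a decision the site owner should make deliberately (reassigning its content first). Keeping WordPress core and plugins updated, the third cause Lampe names, is not something a plugin like this can do for you.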
The security tests Lampe performed were, according to his report, “similar but not identical reconnaissance on the public-facing websites of each candidate, including their volunteer registration, merchandise stores and donation forms … research was similar because I looked at how securely each site seemed to perform key functions, but was not identical because each site used different technology to perform each function.”
“More specifically, I looked at the quality, type and age of each web server and web application I could find,” Lampe said in his report, adding, “I also followed technology trails to cloud service providers used to provide shopping, donation, sign up or other services (except marketing or tracking). Finally, I inspected each site’s ‘content distribution’ and transport-level (i.e., HTTPS) security services.”
Discussing Carson’s grade “A” website, Lampe’s report stated: “To the novice researcher, Carson’s website could seem like a bit of an enigma since it does not wear its identity on its sleeve like the sites of other candidates. However, the heavy use of ‘hs’ tags throughout the site and links to other Hubspot marketing resources give the site’s identity away.”
Nevertheless, “The site is tightly written, does little and outsources its major functions to other sites. From a security perspective, this approach helps reduce the site’s attack surface and makes it more difficult for hackers to mount an attack against it. Hubspot itself has a short history of vulnerabilities but it has also demonstrated the ability to identify and close them quickly.”
Furthermore, “Unlike the other top five candidates, Carson doesn’t have an online store. His donations are handled entirely by Spark eCommerce and his volunteer registration is handled entirely by HubSpot.”
“Altogether, Carson’s decisions to minimize his attack surface and outsource services to experts afford him the best grade in my research,” Lampe said.