IDG News Service
June 11, 2008
Two months after their Web site was hacked, the organizers of Barack
Obama's presidential campaign are looking for a network security expert
to help lock down their Web site.
"Obama for America is looking for a network security expert who wants to
play a key role in a historic political campaign," reads the ad, posted
to the Barackobama.com Web site.
The requirements are pretty much what you'd read in any e-commerce
security help-wanted ad: VPN (virtual private network) and Unix or Linux
experience, along with a "deep understanding" of LAMP (Linux, Apache,
MySQL and Perl) development. And of course, the successful candidate
must be willing to "respond off-hours to high urgency security
Successful candidates will join Obama's Boston team and should expect to
find a new job come November.
Security experts said this is the first time they can remember seeing a
Web security job advertised for a political campaign. In fact, Internet
security has not always been a priority on political Web sites,
according to Paul Ferguson, a network architect with computer security
company Trend Micro. "Normally, I don't think they've paid much
attention to it," he said.
Obama's Web site, built by Facebook cofounder Chris Hughes, has been the
model of Web 2.0 campaigning, using social-networking techniques to
raise funds and build a broad base of active, Internet-savvy supporters.
But security experts have long warned that powerful Web site features
also open new avenues for attack.
With the Internet driving the majority of the campaign's contributions,
Web security is probably more important to Obama than it has been to any
other presidential candidate. A Web outage could cost his campaign
millions of dollars, and a widely publicized privacy breach could put
the brakes on his most important source of cash.
"The Obama campaign has got a bigger bull's-eye on them now that they've
stitched up the nomination," Ferguson said. "It's worth their time to be
more security conscious."
In April, a programming error allowed a Hillary Clinton supporter to
redirect part of Obama's Web site to Clinton's, but today's Web attack
techniques could lead to much more serious consequences.
"Attacks like SQL injection would be far more of a concern," said Oliver
Friedrichs, a director with Symantec Security Response who has written
about computer security and the 2008 presidential election. "If I was
able to get access to the database that houses their donor information,
that would be very concerning."
So-called SQL injection attacks take advantage of programming errors and
allow attackers to get unauthorized access to parts of a Web site. They
can be used to install malicious software or gain access to sensitive
Obama's site isn't the only one to suffer from Web security bugs. A
similar flaw popped up in Mitt Romney's site in January, and Hillary
Clinton's name was used in a spam campaign that delivered messages laced
with malicious Trojan Horse software programs, Friedrichs said.
Internet security is always a top priority for political campaigns, even
if security jobs are not always advertised, said Henry Poole, founder of
the Internet campaign consultancy CivicActions. "We've always had
somebody looking at the security issues," he said. "Maybe it's just an
issue of the Obama campaign being more transparent."
While Web defacements and denial of service attacks may be the most
common security problems, a Web privacy breach could quickly become a
major campaign issue, Poole said. "For a big office, things like the
reputation of the candidate are really important," he said.
Obama's campaign staff did not respond to requests for comment on this
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com