http://www.theregister.co.uk/2008/11/20/barack_obama_website_insecurity/
By Dan Goodin in San Francisco
The Register
20th November 2008
President elect Barack Obama's embrace of online video and social
networking may have propelled him to victory, but unless he's careful,
his administration could be brought down by the same sloppy security
problems that have plagued MySpace, Facebook, and dozens of other Web
2.0 properties.
A cursory look at Change.gov and MyBarackObama reveal enough amateur
mistakes to make even the most ardent supporters wonder just who in the
heck is in charge of security. For one, the content management system
for both of the sites is easily accessible to anyone. And as far as we
can tell, neither page is protected by secure sockets layer - the "s"
following a web address's "http" that assures you the connection is
encrypted.
Security 101 would dictate that pages this sensitive should be
restricted to select internet protocol addresses, or at the very least,
encrypted to prevent so-called man-in-the-middle attacks. There are no
such protections on Change.gov or MyBarackObama, the latter suggesting
that this lack of attention to security has been allowed to persist for
some time now.
Even more troubling is the discovery that administrative pages for both
sites are linked to Google Analytics. This is a hard configuration to
make sense of. It means that Google, a private company with important
business before the US government, has complete administrative access to
one of the government's most important websites. It would also appear to
run contrary to this privacy policy pledging "not to make Personal
Information available to anyone other than our employees, staff, and
agents."
[...]
______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org
Received on Nov 19 2008
Intro
