It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
The United States sees evidence that hackers, possibly working for foreign governments, are snooping on the presidential candidates, the nation's intelligence chief said Wednesday. Government officials are working with the campaigns to tighten security as the race for the White House intensifies.
In October, he evaluated the security of sixteen candidates' websites and wrote a pair of 20-page reports. Using the reconnaissance skills of a casual hacker, Lampe pulled full lists of site user names and technologies used on most sites. In some cases, he discovered which directories were accessible from the Internet and which weren't. He learned what software products Hillary Clinton campaign's used from a job posting soliciting a computer-wise staffer.
"If they shut down a candidate's website, I mean OK. So what? It impacts fundraising for 24 to 48 hours," Miller said. "It's the sensitive information that's the driver on this one."
Hillary Clinton (Leading Democrat) Despite her campaign’s woman-first messaging, Clinton’s website seems to be built on a stereotypical “brogrammer stack” of Node.js, Rudy and other technologies in a git-based continuous integration environment. I gleaned much of that information before I even looked at the site since Clinton’s technologies are well documented in the job descriptions of the DevOps and Engineering Manager positions open on her IT team.
Clinton’s custom application encompasses all major functions of a campaign website, including her store, donations, and volunteer registration, though some ecommerce and credit card functions seem to be built on top of Shopify. This approach affords Clinton’s campaign excellent control over the appearance of her site and the information it exchanges with its users, but the control comes with the risk of having a relatively large attack surface.
Shopify is used to power the store on Hillary Clinton’s web site.
Hillary Clinton’s site uses a web service called “The Claw” to reset a password. and some use OAuth authentication. Unfortunately, the use of these varied technologies by a dev team that lives by the motto of, “ship early and often; done is always better than perfect” creates the potential for an attack surface that is much larger than that of other candidates.
On the other hand, there are signs that the Clinton team is taking some security precautions. The site itself seems to be running a piece of “obfuscation” software called “varnish” that regularly lies about its identity so would-be hackers would have a harder time locking on with a targeted attack. At the time of my research, Clinton’s code relied on JQuery 2.1.3, just one minor version behind cutting edge, which suggests that the team’s continuous integration process is successfully getting new versions of software (and their security fixes) published. There were also openings on the team for pair of Security Engineers and a security lead to look for vulnerabilities in the code the rest of the developers publish and in the systems that run the sites.
Hillary Clinton’s web site appears to use software called “varnish” to obfuscate (or lie about) the identity of the web server (e.g., “Server: AmazonS3”), and runs a modern version of JQuery