Obama campaign hopes for better Web security

by Robert McMillan

June 11, 2008 —

Two months after their Web site was hacked, the organizers of Barack Obama's
presidential campaign are looking for a network security expert to help lock
down their Web site.

"Obama for America is looking for a network security expert who wants
to play a key role in a historic political campaign," reads the ad, posted
to the Barackobama.com Web site.

The requirements are pretty much what you'd read in any e-commerce security
help-wanted ad: VPN (virtual private network) and Unix or Linux experience,
along with a "deep understanding" of LAMP (Linux, Apache, MySQL and
Perl) development. And of course, the successful candidate must be willing to
"respond off-hours to high urgency security situations."

Successful candidates will join Obama's Boston team and should expect to find
a new job come November.

Security experts said this is the first time they can remember seeing a Web
security job advertised for a political campaign. In fact, Internet security
has not always been a priority on political Web sites, according to Paul Ferguson,
a network architect with computer security company Trend Micro. "Normally,
I don't think they've paid much attention to it," he said.

Obama's Web site, built by Facebook cofounder Chris Hughes, has been the model
of Web 2.0 campaigning, using social-networking techniques to raise funds and
build a broad base of active, Internet-savvy supporters.

But security experts have long warned that powerful Web site features also
open new avenues for attack.

With the Internet driving the majority of the campaign's contributions, Web
security is probably more important to Obama than it has been to any other presidential
candidate. A Web outage could cost his campaign millions of dollars, and a widely
publicized privacy breach could put the brakes on his most important source
of cash.

"The Obama campaign has got a bigger bull's-eye on them now that they've
stitched up the nomination," Ferguson said. "It's worth their time
to be more security conscious."

In April, a programming error allowed a Hillary Clinton supporter to redirect
part of Obama's Web site to Clinton's, but today's Web attack techniques
could lead to much more serious consequences.

"Attacks like SQL injection would be far more of a concern," said
Oliver Friedrichs, a director with Symantec Security Response who has written
about computer security and the 2008 presidential election. "If I was able
to get access to the database that houses their donor information, that would
be very concerning."

So-called SQL injection attacks take advantage of programming errors and allow
attackers to get unauthorized access to parts of a Web site. They can be used
to install malicious software or gain access to sensitive information.

Obama's site isn't the only one to suffer from Web security bugs. A similar
flaw popped up in Mitt Romney's site in January, and Hillary Clinton's name
was used in a spam campaign that delivered messages laced with malicious Trojan
Horse software programs, Friedrichs said.

Internet security is always a top priority for political campaigns, even if
security jobs are not always advertised, said Henry Poole, founder of the Internet
campaign consultancy CivicActions. "We've always had somebody looking at
the security issues," he said. "Maybe it's just an issue of the Obama
campaign being more transparent."

While Web defacements and denial of service attacks may be the most common
security problems, a Web privacy breach could quickly become a major campaign
issue, Poole said. "For a big office, things like the reputation of the
candidate are really important," he said.

Obama's campaign staff did not respond to requests for comment on this story.

IDG News Service