The United States sees evidence that hackers, possibly working for foreign governments, are snooping on the presidential candidates, the nation's intelligence chief said Wednesday. Government officials are working with the campaigns to tighten security as the race for the White House intensifies.
In October, he evaluated the security of sixteen candidates' websites and wrote a pair of 20-page reports. Using the reconnaissance skills of a casual hacker, Lampe pulled full lists of site user names and technologies used on most sites. In some cases, he discovered which directories were accessible from the Internet and which weren't. He learned what software products Hillary Clinton's campaign used from a job posting soliciting a computer-wise staffer.
"If they shut down a candidate's website, I mean OK. So what? It impacts fundraising for 24 to 48 hours," Miller said. "It's the sensitive information that's the driver on this one."
Hillary Clinton (Leading Democrat) Despite her campaign’s woman-first messaging, Clinton’s website seems to be built on a stereotypical “brogrammer stack” of Node.js, Ruby and other technologies in a git-based continuous integration environment. I gleaned much of that information before I even looked at the site since Clinton’s technologies are well documented in the job descriptions of the DevOps and Engineering Manager positions open on her IT team.
Clinton’s custom application encompasses all major functions of a campaign website, including her store, donations, and volunteer registration, though some ecommerce and credit card functions seem to be built on top of Shopify. This approach affords Clinton’s campaign excellent control over the appearance of her site and the information it exchanges with its users, but the control comes with the risk of having a relatively large attack surface.
Shopify is used to power the store on Hillary Clinton’s web site.
Almost a million bytes of Javascript are sent to each browser from a server called “a.hrc.onl...” alone, and many more Javascript libraries are linked in from other sources. These Javascript applications talk to multiple web services on the back end, including one called “The Claw”, and some use OAuth authentication. Unfortunately, the use of these varied technologies by a dev team that lives by the motto of, “ship early and often; done is always better than perfect” creates the potential for an attack surface that is much larger than that of other candidates.
Hillary Clinton’s site uses a web service called “The Claw” to reset a password.
On the other hand, there are signs that the Clinton team is taking some security precautions. The site itself seems to be running a piece of “obfuscation” software called “varnish” that regularly lies about its identity so would-be hackers would have a harder time locking on with a targeted attack. At the time of my research, Clinton’s code relied on JQuery 2.1.3, just one minor version behind cutting edge, which suggests that the team’s continuous integration process is successfully getting new versions of software (and their security fixes) published. There were also openings on the team for a pair of Security Engineers and a security lead to look for vulnerabilities in the code the rest of the developers publish and in the systems that run the sites.
Hillary Clinton’s web site appears to use software called “varnish” to obfuscate (or lie about) the identity of the web server (e.g., “Server: AmazonS3”), and runs a modern version of JQuery
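The two defensive signals the report praises, a Varnish layer that hides the real server identity and a front-end library kept close to current, are the kind of thing a site owner can check on their own responses before an outsider does. The script below is an added example and is not code from the article, from Lampe's reports or from any campaign; it audits a constructed HTTP response (headers plus an HTML snippet embedded inline) for headers that disclose the stack or a version, and for linked library files whose version number falls below an assumed baseline. The baseline version, the header list and the sample responses are assumptions chosen for the example.

```python
"""Self-audit of an HTTP response for fingerprintable details.

Added example, not code from the article or from any campaign's site.
Input is a constructed sample response (headers + HTML) rather than a
live fetch, so it runs offline.
"""
import re
from typing import Dict, List, Tuple

# Headers that commonly name the server stack. A hardened edge (for example a
# Varnish layer in front of the origin) should strip or neutralise these.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via", "x-varnish")

# Assumed minimum acceptable library versions (placeholder values for the
# example, not a statement about any real release's security status).
MIN_VERSIONS = {"jquery": (2, 1, 3)}

SCRIPT_RE = re.compile(r'<script[^>]+src="([^"]+)"', re.I)
LIB_RE = re.compile(r"(?P<name>jquery)[-.](?P<ver>\d+(?:\.\d+)+)", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.1.3' into (2, 1, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def header_findings(headers: Dict[str, str]) -> List[str]:
    """Flag disclosing headers; a bare Server product name with no version
    (such as the decoy 'AmazonS3' the article mentions) is accepted."""
    findings = []
    for name, value in headers.items():
        key = name.lower()
        if key not in DISCLOSING_HEADERS:
            continue
        if re.search(r"\d+\.\d+", value):
            findings.append(f"{name}: {value} (discloses product and version)")
        elif key != "server":
            findings.append(f"{name}: {value} (discloses stack component)")
    return findings


def script_findings(html: str) -> List[str]:
    """Flag linked libraries whose filename version is below the baseline."""
    findings = []
    for src in SCRIPT_RE.findall(html):
        match = LIB_RE.search(src)
        if not match:
            continue
        name = match.group("name").lower()
        found = parse_version(match.group("ver"))
        baseline = MIN_VERSIONS[name]
        if found < baseline:
            wanted = ".".join(map(str, baseline))
            findings.append(f"{src}: {name} {match.group('ver')} is below baseline {wanted}")
    return findings


def audit(headers: Dict[str, str], html: str) -> List[str]:
    """Combine header and script findings for one response."""
    return header_findings(headers) + script_findings(html)


# Constructed samples: a leaky response and a hardened one.
LEAKY_HEADERS = {"Server": "nginx/1.9.5", "X-Powered-By": "Express", "X-Varnish": "12345"}
LEAKY_HTML = '<script src="/js/jquery-1.11.0.min.js"></script>'
HARDENED_HEADERS = {"Server": "AmazonS3", "Content-Type": "text/html"}
HARDENED_HTML = '<script src="/js/jquery-2.1.3.min.js"></script>'

if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, audit(hdrs, body) or ["no findings"])
```

Run against a real site, the same functions would take the headers and body from your own deployment's response; the point is that the "leaky" sample produces four findings (a versioned Server header, two stack-naming headers, and an old jQuery build) while the "hardened" sample, which presents only a decoy Server value and a current library, produces none.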