Sunday, November 15, 2015

How securely will presidential candidates handle your data?

If you haven't been living under a rock recently, you know that the presidential candidates can't talk enough about cyber security and how committed they are to it.  But mostly they talk about making big corporations accountable for breaches, securing health care data, and making China/Iran/Whoever pay for stealing US intellectual property.  Then they usually get some word in about the proliferation of cyber weapons and how we'll have to "do something" about that.

All of that is great - but how secure are the candidates themselves today?  Johnathan Lampe at Infosec Institute has already covered how secure the candidates' websites are, and the results are pretty abysmal.  Most candidates can't even lead their own campaigns, free of US government bureaucracy, to properly secure their own websites.

But when it comes to insecurely handling the data of the people that work for you (or want to), that's where I draw the line.  If a candidate can't get it right inside their own campaign, I seriously doubt their ability to secure our data once they are elected.  You can argue that it's not the candidate's job to secure the data.  But that's a hollow argument.  The judgment they exercise in selecting staff today is the same judgment they'll exercise in selecting appointees after they are elected.

To that end, I note that Hillary Clinton's campaign has done a terrible job in their intern application process by using an HTTP-only page to have intern applicants upload potentially sensitive data.
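A campaign web team can catch this kind of problem mechanically before a form goes live. The script below is an added example, not code from the original post or from any campaign: it parses a page's forms with Python's standard library and flags any form that accepts a file upload (a resume) or an obviously sensitive field but submits to a target that is not HTTPS. The page URL and HTML are constructed for the example and are not the campaign's real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest identity data; an assumption for this example.
SENSITIVE_NAME_HINTS = ("ssn", "social", "dob", "birth")


class FormAuditor(HTMLParser):
    """Collect every <form> on a page with its action, method and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "file_upload": False,
                "sensitive_fields": [],
            }
        elif tag == "input" and self._current is not None:
            input_type = (attrs.get("type") or "text").lower()
            name = attrs.get("name") or ""
            if input_type == "file":
                self._current["file_upload"] = True
            elif input_type == "password" or any(h in name.lower() for h in SENSITIVE_NAME_HINTS):
                self._current["sensitive_fields"].append(name or input_type)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html):
    """Return the forms that collect sensitive data but would submit it in the clear.

    A relative or empty action inherits the page's own scheme, so a page served
    over plain HTTP leaks the upload even when the HTML never says "http://".
    """
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        scheme = urlparse(target).scheme.lower()
        collects_sensitive = form["file_upload"] or bool(form["sensitive_fields"])
        if collects_sensitive and scheme != "https":
            findings.append({
                "target": target,
                "scheme": scheme,
                "method": form["method"],
                "file_upload": form["file_upload"],
                "sensitive_fields": form["sensitive_fields"],
            })
    return findings


# Constructed sample: a fictional intern application page served over plain HTTP.
SAMPLE_PAGE_URL = "http://campaign.example/interns/apply"
SAMPLE_HTML = """
<html><body>
<form action="/interns/submit" method="post" enctype="multipart/form-data">
  <input type="text" name="full_name">
  <input type="file" name="resume">
  <input type="submit" value="Apply">
</form>
<form action="/newsletter" method="post">
  <input type="email" name="email">
</form>
<form action="https://accounts.example/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("INSECURE FORM:", finding)
```

Of the three constructed forms, only the resume upload is reported: its relative action resolves to the page's own http:// scheme, while the login form posts to an https:// target and the newsletter form collects nothing sensitive. Pointing the auditor at a real page means fetching the HTML yourself and passing in the URL you actually fetched it from, since that URL decides what a relative action resolves to.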

I'm sure that in response to this blog post, site changes will be made so I've chosen to document a screenshot here.

I do a lot of interviews for tech companies looking to recruit top tier cyber talent.  I can assert that candidates, particularly those right out of college, put an amazing amount of private information in their resumes.  Sometimes this includes date of birth, social security number, home address, etc.  In essence, more than enough data to steal the identity of a candidate.  Unfortunately, the very people most likely (in my experience) to upload their sensitive data are the very people Clinton is trying to attract - college students.  They are also the most likely to upload their data over public, unencrypted wifi, since many lack dedicated internet access otherwise.

I know there are those who will feel like I have an axe to grind with this post - I do not.  When shenanigans like these are observed, it is our duty to call them out regardless of political leanings.  Furthermore, in Clinton's specific case, this is another example of poor judgement surrounding IT security (her private email server with RDP exposed to the Internet is the prime example).

I hope Clinton's campaign issues apologies to all those who applied for internships and takes steps to resolve this mis-handling of personal data.
