
Democrats and Republicans agree: Our Cybersecurity SUCKS


1 Democrats and Republicans agree: Our Cybersecurity SUCKS
Jonathan Lampe, CISSP, CFTP, GSNA
Cybertical – Cybersecurity for Political Campaigns
CypherCon – Milwaukee – March 2017

2 “Walking the Perimeter”
"Evaluating the Security of Potential Partners - Without Permission!" - 2015 (ISC)2 Congress (Anaheim)
Originally developed for a Milwaukee-area corporation that wanted security's opinion on whether or not they should be doing business with company X
Hackless Recon - like looking through a fence - ergo: NO permission needed
- Proper use of HTTPS (SSL/TLS) to protect traffic
- Quality of X.509 certificate
- Hackability of "client-side" web app
- Outdated software
- Secure site headers
- Location and protection of assets
- Information leakage
- Sign-on forms and other "front doors"
- Web APIs and other "back doors"
- Special classes of attacks applicable to site type
- Public info about site and authors
- External connections (DNS entries and "deep links") involving the site

3 Walking Presidential Web Site Perimeters
Evaluated Web Sites of 16 Different 2016 Presidential Candidates
- Performed initial analysis (by hand and with ZAP and WPScan) in late 2015
- Most used unsecured Wordpress sites and many allowed username enumeration
- Clinton's site advertised "done is better than perfect" and had a phishing vulnerability
Repeated Research in Early 2016 for Thotcon (Chicago)
- Good News: Major Wordpress-based candidates ALL secured their sites!
- Bad News: Clinton's campaign said their vulnerability was "by design" (and never fixed it)
- Bad News: NO campaign ever responded to repeated attempts to discuss results
- Press: Several mentions in written articles, unaired TV segment at NBC5 in Chicago

4 CYBERTICAL FORMS in 2016
Cyber = "What government types call information systems. It is usually followed by the word 'Security'"
Tical = "The second part of the word 'Political'"
Cybertical = "Cybersecurity for Political Campaigns"
[Logo graphic: CYBER + SECURITY and POLI + TICAL combined into CYBERTICAL]
Logo based on a 16x16 icon of an elephant and a donkey

5 Walking SENATORIAL Web Site Perimeters
Evaluated Web Sites of 67 Different 2016 Senatorial Candidates
- Too many sites to scan by hand; wanted tools like NetCat and WPScan that could be customized and optimized to avoid alerting their targets with too much noise
- Developed a new Python script that could scan a list of sites, store complete evidence of findings, and reuse local evidence from earlier scans to avoid "beating on" targets
Published Report in October 2016
- Good News: Some candidates had secure sites!
- Bad News: Found dozens of admins, usernames and known vulnerabilities
- Bad News: Report was largely ignored (only one unlikely candidate engaged)
- Press: Filmed a TV segment on local candidates on NBC4 in Washington DC

6 March 2017: Cybertical Releases Recon Utility
Github.com/Cybertical/PoliticalSiteScanner
- Requires Python; runs on Mac OS and probably Linux
- Script is called "pScan.py"
- Original version (0.8) is the script I used to inspect Senatorial sites in late 2016

7 How Cybertical “PSCAN” Works
Components: List of Target Sites -> Cybertical pScan Application -> Evidence Folder, CSV Report of Findings, Detailed Log
#1 – A list of sites is passed in.
#2 – Existing site information is loaded from an existing evidence folder. (Optional.)
#3 – New site information is drawn from live sites.
#4 – New site information is written to an evidence folder.
#5 – A high-level report and detailed log are written.
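The five-step flow above, as an added example that is not the pScan code from the Cybertical repository: a site list goes in, evidence already on disk is reused, only sites without evidence are fetched, new evidence is written, and a report plus a detailed log come out. The fetcher is injected so the example runs offline; `fake_fetch`, the `CANNED` responses and the report column names are constructed assumptions, not pScan's format.

```python
import json
import os
import tempfile


def load_evidence(evidence_dir, site):
    """Step #2: return previously stored evidence for `site`, or None."""
    path = os.path.join(evidence_dir, site + ".json")
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return json.load(fh)


def save_evidence(evidence_dir, site, evidence):
    """Step #4: persist evidence so later runs do not touch the site again."""
    os.makedirs(evidence_dir, exist_ok=True)
    with open(os.path.join(evidence_dir, site + ".json"), "w") as fh:
        json.dump(evidence, fh, indent=2)


def pscan(sites, evidence_dir, fetch, log):
    """Steps #1-#5: return report rows for `sites`; append lines to `log`.

    `fetch(site)` is the only place live traffic would happen; everything else
    is local bookkeeping, which is what keeps repeat runs quiet.
    """
    report = []
    for site in sites:
        evidence = load_evidence(evidence_dir, site)
        if evidence is None:
            log.append(f"{site}: no local evidence, fetching live")
            evidence = fetch(site)                       # step #3
            save_evidence(evidence_dir, site, evidence)  # step #4
        else:
            log.append(f"{site}: reused local evidence")
        headers = {k.lower(): v for k, v in evidence.get("headers", {}).items()}
        report.append({                                  # step #5 (report row)
            "site": site,
            "https_available": evidence.get("https", False),
            "server_header": headers.get("server", ""),
            "x_powered_by": headers.get("x-powered-by", ""),
        })
    return report


# Constructed sample responses standing in for live sites (assumption).
CANNED = {
    "alpha.example": {"https": True, "headers": {"Server": "nginx"}},
    "beta.example": {"https": False,
                     "headers": {"Server": "Apache/2.4.7", "X-Powered-By": "PHP/5.5"}},
}


def make_fake_fetch(counter):
    """Return a fetcher that serves CANNED data and counts calls per site."""
    def fake_fetch(site):
        counter[site] = counter.get(site, 0) + 1
        return CANNED[site]
    return fake_fetch


def demo():
    """Run twice against one evidence folder; the second run fetches nothing."""
    calls, log = {}, []
    with tempfile.TemporaryDirectory() as evidence_dir:
        fetch = make_fake_fetch(calls)
        first = pscan(list(CANNED), evidence_dir, fetch, log)
        second = pscan(list(CANNED), evidence_dir, fetch, log)
    return first, second, dict(calls), log


if __name__ == "__main__":
    first, second, calls, log = demo()
    for row in first:
        print(row)
    print("\n".join(log))
    print("fetch calls per site:", calls)
```

The second `pscan` call produces the same report without calling `fetch` at all, which is the "reuse local evidence" property the slide describes; deleting a site's JSON file from the evidence folder is what forces a fresh fetch.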

8 How CYBERTICAL Grades similar Sites
#1 – CSV report of findings is obtained from the pScan utility.
#2 – CSV report is converted to scorable values.
#3 – Weights are applied to scorable values.
#4 – Weighted values are compiled into "GPAs" and letter grades are assigned appropriately.

9 Current Grading Scale
Start with 3.6 (A-)
- -0.2 for a useful server header
- -0.2 for a useful "X-Powered-By"
- +0.1 if HTTPS is available
- +0.2 if HTTPS is required
- -0.3 if running Wordpress or Nationbuilder
- for each day CMS is old (noncurrent only)
- -0.05 for each known CMS vulnerability
- -0.1 if CMS sign-on page is exposed
- -1.0 if CMS registration page is exposed
- -0.3 if CMS password reset is exposed
- -0.05 for each CMS user identified
- -0.5 if CMS user enumeration allowed
- -1.0 if CMS default admin found
- -0.3 if other likely CMS admin found
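The four grading steps and the weight table above, as an added example that is not Cybertical's own grading code: a findings CSV is read, each row is converted to scorable values, the slide's weights are applied starting from 3.6, and a GPA and letter grade are written back out. The CSV column names, the sample findings and the GPA-to-letter cutoffs are assumptions (the slide only fixes 3.6 as an A-), and the per-day penalty for an outdated CMS, whose weight did not survive in the transcript, is left as a parameter.

```python
import csv
import io

START_GPA = 3.6  # slide: "Start with 3.6 (A-)"

# (csv column, weight, kind). "flag": applied once if the cell is truthy;
# "count": applied per unit of the integer in the cell. Column names are assumed.
WEIGHTS = [
    ("server_header",        -0.2,  "flag"),   # useful Server header revealed
    ("x_powered_by",         -0.2,  "flag"),   # useful X-Powered-By revealed
    ("https_available",      +0.1,  "flag"),
    ("https_required",       +0.2,  "flag"),
    ("cms_wordpress_or_nb",  -0.3,  "flag"),   # Wordpress or Nationbuilder detected
    ("cms_known_vulns",      -0.05, "count"),
    ("cms_login_exposed",    -0.1,  "flag"),
    ("cms_register_exposed", -1.0,  "flag"),
    ("cms_reset_exposed",    -0.3,  "flag"),
    ("cms_users_found",      -0.05, "count"),
    ("cms_user_enum",        -0.5,  "flag"),
    ("cms_default_admin",    -1.0,  "flag"),
    ("cms_likely_admin",     -0.3,  "flag"),
]

# Assumed GPA-to-letter cutoffs; the slide anchors only 3.6 = A-.
LETTER_CUTOFFS = [
    (3.85, "A"), (3.5, "A-"), (3.15, "B+"), (2.85, "B"), (2.5, "B-"),
    (2.15, "C+"), (1.85, "C"), (1.5, "C-"), (0.85, "D"), (0.0, "F"),
]


def letter_grade(gpa):
    for cutoff, letter in LETTER_CUTOFFS:
        if gpa >= cutoff:
            return letter
    return "F"


def _flag(cell):
    """A cell counts as 'present' unless it is empty or an explicit no."""
    return str(cell).strip().lower() not in {"", "0", "n", "no", "false"}


def score_row(row, days_old_weight=0.0):
    """Steps #2 and #3: convert one findings row to scorable values, apply weights."""
    total = START_GPA
    for column, weight, kind in WEIGHTS:
        cell = row.get(column, "")
        if kind == "flag":
            if _flag(cell):
                total += weight
        else:
            total += weight * int(cell or 0)
    # Per-day penalty for an outdated CMS: weight not on the slide, so a parameter.
    total += days_old_weight * int(row.get("cms_days_old") or 0)
    return round(max(0.0, total), 2)


def grade_findings(csv_text, days_old_weight=0.0):
    """Steps #1 and #4: read the findings CSV, return {site: {"gpa", "grade"}}."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        gpa = score_row(row, days_old_weight)
        results[row["site"]] = {"gpa": gpa, "grade": letter_grade(gpa)}
    return results


def report_csv(results):
    """Render graded results as CSV text, worst GPA first."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["site", "gpa", "grade"])
    for site, r in sorted(results.items(), key=lambda kv: kv[1]["gpa"]):
        writer.writerow([site, f"{r['gpa']:.2f}", r["grade"]])
    return out.getvalue()


# Constructed sample findings; not real sites and not real scan results.
SAMPLE_FINDINGS_CSV = """site,server_header,x_powered_by,https_available,https_required,cms_wordpress_or_nb,cms_days_old,cms_known_vulns,cms_login_exposed,cms_register_exposed,cms_reset_exposed,cms_users_found,cms_user_enum,cms_default_admin,cms_likely_admin
custom-site.example,0,0,1,0,0,0,0,0,0,0,0,0,0,0
wp-site.example,1,1,1,1,1,0,2,1,0,1,3,1,0,1
open-reg.example,1,0,0,0,1,0,0,1,1,0,1,0,1,0
"""

if __name__ == "__main__":
    print(report_csv(grade_findings(SAMPLE_FINDINGS_CSV)))
```

Two things stand out when the weights are run on realistic rows: a single exposed registration page or default admin account costs a full point, which is as much as four other findings put together, and the per-user and per-vulnerability counts are what separate a "hanging on" site from a "detention" one, so trimming the exposed user list is the cheapest grade improvement.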

10 Walking Some Wisconsin Perimeters
State* Officers, State** Parties and National Reps:
- Governor Scott Walker (R)
- US Rep. Mike Gallagher (R)
- US Rep. Paul Ryan (R)
- US Rep. Sean Duffy (R)
- US Rep. Mark Pocan (D)
- Senator Tammy Baldwin (D)
- US Rep. Glenn Grothman (R)
- US Rep. Jim Sensenbrenner (R)
- Senator Ron Johnson (R)
- US Rep. Ron Kind (D)
- US Rep. Gwen Moore (D)
- St. Superintendent Candidate Lowell Holtz (R-ish)
- Republican Party of Wisconsin
- St. Superintendent Tony Evers (D-ish)
- Democratic Party of Wisconsin
* Major or Contested State Officers (Sorry La Follette, Kleefish and Adamczyk)
** Major Parties (Sorry Green, Constitutional, etc.)

11 Lessons Learned In Wisconsin 2017
4 of 15 sites scanned used "Nationbuilder" cloud-based CMS
- Added "Nationbuilder" detection and slug retrieval to script (pScan v0.9)
- Future to-do: attempt to query author and self-registered user information
- Running "Phusion Passenger Enterprise " (released April 28, 2016, current is 5.1.2)
- Related nginx contains "HIGH" local priv escalation vulnerability (CVE )
- Recent history of Stored XSS due to unsanitized input (April 2016)
- Recent history of reported and unpatched XSS (November 2016)
- I found Nationbuilder registration pages, but did not explore them enough to score
- Scored -0.3 points against GPA if Nationbuilder detected
9 of 15 sites used Wordpress (-0.3 points)
2 sites (Pocan and WisDems) used custom code (no point adjustment)

12 2017* Wisconsin cybersecurity grades
* Conducted March 15-16, 2017

13 Opportunities for Improvement
Top of the Class
What They Did Well:
- Avoided off-the-shelf CMS's (which makes it hard for hackers to "lock on")
- Offered HTTPS (Pocan)
Opportunities for Improvement:
- Turn on HTTPS and require it (it has SEO benefits too!)

14 Opportunities for Improvement
Easily Passing
What They Did Well:
- Avoided revealing site usernames
- Offered HTTPS (Duffy)
- Required HTTPS (Ryan)
Opportunities for Improvement:
- Trim server headers (to stop giving clues to smart hackers)
- Hide/disable password reset and login pages on Wordpress sites (Ryan, Moore, Duffy)
- Pressure vendor (Nationbuilder) to update outdated software components

15 Opportunities for Improvement
Hanging On
What They Did Well:
- Running current version of software
- Required HTTPS (Walker, Johnson, GOP)
Opportunities for Improvement:
- Stop revealing site (Wordpress) usernames (Walker, Johnson, GOP)
- Trim server headers (Holtz)
- Hide/disable password reset and login pages on Wordpress sites

16 Opportunities for Improvement
Due for a Detention
What They Did Well:
- Avoided revealing site usernames (Sensenbrenner)
- Running current version of software (Baldwin)
- Required HTTPS (Baldwin)
Opportunities for Improvement:
- Upgrade Wordpress (Sensenbrenner's version may have serious vulnerabilities)
- Stop revealing site (Wordpress) usernames (Baldwin)
- Trim server headers (Baldwin)
- Hide/disable password reset and login pages on Wordpress sites

17 This Report Relative to Cybertical Services
Less Invasive
- Automated Scan (Running pScan) – Free Reports, Free Tools, Convention Talks
Items Below This Line Are Billable
- Manual + Automated Scan and Analysis – Cybertical "Perimeter Walk"
Items Below This Line Involve Hacking and Require Permission
- Attempt to Verify, Dig and Exploit Findings – Cybertical "Penetration Test"
- Cybertical "Security Contact" (e.g.,
More Invasive

18 Questions? Performing Reconnaissance That Doesn’t Require Permission
- Performing Reconnaissance That Doesn't Require Permission
- Previous Political Findings (2016 Presidential or Senatorial)
- Development of the pScan tool (
- Use of the pScan Tool
- 2017 Wisconsin Findings
Have More Questions? Contact: or

