Online lockdown

Campaigns & Elections,  June, 2007  by Joel Berg

• E-mail
• Print
• Link

A campaign's home page sits in the sort of neighborhood where it's best to make sure all the doors are shut tight.

The Internet is teeming with hackers and viruses probing for weak spots like a burglar at the window. An unguarded opening can let in someone intent on vandalizing a Web site or carrying away confidential data.

"There's no shortage of damage that they could do," said Michael Sutton, security evangelist for SPI Dynamics, a Web security company in Atlanta.

Like a house, a Web site is designed to allow entry, according to Sutton and other Internet security experts. The doors and windows include any place people are asked for information, such as their name or e-mail address. By casing those openings, and looking for others, hackers try to force their way in.

[ILLUSTRATION OMITTED]

If they succeed, hackers can change a site's content, find pages meant to remain hidden or crack open a database and steal credit card numbers, e-mail addresses or other personal information, said Varun Nagaraj, chief executive officer of NetContinuum, a security company in Santa Clara, Calif.

The basic level of protection for Web sites is a managed security service. These services are available from companies that host Web sites and cost $1,000 a month on up, depending on a site's traffic, said Tracy Hulver, vice president of marketing and product management for netForensics, an online security firm in Edison, N.J.

"They both protect you and let you know what went wrong," Hulver said.

Another countermeasure is controlling the servers that host your site and whatever appears on it. This spring, outside control of a server feeding images to Sen. John McCain's MySpace page left it vulnerable and allowed someone outside his presidential campaign to alter messages.

Other measures include running routine security audits and coding sites securely.

Secure coding lessens the risk of someone breaking in through online forms.

A typical form might ask for a name and address. A hacker might enter computer code that tricks the Web site into coughing up the contents of a campaign's database. Secure code would accept only what's expected and reject anything unusual.

Security audits look for any openings that a hacker could exploit. The audits, which cost between $5,000 and $25,000, should be handled by vendors unrelated to the company that develops or hosts the Web site, experts said.

"Frankly, for a campaign that's going to raise $6 million or $7 million or so, that's money very, very well spent," said Juan Proano, president of Plus Three, a New York-based political technology company working for John Edwards' campaign

Weaknesses also exist on the inside.

Internally, campaigns should limit who has passwords for databases and the programs that run Web sites, said Proano. "That's where the majority of the intrusions occur, where that information is passed around by word of mouth or in an e-mail."

Proano recommended changing passwords often and using combinations of letters, numbers and characters that are harder to decipher than variations of people's names.

Password protection should extend to Web pages set up for staff members to communicate among themselves, said Brent Littlefield, partner and co-founder of Political Solutions Inc., a Republican consulting firm in Washington, D.C.

More and more, campaigns are sharing documents internally on Web sites that branch off from their home pages, Littlefield said.

"With that increased accessibility also comes increased vulnerability," Littlefield said. A clever hacker could find those documents.

Whatever a campaign does, it should keep the precautions reasonable, Littlefield added.

He recalls privacy-obsessed campaign staff in the early 1990s who would shred documents, stuff the remains in plastic bags and drive them to a dump across town.

"You can take things a little bit too far," he said. "I think it's important to have a degree of security. But you don't want to spend half your campaign budget just buying security programs."

COPYRIGHT 2007 Campaigns & Elections, Inc.
COPYRIGHT 2008 Gale, Cengage Learning