Donald Trump’s official website suffered from a serious misconfiguration that exposed campaign intern résumés to the public internet according to a report from Chris Vickery of the blog, . After Chris contacted intermediaries to get to the Trump campaign, the problem was fixed. IT security experts from Tripwire, Lieberman Software and Redscan commented below.
Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire:
“Cybersecurity isn’t a partisan issue. Both Democrats and Republicans alike are capable of misconfiguring settings and failing to patch vulnerabilities. Campaigns are often difficult entities to secure. They aren’t permanent organizations, and their staff and needs change rapidly. Campaigns do handle sensitive information routinely, and securing that data needs to be part of their charter from the start.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The Trump website leak could have happened to anyone – anyone who is more concerned about business results than security. When you put it that way, it sounds as if the Trump campaign was extremely careless with this data, but the sad truth is that’s not the exception, it is the rule. Some person likely set up the system in the most expedient way possible, and no one reviewed the security until someone acted like a bad guy, which is the story of most breaches. There’s also a question here about the design of the system itself encouraging better security in how it walks the user through set up. In the end, this falls to the person hired by Trump to do this configuration, someone who may today be heading towards the iconic “you’re fired” right from the man who made it famous.”
Robert Page, Lead Penetration Tester at Redscan:
“Vulnerabilities like the one affecting the official website of Donald Trump are all too common, enabling hackers to bypass authorisation controls to access sensitive files.
While in this instance, the breach appears not to have been particularly serious, intrusions like this can be significantly more damaging if hackers research site file naming conventions to conduct wider, more targeted brute force attacks.
A cyber breach can cause severe reputational damage to an individual or organisation so it’s important that websites are regularly penetration tested by security experts to ensure that flaws, such as the one highlighted here, are addressed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.