Presidential campaign websites fail at privacy, new study shows

Presidential campaign websites get a failing grade for privacy, according to a new study by the non-partisan Online Trust Alliance, an initiative of the Internet Society. The study analyzed the websites of 23 presidential campaigns, 19 Democratic and four Republican, for correct Transport Layer Security (TLS) deployment, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for campaign email, domain locking, and privacy policies and data sharing practices.

“Overall, we found that campaigns have strong website security, reasonable email and domain protections, and poor privacy scores,” the report concludes. “Privacy statements are the biggest concern, causing failure for 70% of the campaigns.”

[Figure: 2020 campaign privacy failures from the Online Trust Audit, overall privacy failing grades by sector. Source: Online Trust Alliance]

Not all is doom and gloom, however. A few bright spots stand out in the Internet Society report. Here’s the rundown on the good, the bad and the ugly.

Web security

Test all candidate campaign websites through SSL Labs and you’ll find strong, modern ciphers and solid TLS configuration. “Using public assessment tools from Qualys SSL Labs and ImmuniWeb, all sites earned an ‘A’ or ‘A+’ in this area,” the report says, and had trusted certificates as well as certificate transparency. As a nice bonus, 58% of campaign websites support TLS 1.3, significantly higher than any other sector.

With two exceptions, all campaigns have enabled domain locking to prevent unauthorized transfer of domain ownership. (That’s probably two too many, to be honest.) One fun detail the report uncovered is that 74% of campaign sites are available over IPv6, compared to 12% in other sectors.

Email security

Given that phishing and poor email security played a key role in the 2016 presidential campaign, one would hope that campaigns would take the issue more seriously this time around. Some do, but not all.

Use of SPF and DKIM to prevent email spoofing was a bright spot. Eighty-seven percent of campaign domains have deployed both SPF and DKIM, although two campaigns had no email authentication at all.

Sixty-one percent of campaigns had a Domain-based Message Authentication, Reporting and Conformance (DMARC) record and 30% use DMARC enforcement, which quarantines or rejects messages that fail authentication. A DMARC policy “allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message,” the DMARC FAQ explains.

“Given that campaigns are using current email services and the significant concern about phishing in the political realm,” the report says, “all should be using DMARC.”
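The distinction the audit draws between merely publishing a DMARC record and actually enforcing it comes down to the `p=` tag in the domain's `_dmarc` TXT record. The following checker, added here as an illustration and not part of the report or its tooling, parses constructed sample records and classifies each as monitoring (`p=none`) or enforcement (`p=quarantine`/`p=reject`); it also honours the `pct=` tag, which the article does not mention, so that a policy applied to only a fraction of mail is not counted as full enforcement.

```python
# Constructed sample DMARC TXT records; the domains are placeholders,
# not records of any real campaign domain.
SAMPLE_RECORDS = {
    "none-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@none-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:reports@quarantine.example",
    "reject.example":     "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "partial.example":    "v=DMARC1; p=reject; pct=25",
    "broken.example":     "v=spf1 include:_spf.example -all",  # an SPF record published by mistake
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value.
    Returns None when the record does not carry the mandatory v=DMARC1 tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def classify(record):
    """Classify a record the way the audit counts it:
    'enforcement' for quarantine/reject applied to all mail (pct=100, the default),
    'partial' when pct < 100, 'monitoring' for p=none, 'invalid' otherwise."""
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ("quarantine", "reject"):
        return "enforcement" if pct >= 100 else "partial"
    if policy == "none":
        return "monitoring"
    return "invalid"  # no usable p= tag: receivers cannot apply an enforceable policy

def enforcement_rate(records):
    """Fraction (0.0 to 1.0) of domains at full enforcement, the figure the
    report gives as 30% for the campaigns it audited."""
    if not records:
        return 0.0
    enforced = sum(1 for r in records.values() if classify(r) == "enforcement")
    return enforced / len(records)

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify(rec)}")
    print(f"enforcement rate: {enforcement_rate(SAMPLE_RECORDS):.0%}")
```

To audit a real domain, feed the TXT record returned for `_dmarc.<domain>` into `classify()`.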

Privacy and data use

The collection and use of site visitor data, however, is a Wild West with most campaign sites offering no real data privacy, a cause for concern, the report notes. At a time when enterprise sites are moving toward greater data privacy in compliance with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it is striking that presidential campaign sites have largely ignored visitor privacy.

The problem begins with a lack of transparency and gets worse from there. “Five campaigns had no discoverable privacy statement,” the report notes. “This yields…an automatic failure. This may be an oversight but is inexcusable since every campaign website is collecting data.” The five campaign sites without a privacy statement were Wayne Messam (D), Tim Ryan (D), Mark Sanford (R), Joe Sestak (D), and Joe Walsh (R).

Others had an inadequate privacy statement that failed to disclose data sharing and retention practices, or that effectively put no limits on the use of visitor data, permitting unlimited data sharing with “like-minded entities.” That runs counter to established norms in other US sectors and violates the principles of both the GDPR and the CCPA.

Copyright © 2019 IDG Communications, Inc.

