It’s not unusual to hear candidates on the campaign trail pushing potential voters to their websites for donations or more information, but how do you know the site you’re visiting is safe and secure? Jonathan Lampe, the founder of Cybertical, says that can vary from campaign to campaign.
Lampe’s what’s called a "white hatter," a cyber expert working to improve security. “The trouble with most of these templates is they do not take into account security," he told the News4 I-Team. "So, they get the site up and then they stop. In 10 seconds I know [the] version he's using, potentially some vulnerabilities on the site."
Lampe examined and graded current presidential candidate sites on their potential for being hacked. He said most of the campaigns made the easy security fixes after he contacted them by March of this year. But he showed the I-Team a potential "phishing" risk remains on www.hillaryclinton.com. Lampe demonstrated how anyone who has signed up with an account can send out invites to people from the official site for events supporting the candidate. But a person who wanted to do harm could also include malware or links for people to click on, Lampe said.
"It’s the best bait for a phisher because it’s official,” he said.
The I-Team reached out to the Clinton campaign but did not hear back.
Lampe has looked at more than just presidential candidate sites. When he was recently in town for a security conference, the I-Team asked him to check out other big races in the D.C. area. He graded them based on whether they had basic protections, updated security features and how easily usernames running the site were attainable to would-be hackers. "If they find usernames, they can get into the site. They can change any of the usernames, and potentially, they can upload malware onto the site which allows them to steal everything else that passes through that site," explained Lampe.
“Your supporters need to be able to trust you and know that in leadership, you take that very seriously," Szeliga said. "One of the first things we did was make sure that the company we hired prioritized security."
Matt Proud, with Strategic Partners and Media, is the developer behind Szeliga’s site. “Every morning we sit down, we go through everything just to make sure people haven’t gained access to things they’re not supposed to. But it’s something that, every day, we see that there are new vulnerabilities that are discovered,” said Proud.
Two sites Lampe checked out were graded with a B: Republican Virginia 10th Congressional District incumbent Rep. Barbara Comstock's site and Maryland's Amie Hoeber, the Republican candidate for the 6th District. Lampe said each had some protections. But he said he was still able to get a list of usernames. Lampe said if he was an actual hacker, “I would take 5,000 or 10,000 of my favorite passwords; I would try those passwords against the administrators account until I got in."
Two sites Lampe researched got his lowest grade of D, including Maryland Democratic candidate for U.S. Senate Rep. Chris Van Hollen.
Lampe said he easily found 10 usernames and logins and vulnerabilities that might allow an attacker to upload files through the website. "They can deface the campaign's website. That's bad. However, there have also been serious cases where people have used legitimate websites as a backchannel to traffic illegal files," said Lampe. He said he found the same potential risk on the site for two-term incumbent Democrat Rep. John Delaney in Maryland's 6th District.
The I-Team reached out to all the campaigns. A spokesman for Congressman Delaney said, “Congressman Delaney takes cybersecurity seriously and is always open to ways to improve it. We have hosted multiple events in the district on identity theft, fraud and cybersecurity. We update our campaign website’s security features regularly and do not store any personal or financial information on the campaign website. We are not clear of the scope of this vendor's analysis or what the aim of his work was so it is hard for us to comment more specifically on these claims.” Van Hollen's campaign said, "We are currently undertaking a regular upgrade to our website, including its security features."