Barackobama.com 'hack' is a hoax

A hacker's claim that he compromised the successor to President Obama's campaign Web site appears to be a hoax, according to information that has surfaced since the matter came to light early Monday.

The kerfuffle started when a hacker and blogger with a history of posting evidence of security vulnerabilities in popular and high-traffic Web sites published evidence indicating that poor security at barackobama.com had exposed internal databases at the site.

The hacker, identified only as "Unu," claimed that a security flaw in barackobama.com allows anyone to view the user names and passwords needed to administer the site. With that access, an attacker could view database information, upload content to the site - including malicious software - or simply deface the landing page with digital graffiti.

Barackobama.com is now managed by the Democratic National Committee's Organizing for America. Hari Sevugan, national press secretary for the DNC, dismissed the claim, and said the DNC has no evidence that the site is insecure or has been compromised.

"We take security seriously and look closely at any reported incident," Sevugan said. "Based on a number of incorrect assertions, the claim in this case does not seem to be credible. There has been no security breach."

Several tech bloggers seized on the claim, and at least one noted Web site security expert vouched for the hacker's prior exploits. Jeremiah Grossman, chief technology officer for WhiteHat Security, a Web security firm based in Santa Clara, Calif., said Unu's claims have a history of being spot-on.

"This Unu guy...I've been following him for a while, and his other stuff in the past seems to have been legit and checked out," Grossman said.

A screen shot posted by the hacker showing what appear to be user names and passwords for donate.barackobama.com suggests that the data in the picture belongs to faculty members at Roosevelt University in Chicago.

Indeed, Lynn Y. Weiner, dean of the college of arts and sciences at Roosevelt, confirmed that the partially obscured password in that image looked like hers. The same was true of Michael Ensdorf, associate dean and professor in the school's Department of Communication, and Julie Rowen, assistant dean of the school. All three acknowledged having donated to Barack Obama's presidential campaign.

Ensdorf said while they initially thought the credentials could have been the ones they picked when setting up accounts at barackobama.com, the school ultimately discovered that the user names and partially blacked out passwords were the credentials each faculty member uses to add items to Roosevelt University's online calendar of events.

Roosevelt's technology and security team is now investigating whether a university server was breached, Ensdorf said.

By Brian Krebs  |  October 27, 2009; 12:45 PM ET
Categories:  From the Bunker , U.S. Government  | Tags: hoax, obama  

Comments

Another way to install Ubuntu without partitioning the disk is to download Wubi. Wubi creates a file on Windows. Supported Windows versions are 98, 2000, XP and Vista. You can download it at http://wubi-installer.org/ and if you have questions about it, you can ask them at http://ubuntuforums.org/ .

Posted by: jo-ker | October 27, 2009 1:30 PM

They will stop at nothing to try and discredit President Obama and Organizing for America. Absolutely nothing. Which is roughly equal to how much they value the American ideal of equality, at least compared to how much they value the almighty Dollar.

With respect,
Alex Brant-Zawadzki
Volunteer
Organizing for America

Posted by: beezling | October 27, 2009 4:14 PM

What I want to know is what idiot stores passwords in plaintext in a database. Hashing was in vogue 20 years ago. Get with the times.

Posted by: wng_z3r0 | October 27, 2009 4:16 PM

Yeah, I don't think Unu was misrepresenting the attack willfully, I think the tool fell through the Obama site because of the /smartproxy/ redirect that was in place, and a cached path to the Roosevelt U calendar.

Also fairly sure our Romanian friend is not out to get Obama, only web sites with poor validation or lack of filtering for escape characters.

That whole web site, although not the victim of an SQL injection, needs a good once over from a web application security team.

More analysis on the specific problem:

http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/

Posted by: Prefect | October 27, 2009 4:46 PM

Let’s presume that we are on the Roosevelt University page and their server is vulnerable. Scenarios emerge:
- the potential attacker, using the found passwords, logs in as administrator on the Roosevelt University, uploads a php shell, using that shell he then browses to the Barack Obama’s server… because the “responses” and the queries that are coming from the Roosevelt University are accepted, are legit for barackobama.com.
- the potential attacker, using the found/cracked passwords, logs in as admin on the Roosevelt University server, uploads a trojan dropper or a keylogger to infect all the site visitors of donate.barackobama.com. Then the personal data of these visitors will be stolen, passwords to other sites (including internet banking) or the credit card data, will make the difference between Roosevelt University server or the barackobama.com server? I DON’T THINK SO. They will tell you that barackobama.com infected them, because they visited it.

Posted by: unu1234567 | October 28, 2009 2:45 AM

The comments to this entry are closed.

 
 