Late last night, news broke that could be devastating to Bernie Sanders' run for the Democratic nomination:
Officials with the Democratic National Committee have accused the presidential campaign of Sen. Bernie Sanders of improperly accessing confidential voter information gathered by the rival campaign of Hillary Clinton, according to several party officials.
Jeff Weaver, the Vermont senator’s campaign manager, acknowledged that a staffer had viewed the information but blamed a software vendor hired by the DNC for a glitch that allowed access. Weaver said one Sanders staffer was fired over the incident.
That software vendor is NGP-VAN, and yes, they have admitted it was their fault:
NGP VAN, the vendor that handles the master file, said the incident occurred Wednesday while a patch was being applied to the software. The process briefly opened a window into proprietary information from other campaigns, said the company’s chief, Stu Trevelyan. He said a full audit will be conducted.
Now it’s no secret that I am a Sanders supporter, but I’m also a web developer who owns his own company and handles numerous large-scale sites, so this story also piques my interest from that angle. Not only that, but being involved with our county Democratic Party, I have experience dealing with NGP-VAN. We have access to this data, and we use another of their services to manage our website. So with news of such a blatant oversight by the trusted vendor of the most valued asset the DNC has, I had to put my work hat on and do some digging.
NGP-VAN offers hosting to their customers to supply websites. The websites are built on a platform that I not only know, but have a very close relationship with – Drupal. It’s the software that powers this site and the platform I work in almost exclusively.
So with NGP-VAN in the spotlight right now over what can only be called a security breach, how do they handle the security of another of their products? Honestly, this is very easy to find out.
Drupal ships with a file called CHANGELOG.txt, which highlights all the changes from version to version. By default this is available in the web site’s root directory. For example, you can view my CHANGELOG.txt file by simply going to http://intoxination.net/CHANGELOG.txt. Generally, blocking access to this file is a recommended security practice, but I don’t do that on my server, both for examples like this and because my server automatically updates Drupal and any add-on modules.
Now if you look at that link you will see at the top the current version of Drupal the site is running. Here’s mine:
Drupal 7.41, 2015-10-21
-----------------------
- Fixed security issues (open redirect). See SA-CORE-2015-004.
So am I running the latest, most secure version of Drupal? You betcha! You can even check for yourself. Head on over to the Drupal release page and you get a list of all releases, complete with a summary and whether the release is a bug fix or a security fix.
But what about NGP-VAN? How does the company that the DNC has put so much trust in handle this? Well, they just ignore it. Checking a few sites I know are powered by NGP-VAN, here’s what I have come up with:
| Site | Changelog | Version | Release Date | Missed Security Updates |
|---|---|---|---|---|
| Butler County Democrats | Link | 7.37 | 5/7/2015 | 3 |
| Vermont State Democrats | Link | 7.37 | 5/7/2015 | 3 |
| Washington State Democrats | Link | 7.34 | 11/19/2014 | 4 |
So all 3 of the sites above are running on insecure software. I should also note that there is no simple way to find out which sites are hosted by NGP-VAN and which aren’t. These are the sites that I just so happen to know are, and every one of them is behind on keeping its software up to date.
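As an added example (not the post's own code), here is how the "Missed Security Updates" column can be derived from a current CHANGELOG.txt: parse the release headers, flag the releases whose notes mention a security fix, and count those newer than the version a site reports. The changelog text below is a constructed excerpt in Drupal's layout, not a fetched file, and the dates for releases the post does not mention are assumed.

```python
import re

# Constructed excerpt (not a fetched file) laid out like Drupal 7's CHANGELOG.txt:
# a "Drupal <version>, <date>" header, a dashed rule, then bullet lines. The 7.41,
# 7.37 and 7.34 entries carry the dates the post gives; the other dates are assumed.
SAMPLE_CHANGELOG = """\
Drupal 7.41, 2015-10-21
-----------------------
- Fixed security issues (open redirect). See SA-CORE-2015-004.
Drupal 7.39, 2015-08-19
-----------------------
- Fixed security issues.
Drupal 7.38, 2015-06-17
-----------------------
- Fixed security issues.
Drupal 7.37, 2015-05-07
-----------------------
- Bug fixes and minor improvements.
Drupal 7.35, 2015-03-18
-----------------------
- Fixed security issues.
Drupal 7.34, 2014-11-19
-----------------------
- Fixed security issues.
"""

HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+), (\d{4}-\d{2}-\d{2})\s*$")

def parse_changelog(text):
    """Return [(version, date, is_security), ...] newest first. Versions are int
    tuples so 7.41 sorts above 7.37; as floats, 7.4 would sort below 7.37."""
    releases = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            releases.append([(int(m.group(1)), int(m.group(2))), m.group(3), False])
        elif releases and line.startswith("- ") and "security" in line.lower():
            releases[-1][2] = True  # a bullet naming a security fix flags the release
    return [tuple(r) for r in releases]

def site_version(text):
    """The first header in a site's CHANGELOG.txt is the version it is running."""
    return parse_changelog(text)[0][0]

def missed_security_updates(site_ver, reference):
    """Count security releases in a current reference changelog newer than site_ver."""
    return sum(1 for ver, _, sec in reference if sec and ver > site_ver)
```

Run against the excerpt, a site reporting 7.37 is missing 3 security releases and one reporting 7.34 is missing 4, matching the table; to audit your own site, feed it the CHANGELOG.txt it actually serves and a current changelog as the reference.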
One thing I do want to make clear is that I am talking about a separate product from Vote Builder, which is the product the DNC uses to store voter information. That system runs on custom software. But that really doesn’t matter here, as we are talking about the security practices of the company that offers both of these products.
This brings me back to my original question: should the DNC be trusting NGP-VAN with their most vital data, considering the company appears to ignore security on another of its key products? If I were in charge at the DNC, I would definitely be looking for a vendor that puts security front and center in its product offerings. NGP-VAN obviously does not.