Late last night news broke that could be devastating to Bernie Sanders run for the Democratic nomination:
Officials with the Democratic National Committee have accused the presidential campaign of Sen. Bernie Sanders of improperly accessing confidential voter information gathered by the rival campaign of Hillary Clinton, according to several party officials.
Jeff Weaver, the Vermont senator’s campaign manager, acknowledged that a staffer had viewed the information but blamed a software vendor hired by the DNC for a glitch that allowed access. Weaver said one Sanders staffer was fired over the incident.
That software vendor is NGP-VAN, and yes they have admitted it was their fault:
NGP VAN, the vendor that handles the master file, said the incident occurred Wednesday while a patch was being applied to the software. The process briefly opened a window into proprietary information from other campaigns, said the company’s chief, Stu Trevelyan. He said a full audit will be conducted.
NGP-VAN is a company I am very familiar with through my duties in our local county Democratic party, so that right there peeks my curiosity. But I'm also a web developer with 30 years of software development experience, so that too arouses my interests.
The product at question with the Sanders issue is called Vote Builder. It's a database of Democratic voters, where campaigns and organizations can go in, build call sheets, walking sheets and even track contributions. But NGP-VAN also offers another product to their customers, offering them hosted websites. Since I work in the web development field, and the backbone of their web product is Drupal, of which I specialize in and even powers Crooks and Liars, I decided to take a look into their security.
So how is NGP-VAN handling the security of another of their products? Honestly this is pretty simple to investigate, especially when security best practices of Drupal are ignored, which they are by NGP-VAN.
Drupal ships with a file called CHANGLOG.txt, which highlights all the changes from version to version. By default this is available in the web site's root directory, so if you go to a Drupal powered website's home page and simply add /CHANGELOG.txt to the end of the URL, you can view this file. For an example, you can view the CHANGELOG.txt file on my own blog by simply going to http://intoxination.net/CHANGELOG.txt. Now generally blocking access to this file is a recommended security approach, but I don't do that on my server for examples like this, plus because of the fact that my server automatically updates Drupal and any addon modules automatically.
So, let's take a look at the CHANGELOG.txt file on my own site:
Drupal 7.41, 2015-10-21 ----------------------- - Fixed security issues (open redirect). See SA-CORE-2015-004.
That's just the top part, which is the version I am currently running. If you go over to the Drupal release page and you get a list of all releases, complete with a summary and if the release is either a bug or security fix. As you can see the most recent version of Drupal is 7.41, released on 10/21/2015. So yeah, my site is good!
But what about NGP-VAN? How does the company that the DNC has put so much trust in handle this? Well there's no easy way to find out which sites are actually handled by NGP-VAN, but here are three that I know for a fact are:
| Site | Changelog | Version | Release Date | Missed Security Updates |
|---|---|---|---|---|
| Butler County Democrats | Link | 7.37 | 5/7/2015 | 3 |
| Vermont State Democrats | Link | 7.37 | 5/7/2015 | 3 |
| Washington State Democrats | Link | 7.34 | 11/19/2014 | 4 |
Out of those three sites, everyone is running insecure versions of Drupal. That is really troubling. These are Democratic Party sites, paying good money to a company that the DNC recommends, and their security is apparently an after thought.
So, again, should the DNC be putting their trust of their most valuable data in the hands of a company that apparently ignores security? Perhaps they should ask themselves this and take a serious look at their relationship with NGP-VAN.
