Sunday, October 7, 2012

Locked and Loaded

You've probably seen the ad where the CEO of LifeLock boldly lists his social security number and invites anyone to compromise his identity.

The ad is a dare, one that enough people took up to compromise his identity 13 times as of May 2010.

This post is not such a dare, but an update to a post earlier this year regarding our website.

Our website is mostly static, text-based.  It's more of an online encyclopedia than anything, and with a couple of exceptions, isn't table-driven.  That's bad for editing, but good for protection.  It's another example of my view that we should think like the Jetsons and live like the Flintstones.  Simple is sometimes the hardest to hack.

I'm convinced that hackers will hit an election website within the month (they already have compromised a couple in the country) and I didn't want that website to be ours.  I expect the hack will be mischievous but could be a blow to voter confidence.

It gets to what I tell visitors to our election office who would like to know our security measures to protect the vote.

Can someone do something that will change the result of an election? No.  Can they do something that can disrupt us and cause us to have a bad day?  Absolutely, and we are always attuned to that.

With websites, here's the scenario I want to avoid:

  1. A hacker paints a mischievous message on our home page, essentially saying, "Ha, ha, ha."
  2. Voters worry that if a webpage can be hacked, how can they be assured the voting system can't be hacked?
  3. We respond that our website is hosted by a separate county department, out of our control.
  4. Voters worry that despite our assurances, what if aspects of our voting system are out of control? They aren't, but this is a perception path I don't want to spend energy chasing.

Our IT department stepped up and at my request enlisted a third party to do penetration testing on our website.  This company proudly stated before the test that they could find a vulnerability with any website.

They found a minor one with ours.  Finding something, actually, made me feel better than not finding anything because it gave me comfort that they were diligent.  This isn't a place for false positives.

The vulnerability was in the one area that isn't text-based, our voter lookup.  Voters can enter their names and birthdates to pull up their sample ballot: the races that will appear on their specific ballot when they come to the polling place.  Once a visitor has entered one valid combination, the visitor could change some of the string in the address line of the website and call up anyone else's sample ballot without knowing the voter's birthdate.

That's a pretty lame vulnerability, particularly because it's all public-record information.  Still, the IT department has hopped on that and fixed it.  Vulnerability identified, and fixed.
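The lookup flaw described above can be shown in a few lines, together with one way to close it; this is an added example, not the county's code or its actual fix. The record layout, IDs, function names and the HMAC-tagged link are assumptions, since the post does not say how the lookup was built or repaired.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; field names and IDs are hypothetical.
VOTERS = {
    101: {"name": "ALEX DOE", "dob": "1970-01-01", "ballot": "Precinct 12, style A"},
    102: {"name": "SAM ROE", "dob": "1985-06-15", "ballot": "Precinct 40, style C"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to the browser


def find_voter(name, dob):
    """Return the voter id only if both name and birthdate match a record."""
    for voter_id, rec in VOTERS.items():
        if rec["name"] == name.strip().upper() and rec["dob"] == dob:
            return voter_id
    return None


def ballot_vulnerable(voter_id):
    """Flawed pattern: trusts the id taken from the address line with no further check."""
    rec = VOTERS.get(voter_id)
    return rec["ballot"] if rec else None


def _tag(voter_id):
    # Keyed MAC over the id; only the server can produce a valid tag.
    return hmac.new(SERVER_KEY, str(voter_id).encode(), hashlib.sha256).hexdigest()


def lookup_hardened(name, dob):
    """On a valid name/birthdate pair, return (voter_id, tag) to embed in the ballot link."""
    voter_id = find_voter(name, dob)
    return None if voter_id is None else (voter_id, _tag(voter_id))


def ballot_hardened(voter_id, tag):
    """Serve the ballot only if the tag was issued by this server for this exact id."""
    rec = VOTERS.get(voter_id)
    if rec is None:
        return None
    if not hmac.compare_digest(_tag(voter_id).encode(), str(tag).encode()):
        return None
    return rec["ballot"]
```

With the tag bound to the id, editing the id in the address line yields no ballot unless the visitor has also passed the name and birthdate check for that voter.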

Still, I live by the concept that everyone is smarter than me.  Maybe the LifeLock CEO should do the same.

This concept has us constantly evaluating security and even with our fancy study, I'm not convinced our website is impenetrable.  I think it is, but I know there could be some hotshot programmer determined to find something that this company didn't.

But I do think the chance of us having the website hacked, if that happens, is greatly reduced, and I think we've taken the proper diligence to ensure that it won't happen.