[BreachExchange] Hackers down House Democrats' websites

Inga Goddijn inga at riskbasedsecurity.com
Tue Jun 28 17:03:41 EDT 2016


http://www.politico.com/story/2016/06/hackers-house-democrats-websites-224904

More than a dozen House Democrats’ official websites have been down since
shortly after an overnight sit-in to push for gun control legislation, and
the contractor operating the sites told POLITICO that hackers are to blame.

The outage is affecting the congressional sites of Reps. Earl Blumenauer
<https://cd.politicopro.com/member/51280>, John Carney
<https://cd.politicopro.com/member/151744>, Rosa DeLauro
<https://cd.politicopro.com/member/51351>, Lloyd Doggett
<https://cd.politicopro.com/member/51359>, Tammy Duckworth
<https://cd.politicopro.com/member/198768>, Donna Edwards
<https://cd.politicopro.com/member/61889>, Sam Farr
<https://cd.politicopro.com/member/51376>, Tulsi Gabbard
<https://cd.politicopro.com/member/36630>, Alan Grayson
<https://cd.politicopro.com/member/66847>, Marcy Kaptur
<https://cd.politicopro.com/member/51457>, William Keating
<https://cd.politicopro.com/member/158349>, John Larson
<https://cd.politicopro.com/member/51477>, Jim McDermott
<https://cd.politicopro.com/member/51511>, Richard Neal
<https://cd.politicopro.com/member/51543>, Ed Perlmutter
<https://cd.politicopro.com/member/51317>, Jackie Speier
<https://cd.politicopro.com/member/57066> and Filemon Vela
<https://cd.politicopro.com/member/198780>.

With the exception of Perlmutter, all of these lawmakers have contracts
with a company called DCS to manage their websites. DCS builds websites
using Joomla, a content management system that has suffered from serious
security flaws
<http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-websites-at-risk-of-remote-takeover-hacks/>.

“The sites were hacked,” Scott Ferson, the president of the public affairs
group representing DCS, told POLITICO. Ferson said that DCS expected to
restore site functionality “by the end of the week.”

Gordon Stanton, DCS’s director of congressional services, told POLITICO
that the hacker uploaded a file called a web shell to the database for one
of the lawmakers’ websites and used it to launch a “coordinated attack”
against the other sites. The Department of Homeland Security warned
<https://www.us-cert.gov/ncas/alerts/TA15-314A> last November about this
kind of attack.

Stanton said the attack began at 1:05 p.m. on June 23, roughly two hours
after House Democrats ended a day-long sit-in protesting a lack of action
on gun control legislation.

“We are working with House Security to remedy the situation in a way that
restores the websites as quickly as possible while still ensuring
comprehensive security,” he said.

According to Ferson, “no information was compromised” in the hack.

Several Hill staffers told POLITICO that many offices have expressed
frustration with the inability of DCS to quickly respond to outages and
security concerns. One affected office said it was the second time in 2016
that their website had gone down. Anger at DCS is so widespread that some
aides asked colleagues on an internal email list for suggestions of other
vendors.

The role of Joomla in the hack remains unclear. The company did not respond
to several requests for comment about whether its engineers knew of
unpatched flaws in its code. Stanton said that DCS was "still investigating
how the web shell was deployed, but we believe that Joomla’s security is as
robust as any other CMS used by the House."

A spokesman for the House Chief Administrative Officer, which handles
logistical functions like IT for members’ offices, said in a statement that
the CAO was “working with these offices and [DCS] to ensure the offices'
information is secure before the websites are relaunched.”

Ferson said that DCS has spent time “coordinating with the House in terms
of having the right solution in place” to deal with hacks.

Stanton said that the House’s security team audits DCS’s servers and the
websites it produces for lawmakers. The last such audit took place in
March. The company also applies the latest security updates to its software
every night, according to Stanton.