Security experts at Tripwire have commented on the Syrian Electronic Army attack on the US President’s webpage. According to security researcher Ken Westin, “Although the SEA may not have compromised an official government site associated with the President, the PR damage of gaining control of his fundraising website may have a similar propaganda effect. We don’t know what data the SEA has access to as a result of the breach; in Blue State Digital's case study for the Obama campaign they state they had 13 million emails and helped gather 6.5 million donations totaling $500 million... is this information now in the hands of SEA for possible spear-phishing attacks?
It appears that the SEA did not gain access to the main website itself, but a third party service that his campaign uses for managing donations to his campaign.
Blue State Digital's website is now showing a blank page and it appears their website is down, so odds are that the entire system has been compromised, meaning it could be more than just the President's donation website that has been compromised.”
Tim Erlin, director of IT risk and strategy at Tripwire continued, “The headline says ‘Obama's hacked’, but it wasn't Obama per se -- this fact alone demonstrates the importance of business partners' information security.
It's doubtful that anyone on Obama's team considered whether using their own URL shortener represented an increased threat over a more standard implementation, but perhaps they should have considered this. After all, URL shortener hacks have happened before.
Any attack like this demonstrates the value of a solid threat model for all points of content production that's outsourced. It’s clear that attackers understand that business partners often represent the weakest link in security.
URL shortening represents an underrated threat vector in social media. Even when a click can mean compromise, we routinely trust obfuscated links through Twitter and Facebook.”