I don't have metaphors to draw on for the state of Granicus's cybersecurity. The Federal government is an entity I have an enormous amount of respect for, and the challenges it goes through every day trying to keep a country of 330 million running while still adhering to the principles of democracy are nothing to be laughed at. Let us look at just a few things that are wrong and weird with the Granicus IT infrastructure.

A few things:

  1. They (Granicus/GovDelivery) are in violation of many different parts of FedRAMP. This is a *big* deal.
  2. They are in violation of TAC-202 in the State of Texas, even if analyzed from the lowest priority level. This standard was always notoriously "chillax", but they still fail to meet parts of it.
  3. Bob Ainsbury appears to have lied in a statement issued to the Electronic Frontier Foundation some 14 months ago. I want to be clear that I am saying *lying*, with all that entails as far as slander, libel, etc. Not misrepresented, but *lying*.

They Are Tracking A Lot of Things:

Based on how much information they are tracking, the EFF would have said a lot more had they found content such as this. I actually thought this was a demo the first few times I saw it, as the dashboards looked way too cool and full of life, but it really is an analytics dashboard for the surveillance of citizen interaction with government. 700+ local, state, and federal agencies over six months generate the data below:

We can generate data going back five years if we want. For all of Granicus's language about connecting citizens, making government reachable, democratizing legislation, etc., it appears very few people use the service. Even after five years, many major cities only rack up a few thousand views. Also, I'm not sure why heat maps are needed to show where citizens are. This isn't military targeting data.

What about compliance? Well, both TAC-202 and FedRAMP align, for the most part, with NIST 800-53 and the checklist you can see in Appendix D. There is just no way that Granicus passed this based on its current IT infrastructure. It would have required the most sympathetic, bullied auditor (which I have no doubt they both found and bullied), endless arguing with lawyers, and outright fraud and lying. Such individuals can easily be found in the business world in general, and the cybersecurity community is no different. Also see their response to the original EFF post over a year ago:

This is...very much not true. A simple visit to http://tacomawa.gov-i.com shows that they are not encrypting traffic. The page doesn't redirect you to https either. While those things are sloppy, I could imagine them happening. What is stranger still is that there are hundreds of examples of Granicus using port 443, the default port for encrypted (HTTPS) traffic for the last 25+ years, to push unencrypted traffic. Imagine something like HTTP://media-011.granicus.com:443. I have never seen this before. We see tens of thousands of other examples of the non-use of HTTPS, such as:
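The two observations above (plaintext served on port 80 with no redirect to HTTPS, and plaintext HTTP served on port 443 instead of TLS) are easy to check mechanically. The following script is an added example, not code from the original post or from Granicus: it sends a plaintext GET to a host and classifies the first bytes of the reply, since a TLS server answers a plaintext request with a TLS alert record (or just closes the connection) while a plaintext web server answers with an ASCII `HTTP/1.x` status line. The hostnames and the sample responses embedded below are constructed for illustration; `probe()` is the only function that touches the network.

```python
"""Classify what a web server speaks on a given port and whether plaintext
HTTP redirects to HTTPS. Added example; hostnames and samples are made up."""
import socket
import sys
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample replies (not captured from any real server).
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://www.example.gov/\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_PLAIN_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html>hello</html>")
# TLS record: content type 0x15 (alert), version 3.1, length 2,
# fatal (2) protocol_version (70). What a TLS server sends back when it
# receives a plaintext GET instead of a ClientHello.
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020246")


def classify_banner(first_bytes: bytes) -> str:
    """'tls' for a TLS record (alert or handshake), 'plaintext-http' for an
    HTTP/1.x status line, 'no-response' for an immediate close."""
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/1."):
        return "plaintext-http"
    if not first_bytes:
        return "no-response"
    return "unknown"


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map); status 0 if malformed."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirects_to_https(raw: bytes, host: str) -> bool:
    """True only for a 301/302/307/308 whose Location is https:// on the same host."""
    status, headers = parse_http_response(raw)
    if status not in (301, 302, 307, 308):
        return False
    loc = urlsplit(headers.get("location", ""))
    return loc.scheme == "https" and (loc.hostname or "").lower() == host.lower()


def probe(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """Send a plaintext GET to host:port and classify the reply (network call)."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while sum(map(len, chunks)) < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    raw = b"".join(chunks)
    result: Dict[str, object] = {"host": host, "port": port, "kind": classify_banner(raw)}
    if result["kind"] == "plaintext-http":
        result["redirects_to_https"] = redirects_to_https(raw, host)
    return result


def assess(port80: Dict[str, object], port443: Dict[str, object]) -> List[str]:
    """Turn two probe results into the findings a reviewer would write up."""
    findings = []
    if port80.get("kind") == "plaintext-http" and not port80.get("redirects_to_https"):
        findings.append("port 80 serves content without redirecting to HTTPS")
    if port443.get("kind") == "plaintext-http":
        findings.append("port 443 speaks plaintext HTTP, not TLS")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.gov"  # placeholder host
    for f in assess(probe(target, 80), probe(target, 443)):
        print(f"{target}: {f}")
```

A `no-response` on port 443 is the normal outcome for a correctly configured TLS server that simply drops a plaintext request, so only a `plaintext-http` classification on 443 is a finding. The redirect check deliberately requires the `Location` to point at the same host over `https://`; a redirect to a different host is not a fix for the page the user asked for.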

Specifically, I would draw your attention to the following controls. I have assumed Granicus only needed to align to the "Low" baseline, but even then they should have been guaranteed to fail any audit. I am currently looking for who the auditors were and look forward to reporting back on that part. For now, pay attention to these parts of Appendix D, which I will come back to in another post.

I want to acknowledge that yes, in the strictest sense, maybe the Cloud Communications product is so perfectly firewalled off and segregated from the rest of the extremely insecure IT environment that it looks, and is, better than I am portraying here. But if that is the case, my concern grows 10x, because to draw that boundary so precisely means these other servers and their poor condition were well known. That makes this not an act of negligence but a consciously committed crime and an attempt to deceive the government.

Other Exposed and Insecure Servers:

An open Ruby on Rails server on which they simply left the default install page.
They also left the routing page exposed. It would be possible to break into this server as well.

An open API server, no credentials required.

Me sending an extensive number of packets to a State of Oregon *private* server that is also clearly marked "internal videos" in the hostname.

Fixing Would Be So Easy:

Fixing all this would be trivial. As for the http vs https piece, even back in, say, 2001, some 19 years ago, all you had to do was add a few lines of Apache mod_rewrite to send every http request to its https equivalent, and with cloud technologies it has gotten even easier now. Why does Granicus do this? I've worked with government IT before. It is slow. It is old. Sometimes it is bad. But never like this. I cannot think of any agency in the State of Texas, and at one time I worked for all 38 of them in some capacity, that wasn't significantly better at security than this.

  • Why would they lie about something so simple and easy to fix?
  • What is with their creepy analytics?
  • Why were the Chef, Ruby on Rails, and Jenkins servers open?