Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes 351
cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"
New job for NSA (Score:5, Insightful)
Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.
Re:Okay, but... (Score:5, Insightful)
How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.
What data? (Score:4, Insightful)
What data was he able to access?
Two ends of a possible spectrum I see...
- Being able to tell 70k accounts exist by some numerical ID
- Getting full personal information for 70k accounts including name, address, ssn, payment details
Re: Okay, but... (Score:5, Insightful)
While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.
It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.
Re:Throw money at it! (Score:5, Insightful)
> Forget the military-industrial complex; sequestration is shutting that down.
ROTFL really? You actually think that is shutting down or that the fake sequestration dance had shit to do with it?
Last year, right before sequestration hit, congress approved massive military spending on all sorts of pork. Sequestration itself was even only a cut in budget increases. Sequestration is very narrowly aimed at making paper cuts look like gaping wounds....and does so with exacting precision.
I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.
The military industrial complex is alive and well.
Sometimes I wonder about numbers (Score:5, Insightful)
If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k In 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).
Re:Okay, but... (Score:2, Insightful)
Commericial company who did Healthcare.gov [washingtonpost.com]
And my 'favorite' - Oregon's botched by Oracle [oregonlive.com]
It wouldn't be politically correct, but they could have had the work done much cheaper by cutting out the middle man and just hire Indians or an Indian firm directly.
Instead, they hired Indian developer resalers. Yep, that's all N. American companies - especially US companies - are: resalers of Indian and other Third World development talent.
Why spend the money on flashy suits with Rolex watches? Go direct! Go Indian!
Re:Every citizen? (Score:5, Insightful)
You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.
Re:Okay, but... (Score:5, Insightful)
Sure they would. Not all of them, true, but most. That's not to say they'd be perfect, but they would certainly have done better. Banking websites, despite often having stupid legacy requirements like 8-character passwords or relatively weak SSL ciphers, are routinely designed with vastly better security than is being described here. That's for their own sites; for ones operating under such a high-profile-the-gov-is-paying situation? They'd be idiots not to, and contrary to what it sometimes seems, not many successful companies are actually run by idiots. This whole fiasco has the potential to spell death for this company, and its top people, at least in government circles. They'll be too toxic to touch!
Don't get me wrong, really good web security is hard. There's simple fixes for pretty much every class of problem, but there are a *lot* of possible problems and some of them are pretty un-intuitive. Knowing what security to implement, where, and how to do it is pretty specialized knowledge. In theory, it should be something every web developer knows, of course. In practice, that's not the case at all. Instead, there are a bunch of basic guidelines every code monkey is given, and then there are a handful of experts who oversee the whole thing. Small companies, or those operating on a tight budget of either time or money, may opt to leave that part to some outside experts once the code is already written (I would know; this is what I do) but they still often at least make the attempt.
To go completely without such expertise, on such a high-profile project, though? Pure folly. Even where the implementation of security recommendations is hard (and sometimes it is), the cost of failing to implement them will be much greater, and they really should know that.
$700 million - and still insecure!!! (Score:2, Insightful)
No commercial company would have spent USD $700 million and STILL had an insecure site. Further - we have NOT seen one single f'ing firing...in the commercial world - heads would have rolled!
Re:New job for NSA (Score:4, Insightful)
I'm not personally familiar with the database they're using, but it's worth noting that injection attacks work on some noSQL databases too. It all depends on how the data is added and accessed; any language (for even very loosely defined values of "language") that fails to clearly distinguish instructions from data risks the latter being interpreted as the former.
Just in case you were being serious. :-)
Re:Throw money at it! (Score:5, Insightful)
Do remember that it was Obama that "closed down parks" and "did everything they could to make people feel the cuts", not Congress.
Most of the cuts did nothing that would've been noticed by the average citizen, but you can't generate outrage at Congress with barely noticable cuts. So they spent extra money putting traffic cones up blocking sites from which Mount Rushmore could be photographed, and shut off access to the Tomb of the Unknowns (which normally has no restrictions to access - it's in the middle of a lawn).
Re:This Was Commercial (Score:3, Insightful)
I think it is important to point out that effectively this was the work of a commercial company.
No its not. A commercial company would be losing money hand over fist, being sued by customers by the thousands, no one would choose to do business with it, and they would have run out of investment money long ago.
The ONLY way to have a failure of this magnitude is with the unlimited coffers of the government, funded by tax payers with no say in it.
Re:Go Team USA! (Score:4, Insightful)
Hence the reason why decoupling your insurance from your employer is a great idea.
Re:Okay, but... (Score:3, Insightful)
Re: Okay, but... (Score:4, Insightful)
But what about the companies who store info on me that I've never done business with? There are plenty of data aggregators out there that have tons of people in databases without any of them ever having done any direct business with them.
No. It's NOT the same thing (Score:4, Insightful)
The example you gave - the securites markets - deal only with impersonal numbers. There have been a bit of screw ups in the past (Flash crash for exmaple.), but it's a matter of backing up trades and lecturing member firms and maybe a little slap on the wrist.
No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.
With Healthcare.gov, we're dealing with individuals information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.
A big corp's nusence is a citizen's nightmare and ruin.
NOT The same thing.
Re:Then Why No Hack Job? (Score:4, Insightful)
The whole point is that it probably has, and their security is so bad they can't even detect it, let alone prevent it.
Re:Government! (Score:1, Insightful)
Based on specs from the government...
Re:Okay, but... (Score:5, Insightful)
How many commercial companies would have this much customer data at risk?
Well.. I can name at least three: Equifax [equifax.com], Experian [experian.com], and TransUnion [transunion.com].
Re:Go Team USA! (Score:5, Insightful)
We have representatives
Coulda fooled me...
Re: Okay, but... (Score:5, Insightful)
Its a false dichotomy because you can never know the inherent security of a company you do business with really. Often these companies are veiled behind the companies you do perform business with anyways, so who's to say that although 'Walmat' may be secure, but maybe their downstream credit merchant bureau has huge leaks, or maybe their third party BI / sales data processing service has some inherent flaw, or ... Security isn't as simple as putting the onus on a very complicated problem and just saying 'sure, I trust Walmat with my credit, address, phone', etc..
Ideally all this 'information' will become a lot less valuable (like making the ability to attain credit a lot more difficult than some data entered into a web page) but that'll happen sooner or later, be assured. The Internet's rather new in this respect, and although safeguards help, they are by no means perfect. You could increase the security (which is always a good idea for items of value), but ideally, we just make a credit card number useless. Who cares. Its a 16 digit number. Its the hundreds / thousands of sites accepting that as 'sufficient' for merchant exchanges that make the number important.
Re:How do I get clients like this? (Score:4, Insightful)
Re:Throw money at it! (Score:5, Insightful)
> You're a fool and clearly never worked in Defense Contracting.
Fool must mean, person with a conscience.
I certainly hope your post is accurate, its the best news I have heard about the sequesters yet.
The offence (calling it Defence is bordering on Orwellian and has been for generations now) industry could stand some deep cuts. Mortal blows even.
Re: This Was Commercial (Score:4, Insightful)
So when a government agency does something good, it's because it outsourced some work to the private sector. If it does something bad, it is because it is a government agency. Did I get that right? For some reason , I smell a variation of the "privatize profits, socialize losses" mantra.
Re:Government! (Score:5, Insightful)
I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.
CGI botched up the long gun registry in Canada in the same way many years ago.
Re:Okay, but... (Score:1, Insightful)
Yeah, probably a vast right-wing conspiracy among all the Republican software developers.
Gimme a fuckin' break.
Obamacare was always a bad idea. That the implementation sucks is secondary to the fact that it was bad law to begin with. But you're on the right track -- find anything and anyone to blame but the Obamessiah. Fucking liberals are going to whine about this for years.
It's like those people who tell us that communism was a great idea, but it just hasn't been implemented right.
Spec? What spec? They were making changes ... (Score:5, Insightful)
I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.
Spec? What spec? They were making changes two weeks before launch. From the congressional testimony, http://www.cnn.com/2013/10/24/... [cnn.com]:
... an end-to-end test conducted within two weeks of the launch caused the system to crash. She said it was up to CMS to decide on proceeding with the rollout."
... It appears that politicians were in control.
"In the first detailed account of what happened, officials of four contractors involved in the website creation described a convoluted system of multiple companies operating separately under the oversight of CMS, a part of the Department of Health and Human Services. Each said their individual components generally performed as planned after internal testing, but all conceded that CMS failed to conduct sufficient "end-to-end" testing of the entire system before the launch
"... blamed a decision by CMS within two weeks of the launch to require users to fully register in order to browse for health insurance products, instead of being able to get information anonymously, as originally planned."
The preceding should not be interpreted to mean that the contractor did good work. They may have been a problem as well. My point is that government officials were basically sabotaging their project through mismanagement. Inadequate integration testing, last minute changes, launching despite testing showing they were not ready