Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes
cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"
The root password is "password1".
> 70,000 Healthcare.Gov Records In 4 Minutes
Lie! There aren't even 70,000 people who have successfully registered yet.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.
Clearly the other readers will be as shocked as I am.
We all know that the private sector could have done better!
.....
Bwahahahahahahahahahahahahahahahaahahahah!
Oh! I shit my pants!
Quick, throw money at it! Hire more smart guys! If they worked at Google or Facebook or Microsoft they must know how to make a website, so keep throwing money at them!
Seriously, this is what you get when lawyers and politicians from on high direct their inefficient bureaucracies to handle a job they've never done before, bypass all Federal Acquisition Regulations to get it running to meet a political deadline, and basically give them a blank check. Forget the military-industrial complex; sequestration is shutting that down. Soon we'll have the government healthcare-internet developer complex to worry about.
Whats this about every US citizen?
How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing this automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There are plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors, and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.
What data was he able to access?
Two ends of a possible spectrum I see...
- Being able to tell 70k accounts exist by some numerical ID
- Getting full personal information for 70k accounts including name, address, ssn, payment details
Are you guys ever going to do anything?
If I were a US citizen I would be on the phone and in my local MP's office faster than Slashdot's robot voice could finish this article.
Isn't enough, enough! Or do you need more convincing that the people you have elected have only their interests at heart and are filling their pockets as fast as they can? /Sigh. As a non-US citizen I am slightly scared about what's going to happen every day; at some point I'm sure a breaking point will be reached, and as sad as this is, the USA still has quite a hold on global markets (not to mention warfare). It's generally not as much as they think, but a civil war in the USA would be a global problem.
While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.
It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
By history you mean current events, in the form of Target?
never a better time to consider ourselves in relation to creation & our centerpeace momkind. little miss dna cannot be wrong we are good sports with good spirits who have been bushwhacked etc...
Doesn't it seem like everything done by the Obama administration so far has been a huge disappointment? I was doing much better financially under Bush. My insurance premiums are almost double what they were before the ACA. I really wish they would change the name to something more appropriate like the Unaffordable Care Act. My parents are still waiting for the rural broadband Obama promised back in 2008. They are finding it difficult to use the internet on their dialup modem.
If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k In 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).
Commercial company that did Healthcare.gov
And my 'favorite' - Oregon's botched by Oracle
It wouldn't be politically correct, but they could have had the work done much cheaper by cutting out the middle man and just hiring Indians or an Indian firm directly.
Instead, they hired Indian developer resellers. Yep, that's all N. American companies - especially US companies - are: resellers of Indian and other Third World development talent.
Why spend the money on flashy suits with Rolex watches? Go direct! Go Indian!
Somehow I don't think that a group of people looking for government subsidies for their healthcare represent the best targets for identity fraud.
Average Intelligence is a Scary Thing
Yeah, as much as I think criticism of Obamacare is overblown(and claims of success also overblown, it didn't fix pricing problems), being legally mandated to do something dangerous isn't good.
Mitnick is no hacker. He's little more than a scammer and a con-man.
History suggests so.
The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.
If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.
Sure they would. Not all of them, true, but most. That's not to say they'd be perfect, but they would certainly have done better. Banking websites, despite often having stupid legacy requirements like 8-character passwords or relatively weak SSL ciphers, are routinely designed with vastly better security than is being described here. That's for their own sites; for ones operating under such a high-profile-the-gov-is-paying situation? They'd be idiots not to, and contrary to what it sometimes seems, not many successful companies are actually run by idiots. This whole fiasco has the potential to spell death for this company, and its top people, at least in government circles. They'll be too toxic to touch!
Don't get me wrong, really good web security is hard. There's simple fixes for pretty much every class of problem, but there are a *lot* of possible problems and some of them are pretty un-intuitive. Knowing what security to implement, where, and how to do it is pretty specialized knowledge. In theory, it should be something every web developer knows, of course. In practice, that's not the case at all. Instead, there are a bunch of basic guidelines every code monkey is given, and then there are a handful of experts who oversee the whole thing. Small companies, or those operating on a tight budget of either time or money, may opt to leave that part to some outside experts once the code is already written (I would know; this is what I do) but they still often at least make the attempt.
To go completely without such expertise, on such a high-profile project, though? Pure folly. Even where the implementation of security recommendations is hard (and sometimes it is), the cost of failing to implement them will be much greater, and they really should know that.
There's no place I could be, since I've found Serenity...
Our de-facto national ID, the social security number, will not survive the increasing ubiquity of the Internet and the utter lack of security on behalf of the government.
Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:
1. Create an account on the site.
2. Log in.
3. Notice that your URL ends in something like /showUserProfile?userID=70001
4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.
A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.
Koans and fables for the software engineer
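The five steps sketched in the post above, as an added example that is not code from the original post or from the site it discusses: the vulnerable profile handler next to the one-line ownership check that fixes it, the enumeration loop from step 5, and a log-side check that flags one session walking many userIDs. Every name, record and log line here is constructed; the handler names and the "session id path" log format are assumptions.

```python
"""Added example: insecure direct object reference (IDOR), the pattern described
in the post above. Hypothetical names and constructed data throughout; nothing
here is from healthcare.gov."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed sample "database". Sequential numeric IDs are what make guessing
# neighbouring records trivial once one valid ID is known.
USERS: Dict[int, dict] = {
    1: {"name": "Alice Example", "ssn_last4": "1234"},
    2: {"name": "Bob Example", "ssn_last4": "5678"},
    70001: {"name": "Mallory Attacker", "ssn_last4": "0000"},
}


@dataclass(frozen=True)
class Session:
    user_id: int  # the authenticated principal this session belongs to


class Forbidden(Exception):
    pass


def show_user_profile_vulnerable(session: Optional[Session], user_id: int) -> Optional[dict]:
    """/showUserProfile?userID=<n> as a badly written app implements it.
    It only checks that the caller is logged in; the userID from the URL is
    trusted as-is, so any valid session can read any record."""
    if session is None:
        raise Forbidden("login required")
    return USERS.get(user_id)


def show_user_profile_fixed(session: Optional[Session], user_id: int) -> Optional[dict]:
    """Same endpoint with the check the post calls for: the record requested
    must belong to the session asking for it."""
    if session is None:
        raise Forbidden("login required")
    if user_id != session.user_id:
        # Fail closed. If you would rather not confirm that the ID exists at
        # all, answer exactly as you would for a missing record.
        raise Forbidden("not your record")
    return USERS.get(user_id)


def enumerate_profiles(handler: Callable, session: Session, ids: Iterable[int]) -> Dict[int, dict]:
    """Step 5 of the post: walk the ID space with one legitimate session and
    keep whatever the handler hands back."""
    found: Dict[int, dict] = {}
    for uid in ids:
        try:
            rec = handler(session, uid)
        except Forbidden:
            continue
        if rec is not None:
            found[uid] = rec
    return found


# Detection side. One session touching many distinct userIDs is the signature
# of exactly this loop. Constructed access-log lines, format "<session> <path>".
SAMPLE_LOG = """\
sess-A /showUserProfile?userID=70001
sess-A /showUserProfile?userID=1
sess-A /showUserProfile?userID=2
sess-A /showUserProfile?userID=3
sess-B /showUserProfile?userID=2
sess-B /showUserProfile?userID=2
"""


def sessions_enumerating(log: str, threshold: int = 3) -> Dict[str, int]:
    """Return {session: distinct userIDs} for sessions at or above `threshold`."""
    seen: Dict[str, set] = {}
    for line in log.splitlines():
        sess, path = line.split(" ", 1)
        if "userID=" not in path:
            continue
        uid = path.split("userID=", 1)[1]
        seen.setdefault(sess, set()).add(uid)
    return {s: len(ids) for s, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    attacker = Session(user_id=70001)
    print("vulnerable:", sorted(enumerate_profiles(show_user_profile_vulnerable, attacker, range(1, 70002))))
    print("fixed:     ", sorted(enumerate_profiles(show_user_profile_fixed, attacker, range(1, 70002))))
    print("flagged:   ", sessions_enumerating(SAMPLE_LOG))
```

The fix is the ownership check, not hiding the ID: scope every lookup to the authenticated principal (or to an explicit authorization rule) before touching the data, and treat a session that fans out across many IDs as an alert, since a real user has no reason to request anyone's profile but their own.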
In my last job, for a Fortune 10 company, whole families worked on the projects. An uncle helped hire his niece, her husband, some friends, etc.
In the USA they call it "networking" - hiring your family, neighbours and school friends.
I would not be surprised if a similar approach was used here.
No commercial company would have spent USD $700 million and STILL had an insecure site. Further - we have NOT seen one single f'ing firing...in the commercial world - heads would have rolled!
Even worse, after accessing all those records, he logged in again as Bobby Tables and...
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
Obama's ACA plan will be hacked and all other plans will point to it.
End result. Obama owes IRS AND a vast assortment of [sarc]Healthcare providers[/sarc] more money than Greece owes the ECB!
No wonder Obama is going to the Vatican to meet Pope Francis! Now, Obama REALLY needs a miracle that even the NSA can't steal.
Ha ha
I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).
I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have(had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.
This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.
ranton,
Stop trolling slashdot all day and get back to work on that security analysis for healthcare.gov.
-Boss
Mitnick is famous still?
I mean, I'll give him his props. He's developed his security skills since his release, but wasn't Mitnick famous for socially engineering his way into systems? Yes, this is important, considering various past stories on /. concerning how useful SE is for exploiting security holes. But aren't the hearings focusing more on the actual code holes that exist?
He should probably shut it. Doesn't he know that the best security is obscurity? If he keeps talking about how vulnerable that website is, someone MIGHT actually hack it! Is that what he wants??
Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.
* Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...
I am not surprised, when people scream that the government should do something about an issue they never stop to think about the government and what it really can do.
When there is an issue, the government has three options in its toolbox to fix it.
#1) Make it illegal
#2) Declare war on it
#3) Throw your money at it and hope it goes away.
So, they started subsidizing your healthcare (with your own tax $$). They paid to have an exchange created (with your tax $$). The exchange had security issues. Well, they can fix that as well: just throw more of your tax $$ at it and hope it will go away.
While all this is going on they are obviously hurting for tax $$ as THEY sent me a letter telling me that my wife and kids do not exist and they are instructing the company I work for to change my W4 to single male and to withhold the maximum amount until I send the IRS PROOF that I have a wife and kids.
The worst thing is, you don't even have to sign up for them to get that information.
"First they came for the slanderers and i said nothing."
Would you please take a crack at Vermont's site - also made by CGI? It is crap and we are getting nothing but a snowjob from the powers-that-be.
See? Not incompetent coding; safeguards! "We mock what we don't understand."
I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?
A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.
I saw where this was going about 10 years ago. Since there is no stopping the continuous expansion of government, the only way to minimize the impact of government data collection is to stop signing up for things. Don't put your name on ANYTHING unless you absolutely have to -- and that goes double for anything related to government. Don't get speeding tickets. Don't get parking tickets. Don't go on unemployment. Don't register to vote. Throw away the census papers. I realize that it is impossible to ignore coercive authority, but you can distance yourself from the system as much as possible, which has clearly proven to be unstoppable.
But what about the companies who store info on me that I've never done business with? There are plenty of data aggregators out there that have tons of people in databases without any of them ever having done any direct business with them.
OK, so if the site is so damned vulnerable why hasn't it been cracked by a Black Hat yet? Access to this sort of information is the wet dream of most hackers-for-hire. TFA quotes a Government person saying that the site is secure. The White Hat hackers say it isn't. Unless someone is lying about there having been no break-ins yet, then I have a hard time accepting that the site is a plum waiting to be picked by the next script kiddie that comes along. I could see that there would be a desire to cover up any hack job, but I don't know that a cover-up of something that juicy could hold up for long. Some missing pieces to this story.
The example you gave - the securities markets - deals only with impersonal numbers. There have been a few screw-ups in the past (the Flash Crash, for example), but it's a matter of backing out trades and lecturing member firms and maybe a little slap on the wrist.
No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.
With Healthcare.gov, we're dealing with individuals information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.
A big corp's nuisance is a citizen's nightmare and ruin.
NOT The same thing.
Could the reason there are so many problems be that the priorities of the top men in govt/corp are other than healthcare.gov?
mfwright@batnet.com
I'm not sure why healthcare.gov needs drivers license numbers, but those others are true of private healthcare companies, who appear to have more leaks than the government at least on this graph.
I'm not saying government is more secure, I'm just saying the dangers aren't unique to healthcare.gov.
Wasn't the work contracted out to a commercial company?
Ideology: A tool used primarily to avoid the bother of thinking.
From the misery of this site it looks as if it was specifically designed to kill Obamacare.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Two things:
According to the article, the government is not REQUIRED to tell you about hacking attempts. HIPAA and other laws require that they disclose "hacks".
Second, as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.
Never answer an anonymous letter. - Yogi Berra
When you let government control everything, then everything (including data security) is at government standards.
Some people were suggesting that this was one of many reasons that letting government control everything wasn't such a good idea.
But whew, at least we don't have binders full of women, or whatever it was we were supposed to be so worried about instead ...
How many commercial companies would have this much customer data at risk?
Well.. I can name at least three: Equifax, Experian, and TransUnion.
It must have been something you assimilated. . . .
I don't think so.
He has a history of breaking and entering, burglary, wire fraud, computer fraud, fraudulently trying to acquire identification, and cloning cell phones on top of his cracking exploits, which include hacking into a credit card processor and putting their credit card database on the internet.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
being legally mandated to do something dangerous isn't good.
The worrisome thing is, you don't even need to do anything to be exposed to danger. Your information is already in the system, waiting to be exposed.
Or you could, I dunno actually call up the credit rating agencies and actually describe the problems. Quite often they can actually help you with your problems, though by the time you get to them, you're generally feeling too irate to appreciate it.
I had collections agencies calling me every few weeks asking for 'insert name here' who apparently bought some crap and put my phone number as the contact info. Well, a company generally shops the collections duties out to a bunch of useless leeches that don't give a fuck about annoying the shit out of honest folks. Finally, after maybe 2 years of hassle from countless collections leeches, one of the agents finally told me that if I really had an issue with it, I should just go to TransUnion/Equifax (at least in Canada) as the contact info was most likely originating from them. I did, and the agent 'corrected' the defect and I haven't heard a peep from a collections agent since. Thank goodness I'm not a delinquent deadbeat or else I'd be living a shitty life with those vultures pecking.
If I recall correctly, you can also do other things like flag your personal information, and if anyone attempts to open credit accounts through those credentials, you'll get notified, but I can't remember if that's right or not. If not, it'd be in everyone's benefit to do so if they don't though.
Bye!
BitLocker. Learn it, Love it (not really), USE IT!
Life is not for the lazy.
Healthcare.gov
It's not hard to imagine that any new large site has significant security holes. How you avoid that is quite a question.
On the other hand the chief player in this testimony, David Kennedy has a rather checkered past. He was chief security officer at Diebold, famous for highly insecure voting machines.
At one place I used to work, we had to run our site through an automated testing utility that had over 1000 hack attempts. It found 8 on our site (that had never been hacked to my knowledge). We took care of 6 easily, 1 more without too much effort and finally convinced the powers that be that the 8th one would cost more than they were willing to pay.
Sure, it was a pain, but it really wasn't that hard to secure an additional 7 hack attempts (6 of which I had never heard of, despite all my years in the industry).
It sounds like Healthcare.gov would fail 500 of the 1000.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Isn't it safe to assume it's already been hacked?
"If any question why we died, Tell them because our fathers lied."
It's a false dichotomy because you can never really know the inherent security of a company you do business with. Often these companies are veiled behind the companies you do perform business with anyway, so who's to say that although 'Walmart' may be secure, maybe their downstream credit merchant bureau has huge leaks, or maybe their third-party BI / sales data processing service has some inherent flaw, or ... Security isn't as simple as putting the onus on a very complicated problem and just saying 'sure, I trust Walmart with my credit, address, phone', etc.
Ideally all this 'information' will become a lot less valuable (like making the ability to attain credit a lot more difficult than some data entered into a web page), but that'll happen sooner or later, be assured. The Internet's rather new in this respect, and although safeguards help, they are by no means perfect. You could increase the security (which is always a good idea for items of value), but ideally, we just make a credit card number useless. Who cares? It's a 16-digit number. It's the hundreds / thousands of sites accepting that as 'sufficient' for merchant exchanges that make the number important.
I was faster and accessed 100,000 records in 2 minutes..... SO THERE
Now that accenture has taken over...
Hackers can get 70K records in 4 minutes from the healthcare.gov website? Great news! That's the best performance metric the website has had yet!
You criticize Obama, it's probably because you're a racist.
Approval ratings prove it:
http://www.sltrib.com/sltrib/w...
The only reason Obama is hated is because he is a black man.
At least, that's what my television tells me.
Futurist Traditionalism
I counter with, they aren't neatly bundled in one place.
I am Bennett Haselton! I am Bennett Haselton!
At least nothing you are aware of.
As an incident responder who has been called into health-care breaches, the second point is not entirely accurate outside of your environment. It's equally likely to have accounts compromised by spearphishing emails that install keyloggers, or Outlook Web Access accounts with weak passwords.
I can't tell you the number of hospital workstations I've analysed with Koobface trojans.
Are you aware of the context of the current discussion? It is not about encrypting data on your local machine...
I've got bad news for you - all that information you're worried about is kept in private commercial databases, and can and has been leaked by corporate failures.
"SS numbers, addresses, phone numbers, driver's license numbers..." What, exactly, do you think the credit companies use to rate you? That's what was leaked from Target - all your identifying information. If it were just your CC number it would be easy to fix. And Verizon - they had your entire call history stored and available with a simple hack - that's NSA level stuff right there - free for the world to see. Amazon, Google, or even just your CC company have waaaay more personal data on you (like the prescriptions your bought or the doctors and hospitals you've visited and paid for) - and you don't have to even hack their servers. They'll sell your personal information for a few pennies.
Is it just my observation, or are there way too many stupid people in the world?
I presume you're cash only, with no bank account. That's a real bitch when it comes to regular, gainful employment, though.
How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing this automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There are plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors, and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.
Depends on if you designed it weak in the first place as a tactic to create more legal business.
Sounds corrupt as all hell doesn't it? Well, I am referring to the US Government. #corrupt is their copyrighted, trademarked tagline.
But what is the solution here? Move it to the private sector? You said yourself that the private sector has no experience with that kind of stuff. It's easy to scream .gov sucks, but the private sector will face far bigger problems - including dealing with corporate failure. Will everyone go without insurance just because a corporation failed?
Those who can, do. Those who can't, sue.
Yes it is, read the GP, it said
as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.
It was never meant to actually work.
It was meant to fail spectacularly in order to clear the way for British-NHS-style single-payer healthcare.
"Jacob Hacker, The Architect of ObamaCare and the Public Option in making his case, admits that this idea is a covert route to a Single Payer System."
http://youtu.be/3sTfZJBYo1I
Just watch. After sufficient public frustration, desperation, & outrage have developed, single-payer will be rolled out as the "fix".
There's a "fix" alright, just that it was "in" before this crapfest was even passed.
Of course, those in Congress and friends of the administration like labor unions won't have to deal with any of this. It's good to be the king, eh?
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
...as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive...
Which means that, as far as I know, suggesting a form of local encryption is perfectly relevant.
Bits of code, random ramblings: jakimfett.com
I counter with, they aren't neatly bundled in one place.
True, but their user information overlaps almost in its entirety.
Yeah, probably a vast right-wing conspiracy among all the Republican software developers.
Gimme a fuckin' break.
Obamacare was always a bad idea. That the implementation sucks is secondary to the fact that it was bad law to begin with. But you're on the right track -- find anything and anyone to blame but the Obamessiah. Fucking liberals are going to whine about this for years.
It's like those people who tell us that communism was a great idea, but it just hasn't been implemented right.
That I'm right, and you don't like it, doesn't mean I'm a troll.
I saw that in TFS. Is it true? IS my data on the site even though I am not a customer?
It is, sort of.
But in the context of the law it is irrelevant
We once failed to prove we destroyed 3 drives of a 15 drive RAID array (someone did not take pictures of the drive before shredding) that was encrypted at rest. Did not matter, there was confidential information, so we had to indemnify "potential" identity theft losses for clients that might have been compromised.
So sayeth the non-technical government arbitrator, so shall it be done...
Pretty unlikely, but I guess someone could decrypt blocks and those blocks might have PHI on it.
Actually...yes they are.
Individually, they do not have your complete credit history on file. For that, you do have to access each one to pull down all three parts of your complete story. However, individually, all three have at least your Name, Address, Social Security Number, Drivers License, and at least a partial phone history, on file.
tl;dr: Each of the three companies, individually, has enough identifying information to ruin you for life.
You are correct, but the damage is limited to the single customer hacked.
Not our dog, we are not responsible
Because we don't run hospitals, individuals wanting to get in remotely had RSA key fobs to authenticate for exactly the reasons you state.
Never answer an anonymous letter. - Yogi Berra
Greetings,
This is David Kennedy - I can only tell what I can see - much of the stuff here was indexed by Google and only to a certain point I can go without doing anything that could be misconstrued as unethical or illegal. I won't go into any specifics since this issue still hasn't been fixed. What I can say is this is one of many issues still on the site and things you could find just by viewing the website through a normal browser and without any authentication. I didn't attempt any registration of user accounts, no vulnerability scans, no port scans, no submission of input fields, no SQLi testing, no manipulation of data, just good old-fashioned Google and web browsing. I focus on application security as my profession and I have to say that the folks over at HHS are great, but I have to imagine bogged down with politics and other issues that hinder remediation efforts. I don't know the "exact" number of accounts because I didn't cycle through them or extract any data at all. I do hope they focus on the issues and fix them, that's all I've ever wanted with this. It's not hc.gov specific either, it's federal-wide. DHS just reported bank theft from one of its sites: http://krebsonsecurity.com/2014/01/dhs-alerts-contractors-to-bank-data-theft/. It's not to say any site isn't "hackable" - but there are things you can do to make it hard and easily detect these types of attacks and stop them in the early stages. Appropriate security integration into the SDLC and formal security testing (source code analysis, dynamic code testing, etc.). The federal government relies heavily on FISMA (enabled in 2002) and NIST 800-53 as a guidelines standard for security. Unfortunately it has become more of a check box inside the federal government and just complying, as HIPAA is about skirting around how to protect ePHI (which by the way isn't on the hc.gov website, no PHI at all, just PII).
If you have time to read the written testimony I submitted, it's a decent read on how to structure the federal government in a way that focuses more on proactive security: https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/. Needs to be done broadly and hit development processes inside contractors as well as internally.
The truth is the sheer amount of what's exposed is purely hypothetical and not an actual. What I can say as being a developer, programmer, and assessing websites for the largest companies in the world is if you see problematic areas just from pure passive analysis, there are much larger problems underneath the hoods. Again, purely hypothetical, but based on experience and judgement. I used the example when I testified in front of Congress of instead of being someone in INFOSEC and having 14 years of being a mechanic and a car drives past me with blue smoke, engine making clanking sounds, and oil dripping everywhere, I can as a mechanic make an assumption that something's wrong with the engine. I'm 100 percent confident in this based on my experience, but again - just my experience as a penetration tester / application security guy.
It sucks that this has turned political, as it should be how we fix security issues moving forward. I hope that something comes of it and am willing to help wherever I can.
Thanks,
Dave
I heard this guy over the radio. He was saying "S-Q-L Injection" instead of "Seaquel Injection", so I can't trust his expert opinion.
Agreed,
but we had pretty good defenses, and were of course DOSed many times.
But taking of data? Not that we could ever detect, which is not the same as "never happened"
Never answer an anonymous letter. - Yogi Berra
Your data is on the IRS's system, which this system accesses to determine the subsidies you may (or may not) be eligible for.
"I do not agree with what you say, but I will defend to the death your right to say it"
Most of the time the drives are encrypted, however if the drive is lost, it still has to be reported under the assumption that it was compromised.
AJ Henderson
My experience with some of those Indian consulting firms is that if you deal directly with them, you can actually get quite good outcomes - because you're directly involved with the quality control, and they do like repeat business so they try to make a good impression. The only catch is that you can't go for the cheapest - it's still cheaper than hiring locally, but if you pay a few cents, expect a few cents' worth of work.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
The data is accessible through the site. I don't think any hacker has figured out how to get through to it yet, but IMO it's only a matter of time before those vulnerabilities are found that allow it.
"First they came for the slanderers and i said nothing."
hahaha hahahah ahahahahaa
According to HIPAA, a lost record is a lost record. Encryption does not soften the blow.
Maybe, if they got their website on the cheap. If they paid 5 or 6 figures they probably got a secure site, not necessarily invulnerable but quality work. The thing is, in the real world there is no such thing as $500m+ websites. The government is the only organization who will routinely pay 8 or 9 figures for a website, and on top of it they have no expectation of quality.
I found the DEFCON video that shows the really creative ways that webapps can be attacked, along the lines of what you're talking about:
https://www.youtube.com/watch?...
It's by Samy Kamkar. I strongly recommend it for any developer of public-facing webapps.
Koans and fables for the software engineer
Some security would be nice.
Why is it so hard to only have politicians for a few years, then have them go away?
The only way to minimize the impact of government data collection is to stop signing up for things.
My take is the opposite. Give them more, and more, and more data until they simply cannot process it. That's just about what happened with the healthcare.gov rollout.
And all of the data you feed them does not have to be accurate...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
These were private companies that did the work, so your question is not relevant. Did you mean to ask a different question? It also seems like you are defending what is in place with a big fat red herring. You should be more specific, lest you appear to simply be a sock-puppet account like so many other pro government shill accounts.
Posting anonymous to spend mod points. s.petry
No, Obamacare was designed to fail by the Democrats, who want a single-payer system put in place after Obamacare fails.
Exactly. They don't realize that pendulums swing both ways. Drunk on their success, just like Republicans.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
What - you mean the data brokers that gobble up personal info (PII) and aren't restricted as to how they use, interpret, buy or sell, or otherwise disseminate data?
Could it be true?
How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.
How many commercial companies do not practice security? Ask Target. Ask Barclays Bank. Ask Chase...shall I go on? Commercial companies practice no more security than is cheap.
If a government website exposes thousands of citizens to high levels of danger, it has to be shut down and not taken back online until it works. He does have the power to take the site off line. Sure, he is not the one coding it, but it's not exactly NORAD. It's a highly broken shopping site. What level of incompetence would he have to display before his supporters would finally agree that he is, in fact, just an empty suit? I want to know where that line is that he cannot cross as far as his supporters are concerned. This is the guy who sold guns to drug dealers to whom the gun dealers wouldn't sell guns because he wanted to create the perception that guns are dangerous (and no, you silly, Bush didn't do the same thing -- Bush considered it and then decided it was a dumb idea and shelved it). Don't even start with "he didn't do it personally". He did -- by the virtue of the fact that his political appointees did it and weren't even fired for it. What is the line he cannot cross? I just want to know what to expect. Or should I just settle in and enjoy the surprises?
Any guest worker system is indistinguishable from indentured servitude.
What testing utility did you use?
The HHS is a public agency and as such it is not covered by the HIPAA. In any case, considering HHS is tasked with enforcing the HIPAA....
I expect there are other laws that do apply. There are lots of laws governing how federal agencies and their contractors handle sensitive information.
http://www.hhs.gov/ocr/privacy...
I do not block ads. I do block third party scripts.
A guy saws the legs off the table as he heads out the door. New guy comes in as the table crashes to the ground, and booger-eating morons like you start screaming "look what the new guy did!"
He is a mediocre programmer and computer intrusion guy. He is a superior con and social engineering guy.
Breaking into secured systems is multi-part. 133T Sk1llz is only a small part of that. Do you really need to know every byte of the kernel on every version of the OS if you can talk the executive assistant out of a C-level login and password?
In the end it is all about results, not who has the biggest E-penis.
http://www.healthcare.gov/logi... - Access Denied
http://www.healthcare.gov/aww!...? -Access Granted
And these are the companies that healthcare.gov (well at least the New York one) are using to validate customers' data. I'm surprised no one has brought this up yet.
My UID is prime!
Well, I guess that it's a good thing that hardly anybody has signed up!
I've found problems with my bank's web site, with ADP's 401K site, and a couple weeks ago with Ebay's account login and Change Email (just try it and look at the confirmation email you get back to see for yourself) but getting any of the front-line minimum-wage people in place to deal with you to forward it to someone with a clue is virtually impossible.
In my experience, the only way to get a corporation to acknowledge and fix a problem - even the ones that maintain a specific place to report those problems - is to use social media.
What hacks do you actually have to worry about on healthcare.gov if it was designed reasonably?
A person with an account sends you information (encrypt it on the way there). You insert that information into a database and it can be called back by the user with the right username and password. No other access of information should be possible and most half-decent websites do this. Hell, banks are 100x better in that there is a lot of information you CAN'T recall from the website and must phone in to modify or authenticate.
Then all healthcare.gov has to do is do a quick query as to what subsidies you qualify for (basic, trivial test of your expected AGI) and display from a public database all the insurance schemes you qualify for with the prices modified by your discount. All that needs to pass from the IRS servers to the website are the expected subsidies, no other data is required.
I can imagine a pretty trivial implementation with no front end holes to it (and it sounds like most of these holes are in the front end). Then if you were reasonably smart and standardized the format for customer data to go to the insurance companies, you just request new public keys from them each week and send them the encrypted file. What hacks are you open to? When I went to the website (I'm American but live abroad) I found the entire thing clunky. Hell, when I was inputting personal information it seemed to load data to the database every time I switched fields rather than me typing in 25 things and hitting "upload" once. It was bad enough I never did get around to comparing health insurance costs in different locales.
I saw nothing in the linked article that indicated 'what' information was pulled for these 70,000 'records'. It could be something as simple as IP information. Simply claiming you hacked a site without providing specifics as to what was extracted isn't all that useful. It makes for good headlines and 'clicks', but not much else.
This is what passes for reporting these days?
Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system.”
Kennedy also told Fox News Sunday, “70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.”
Ooops. I skipped over it... damn. Reading. A good skill to have.
However, I'll say this, not *EVERY* "hack" was the result of a loss of laptop or hard drive. There were some due to the websites. Just saying.
[I have a guy tracking all these hacks for a monthly report we send upstairs]
communism was a great idea, but it just hasn't been widely implemented yet
FTFY. See FSF & al.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
The problem with white hat hacking is that the sentence is as long as black hat. Likely the details are deliberately vague to maintain some deniability. And nobody official is acknowledging any weaknesses, let alone detailing what could be lost in a breach. Am I at risk? If so, what of me is?
Learn to love Alaska
Make no mistake, the security issues are very serious, but it sounds like the claim about accessing 70,000 records was misunderstood.
I stole this Sig
I disagree. They could have stated the nature of the data without being specific.
Non-identifiable (anonymized), or semi-public (phone, name, address), or sensitive/private.
"I could access 70000 records in 4 minutes (if I chose to, but I chose not to)" is different from "I did access 70000 records, and got name, address and SSN". One is a boast (not actionable in court) the other is a public confession to a federal felony. A white hat announcing the second would likely see jail. So it is normal to see the announcements be completely devoid of details, as they could be used against you in court.
Learn to love Alaska
Or you could, I dunno, actually call up the credit rating agencies and actually describe the problems. Quite often they can actually help you with your problems, though by the time you get to them, you're generally feeling too irate to appreciate it.
I have. Their response was essentially "Fuck you. You can sue us, and if you win, you'll have spent $10,000 to take down a $300 item, or you could just pay it and have it removed. We don't have to validate the claim, we just have to ask the person that filed it if they think it is valid, and they said yes, though were unable to provide any evidence."
If I recall correctly, you can also do other things like flag your personal information, and if anyone attempts to open credit accounts through those credentials, you'll get notified, but I can't remember if that's right or not. If not, it'd be in everyone's benefit to do so if they don't though.
They charge for that. Like the guy that published his SSN as a stunt for his security company. He did have fraud committed in his name, soon enough. They'll take your money then fail to provide the service they claim.
Learn to love Alaska
OK, I'll bite. How do I stop Experian from holding information about me? File a DMCA takedown against them?
Learn to love Alaska
No, government contractors aren't "private". They are publicly funded and free from prosecution (when's the last time you heard of an overrun being negotiated out in court?). That makes them a government company, like the USPS. Even if the profits are privatized, the company isn't.
The problem is from the government's special treatment of contractors. They should be sued for breaches. And they should lose the right to bid as punishment for more mundane errors. But they aren't. They are rewarded for incompetence.
Learn to love Alaska
Mitnick isn't a whitehat hacker, he's an asshole living off the fame he made as a criminal.
Having the likes of him on my panel immediately discredits the panel.
But I guess the /. editors are still jerking off to his photograph.
What's even more appalling is that we ourselves are responsible for electing the asshats responsible for creating and managing this project. We could have done something simple and sane and had a straightforward, easy to implement, and societally beneficial single payer system, but no, we voted for a bunch of stonewalling lunatics so stupid I'd be surprised if they could find their own butts with their own two hands.
I would call this a phone book hack. Pulling people's names out of a database is like opening a phonebook and saying you have everybody's home address and phone number.
I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.
Spec? What spec? They were making changes two weeks before launch. From the congressional testimony, http://www.cnn.com/2013/10/24/...:
... an end-to-end test conducted within two weeks of the launch caused the system to crash. She said it was up to CMS to decide on proceeding with the rollout."
... It appears that politicians were in control.
"In the first detailed account of what happened, officials of four contractors involved in the website creation described a convoluted system of multiple companies operating separately under the oversight of CMS, a part of the Department of Health and Human Services. Each said their individual components generally performed as planned after internal testing, but all conceded that CMS failed to conduct sufficient "end-to-end" testing of the entire system before the launch."
"... blamed a decision by CMS within two weeks of the launch to require users to fully register in order to browse for health insurance products, instead of being able to get information anonymously, as originally planned."
The preceding should not be interpreted to mean that the contractor did good work. They may have been a problem as well. My point is that government officials were basically sabotaging their project through mismanagement. Inadequate integration testing, last-minute changes, launching despite testing showing they were not ready.
You won't like this answer. An awful lot of them, and most of them you've never heard of. There is an entire industry revolving around background checks and investigative resources.
I've personally worked with some of these companies, so I have first-hand knowledge, not just rumors. We literally had all the PII on 99% of the US population, age 18 and up.
Any company that has any worthwhile information has "credit headers". Basically, name (first/last/middle), SSN, DOB, and a list of addresses and phone numbers.
Depending on the company, they can have more. Some aggregate information from surveys. Some associate people who have lived at the same address as potential relatives. Some provide details on you, your family (frequently guessed), and even neighbors.
Some have information on your shopping habits. Some get them from surveys. Others directly from places like Walmart/Target/K-mart. Others from branded credit cards. And plenty of information is gathered from store loyalty cards.
Some information is gathered directly from credit card processors. So Visa, or your bank don't hand off that information. That doesn't mean the 3rd parties you'll never know about don't collect and aggregate the information.
A lot of the information out there wasn't legally gathered. For example, if I got a sysadmin at say Verizon Wireless to dump their database of users, with name, address, cell phone, I could pay him say $20K for it. It would be worth it, since I'd make more than that selling the information by individual search. I could also resell the list as much as I want for $20K+ each.
Companies buy and sell these lists all the time.
Some companies sell totally bogus lists. I used myself and aliases I've used to validate their data. I've seen my alias show up with other information I've never used.
Some companies sell the data as "new" or "fresh", while it's ancient. One had car registrations, and "my" newest vehicle I hadn't owned for over 10 years, but failed to have any of my current vehicles.
There's nothing illegal about it either. Mostly they're breaches of contract. If you're using a database that I bought, you aren't licensed for it. There are frequently seeded entries. By themselves, they look normal. Like, I may add a fake record, John Wayne Smythe at 14 Main St, SSN 135-63-2399 (just random numbers), so if I run a search against their database and see it, I know it's stolen.
Lots of information out there was gleaned from government web interfaces, before they started restricting PII, including DOB and SSN. Unfortunately, those pieces rarely change, so John Wayne Smythe's DOB and SSN will be the same until he finally ends up on the SSA Death Index. Some conveniently ignore that index too, so they may be stuffed full of real people who are already dead. Sometimes that's useful. If you're searching for JW Smythe, and find out that he died in 1996, any current activity is a fraudulent identity.
Working in that industry, I've learned that I love aliases, and use them everywhere. There's no reason that I should use my real name here, it's just another forum. The same with every forum I visit.
Serious? Seriousness is well above my pay grade.
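The seeded-record check described in the post above (plant a fake identity in each licensee's copy of the data; if it turns up in someone else's list, that list was resold) can be made systematic. The following is an added example, not code from the post or from any data broker. The John Wayne Smythe entry is the post's own illustrative record; every other name, address, SSN and licensee label is constructed here, and the normalisation rules (digits-only SSN, case-insensitive first and last name) are an assumption about how resold lists get reformatted.

```python
import re

# Constructed seed records: fake identities planted in each licensee's copy
# of the data set. The John Wayne Smythe entry is the post's own example;
# the other values are made up for this illustration.
SEEDS_BY_LICENSEE = {
    "licensee-A": [
        {"first": "John", "middle": "Wayne", "last": "Smythe",
         "address": "14 Main St", "ssn": "135-63-2399"},
    ],
    "licensee-B": [
        {"first": "Mary", "middle": "L", "last": "Placeholder",
         "address": "9 Elm Ave", "ssn": "987-65-4325"},
    ],
}


def normalize_ssn(ssn):
    """Keep digits only so '135-63-2399' and '135632399' compare equal."""
    return re.sub(r"\D", "", ssn or "")


def normalize_name(*parts):
    """Lower-case, collapse whitespace, ignore an absent part."""
    return " ".join(p.strip().lower() for p in parts if p and p.strip())


def record_key(rec):
    """Matching key: first + last name plus SSN. Middle name and address are
    ignored because resellers often drop or reformat those fields."""
    return (normalize_name(rec.get("first"), rec.get("last")),
            normalize_ssn(rec.get("ssn")))


def find_seed_hits(dataset):
    """Scan a data set of unknown provenance and report every planted
    identity it contains, together with the licensee that received it."""
    present = {record_key(r) for r in dataset}
    hits = []
    for licensee, seeds in SEEDS_BY_LICENSEE.items():
        for seed in seeds:
            if record_key(seed) in present:
                hits.append((licensee, f'{seed["first"]} {seed["last"]}'))
    return hits


# Constructed sample: a list bought from a third party, containing one
# ordinary-looking record, one reformatted copy of licensee-A's seed, and one
# near miss on licensee-B's seed (different SSN, so it must not match).
SAMPLE_LIST = [
    {"first": "Jane", "last": "Doe", "ssn": "000-00-0001"},
    {"first": "JOHN", "last": "Smythe", "ssn": "135632399"},
    {"first": "Mary", "last": "Placeholder", "ssn": "987-65-4326"},
]

if __name__ == "__main__":
    for licensee, name in find_seed_hits(SAMPLE_LIST):
        print(f"seed {name!r} issued to {licensee} found in purchased list")
```

Because each licensee gets its own seeds, a hit tells you not only that the list was copied but which contract it leaked from. Matching on a loose key is deliberate: a reseller who strips middle names or dashes from SSNs would otherwise slip past an exact-match check.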
> There are 2 sides to the NSA [...]
Wait -- what? Good NSA, Bad NSA?
What if Bad NSA has infiltrated Good NSA? What would cold_fjord say to this?
Um, no. You're falling into exactly the kind of stupid traps of "doing this better" that I described above. The whole idea is terrible and should never be attempted.
When the user signs in, generate a cryptographically strong random identifier to use as a session token. 128 bits is pretty much standard here (practically speaking, brute-forcing even 64 bits online is quite impractical, but the birthday paradox means you may hit *somebody* by accident much faster than seems possible). Store, on the server side, the mapping of that identifier to that user. When the user signs out or their session expires, delete that mapping and the identifier. If the user already has an identifier when they make a request, but it's not currently in the mapping dictionary, ignore/delete it. Don't ever re-use the mapping; make it different any time any user logs in.
Yes, this is more expensive for a server cluster than decrypting a cookie, assuming there are lots of concurrent users. However, it's got a critically important advantage: there is literally no possible way for an attacker to forge a session cookie. No information about the web app that they could have, save for the state of the server's /dev/urandom or its cache of logged-in users, could aid them. The best they could possibly hope for is to steal or to stumble upon one while it is in use. Given reasonable protections on the token and a short expiry period, this should be practically impossible barring client-side malware (in which case that particular client is already hosed, since the malware can just steal their credentials as they are typed in, and everything else of value on their computer to boot).
Even then, there's a ton of other vulnerabilities that must be avoided. For example, protecting that token is of course vitally important. The Secure and HttpOnly flags are a good start, although Client Security Policy is even better than HttpOnly (on clients which support it). Make the whole site accessible only over HTTPS, of course, and use HTTP Strict Transport Security to require that (compliant) user-agents never visit the site over HTTP. Permit only the most recent versions of TLS (1.0 may be permitted for legacy browsers; anything older is a bad idea) and only use strong cipher suites (ideally with Perfect Forward Secrecy). Include protections against Cross-Site Request Forgery in the form of an anti-CSRF token that is, at a minimum, unique per-user (and not based on or derivable from any value stored in a cookie or any user information). If you want to be really paranoid, you can do things like include the user's IP address in their token mapping, so that if their IP changes their token gets invalidated immediately and they must log in again (this will occasionally annoy legit users, but a site like this will have a very short session timeout anyhow).
There's a ton more than that (protecting the credentials is an area I haven't even touched on, aside from the crypto). It's a hard space, and even the experts miss things sometimes. Assuming you have the answers (or worse, can figure them out) is a dangerous hole to fall into! This is why companies like mine exist...
There's no place I could be, since I've found Serenity...
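The session design laid out above (random 128-bit token, server-side token-to-user map, delete on logout or expiry, optional IP binding, per-user anti-CSRF value, Secure/HttpOnly cookie, HSTS) as an added example in Python; this is not code from the post's author or from healthcare.gov. The `SessionStore` class, the 15-minute lifetime and the `SameSite=Strict` cookie attribute are assumptions of this example (the post does not mention SameSite), and the injectable clock exists only so the behaviour can be checked deterministically.

```python
import hmac
import secrets
import time

SESSION_TOKEN_BYTES = 16       # 128-bit random token, as the post recommends
SESSION_TTL_SECONDS = 15 * 60  # short session lifetime; assumed value


class SessionStore:
    """Server-side mapping of opaque random token -> session record.

    A token carries no information about the user: the only way to reach a
    session is to present a token that is currently in this dictionary, so
    there is nothing for an attacker to forge.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}   # token -> {"user", "ip", "issued", "csrf"}
        self._ttl = ttl
        self._clock = clock   # injectable so tests can control time

    def create(self, user, client_ip):
        """Mint a fresh token at every login; never reuse a mapping."""
        token = secrets.token_urlsafe(SESSION_TOKEN_BYTES)
        # Anti-CSRF secret: random per session, not derivable from the cookie.
        csrf = secrets.token_urlsafe(SESSION_TOKEN_BYTES)
        self._sessions[token] = {
            "user": user, "ip": client_ip, "issued": self._clock(), "csrf": csrf,
        }
        return token

    def lookup(self, token, client_ip):
        """Return the session record, or None (dropping the mapping) when the
        token is unknown, expired, or presented from a different IP."""
        rec = self._sessions.get(token)
        if rec is None:
            return None  # forged, stale, or already logged-out token
        expired = self._clock() - rec["issued"] > self._ttl
        if expired or rec["ip"] != client_ip:
            del self._sessions[token]  # force a fresh login
            return None
        return rec

    def csrf_token(self, token, client_ip):
        rec = self.lookup(token, client_ip)
        return None if rec is None else rec["csrf"]

    def check_csrf(self, token, client_ip, submitted):
        """Constant-time comparison of the anti-CSRF value sent with a form."""
        expected = self.csrf_token(token, client_ip)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)

    def destroy(self, token):
        """Logout: deleting the mapping is what ends the session."""
        self._sessions.pop(token, None)


def session_cookie_header(token):
    """Cookie attributes from the post: never sent over plain HTTP (Secure),
    never readable by page script (HttpOnly). SameSite is an addition."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


# Tells compliant browsers to refuse plain-HTTP loads of the site for a year.
HSTS_HEADER = "Strict-Transport-Security: max-age=31536000; includeSubDomains"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "203.0.113.7")  # constructed TEST-NET address
    print(session_cookie_header(tok))
    print(HSTS_HEADER)
    print(store.lookup(tok, "203.0.113.7")["user"])
    store.destroy(tok)
    print(store.lookup(tok, "203.0.113.7"))
```

Two details worth noticing: the dictionary lookup, not the token format, is the whole security argument, so there is no signing or decryption step to get wrong; and a mismatch on IP or expiry deletes the mapping rather than merely rejecting the request, which is what makes a stolen token useless after its window closes.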
However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life.
While the security problems are inexcusable, frankly so is the fact that your life can be ruined simply because somebody knows some information about you. Information that is shared with anybody at all is almost impossible to keep completely secure, and the numbers you list above are shared with a LOT of organizations. If you want to authenticate a connection to a server you don't ask it for its IP address or the name of its CEO's mother - you ask it to decode a hash you encrypted using its published public key.
If it didn't cause so much chaos for the people involved I'd half-wish that somebody would just get it over with and publish the complete credit histories of every American on a website somewhere so that it becomes completely impossible to authenticate anybody using the current schemes. Instead the problem is just big enough to cause incredible hardship for an unlucky few while society just plows ahead oblivious to their plight.
While that is true, customers have the choice to not work with companies that have shown poor security practices.
Sounds great - tell me how to opt-out of Experian, Equifax, and TransUnion? I imagine 98% of the US population would be interested in joining me.
Sure, it was a pain, but it really wasn't that hard to secure an additional 7 hack attempts (6 of which I had never heard of, despite all my years in the industry).
A chain is as weak as its weakest link - how is it useful to secure against an additional 7 attack vectors, when you know about an 8th that is still open and apparently automatable? And that says nothing about unknown vulnerabilities. Unless the 8th vector was purely hypothetical and you have good reason to believe it would not be possible in practice, you're not really secure. Even if you fixed it you can't be sure you're secure.
Security is very hard. Just look at the unknown list of zero-days it sounds like the NSA is sitting on and ask yourself who else has a list like that?
Ruining the medical institution is the goal so why should they care about this .. just helps their agenda along.
I actually hope the leftards responsible get everything that's coming to them for their fraud, negligence and outright treason.
All the morons who voted for this fraud-in-chief will have their faces pushed into their own stupidity and gullibility.
You consider SSN to be non-specific? He doesn't need to boast specifics or self incriminate, but broad claims aren't particularly useful when they entirely lack any detail at all. This entire story could be that he accessed the web server access logs and pulled date/time access stamps for 70,000 accounts for all we know, or that he accessed information that could be used for identity theft. I agree with the parent. It's a fluff piece with absolutely no meat behind it, and extremely poor reporting.
Wow, 70,000 people have managed to get on HealthCare.gov already?
Just sayin.
Really, go to his website, and read it.
https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/
Short version from the bottom of the page;
Update 1: There have been a few stories running around in the media around accessing 70,000 records on the healthcare.gov website. Just to note on this, we never accessed 70,000 records nor is it directly on the healthcare.gov website (a sub-site for the infrastructure). The number 70,000 was a number that was tested for as an example through utilizing Google's advanced search functionality as well as normally browsing the website. No dumping of data, malicious intent, hacking, or even viewing of the information was done. We do not support the statements from the news organizations. From a previous blog post, the information shown in the python script was sanitized and not used through Google scraping (urllib2 python module). We've reached out to the news agencies to clarify as these were not our words.
Don't worry...Accenture to the rescue!
That doesn't make sense.
As it happens in all governments everywhere. IT work is contracted out to make government look smaller (less salary). They have to follow procurement that awards to the lowest bidder. The lowest bidder had exclusions built into the contract. Government in general, either due to politics or whatever, makes about a million change orders to the initial project contract. The contractor happily charges the government for each change until all the project money is gone. The contractor walks away when the money dries up, blames (rightly or not) the government for the bungled project. Having no other choice, the government then dumps the steaming pile of garbage on what few overworked, underpaid IT staff they have to try to fix it (with a budget of exactly zero).
Anyway this has been reality for as long as I have been around.
Assuming all 15 drives were part of a RAID 5 (or 6) array, having only lost 3 is nothing to sweat about. More so if the data inside the RAID container was encrypted in the first place. Essentially, looking at the data on those missing drives would be tantamount to looking at white noise. There would be nothing to make of the random bits.
Life is not for the lazy.
When they first set up the site the web developers forgot to change the favicon and left it as the generic Drupal icon, so we know it is a Drupal-based system. Any plugins or extensions that they use will become vulnerable.