Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes
cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"
Would a commercial company have done any better with their own website? History suggests not.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The root password is "password1".
> 70,000 Healthcare.Gov Records In 4 Minutes
Lie! There aren't even 70,000 people who have successfully registered yet.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.
Clearly the other readers will be as shocked as I am.
We all know that the private sector could have done better!
.....
Bwahahahahahahahahahahahahahahahaahahahah!
Oh! I shit my pants!
Quick, throw money at it! Hire more smart guys! If they worked at Google or Facebook or Microsoft they must know how to make a website, so keep throwing money at them!
Seriously, this is what you get when lawyers and politicians from on high direct their inefficient bureaucracies to handle a job they've never done before, bypass all Federal Acquisition Regulations to get it running to meet a political deadline, and basically give them a blank check. Forget the military-industrial complex; sequestration is shutting that down. Soon we'll have the government healthcare-internet developer complex to worry about.
What's this about every US citizen?
What data was he able to access?
Two ends of a possible spectrum I see...
- Being able to tell 70k accounts exist by some numerical ID
- Getting full personal information for 70k accounts including name, address, ssn, payment details
Are you guys ever going to do anything?
If I were a US citizen I would be on the phone and in my local MP's office faster than Slashdot's robot voice could finish this article.
Isn't enough enough? Or do you need more convincing that the people you have elected have only their interests at heart and are filling their pockets as fast as they can. /Sigh. As a non-US citizen I am slightly scared about what's going to happen every day; at some point I'm sure a breaking point will be reached, and as sad as this is, the USA still has quite a hold on global markets (not to mention warfare). It's generally not as much as they think, but a civil war in the USA would be a global problem.
never a better time to consider ourselves in relation to creation & our centerpeace momkind. little miss dna cannot be wrong we are good sports with good spirits who have been bushwhacked etc...
Doesn't it seem like everything done by the Obama administration so far has been a huge disappointment? I was doing much better financially under Bush. My insurance premiums are almost double what they were before the ACA. I really wish they would change the name to something more appropriate like the Unaffordable Care Act. My parents are still waiting for the rural broadband Obama promised back in 2008. They are finding it difficult to use the internet on their dialup modem.
If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k in 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).
Somehow I don't think that a group of people looking for government subsidies for their healthcare represent the best targets for identity fraud.
Average Intelligence is a Scary Thing
Mitnick is no hacker. He's little more than a scammer and a con-man.
Our de-facto national ID, the social security number, will not survive the increasing ubiquity of the Internet and the utter lack of security on behalf of the government.
Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:
1. Create an account on the site.
2. Log in.
3. Notice that your URL ends in something like /showUserProfile?userID=70001
4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.
A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.
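The vulnerable pattern the post describes, beside the session-validated version, plus a small log check that flags a session walking through many userIDs. This is an added example, not code from the post or from the site; the user store, session tokens, handler names and log lines are all constructed for illustration.

```python
"""Added example (not from the original post): an insecure direct object
reference handler beside its hardened form, with a constructed in-memory
user and session store, and a detection helper run over constructed logs."""
from collections import defaultdict

# Constructed user store: user_id -> profile (sample data, not real people).
USERS = {
    70001: {"name": "A. Example", "ssn_last4": "1234"},
    70002: {"name": "B. Example", "ssn_last4": "5678"},
    1:     {"name": "C. Admin",   "ssn_last4": "0000", "role": "admin"},
}

# Server-side session store: session token -> user_id of the authenticated user.
SESSIONS = {"tok-aaaa": 70001, "tok-admin": 1}


def show_user_profile_insecure(session_token, requested_user_id):
    """Vulnerable pattern from the post: the app only checks that *some* valid
    session exists, then trusts the userID taken from the URL."""
    if session_token not in SESSIONS:
        return None                      # not logged in at all
    return USERS.get(requested_user_id)  # no ownership check: any ID is served


def show_user_profile_secure(session_token, requested_user_id):
    """Hardened form: the authenticated session decides whose data may be read.
    The URL parameter is only honoured when it names the caller's own account
    (or the caller holds a role explicitly allowed to view other accounts)."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        return None
    caller = USERS[caller_id]
    if requested_user_id != caller_id and caller.get("role") != "admin":
        return None                      # deny: object belongs to someone else
    return USERS.get(requested_user_id)


def count_sequential_id_probes(log_lines, threshold=5):
    """Detection side: report sessions that requested at least `threshold`
    distinct userIDs. Constructed log format:
    '<session_token> GET /showUserProfile?userID=<n>'."""
    ids_per_session = defaultdict(set)
    for line in log_lines:
        token, _method, path = line.split()
        if "userID=" in path:
            ids_per_session[token].add(int(path.split("userID=")[1]))
    return {tok: len(ids) for tok, ids in ids_per_session.items()
            if len(ids) >= threshold}


if __name__ == "__main__":
    # Same request to both handlers: user 70001 asking for user 70002's profile.
    print(show_user_profile_insecure("tok-aaaa", 70002))  # served: the leak
    print(show_user_profile_secure("tok-aaaa", 70002))    # None: denied
    sample_log = [f"tok-aaaa GET /showUserProfile?userID={i}" for i in range(1, 8)]
    print(count_sequential_id_probes(sample_log))         # {'tok-aaaa': 7}
```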
Koans and fables for the software engineer
In my last job, for a Fortune 10 company, whole families worked on the projects. An uncle helped hire his niece, her husband, some friends, etc.
In USA they call it "networking" - hiring your family, neighbours and school friends.
I would not be surprised if a similar approach was used here.
No commercial company would have spent USD $700 million and STILL had an insecure site. Further - we have NOT seen one single f'ing firing...in the commercial world - heads would have rolled!
Even worse, after accessing all those records, he logged in again as Bobby Tables and...
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
Obama's ACA plan will be hacked and all other plans will point to it.
End result. Obama owes IRS AND a vast assortment of [sarc]Healthcare providers[/sarc] more money than Greece owes the ECB!
No wonder Obama is going to the Vatican to meet Pope Francis! Now, Obama REALLY needs a miracle that even the NSA can't steal.
Ha ha
I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).
I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have (had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.
This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.
Mitnick is famous still?
I mean, I'll give him his props. He's developed his security skills since his release, but wasn't Mitnick famous for socially-engineering his way into systems? Yes, this is important, considering various past stories on ./ concerning how useful SE is for exploiting security holes. But aren't the hearings focusing more on the actual code holes that exist?
He should probably shut it. Doesn't he know that the best security is obscurity? If he keeps talking about how vulnerable that website is, someone MIGHT actually hack it! Is that what he wants??
I am not surprised. When people scream that the government should do something about an issue, they never stop to think about the government and what it really can do.
When there is an issue, the government has three options in its toolbox to fix it.
#1) Make it illegal
#2) Declare war on it
#3) Throw your money at it and hope it goes away.
So, they started subsidizing your healthcare (with your own tax $$). They paid to have an exchange created (with your tax $$). The exchange had security issues. Well, they can fix that as well: just throw more of your tax $$ at it and hope it will go away.
While all this is going on they are obviously hurting for tax $$ as THEY sent me a letter telling me that my wife and kids do not exist and they are instructing the company I work for to change my W4 to single male and to withhold the maximum amount until I send the IRS PROOF that I have a wife and kids.
Would you please take a crack at Vermont's site - also made by CGI? It is crap and we are getting nothing but a snowjob from the powers-that-be.
See? Not incompetent coding; safeguards! "We mock what we don't understand."
I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?
I saw where this was going about 10 years ago. Since there is no stopping the continuous expansion of government, the only way to minimize the impact of government data collection is to stop signing up for things. Don't put your name on ANYTHING unless you absolutely have to -- and that goes double for anything related to government. Don't get speeding tickets. Don't get parking tickets. Don't go on unemployment. Don't register to vote. Throw away the census papers. I realize that it is impossible to ignore coercive authority, but you can distance yourself from the system as much as possible, which has clearly proven to be unstoppable.
OK, so if the site is so damned vulnerable why hasn't it been cracked by a Black Hat yet? Access to this sort of information is the wet dream of most hackers-for-hire. TFA quotes a Government person saying that the site is secure. The White Hat hackers say it isn't. Unless someone is lying about there having been no break-ins yet, then I have a hard time accepting that the site is a plum waiting to be picked by the next script kiddie that comes along. I could see that there would be a desire to cover up any hack job, but I don't know that a cover-up of something that juicy could hold up for long. Some missing pieces to this story.
The example you gave - the securities markets - deals only with impersonal numbers. There have been a few screw-ups in the past (the Flash Crash, for example), but it's a matter of backing up trades and lecturing member firms and maybe a little slap on the wrist.
No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.
With Healthcare.gov, we're dealing with individuals information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.
A big corp's nuisance is a citizen's nightmare and ruin.
NOT The same thing.
Could the reason there are so many problems be that the priorities of the top men in govt/corp are other than healthcare.gov?
mfwright@batnet.com
When you let government control everything, then everything (including data security) is at government standards.
Some people were suggesting that this was one of many reasons that letting government control everything wasn't such a good idea.
But whew, at least we don't have binders full of women, or whatever it was we were supposed to be so worried about instead ...
I don't think so.
He has a history of breaking and entering, burglary, wire fraud, computer fraud, fraudulently trying to acquire identification, and cloning cell phones, on top of his cracking exploits, which include hacking into a credit card processor and putting their credit card database on the internet.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Healthcare.gov
It's not hard to imagine that any new large site has significant security holes. How you avoid that is quite a question.
On the other hand the chief player in this testimony, David Kennedy has a rather checkered past. He was chief security officer at Diebold, famous for highly insecure voting machines.
Isn't it safe to assume it's already been hacked?
"If any question why we died, Tell them because our fathers lied."
I was faster and accessed 100,000 records in 2 minutes..... SO THERE
Now that accenture has taken over...
Hackers can get 70K records in 4 minutes from the healthcare.gov website? Great news! That's the best performance metric the website has had yet!
You criticize Obama, it's probably because you're a racist.
Approval ratings prove it:
http://www.sltrib.com/sltrib/w...
The only reason Obama is hated is because he is a black man.
At least, that's what my television tells me.
Futurist Traditionalism
I presume you're cash only, with no bank account. That's a real bitch when it comes to regular, gainful employment, though.
Is it just my observation, or are there way too many stupid people in the world?
It was never meant to actually work.
It was meant to fail spectacularly in order to clear the way for British-NIH-style single-payer healthcare.
"Jacob Hacker, The Architect of ObamaCare and the Public Option in making his case, admits that this idea is a covert route to a Single Payer System."
http://youtu.be/3sTfZJBYo1I
Just watch. After sufficient public frustration, desperation, & outrage have developed, single-payer will be rolled out as the "fix".
There's a "fix" alright, just that it was "in" before this crapfest was even passed.
Of course, those in Congress and friends of the administration like labor unions won't have to deal with any of this. It's good to be the king, eh?
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Greetings,
This is David Kennedy - I can only tell what I can see - much of the stuff here was indexed by Google, and I can only go to a certain point without doing anything that could be misconstrued as unethical or illegal. I won't go into any specifics since this issue still hasn't been fixed. What I can say is this is one of many issues still on the site, and things you could find just by viewing the website through a normal browser and without any authentication. I didn't attempt any registration of user accounts, no vulnerability scans, no port scans, no submission of input fields, no SQLi testing, no manipulation of data, just good old fashioned Google and web browsing. I focus on application security as my profession and I have to say that the folks over at HHS are great, but I have to imagine bogged down with politics and other issues that hinder remediation efforts. I don't know the "exact" number of accounts because I didn't cycle through them or extract any data at all. I do hope they focus on the issues and fix them; that's all I've ever wanted with this. It's not hc.gov specific either, it's federal-wide. DHS just reported bank theft from one of its sites: http://krebsonsecurity.com/2014/01/dhs-alerts-contractors-to-bank-data-theft/. It's not to say any site isn't "hackable" - but there are things you can do to make it hard and easily detect these types of attacks and stop them in the early stages. Appropriate security integration into the SDLC and formal security testing (source code analysis, dynamic code testing, etc.). The federal government relies heavily on FISMA (enabled in 2002) and NIST 800-53 as a guidelines standard for security. Unfortunately it has become more of a check box inside the federal government, and just complying, as HIPAA is about skirting around how to protect ePHI (which, by the way, isn't on the hc.gov website; no PHI at all, just PII).
If you have time to read the written testimony I submitted, it's a decent read on how to structure the federal government in a way that focuses more on proactive security: https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/. Needs to be done broadly and hit development processes inside contractors as well as internally.
The truth is the sheer amount of what's exposed is purely hypothetical and not an actual. What I can say as being a developer, programmer, and assessing websites for the largest companies in the world is if you see problematic areas just from pure passive analysis, there are much larger problems underneath the hood. Again, purely hypothetical, but based on experience and judgement. I used the example when I testified in front of Congress of instead of being someone in INFOSEC, having 14 years of being a mechanic, and a car drives past me with blue smoke, engine making clanking sounds, and oil dripping everywhere; I can as a mechanic make an assumption that something's wrong with the engine. I'm 100 percent confident in this based on my experience, but again - just my experience as a penetration tester / application security guy.
It sucks that this has turned political, as it should be how we fix security issues moving forward. I hope that something comes of it and willing to help wherever I can.
Thanks,
Dave
I heard this guy over the radio. He was saying "S-Q-L Injection" instead of "Seaquel Injection", so I can't trust his expert opinion.
hahaha hahahah ahahahahaa
I found the DEFCON video that shows the really creative ways that webapps can be attacked, along the lines of what you're talking about:
https://www.youtube.com/watch?...
It's by Samy Kamkar. I strongly recommend it for any developer of public-facing webapps.
the only way to minimize the impact of government data collection is to stop signing up for things.
My take is the opposite. Give them more, and more, and more data until they simply cannot process it. That's just about what happened with the healthcare.gov rollout.
And all of the data you feed them does not have to be accurate...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If a government website exposes thousands of citizens to high levels of danger, it has to be shut down and not taken back online until it works. He does have the power to take the site offline. Sure, he is not the one coding it, but it's not exactly NORAD. It's a highly broken shopping site. What level of incompetence would he have to display before his supporters would finally agree that he is, in fact, just an empty suit? I want to know where that line is that he cannot cross as far as his supporters are concerned. This is the guy who sold guns to drug dealers to whom the gun dealers wouldn't sell guns because he wanted to create the perception that guns are dangerous (and no, you silly, Bush didn't do the same thing -- Bush considered it and then decided it was a dumb idea and shelved it). Don't even start with "he didn't do it personally". He did -- by virtue of the fact that his political appointees did it and weren't even fired for it. What is the line he cannot cross? I just want to know what to expect. Or should I just settle in and enjoy the surprises?
Any guest worker system is indistinguishable from indentured servitude.
The HHS is a public agency and as such it is not covered by the HIPAA. In any case, considering HHS is tasked with enforcing the HIPAA....
I expect there are other laws that do apply. There are lots of laws governing how federal agencies and their contractors handle sensitive information.
http://www.hhs.gov/ocr/privacy...
I do not block ads. I do block third party scripts.
A guy saws the legs off the table as he heads out the door. New guy comes in as the table crashes to the ground, and booger-eating morons like you start screaming "look what the new guy did!"
He is a mediocre programmer and computer intrusion guy. He is a superior con and social engineering guy.
Breaking into secured systems is multi-part. 133T Sk1llz is only a small part of that. Do you really need to know every byte of the kernel on every version of the OS if you can talk the executive assistant out of a C-level login and password?
In the end it is all about results, not who has the biggest E-penis.
http://www.healthcare.gov/logi... - Access Denied
http://www.healthcare.gov/aww!...? -Access Granted
Well, I guess that it's a good thing that hardly anybody has signed up!
I've found problems with my bank's web site, with ADP's 401K site, and a couple weeks ago with eBay's account login and Change Email (just try it and look at the confirmation email you get back to see for yourself), but getting any of the front-line minimum-wage people in place to deal with you to forward it to someone with a clue is virtually impossible.
In my experience, the only way to get a corporation to acknowledge and fix a problem - even the ones that maintain a specific place to report those problems - is to use social media.
Make no mistake, the security issues are very serious, but it sounds like the claim about accessing 70,000 records was misunderstood.
I stole this Sig
Mitnick isn't a whitehat hacker, he's an asshole living off the fame he made as a criminal.
Having the likes of him on any panel immediately discredits the panel.
But I guess the /. editors are still jerking off to his photograph.
What's even more appalling is that we ourselves are responsible for electing the asshats responsible for creating and managing this project. We could have done something simple and sane and had a straightforward, easy to implement, and societally beneficial single payer system, but no, we voted for a bunch of stonewalling lunatics so stupid I'd be surprised if they could find their own butts with their own two hands.
I would call this a phone book hack. Pulling people's names out of a database is like opening a phone book and saying you have everybody's home address and phone number.
I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.
Spec? What spec? They were making changes two weeks before launch. From the congressional testimony, http://www.cnn.com/2013/10/24/...:
... an end-to-end test conducted within two weeks of the launch caused the system to crash. She said it was up to CMS to decide on proceeding with the rollout."
... It appears that politicians were in control.
"In the first detailed account of what happened, officials of four contractors involved in the website creation described a convoluted system of multiple companies operating separately under the oversight of CMS, a part of the Department of Health and Human Services. Each said their individual components generally performed as planned after internal testing, but all conceded that CMS failed to conduct sufficient "end-to-end" testing of the entire system before the launch
"... blamed a decision by CMS within two weeks of the launch to require users to fully register in order to browse for health insurance products, instead of being able to get information anonymously, as originally planned."
The preceding should not be interpreted to mean that the contractor did good work. They may have been a problem as well. My point is that government officials were basically sabotaging their project through mismanagement: inadequate integration testing, last minute changes, launching despite testing showing they were not ready.
> There are 2 sides to the NSA [...]
Wait -- what? Good NSA, Bad NSA?
What if Bad NSA has infiltrated Good NSA? What would cold_fjord say to this?
Um, no. You're falling into exactly the kind of stupid traps of "doing this better" that I described above. The whole idea is terrible and should never be attempted.
When the user signs in, generate a cryptographically strong random identifier to use as a session token. 128 bits is pretty much standard here (practically speaking, brute-forcing even 64 bits online is quite impractical, but the birthday paradox means you may hit *somebody* by accident much faster than seems possible). Store, on the server side, the mapping of that identifier to that user. When the user signs out or their session expires, delete that mapping and the identifier. If the user already has an identifier when they make a request, but it's not currently in the mapping dictionary, ignore/delete it. Don't ever re-use the mapping; make it different any time any user logs in.
Yes, this is more expensive for a server cluster than decrypting a cookie, assuming there are lots of concurrent users. However, it's got a critically important advantage: there is literally no possible way for an attacker to forge a session cookie. No information about the web app that they could have, save for the state of the server's /dev/urandom or its cache of logged-in users, could aid them. The best they could possibly hope for is to steal or to stumble upon one while it is in use. Given reasonable protections on the token and a short expiry period, this should be practically impossible barring client-side malware (in which case that particular client is already hosed, since the malware can just steal their credentials as they are typed in, and everything else of value on their computer to boot).
Even then, there's a ton of other vulnerabilities that must be avoided. For example, protecting that token is of course vitally important. The Secure and HttpOnly flags are a good start, although Client Security Policy is even better than HttpOnly (on clients which support it). Make the whole site accessible only over HTTPS, of course, and use HTTP Strict Transport Security to require that (compliant) user-agents never visit the site over HTTP. Permit only the most recent versions of TLS (1.0 may be permitted for legacy browsers; anything older is a bad idea) and only use strong cipher suites (ideally with Perfect Forward Secrecy). Include protections against Cross-Site Request Forgery in the form of an anti-CSRF token that is, at a minimum, unique per-user (and not based on or derivable from any value stored in a cookie or any user information). If you want to be really paranoid, you can do things like include the user's IP address in their token mapping, so that if their IP changes their token gets invalidated immediately and they must log in again (this will occasionally annoy legit users, but a site like this will have a very short session timeout anyhow).
There's a ton more than that (protecting the credentials is an area I haven't even touched on, aside from the crypto). It's a hard space, and even the experts miss things sometimes. Assuming you have the answers (or worse, can figure them out) is a dangerous hole to fall into! This is why companies like mine exist...
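The session scheme laid out in this comment, as an added example (not the commenter's code): a server-side store mapping a 128-bit OS-random token to the user, deleted on logout or expiry, unknown tokens dropped, a fresh token on every login, optional IP binding, a per-session anti-CSRF value independent of any cookie, and the Secure/HttpOnly cookie and HSTS headers. Class and function names are illustrative; the 15-minute TTL is an assumption.

```python
"""Added example, not from the original comment: a minimal server-side
session store following the design described in the comment above."""
import hmac
import secrets
import time

SESSION_TTL = 15 * 60   # assumed 15-minute timeout; the comment only says "very short"


class SessionStore:
    def __init__(self, ttl=SESSION_TTL, bind_ip=False):
        self._sessions = {}   # token -> {"user", "expires", "ip", "csrf"}
        self._ttl = ttl
        self._bind_ip = bind_ip   # the "really paranoid" option from the comment

    def login(self, user, client_ip, now=None):
        """Issue a brand-new token on every login; mappings are never reused."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)   # 16 bytes = 128 bits from the OS CSPRNG
        self._sessions[token] = {
            "user": user,
            "expires": now + self._ttl,
            "ip": client_ip,
            "csrf": secrets.token_hex(16),   # independent random value, per session
        }
        return token

    def logout(self, token):
        """Delete the mapping: the token is dead from this point on."""
        self._sessions.pop(token, None)

    def resolve(self, token, client_ip, now=None):
        """Return the user for a presented token, or None. A token that is not
        in the mapping (forged, stale, already logged out) is simply ignored;
        an expired or IP-mismatched one is deleted so it cannot be retried."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now >= entry["expires"] or (self._bind_ip and entry["ip"] != client_ip):
            self._sessions.pop(token, None)
            return None
        return entry["user"]

    def csrf_token(self, token):
        """Anti-CSRF value to embed in forms; not derivable from the cookie."""
        entry = self._sessions.get(token)
        return None if entry is None else entry["csrf"]

    def check_csrf(self, token, submitted):
        """Constant-time comparison of the submitted anti-CSRF field."""
        expected = self.csrf_token(token)
        return expected is not None and hmac.compare_digest(expected, submitted or "")


def session_cookie_header(token):
    """Cookie flags named in the comment: Secure (HTTPS only) and HttpOnly."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; Path=/"


def hsts_header(max_age=31536000):
    """HTTP Strict Transport Security, so compliant agents never use plain HTTP."""
    return f"Strict-Transport-Security: max-age={max_age}; includeSubDomains"


if __name__ == "__main__":
    store = SessionStore(bind_ip=True)
    tok = store.login("alice", "203.0.113.5")
    print(session_cookie_header(tok))
    print(store.resolve(tok, "203.0.113.5"))    # alice
    print(store.resolve(tok, "203.0.113.9"))    # None: IP changed, token invalidated
    print(store.resolve("forged-token", "203.0.113.5"))   # None: not in the mapping
```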
There's no place I could be, since I've found Serenity...
Ruining the medical institution is the goal so why should they care about this .. just helps their agenda along.
I actually hope the leftards responsible get everything that's coming to them for their fraud, negligence and outright treason.
All the morons who voted for this fraud-in-chief will have their faces pushed into their own stupidity and gullibility.
Wow, 70,000 people have managed to get on HealthCare.gov already?
Just sayin.
Really, go to his website, and read it.
https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/
Short version from the bottom of the page:
Update 1: There’s been a few stories running around in the media around accessing 70,000 records on the healthcare.gov website. Just to note on this, we never accessed 70,000 records nor is it directly on the healthcare.gov website (a sub-site for the infrastructure). The number 70,000 was a number that was tested for as an example through utilizing Google’s advanced search functionality as well as normally browsing the website. No dumping of data, malicious intent, hacking, or even viewing of the information was done. We do not support the statements from the news organizations. From a previous blog post, the information shown in the python script was sanitized and not used through Google scraping (urllib2 python module). We’ve reached out to the news agencies to clarify as these were not our words.
As it happens in all governments everywhere. IT work is contracted out to make government look smaller (less salary). They have to follow procurement that awards to the lowest bidder. The lowest bidder had exclusions built into the contract. Government in general, either due to politics or whatever, makes about a million change orders to the initial project contract. The contractor happily charges the government for each change until all the project money is gone. The contractor walks away when the money dries up, and blames (rightly or not) the government for the bungled project. Having no other choice, the government then dumps the steaming pile of garbage on what few overworked, underpaid IT staff they have to try to fix it (with a budget of exactly zero).
Anyway this has been reality for as long as I have been around.
When they first set up the site the web developers forgot to change the favicon and left it as the generic Drupal icon, so we know it is a Drupal-based system. Any plugins or extensions that they use will become vulnerable.