Slashdot Mirror


Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes

cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"


  1. Before they patch the hole by TimMD909 · · Score: 4, Funny

    The root password is "password1".

    1. Re:Before they patch the hole by postmortem · · Score: 2

      they just changed it to password2

  2. So it has come to this by Impy+the+Impiuos+Imp · · Score: 5, Funny

    > 70,000 Healthcare.Gov Records In 4 Minutes

    Lie! There aren't even 70,000 people who have successfully registered yet.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:So it has come to this by SJHillman · · Score: 3, Funny

      69,000 of those records are actually just "F1RST P0ST!". Just like a typical Slashdot article.

  3. New job for NSA by Anonymous Coward · · Score: 5, Insightful

    Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.

    1. Re:New job for NSA by Elder+Entropist · · Score: 2

      Well, at least you know it isn't vulnerable to SQL injection attacks.

    2. Re:New job for NSA by cbhacking · · Score: 3, Insightful

      I'm not personally familiar with the database they're using, but it's worth noting that injection attacks work on some noSQL databases too. It all depends on how the data is added and accessed; any language (for even very loosely defined values of "language") that fails to clearly distinguish instructions from data risks the latter being interpreted as the former.

      Just in case you were being serious. :-)

      --
      There's no place I could be, since I've found Serenity...
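Added example, not code from the original thread or from the site under discussion: the "instructions versus data" point above, shown against a MongoDB-style query language. The in-memory user list and the tiny query matcher are constructed stand-ins for a real NoSQL store; the usernames and passwords are made up.

```python
"""Operator injection against a MongoDB-style query language (added example).

A client-supplied value that the application expected to be a string is
passed through as an object, and the query engine happily reads it as an
operator. The store and matcher below are constructed stand-ins.
"""
import json
from typing import Any, Dict, Optional

# Constructed sample collection (not real accounts).
USERS = [
    {"username": "alice", "password": "correct horse battery staple"},
    {"username": "bob", "password": "hunter2"},
]


def matches(doc: Dict[str, Any], query: Dict[str, Any]) -> bool:
    """Tiny subset of MongoDB query semantics: a field either equals a scalar,
    or is compared via an operator dict such as {"$ne": x} or {"$gt": x}.
    That dual reading of a value is the injection surface."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if not value != arg:
                        return False
                elif op == "$gt":
                    if value is None or not value > arg:
                        return False
                else:
                    raise ValueError("unsupported operator %r" % op)
        elif value != cond:
            return False
    return True


def find_one(query: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    return next((u for u in USERS if matches(u, query)), None)


def login_vulnerable(body: str) -> Optional[Dict[str, Any]]:
    """Builds the query straight from the parsed JSON body. If the client sends
    an object where a string was expected, it becomes an operator."""
    data = json.loads(body)
    return find_one({"username": data["username"], "password": data["password"]})


def login_hardened(body: str) -> Optional[Dict[str, Any]]:
    """Same lookup, but refuses anything that is not a plain string, so a
    client-controlled value can only ever be compared as data."""
    data = json.loads(body)
    user, pw = data.get("username"), data.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return find_one({"username": user, "password": pw})


# Constructed requests: the attacker knows no password and supplies an
# operator instead; the other two are ordinary good and bad logins.
INJECTED = json.dumps({"username": "alice", "password": {"$ne": ""}})
LEGIT = json.dumps({"username": "bob", "password": "hunter2"})
WRONG = json.dumps({"username": "bob", "password": "wrong"})
```

The hardened version does not try to blacklist `$`-prefixed keys; it enforces the type the field was designed for, which closes the whole class rather than one operator.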
    3. Re:New job for NSA by beatle42 · · Score: 2

      They do that. There are 2 sides to the NSA, and one of them does what you suggest, but not only with government. They're the ones that helped produce SE Linux after all.

    4. Re:New job for NSA by DoofusOfDeath · · Score: 4, Funny

      Well, at least you know it isn't vulnerable to SQL injection attacks.

      Exactly. Just the other day, they probably told Congress, "We're vulnerable to no SQL injection attacks!"

  4. Government! by Anonymous Coward · · Score: 2, Funny

    We all know that the private sector could have done better!

    .....

    Bwahahahahahahahahahahahahahahahaahahahah!

    Oh! I shit my pants!

    1. Re:Government! by TemperedAlchemist · · Score: 4, Informative

      The private sector did build the website.

    2. Re:Government! by Tridus · · Score: 4, Insightful

      I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.

      CGI botched up the long gun registry in Canada in the same way many years ago.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    3. Re:Government! by dkleinsc · · Score: 3, Interesting

      I'm guessing the specs didn't include "Allow everyone and his kid brother to access other people's personal information as an aid to identity theft." I'm guessing they also didn't include "Crash all the time" and "Fail to actually allow people to sign up for health care."

      Here's how I see this general situation:
      1. Government contracts with company C to do task X.
      2. Company C, instead of doing X, does the much cheaper Y that looks kind of like X and says they did X.
      3. Conclusion: Company C defrauded the government, and should be held liable, as well as removed from any future consideration for any government contract.
      4. Second conclusion: If government continues to do business with Company C or failed to sue the pants off of the company for breach of contract, then the government screwed up (or is corrupt).
      5. Invalid conclusion: The government screwed up but Company C had nothing to do with it.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re: Government! by Entrope · · Score: 3, Informative

      You haven't done much contract work, have you? The government illegally exempted this web site from the usual security checks and procedures, and prioritized some aspects of development so it would "meet schedule" with a less-than-fully-working site. They very much did direct the contractors how to spend resources, and security and quality were nowhere near the top of that list.

  5. Every citizen? by maharvey · · Score: 3, Interesting

    Whats this about every US citizen?

    1. Re:Every citizen? by Crudely_Indecent · · Score: 5, Interesting

      As I understand it, the system is tied into other federal databases. Just because you haven't signed up, doesn't mean you aren't in one of the other databases that healthcare.gov is connected to.

      --
      "Lame" - Galaxar
    2. Re:Every citizen? by SJHillman · · Score: 4, Insightful

      You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.

    3. Re:Every citizen? by SJHillman · · Score: 2

      From Homeland Security's website:
      ----------
      To become a citizen at birth, you must:
      - Have been born in the United States or certain territories or outlying possessions of the United States, and subject to the jurisdiction of the United States; OR
      - had a parent or parents who were citizens at the time of your birth (if you were born abroad) and meet other requirements

      To become a citizen after birth, you must:
      - Apply for “derived” or “acquired” citizenship through parents
      - Apply for naturalization
      ----------
      You'll notice that there is no way to become a citizen *before* birth. An abortion happens *before* birth, therefore no, fetuses are not citizens and would not count.

  6. Re:Okay, but... by SJHillman · · Score: 5, Insightful

    How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing this automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.

  7. What data? by WPIDalamar · · Score: 3, Insightful

    What data was he able to access?

    Two ends of a possible spectrum I see...
    - Being able to tell 70k accounts exist by some numerical ID
    - Getting full personal information for 70k accounts including name, address, ssn, payment details

  8. Re:Didn't see that coming by Anonymous Coward · · Score: 2, Funny

    ..... will be as shocked as I am.

    Your winnings sir...

  9. Re: Okay, but... by ranton · · Score: 5, Insightful

    While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.

    It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
  10. Re:Throw money at it! by TheCarp · · Score: 5, Insightful

    > Forget the military-industrial complex; sequestration is shutting that down.

    ROTFL really? You actually think that is shutting down or that the fake sequestration dance had shit to do with it?

    Last year, right before sequestration hit, congress approved massive military spending on all sorts of pork. Sequestration itself was even only a cut in budget increases. Sequestration is very narrowly aimed at making paper cuts look like gaping wounds....and does so with exacting precision.

    I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

    The military industrial complex is alive and well.

    --
    "I opened my eyes, and everything went dark again"
  11. Sometimes I wonder about numbers by kruach+aum · · Score: 5, Insightful

    If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k In 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).

  12. Re:Okay, but... by Anonymous Coward · · Score: 2, Insightful

    Commercial company who did Healthcare.gov

    And my 'favorite' - Oregon's botched by Oracle

    It wouldn't be politically correct, but they could have had the work done much cheaper by cutting out the middle man and just hire Indians or an Indian firm directly.

    Instead, they hired Indian developer resellers. Yep, that's all N. American companies - especially US companies - are: resellers of Indian and other Third World development talent.

    Why spend the money on flashy suits with Rolex watches? Go direct! Go Indian!

  13. healthcare.gov or Neiman Marcus by xanthos · · Score: 2

    somehow I don't think that a group of people looking for government subsidies for their healthcare represent the best targets for identity fraud.

    --
    Average Intelligence is a Scary Thing
  14. Re:Okay, but... by Anonymous Coward · · Score: 4, Informative

    History suggests so.

    The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.

    If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.

  15. Re:Okay, but... by cbhacking · · Score: 4, Insightful

    Sure they would. Not all of them, true, but most. That's not to say they'd be perfect, but they would certainly have done better. Banking websites, despite often having stupid legacy requirements like 8-character passwords or relatively weak SSL ciphers, are routinely designed with vastly better security than is being described here. That's for their own sites; for ones operating under such a high-profile-the-gov-is-paying situation? They'd be idiots not to, and contrary to what it sometimes seems, not many successful companies are actually run by idiots. This whole fiasco has the potential to spell death for this company, and its top people, at least in government circles. They'll be too toxic to touch!

    Don't get me wrong, really good web security is hard. There's simple fixes for pretty much every class of problem, but there are a *lot* of possible problems and some of them are pretty un-intuitive. Knowing what security to implement, where, and how to do it is pretty specialized knowledge. In theory, it should be something every web developer knows, of course. In practice, that's not the case at all. Instead, there are a bunch of basic guidelines every code monkey is given, and then there are a handful of experts who oversee the whole thing. Small companies, or those operating on a tight budget of either time or money, may opt to leave that part to some outside experts once the code is already written (I would know; this is what I do) but they still often at least make the attempt.

    To go completely without such expertise, on such a high-profile project, though? Pure folly. Even where the implementation of security recommendations is hard (and sometimes it is), the cost of failing to implement them will be much greater, and they really should know that.

    --
    There's no place I could be, since I've found Serenity...
  16. I can almost imagine how it might be done by QilessQi · · Score: 5, Interesting

    Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:

    1. Create an account on the site.
    2. Log in.
    3. Notice that your URL ends in something like /showUserProfile?userID=70001
    4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
    5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.

    A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.
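Added example, not code from the original post or from the site it speculates about: the five steps above carried through against a constructed request handler, with the "properly-designed" check beside the missing one. The handler names, session table, profile records and numeric ID range are all assumptions made up for the demonstration.

```python
"""Insecure direct object reference and the check that stops it (added example).

Everything here is constructed: a profile store with sequential IDs (as the
parent post assumes), a session table, and two versions of the handler
behind /showUserProfile?userID=N.
"""
from typing import Callable, Dict, List, Optional

# Constructed profile store: sequential numeric IDs, fake data.
PROFILES: Dict[int, Dict[str, str]] = {
    uid: {"name": "user%d" % uid, "ssn_last4": "%04d" % (uid % 10000)}
    for uid in range(1, 21)
}

# Constructed session table: session token -> owning user ID.
SESSIONS: Dict[str, int] = {"sess-alice": 7, "sess-bob": 12}


class Response:
    def __init__(self, status: int, body: Optional[Dict[str, str]] = None):
        self.status = status
        self.body = body


def show_user_profile_vulnerable(session_token: str, user_id: int) -> Response:
    """Checks only that the caller is logged in. The userID from the URL is
    trusted as-is, so any authenticated user can read any record."""
    if session_token not in SESSIONS:
        return Response(401)
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)


def show_user_profile_fixed(session_token: str, user_id: int) -> Response:
    """Validates the requested record against the authenticated session:
    the only profile a session may read is its own."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return Response(401)
    if user_id != owner:
        return Response(403)  # authenticated, but not authorised for this object
    return Response(200, PROFILES[owner])


def enumerate_profiles(handler: Callable[[str, int], Response],
                       session_token: str, start: int, stop: int) -> List[int]:
    """Step 5 of the post: walk userID=start..stop with one valid session and
    collect every ID whose record came back. Returns the leaked IDs."""
    leaked = []
    for uid in range(start, stop + 1):
        if handler(session_token, uid).status == 200:
            leaked.append(uid)
    return leaked
```

Against the vulnerable handler one session walks the whole ID space; against the fixed one the same loop yields exactly the caller's own record. Sequential IDs make the walk trivial, but the fix is the ownership check, not obscuring the IDs.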

    1. Re:I can almost imagine how it might be done by cbhacking · · Score: 4, Interesting

      Yep. I see this all the time. Sometimes it's a little more subtle, though. Like, say, storing that value in a cookie. Most people never look at their cookies, but a web security expert (on either side) is more likely to see the cookies than they are to see the actual site rendering. Or the value might be something that in the abstract is impossible to guess (like 59340341412091985) but if you happen to know your SSN and your birthdate, you might recognize those values in that 17-digit mess (it's even easier if, for example, there's a | character between the parts) and then you can (relatively easily) start guessing other people's pairs.

      Sometimes it's even more subtle and requires some actual work to get at it, like storing an ID value concatenated with some other garbage like the date in a cookie encrypted with a static key (this one is actually fairly commonly done as a method of generating a token *identifying* the authenticated session, after all, if you don't have the key you can't generate the authentication token, right?). However, if you can guess which bits of that token are the ID (not hard; they're the ones that are the same whenever a given account signs on, but different for every account) you can twiddle the bits and basically brute-force the search space of valid IDs. There are still many ways to make this at least *somewhat* harder to attack, but a lot of developers won't bother... and there are ways to do it *worse*, too, like using an XOR with a constant mask instead of merely re-using the key with a real cipher.

      --
      There's no place I could be, since I've found Serenity...
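Added example, not code from the original comment or from any real site: the "ID concatenated with the date, masked with a constant" cookie described above, the trick of spotting the ID bytes by comparing two logins, the forgery it allows, and one integrity-checked alternative. The cookie layout (8-digit zero-padded user ID, '|', ISO date), the mask bytes and the HMAC key are all constructed assumptions.

```python
"""Bit-twiddling an ID hidden in a constant-mask cookie (added example).

Layout, mask and key are constructed. The weak scheme XORs ID||date with a
fixed byte string; the better one leaves the ID readable but binds it with a
server-side HMAC so a changed byte is rejected.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

MASK = bytes.fromhex("5a3c9e17b2d4f06e8ac1d3f5")  # constructed, reused for every token
HMAC_KEY = b"constructed-server-side-key"


def xor_mask(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating constant key (the weak scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def issue_xor_token(user_id: int, date: str) -> bytes:
    """Weak: ID||date masked with the same bytes for every account."""
    return xor_mask(("%08d|%s" % (user_id, date)).encode(), MASK)


def read_xor_token(token: bytes) -> Tuple[int, str]:
    uid, date = xor_mask(token, MASK).decode().split("|")
    return int(uid), date


def stable_positions(token_a: bytes, token_b: bytes) -> List[int]:
    """Compare two tokens for the same account issued on different days: the
    bytes that never change are the ID (plus fixed separators); date bytes vary."""
    return [i for i, (a, b) in enumerate(zip(token_a, token_b)) if a == b]


def forge_xor_token(my_token: bytes, my_id: int, target_id: int) -> bytes:
    """Knowing my own ID, the mask at those positions is ciphertext XOR plaintext,
    so any other ID can be re-encoded under it. The key is never needed."""
    known_plain = ("%08d" % my_id).encode()
    recovered = bytes(c ^ p for c, p in zip(my_token[:8], known_plain))
    target_plain = ("%08d" % target_id).encode()
    return bytes(t ^ m for t, m in zip(target_plain, recovered)) + my_token[8:]


def issue_signed_token(user_id: int, date: str) -> bytes:
    """Better: the ID is not a secret, so leave it readable, but append an HMAC
    under a server-side key. Hex digest keeps the '.' separator unambiguous."""
    payload = ("%08d|%s" % (user_id, date)).encode()
    tag = hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def read_signed_token(token: bytes) -> Optional[Tuple[int, str]]:
    payload, sep, tag = token.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged
    uid, date = payload.decode().split("|")
    return int(uid), date
```

The forgery needs nothing but the attacker's own cookie and own ID; that is why a constant mask is worse than a real cipher with a reused key, and why a random server-side session identifier looked up in a table avoids encoding the ID in the cookie at all.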
    2. Re:I can almost imagine how it might be done by QilessQi · · Score: 3, Informative

      Good point. I've always been impressed by how hackers can exploit the information gleaned from a very few sample interactions with a system to discern the underlying algorithm behind token choice, etc. I saw a step-by-step presentation recently from DEFCON on how the presenter was able to break into someone's social media account, IIRC by whittling down millions or billions of possible authentication tokens to a very small number by a combination of social engineering and sleuthing using the clock time, host IP, etc. I wish I could find it again and post it here; it was dizzying.

  17. $700 million - and still insecure!!! by Anonymous Coward · · Score: 2, Insightful

    No commercial company would have spent USD $700 million and STILL had an insecure site. Further - we have NOT seen one single f'ing firing...in the commercial world - heads would have rolled!

    1. Re:$700 million - and still insecure!!! by Tridus · · Score: 4, Informative

      The commercial company that built this website was let go from their contract, and without that contract there will likely be firings.

      But yes, feel free to tell us about all the firings from the major corporate breaches that happened in the last year. Because if you think this doesn't happen all the time, you're living in a fantasy world.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  18. oblig by cellocgw · · Score: 4, Funny

    Even worse, after accessing all those records, he logged in again as Bobby Tables and...

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    1. Re:oblig by jakimfett · · Score: 2

      I really wish I had mod points, because this made me crack up. (Here's the link, for those of you still wondering who Bobby is...)

      --
      Bits of code, random ramblings: jakimfett.com
  19. Re:Throw money at it! by CrimsonAvenger · · Score: 5, Insightful

    I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

    Do remember that it was Obama that "closed down parks" and "did everything they could to make people feel the cuts", not Congress.

    Most of the cuts did nothing that would've been noticed by the average citizen, but you can't generate outrage at Congress with barely noticeable cuts. So they spent extra money putting traffic cones up blocking sites from which Mount Rushmore could be photographed, and shut off access to the Tomb of the Unknowns (which normally has no restrictions to access - it's in the middle of a lawn).

    --
    "I do not agree with what you say, but I will defend to the death your right to say it"
  20. This Was Commercial by mx+b · · Score: 3, Informative

    I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).

    I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have(had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.

    This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.

    1. Re:This Was Commercial by Anonymous Coward · · Score: 3, Insightful

      I think it is important to point out that effectively this was the work of a commercial company.

      No it's not. A commercial company would be losing money hand over fist, being sued by customers by the thousands, no one would choose to do business with it, and they would have run out of investment money long ago.

      The ONLY way to have a failure of this magnitude is with the unlimited coffers of the government, funded by tax payers with no say in it.

    2. Re:This Was Commercial by CrimsonAvenger · · Score: 4, Informative

      The government can do great things. Look at NASA.

      NASA? Pretty much everything they do consists of issuing a design spec and taking bids. Even Apollo and Saturn were actually designed by private companies.

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
    3. Re:This Was Commercial by tibit · · Score: 4, Informative

      They do program management, and that's very important. healthcare.gov would fare much better if it had NASA-style, competent program oversight.

      --
      A successful API design takes a mixture of software design and pedagogy.
    4. Re: This Was Commercial by NeutronCowboy · · Score: 3, Insightful

      So when a government agency does something good, it's because it outsourced some work to the private sector. If it does something bad, it is because it is a government agency. Did I get that right? For some reason , I smell a variation of the "privatize profits, socialize losses" mantra.

      --
      Those who can, do. Those who can't, sue.
    5. Re: This Was Commercial by Entrope · · Score: 2

      No, you smell a variant of the "government is generally incompetent because it tries to do a lot of things where it builds in incentives that encourage shitty performance" mantra.

    6. Re: This Was Commercial by Entrope · · Score: 2

      The most common one for contracts is being able to bill on hours spent (either T&M or a cost-plus-whatever contract structure) rather than on deliverables. Inside the government, it's career civil service with little ability to fire people who suck at their jobs (as opposed to breaking bright line rules). Fundamentally, the government itself cannot go out of business, so it lacks the basic motivation of citizens and private enterprise to do things efficiently and effectively.

  21. Big mouth by jargonburn · · Score: 4, Funny

    He should probably shut it. Doesn't he know that the best security is obscurity? If he keeps talking about how vulnerable that website is, someone MIGHT actually hack it! Is that what he wants??

    1. Re:Big mouth by jargonburn · · Score: 2

      I failed to append the /sarcasm tag. *sigh*

  22. Re:Okay, but... by cbhacking · · Score: 5, Informative

    Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.

    * Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...

    --
    There's no place I could be, since I've found Serenity...
  23. Re:Go Team USA! by Enry · · Score: 3, Insightful

    Hence the reason why decoupling your insurance from your employer is a great idea.

  24. Re:Okay, but... by phantomfive · · Score: 2, Insightful

    The worst thing is, you don't even have to sign up for them to get that information.

    --
    "First they came for the slanderers and i said nothing."
  25. Hey David, by Cornwallis · · Score: 2

    Would you please take a crack at Vermont's site - also made by CGI? It is crap and we are getting nothing but a snowjob from the powers-that-be.

  26. How do I get clients like this? by rebelwarlock · · Score: 4, Funny

    I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

    1. Re:How do I get clients like this? by PRMan · · Score: 3, Insightful

      Connections. People don't pay people because they're good. They pay them because they are their friends.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:How do I get clients like this? by Zontar_Thing_From_Ve · · Score: 5, Interesting

      I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

      My first job out of college was working for the Department of Defense as a civilian programmer (I worked for a specific branch of the US military, but I'd prefer not to name it). I can tell you based on what I saw that the answer to your question is "Get a contract awarded to you." My first job was that I was hired to work with a small team trying to finish up a salvage operation on some old IBM hardware that the contractor never completed the project on. We were finishing up making it work after the contractor gave up and gave us the computers. I can't say this with 100% absolute certainty, but the senior guy on the project insisted that the contract got fully paid and the vendor never was sued for giving up on the project without meeting what the project called for. He said they just turned over the computers and the source code for as far as they had gotten and called it a day with Uncle Sam just shrugging his shoulders about it. I learned while working there that literally anything can be justified if it's on a contract. No cost is so high that it can't be justified if it's on a contract between the DoD and a private company. The right wingers unfortunately help to waste US taxpayer money here by insisting that everything there is can be done "cheaper" (ha ha ha) by any private company. Almost all of my DoD career was spent working on various projects where the government reclaimed them from a contractor (sometimes after completion, sometimes when the contractor just gave up on it) and everything was significantly cheaper for us once we took over the projects. So what happens is that unscrupulous vendors bid cheaply on contracts they can't be sure that they can actually complete because they're rarely sued and they can usually get fully paid or close to it for any half-way attempt they make on the project. Nobody on the right ever questions the wisdom of this process because it is "saving money".

  27. Re:Okay, but... by Anonymous Coward · · Score: 5, Informative

    A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.

  28. Re: Okay, but... by Anonymous Coward · · Score: 4, Insightful

    But what about the companies who store info on me that I've never done business with? There are plenty of data aggregators out there that have tons of people in databases without any of them ever having done any direct business with them.

  29. Re:Throw money at it! by MightyYar · · Score: 3, Informative

    I'm amazed at how poorly government can handle even modest changes in funding... and not just at the federal level. During the financial crisis, our local school system had a 5% cut, and you would have thought the world had ended. They zeroed out maintenance, fired teachers, cut programs, all to preserve a yet-to-be-negotiated pay raise for the staff. Meanwhile, in my job in the private world we all took a 25% reduction in pay for a while when the company's revenue went suddenly to nearly zero, so my sympathy was not exactly running high.

    Mind you, cutting 5% returned them to the previous year's levels. No one could answer my question about how they managed to hold it all together the year before if the funding was "so bad".

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  30. No. It's NOT the same thing by Anonymous Coward · · Score: 4, Insightful

    The example you gave - the securities markets - deal only with impersonal numbers. There have been a few screw-ups in the past (Flash crash for example.), but it's a matter of backing up trades and lecturing member firms and maybe a little slap on the wrist.

    No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.

    With Healthcare.gov, we're dealing with individuals information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.

    A big corp's nuisance is a citizen's nightmare and ruin.

    NOT The same thing.

  31. Re:Okay, but... by interkin3tic · · Score: 2, Interesting

    I'm not sure why healthcare.gov needs drivers license numbers, but those others are true of private healthcare companies, who appear to have more leaks than the government at least on this graph.

    I'm not saying government is more secure, I'm just saying the dangers aren't unique to healthcare.gov.

  32. Re:Okay, but... by Forty+Two+Tenfold · · Score: 4, Funny

    From the misery of this site it looks as if it was specifically designed to kill Obamacare.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  33. Re:Okay, but... by funwithBSD · · Score: 5, Interesting

    Two things:

    According to the article, the government is not REQUIRED to tell you about hacking attempts. HIPAA and other laws require that they disclose "hacks"

    Second, as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.

    --
    Never answer an anonymous letter. - Yogi Berra
  34. Re:Then Why No Hack Job? by Shatrat · · Score: 3, Insightful

    The whole point is that it probably has, and their security is so bad they can't even detect it, let alone prevent it.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  35. Re:Okay, but... by fahrbot-bot · · Score: 4, Insightful

    How many commercial companies would have this much customer data at risk?

    Well.. I can name at least three: Equifax, Experian, and TransUnion.

    --
    It must have been something you assimilated. . . .
  36. Re:Okay, but... by phantomfive · · Score: 4, Informative

    being legally mandated to do something dangerous isn't good.

    The worrisome thing is, you don't even need to do anything to be exposed to danger. Your information is already in the system, waiting to be exposed.

    --
    "First they came for the slanderers and i said nothing."
  37. Re:Go Team USA! by geminidomino · · Score: 4, Insightful

    We have representatives

    Coulda fooled me...

  38. Re:Then Why No Hack Job? by Diss+Champ · · Score: 2

    You are making a rather huge assumption when you state it hasn't been cracked by a Black Hat. You expect press releases from someone who has taken all the information for their own uses?
    You are also assuming that anyone incompetent enough to create that abomination is competent enough to notice if they have been hacked.

  39. Re:Okay, but... by ADRA · · Score: 2, Informative

    Or you could, I dunno, actually call up the credit rating agencies and actually describe the problems. Quite often they can actually help you with your problems, though by the time you get to them, you're generally feeling too irate to appreciate it.

    I had collections agencies calling me every few weeks asking for 'insert name here' who apparently bought some crap and put my phone number as the contact info. Well, a company generally shops the collections duties out to a bunch of useless leeches that don't give a fuck about annoying the shit out of honest folks. Finally, after maybe 2 years of hassle from countless collections leeches, one of the agents finally told me if I really had an issue with it, that I should just go to Transunion/Equifax (at least in Canada) as the contact info was most likely originating from them. I did, and the agent 'corrected' the defect and I haven't heard a peep from a collections agent since. Thank goodness I'm not a delinquent deadbeat or else I'd be living a shitty life with those vultures pecking.

    If I recall correctly, you can also do other things like flag your personal information, and if anyone attempts to open credit accounts through those credentials, you'll get notified, but I can't remember if that's right or not. If not, it'd be in everyone's benefit to do so if they don't though.

    --
    Bye!
  40. Re:Throw money at it! by PRMan · · Score: 2

    You're a fool and clearly never worked in Defense Contracting. I have, at one of the big six, and I can assure you sequestration was quite damaging. Layoffs at most industrial centers, cancellations of contracts which led to increased overhead, running up the costs of certain programs and turning them unprofitable, etc.

    I worked in the industrial side, building ships. The Navy had to delay several ship procurements, which led to a lack of economies of scale and efficient manufacturing methodology which increased cost; our bids were based on a set schedule of production and the delays ramped that up. Other guys building vehicles had programs cut, which lowered the numbers of the base contract, subsequently increasing the unit cost of each vehicle, as you have fewer to spread your fixed overhead over, and industrial manufacturing requires a lot of fixed overhead. Same thing on the aircraft side, and the cutbacks flow down through their subcontractors, laying people off. I have several PhD friends working as civilian researchers for the DoD; their budget was bigger than NASA's entire budget. Most of their programs got cut back, and suddenly a bunch of PhDs were sitting around twiddling their thumbs doing paperwork instead of researching new materials and communications systems; most left for the private sector. Sequestration was a serious blow.

    Politically I'm happy it hit; there was too much expansion of the DoD under the last two wars and it needed to be pared back. But with a scalpel, not with the battle-axe that sequestration was.

    And even after reading your whole comment, we repeat... AND NOBODY NOTICED.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  41. Re: Okay, but... by ADRA · · Score: 4, Insightful

    It's a false dichotomy because you can never really know the inherent security of a company you do business with. Often these companies are veiled behind the companies you do perform business with anyway, so who's to say that although 'Walmart' may be secure, maybe their downstream credit merchant bureau has huge leaks, or maybe their third party BI / sales data processing service has some inherent flaw, or ... Security isn't as simple as putting the onus on a very complicated problem and just saying 'sure, I trust Walmart with my credit, address, phone', etc.

    Ideally all this 'information' will become a lot less valuable (like making the ability to attain credit a lot more difficult than some data entered into a web page), but that'll happen sooner or later, be assured. The Internet's rather new in this respect, and although safeguards help, they are by no means perfect. You could increase the security (which is always a good idea for items of value), but ideally, we just make a credit card number useless. Who cares. It's a 16 digit number. It's the hundreds / thousands of sites accepting that as 'sufficient' for merchant exchanges that make the number important.

    --
    Bye!
  42. Re:Mitnick is a whitehat? by PRMan · · Score: 2

    And he hasn't done any of that for over 10 years. Jeez, Javert, he went to prison and served his time. He's trying to turn his life around and be a good guy. Cut him a break.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  43. Well the performance of the site is getting better by TheMadTopher · · Score: 4, Funny

    Hackers can get 70K records in 4 minutes from the healthcare.gov website? Great news! That's the best performance metric the website has had yet!

  44. Re:Throw money at it! by bob_super · · Score: 3, Informative

    Someone is very confused between sequestration and shutdown.
    How did you get +5 insightful?

  45. Re:Throw money at it! by TheCarp · · Score: 4, Insightful

    > You're a fool and clearly never worked in Defense Contracting.

    Fool must mean, person with a conscience.

    I certainly hope your post is accurate, it's the best news I have heard about the sequesters yet.

    The offence (calling it Defence is bordering on Orwellian and has been for generations now) industry could stand some deep cuts. Mortal blows even.

    --
    "I opened my eyes, and everything went dark again"
  46. Re:Go Team USA! by Tridus · · Score: 2

    Congress is currently among the most incompetent and ineffective governing bodies on the planet. It's filled with people in safe seats (no particular effort required to win) and corporate shills who are open about it. The place needs a total purging, but that would require voters to do something other than vote for the same party every single time.

    And if you expect anything out of voters these days, good luck with that.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  47. Re:Most famous hacker? by Tridus · · Score: 2

    People who aren't into computer security know his name, which means he can get in to talk to Congress. When you're dealing with politicians, being famous certainly helps you.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  48. Re: Okay, but... by NeutronCowboy · · Score: 2

    But what is the solution here? Move it to the private sector? You said yourself that the private sector has no experience with that kind of stuff. It's easy to scream .gov sucks, but the private sector will face far bigger problems - including dealing with corporate failure. Will everyone go without insurance just because a corporation failed?

    --
    Those who can, do. Those who can't, sue.
  49. Of Course It's Crap by BlueStrat · · Score: 2

    It was never meant to actually work.

    It was meant to fail spectacularly in order to clear the way for British-NIH-style single-payer healthcare.

    "Jacob Hacker, The Architect of ObamaCare and the Public Option in making his case, admits that this idea is a covert route to a Single Payer System."

    http://youtu.be/3sTfZJBYo1I

    Just watch. After sufficient public frustration, desperation, & outrage have developed, single-payer will be rolled out as the "fix".

    There's a "fix" alright, just that it was "in" before this crapfest was even passed.

    Of course, those in Congress and friends of the administration like labor unions won't have to deal with any of this. It's good to be the king, eh?

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  50. Not a Trusted Source by whitedsepdivine · · Score: 2

    I heard this guy over the radio. He was saying "S-Q-L Injection" instead of "Seaquel Injection", so I can't trust his expert opinion.

  51. Aha! The DEFCON video I mentioned... by QilessQi · · Score: 2

    I found the DEFCON video that shows the really creative ways that webapps can be attacked, along the lines of what you're talking about:

    https://www.youtube.com/watch?...

    It's by Samy Kamkar. I strongly recommend it for any developer of public-facing webapps.

  52. so this is still not Obama's fault, right? by superwiz · · Score: 2

    If a government website exposes thousands of citizens to high levels of danger, it has to be shut down and not taken back online until it works. He does have the power to take the site off line. Sure, he is not the one coding it, but it's not exactly NORAD. It's a highly broken shopping site. What level of incompetence would he have to display before his supporters would finally agree that he is, in fact, just an empty suit? I want to know where that line is that he cannot cross as far as his supporters are concerned. This is the guy who sold guns to drug dealers to whom the gun dealers wouldn't sell guns because he wanted to create the perception that guns are dangerous (and no, you silly, Bush didn't do the same thing -- Bush considered it and then decided it was a dumb idea and shelved it). Don't even start with "he didn't do it personally". He did -- by virtue of the fact that his political appointees did it and weren't even fired for it. What is the line he cannot cross? I just want to know what to expect. Or should I just settle in and enjoy the surprises?

    --
    Any guest worker system is indistinguishable from indentured servitude.
  53. Re:Okay, but... by betterprimate · · Score: 2

    What testing utility did you use?

  54. Re:Okay, but... by DJRumpy · · Score: 2

    I saw nothing in the linked article that indicated 'what' information was pulled for these 70,000 'records'. It could be something as simple as IP information. Simply claiming you hacked a site without providing specifics as to what was extracted isn't all that useful. It makes for good headlines and 'clicks', but not much else.

    This is what passes for reporting these days?

    Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system.”

    Kennedy also told Fox News Sunday, “70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.”

  55. Re:Throw money at it! by jmac_the_man · · Score: 2
    Funny story about that. The IRS planned to implement the sequester cuts by furloughing, without pay, for five days during 2013. (Each of the 5 days would have been immediately preceding or immediately following a holiday weekend.) By mid July, the IRS "came up with some emergency funding" that they could use to offset the sequester cuts, meaning IRS staff only had to take 3 days without pay.

    The sequester cuts were long over by the time you submitted your form in October. The government shutdown is also long over. The IRS is not "being forced to cut service" by the sequester or anything else.

  56. Re:Okay, but... by AK+Marc · · Score: 2

    The problem with white hat hacking is that the sentence is as long as for black hat. Likely the details are deliberately vague to maintain some deniability. And nobody official is acknowledging any weaknesses, let alone detailing what could be lost in a breach. Am I at risk? If so, what of me is?

  57. Spec? What spec? They were making changes ... by perpenso · · Score: 4, Insightful

    I'm pretty sure that "it shouldn't work and should be easily hackable" were not in the spec. This is just another example of the quality of work you get when governments contract out to private companies.

    Spec? What spec? They were making changes two weeks before launch. From the congressional testimony, http://www.cnn.com/2013/10/24/...:

    "In the first detailed account of what happened, officials of four contractors involved in the website creation described a convoluted system of multiple companies operating separately under the oversight of CMS, a part of the Department of Health and Human Services. Each said their individual components generally performed as planned after internal testing, but all conceded that CMS failed to conduct sufficient "end-to-end" testing of the entire system before the launch ... an end-to-end test conducted within two weeks of the launch caused the system to crash. She said it was up to CMS to decide on proceeding with the rollout."

    "... blamed a decision by CMS within two weeks of the launch to require users to fully register in order to browse for health insurance products, instead of being able to get information anonymously, as originally planned."

    The preceding should not be interpreted to mean that the contractor did good work. They may have been a problem as well. My point is that government officials were basically sabotaging their project through mismanagement. Inadequate integration testing, last minute changes, launching despite testing showing they were not ready ... It appears that politicians were in control.

  58. Re:Okay, but... by JWSmythe · · Score: 2

    How many commercial companies would have this much customer data at risk?

    You won't like this answer. An awful lot of them, and most of them you've never heard of. There is an entire industry revolving around background checks and investigative resources.

    I've personally worked with some of these companies, so I have first hand knowledge, not just rumors. We literally had all the PII on 99% of the US population, age 18 and up.

    Any company that has any worthwhile information has "credit headers". Basically, name (first/last/middle), SSN, DOB, and a list of addresses and phone numbers.

    Depending on the company, they can have more. Some aggregate information from surveys. Some associate people who have lived at the same address as potential relatives. Some provide details on you, your family (frequently guessed), and even neighbors.

    Some have information on your shopping habits. Some get them from surveys. Others directly from places like Walmart/Target/K-mart. Others from branded credit cards. And plenty of information is gathered from store loyalty cards.

    Some information is gathered directly from credit card processors. So Visa, or your bank don't hand off that information. That doesn't mean the 3rd parties you'll never know about don't collect and aggregate the information.

    A lot of the information out there wasn't legally gathered. For example, if I got a sysadmin at say Verizon Wireless to dump their database of users, with name, address, cell phone, I could pay him say $20K for it. It would be worth it, since I'd make more than that selling the information by individual search. I could also resell the list as much as I want for $20K+ each.

    Companies buy and sell these lists all the time.

    Some companies sell totally bogus lists. I used myself and aliases I've used to validate their data. I've seen my alias show up with other information I've never used.

    Some companies sell the data as "new" or "fresh", while it's ancient. One had car registrations, and "my" newest vehicle I hadn't owned for over 10 years, but failed to have any of my current vehicles.

    There's nothing illegal about it either. Mostly they're breaches of contract. If you're using a database that I bought, you aren't licensed for it. There are frequently seeded entries. By themselves, they look normal. Like, I may add a fake record, John Wayne Smythe at 14 Main St, SSN 135-63-2399 (just random numbers), so if I run a search against their database and see it, I know it's stolen.

    Lots of information out there was gleaned from government web interfaces, before they started restricting PII, including DOB and SSN. Unfortunately, those pieces rarely change, so John Wayne Smythe's DOB and SSN will be the same until he finally ends up on the SSA Death Index. Some conveniently ignore that index too, so they may be stuffed full of real people who are already dead. Sometimes that's useful. If you're searching for JW Smythe, and find out that he died in 1996, any current activity is a fraudulent identity.

    Working in that industry, I've learned that I love aliases, and use them everywhere. There's no reason that I should use my real name here, it's just another forum. The same with every forum I visit.

    --
    Serious? Seriousness is well above my pay grade.
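    The seeded-record trick described in the comment above (a fake entry that only ever shows up in copies of your list), as an added example that is not part of the thread or of any company's code: it goes one step further than the comment by deriving a distinct set of canaries for each licensee from a secret key, so a resold copy can be attributed to the licensee that leaked it, not just detected. Every name, address, key and SSN-like value here is constructed; the 000 area number is never issued by the SSA, so a canary cannot collide with a real person.

```python
# Added example, not from the Slashdot thread: per-licensee canary records for a
# licensed data set. All names, addresses, keys and SSN-like values are constructed.
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (name, address, ssn)

FIRST_NAMES = ["Alan", "Beth", "Carl", "Dana", "Evan", "Fay"]
LAST_NAMES = ["Smythe", "Quillan", "Varga", "Orimoto", "Bellweather"]


def make_canary(secret: bytes, licensee: str, index: int) -> Record:
    """Derive a deterministic fake record for one licensee and canary index.

    Deriving from an HMAC means the seller only has to keep the secret, not a
    table of every canary, and licensee A's canaries never equal licensee B's.
    """
    digest = hmac.new(secret, f"{licensee}:{index}".encode(), hashlib.sha256).digest()
    name = f"{FIRST_NAMES[digest[0] % 6]} {LAST_NAMES[digest[1] % 5]}"
    street = f"{digest[2] % 900 + 100} Canary St"
    # Area number 000 is never issued, so this can never match a real SSN.
    digits = "".join(str(b % 10) for b in digest[3:9])
    ssn = f"000-{digits[:2]}-{digits[2:]}"
    return (name, street, ssn)


def seed_dataset(records: List[Record], secret: bytes, licensee: str, n: int = 3) -> List[Record]:
    """Return a copy of the data set with n canaries for this licensee mixed in."""
    return records + [make_canary(secret, licensee, i) for i in range(n)]


def attribute_leak(suspect: Iterable[Record], secret: bytes,
                   licensees: Iterable[str], n: int = 3) -> Dict[str, int]:
    """Count, per licensee, how many of that licensee's canaries appear in a
    suspect data set. Matching is on the SSN field only, because resellers
    routinely reformat names and addresses while leaving the SSN untouched."""
    suspect_ssns = {ssn for _, _, ssn in suspect}
    hits: Dict[str, int] = {}
    for lic in licensees:
        count = sum(1 for i in range(n) if make_canary(secret, lic, i)[2] in suspect_ssns)
        if count:
            hits[lic] = count
    return hits


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # in practice a long random key kept offline
    LICENSEES = ["acme-collections", "bogus-background-checks"]
    licensed = [("Jane Doe", "1 Example Rd", "constructed-1")]  # stands in for real data
    copy_for_acme = seed_dataset(licensed, SECRET, "acme-collections")
    # A reseller later offers a "fresh" list that is acme's copy with names mangled.
    resold = [(name.upper(), addr, ssn) for name, addr, ssn in copy_for_acme]
    print(attribute_leak(resold, SECRET, LICENSEES))  # {'acme-collections': 3}
```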