Sophos Cloud Optix
Four cyber security experts have delivered to the US Congress a unanimous opinion: Americans shouldn’t use HealthCare.gov, given its security issues.
David Kennedy, CEO of information security firm TrustedSEC and former CSO of Diebold, was one of those who testified on Tuesday before a House Science, Space, and Technology committee hearing on security concerns surrounding the woebegone, very large attack target that is the government’s new healthcare website.
The committee wanted answers to this question: “Is my data on HealthCare.gov secure?”
As FoxNews.com reported, Kennedy testified that the answer is No, given that the site’s pwnage is inevitable:
Hackers are definitely after it. ... And if I had to guess, based on what I can see ... I would say the website is either hacked already or will be soon.
Kennedy told FoxNews.com that his firm has detected a large number of SQL injection attacks against the site, which indicates “a large amount” of hacking attempts:
Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures, if a hacker wanted access to the site or sensitive information, they could get it.
Also testifying was Fred Chang, a computer science professor at Southern Methodist University and former research director for the NSA; Avi Rubin, a computer science professor at Johns Hopkins University; and Morgan Wright, CEO of Crowd Sourced Investigations, cybersecurity analyst for Fox News and Fox Business, and a former senior law enforcement advisor to the Republican National Convention.
Three of the four testified that they believe it’s best to shut HealthCare.gov down completely.
The lone voice of dissent on that point was Rubin, who said he doesn’t have enough information to decide, but that a security review of the site is definitely in order.
From Network World’s coverage:
I would need to know whether there are inherent flaws vs. superficial problems that can be fixed. If they can be fixed, that’s better than shutting it down.
Kennedy said that given what he’s been able to suss out from public record and reconnaissance of the site, he could break into its data stores within two days and steal the personal information of people who’ve used the site.
As Network World’s Tim Greene reports, Kennedy demonstrated that he could redirect people trying to access the site to a lookalike site that could push malware that would allow attackers to hijack people’s devices.
Kennedy’s explanation, via ABC News:
We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords. ... Anything that they do on their computer we now have full access to.
CBS News reports that Henry Chao, the project manager responsible for building HealthCare.gov, gave 9 hours of closed-door testimony to the House Oversight Committee in advance of this week’s hearing.
A CBS News video clip put up by Townhall.gov shows the heavily redacted security report that Chao claims he never saw.
Chao told the House Oversight Committee that his team told him that “there were no ‘high’ findings” – “high” referring to government classification of “high risk”, which designates that a vulnerability can be expected to have severe or catastrophic adverse effects on organisational operations, assets or individuals.
Vulnerabilities rated “high risk” could lead to identity theft, unauthorized access, and misrouted data.
It was Chao who recommended it was safe to launch the site at the start of October.
When asked if he found it surprising that he hadn’t seen the memo advising about high-risk vulnerabilities on HealthCare.gov – a highly redacted version of which was shown on CBS News’s report – he said that yes, of course he was surprised:
Wouldn't you be surprised, if you were me?
“American’s shouldn’t use …”
Unnecessary apostrophes? :o)
Typo. Thanks for pointing out 🙂
If they did shut it down, they’d have to do it smartly, putting up a message that is easy to understand. Otherwise, visitors will assume they’re doing something wrong and will try harder, maybe ending up on one of the lookalike scam sites instead.
Paragraph one: It is “Americans” not “American’s” – plural not possessive.
Thanks – typo is now fixed.
Simply amazing. (almost)… I’ll be re-writing this one for my readers and sending them here for the full story, per my Sophos guidelines. I’ll get the word to my followers at twitter as well.
Keep up the good work!
As someone who sits in SOC and watches traffic for multiple large and small clients, unless they have some good captures showing very targeted and customized attempts, a lot of that ‘SQL attack’ is just the usual collection of scanners and automated probing that hits the worlds websites every day.
That said, yeah its a great target and it will be hit likely thousands of times a day. Eventually someone is going to get through. I’d be interested in what are they doing to both monitor and detect things beyond the front door ?
This is what happens when you give a big project like this to a friend of the first lady instead of hiring the best company for the job. Can you believe they didn’t even take multiple bids? They gave the job to a Canadian company. They got to make the only bid. That alone seems criminal.
You’re seriously going to repost stuff from FOX News like this is an unbiased representation of the facts? Do you understand that saying that a guy connected with Diebold, a guy connected with Southern Methodist, and a guy connected with FOX News say that the site should be shut down is no more insightful than saying that the extreme right-wing in the United States don’t want public health care.
Lisa is reporting what those people said to congress, she offered no opinion or comment on the veracity of their opinions.
Can you supply other sources besides the very biased Fox News? Also, excuse my ignorance but what credentials do these security pros have? What are their political leanings?
These are not claims made by Fox news, they are claims made by the individuals mentioned in the article to a congressional committee and they’re a matter of public record.
Hey Mark… here you go, and this is also a matter of public record, as it is also in the article.
“Morgan Wright, CEO of Crowd Sourced Investigations, cybersecurity analyst for Fox News and Fox Business, and a former senior law enforcement advisor to the Republican National Convention.”
So with credentials like that, do you think he’s NEVER been on Fox to rant about how bad this situation is… not even once?
Are you Obama? Why are you so upset? They’re expert enough they got to talk to Congress. Go ask the US Congress your questions.
Wow – let’s see… Reports from Fox News and Townhall (both conservative propaganda media machines) make unsubstantiated claims against a website made for a law they adamantly oppose… Citing boasts from a former exec of Diebold (a company that has plenty of security issues on it’s own). Yeah, sorry – the lack of credibility here doesn’t impress.
” Citing boasts from a former exec of Diebold (a company that has plenty of security issues on it’s own).” You forgot to add the “Security” (laughingly) before company.
Fox News was only one link here. If you don’t like it, look at one of the other sources, or go straight to David Kennedy’s report:
https://www.trustedsec.com/files/CONGRESS_Hearing_HealthCareSEC_FINAL_v1.1.pdf
Hmmm… that’s funny, because I thought every website is just a hack away from being on the 10:00 News… some more important that this, like maybe a nuclear power generation plant or that foul smelling raw sewage treatment plant down the street… oh yeah, I forgot this website is for “OBAMACare”…
I think you are overestimating the importance of a nuclear power station websites to the operation of power stations and underestimating the importance of a website to the operation of a web-based healthcare marketplace.
Nope… just stating a fact of how easy it is to access one from the Internet… in case you haven’t heard, whether it’s important or not people will tend to “freakout” over something like that… do you think?
If the site is half as bad as the claims we keep hearing… those must be the lame-est non-affiliated “hackers” in the world.
Speaking of biased comments, some of you fail to notice how biased your own comments are. You just wiped out your own credibility.
Someone even asked about political affiliations… do you question anything coming from the White House because there is a political affiliation?
Good grief.
They must be liberals or really like the new healthcare system. There’s no reason for their attacks. This article was just reporting what happened in Congress this week.
Sorry but INFOSEC is as much a corporate welfare boondoggle in DC as anything. It appears that Akamai is handling the web portion of the site and I would think that they would set up an APP Firewall to block the SQL Injections. Also, there is a process to make a site public in the Federal Government that includes vulnerability scans. I agree the site is a great target for hackers to put a feather in their cap but the fact is, there are two types of systems in IT. Compromised and about-to-get-compromised. I have no doubt that the healthcare.gov site could be compromised but there should be processes and procedures for detection of such attacks. I do get concerned with the high number of partners the site interacts with as they are only as secure as their partners are.
INFOSEC is a concern but having worked as a Federal IT Contractor and Employee I would be surprised to see these were not planned for or mitigated prior to ATO. If this was rushed, then it could be a catastrophe. .
While their concerns are legit, wading through the FUD in the INFOSEC world can be exasperating, hopefully if there are real concerns, they are being dealt with now.
John Smith
A very depressing part of this whole story is that the feds think they’ve only been attacked sixteen times since the site went live. Maybe sixteen times an hour, 24×7 for real attacks and not just probing. But certainly not a total of sixteen times. Not very much real-world awareness of the threats there.
The only thing that is more depressing than that is the sniping going on here rather than discussing the facts.
And if automated probes can populate the search engine field, then it certainly is not getting dropped prior to hitting the application, which is a significant issue.