Security pros: If the site hasn't been hacked already, it will be soon

Four cyber security experts have delivered to the US Congress a unanimous opinion: Americans shouldn't use the government's new healthcare website, given its security issues.

David Kennedy, CEO of information security firm TrustedSEC and former CSO of Diebold, was one of those who testified on Tuesday before a House Science, Space, and Technology Committee hearing on the security concerns surrounding the woebegone, very large attack target that is the government's new healthcare website.

The committee wanted answers to this question: "Is my data on [the site] secure?"

Kennedy testified that the answer is no: in his view, the site's compromise is inevitable:

Hackers are definitely after it. ... And if I had to guess, based on what I can see ... I would say the website is either hacked already or will be soon.

Kennedy said that his firm has detected a large number of SQL injection attacks against the site, which he says indicates "a large amount" of hacking attempts:

Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures, if a hacker wanted access to the site or sensitive information, they could get it.
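The kind of detection Kennedy describes, spotting SQL injection attempts in web server traffic, looks roughly like the following. This is an added example written for this page, not code from TrustedSEC or from the site's operators: it scans constructed access-log lines (the IPs, paths and parameters are invented, not captured traffic) for URL-decoded query parameters that match common injection indicators, then tallies hits per source address so a flood of attempts from one host stands out.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format. These are made up for the
# example; they are not traffic from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2013:10:01:12 -0500] "GET /apply?state=OH HTTP/1.1" 200 5120
203.0.113.9 - - [19/Nov/2013:10:01:13 -0500] "GET /apply?state=OH'%20OR%20'1'%3D'1 HTTP/1.1" 500 312
198.51.100.7 - - [19/Nov/2013:10:01:15 -0500] "GET /search?q=plans%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 4410
198.51.100.7 - - [19/Nov/2013:10:01:16 -0500] "GET /search?q=1%3B%20WAITFOR%20DELAY%20'0%3A0%3A5'-- HTTP/1.1" 200 4410
203.0.113.5 - - [19/Nov/2013:10:01:20 -0500] "GET /faq?topic=select%20a%20plan HTTP/1.1" 200 2048
"""

# Common Log Format: client IP, identity, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, checked in order; the first match labels the request.
# The comment terminator is last so that a stacked query ending in "--" is
# reported as the more specific "stacked-query".
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=\s*'?\w*'?", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|delete|insert|update|waitfor|exec)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
]


def flag_sqli(log_text):
    """Return (ip, path, parameter, indicator) for every request whose decoded
    query parameter matches a SQL injection indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parsed = urlsplit(m["path"])
        # Split on '&' ourselves and decode each value: attackers percent-encode
        # quotes, semicolons and spaces, so matching must run on decoded text.
        for pair in parsed.query.split("&"):
            if not pair:
                continue
            name, _, raw_value = pair.partition("=")
            value = unquote_plus(raw_value)
            for label, pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    hits.append((m["ip"], parsed.path, name, label))
                    break
    return hits


def attempts_by_ip(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print("%-14s %-8s %-6s %s" % hit)
    print(attempts_by_ip(flag_sqli(SAMPLE_LOG)))
```

The benign line whose parameter merely contains the word "select" is not flagged, because the indicators look for SQL structure (a quoted tautology, UNION followed by SELECT, a statement separator followed by a dangerous verb) rather than isolated keywords; pattern matching of this sort still produces false positives on real traffic and is a triage signal, not proof of compromise.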

Also testifying were Fred Chang, a computer science professor at Southern Methodist University and former research director for the NSA; Avi Rubin, a computer science professor at Johns Hopkins University; and Morgan Wright, CEO of Crowd Sourced Investigations, cybersecurity analyst for Fox News and Fox Business, and a former senior law enforcement advisor to the Republican National Convention.

Three of the four testified that they believe it's best to shut the site down completely.

The lone dissenter on that point was Rubin, who said he doesn't have enough information to decide, but that a security review of the site is definitely in order.

From Network World’s coverage:

I would need to know whether there are inherent flaws vs. superficial problems that can be fixed. If they can be fixed, that’s better than shutting it down.

Kennedy said that, given what he's been able to suss out from public records and reconnaissance of the site, he could break into its data stores within two days and steal the personal information of people who've used the site.

As Network World's Tim Greene reports, Kennedy demonstrated that he could redirect people trying to access the site to a lookalike site that could push malware allowing attackers to hijack their devices.

Kennedy’s explanation, via ABC News:

We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords. ... Anything that they do on their computer we now have full access to.

CBS News reports that Henry Chao, the project manager responsible for building the site, gave 9 hours of closed-door testimony to the House Oversight Committee in advance of this week's hearing.

A CBS News video clip shows the heavily redacted security report that Chao claims he never saw.

Chao told the House Oversight Committee that his team told him there were "no 'high' findings", "high" being the government's "high risk" rating, which designates a vulnerability that can be expected to have a severe or catastrophic adverse effect on organisational operations, assets or individuals.

Vulnerabilities rated “high risk” could lead to identity theft, unauthorized access, and misrouted data.

It was Chao who recommended that the site was safe to launch at the start of October.

When asked if he found it surprising that he hadn't seen the memo advising of high-risk vulnerabilities on the site – a highly redacted version of which was shown in CBS News's report – he said that yes, of course he was surprised:

Wouldn't you be surprised, if you were me?