Saturday, November 16, 2013

Healthcare.gov should be shuttered

Or at least until the security problems that may or may not be there are resolved. I don't care where you sit in the Obamacare debate.  Whether you think it's a good idea or a bad idea doesn't matter.  If you're an infosec professional and you aren't talking about the security of healthcare.gov to your friends and business associates, you're falling down on the job.  Who, you? Yeah, I'm talking to you.  As an infosec professional, you have unique insight into security problems that the general public doesn't have.

Can the US Government procure IT security successfully?
In a speech today, the president admitted that "one of the things [the US government] does not do well is information technology procurement."  Having worked around government IT for years, I think that's a gross understatement.  But okay, so at least he knows we suck at IT procurement.  Surely we do a better job at information security, right?  I mean, security is probably separate from "IT procurement" in the president's mind.  So I'm sure they've got the security of healthcare.gov worked out.

Or maybe not…
Earlier in the week HHS sources noted that public and private sector workers were operating 24/7 to get the site fully functional.  Certainly they're following best coding practices while working 24/7.  I'm sure there's a project plan, complete with regression tests so nothing bites us from a security perspective.  After all, when was the last time re-coding something introduced a bug?  But the interesting part is that for all the talk of fixing the site to ensure that it is available, I rarely hear people talk about security (or how security can be ensured in such a rapidly changing code base).

But that’s not the worst of it!
The person at HHS responsible for deploying healthcare.gov didn’t know that end-to-end security testing hadn’t been completed when the site went live on October 1st.  He testified to Congress that details of existing security problems had been hidden from him (literally claiming that he didn’t get the memo).  This points to a clear failure in the security of the site when the person making go/no-go decisions isn’t “in the know” on critical security issues.  When asked if he thought that healthcare.gov was as secure as his bank website, he refused to answer and said instead that it “complies with all federally mandated security standards.”  Whoa! WTF??? Hold the phone… you want me to put my personal data on the site when you have no confidence in it? Yeah, that’s pretty much insane.  Based on this alone, healthcare.gov should be taken offline.  That is until such a time as government officials can answer under oath that it is as secure as my online banking site (which I think, by the way, is a pretty low bar).

But are there really critical security issues?
I’m guessing that there are.  The site is vast, complex, and there have already been hushed reports of information disclosure vulnerabilities.  The fact that vulnerabilities were discussed in closed sessions in Congress tells me that there is something to hide.  I’m guessing that “something” is huge.  I’ve performed security testing on similar sites of lower complexity and found serious vulnerabilities.  If you’re thinking that the government contractor who developed healthcare.gov is better than those I’ve had the privilege to test, just remember that the same contractor can’t keep the site online under even moderate load.  How sure are you that their security engineering is better than their availability engineering?  Remember, this question isn’t rhetorical: you’re literally betting the confidentiality of your private information on the answer.

Call to arms
Hopefully this has given you some food for thought.  I’d like to point out that I haven’t performed any security testing on healthcare.gov (I don’t have a CFAA letter and I’m too pretty for jail).  However, if this has gotten you thinking, then spread the word to those who will be using the site.  Better yet, call your congressman and demand independent end to end security testing of the site.  The fact that the site went live without it is a huge failure, and it’s one we can’t afford to continue.

Wednesday, November 13, 2013

Infosec Community Support

This is a non-technical post and doesn't have anything to do with security (other than the people involved).  Last night I got off the plane in SLC to speak at the Paraben Forensics Conference.  My twitter feed was blowing up with the hashtag #ada.  A great guy in the infosec community, @erratadave, was losing a family member to a long fight with kidney failure.  She's only four years old.  Her remaining kidney finally kicked out and they didn't expect her to make it through the night.  She apparently wanted to see her name in lights, trending on twitter. 

To see the outpouring of support from the infosec community, check this twitter link.  The outpouring was unreal. I couldn't believe how many people, and how many big names (Dan Kaminsky, RSA, etc.) came through and tweeted out support for this little girl.  I don't think the tag ever trended, but the support was absolutely inspiring.

Seeing this level of support was just awesome.  If you are part of this community, give yourself a pat on the back. We may have our disagreements, but we do a great job of supporting when it's really on the line.  If you're successful in this field, you're probably a type A+ personality.  I'm not proud of it, but I've sacrificed family time for work too many times to remember.  So take a minute today (if you happen to actually be at home) and hug your spouse, your kids. Tell them how much you appreciate their support.  Thanks for being a part of this community. You make it great.

Friday, November 1, 2013

Fake Affordable Care Act Websites

I saw this story about fake Affordable Care Act (ACA) sites that came through my news feed today.  I love this story. I actually tried to find a few fake sites using Google searches, but I didn't find sites immediately (and I'm lazy, so I just started writing this instead).

I've been using fake insurance/health benefits sites in my social engineering attacks for years.  It's one of my "go to" techniques.  But of course, here the attackers are taking advantage of the fact that everyone has seen information about the ACA in the news.  I'll be starting a new SE engagement this month and you can bet I'll be mentioning the ACA in my emails and phone calls (I'm opportunistic like that...).

But if you missed the story before (or thought it was hogwash), pay heed.  Real attackers (you know, guys without a CFAA letter) are using this.  If you run a security program, now might be the time to let your employees know to be on the lookout for this specific attack.  You might think that a gentle reminder about generic security and social engineering threats would be more effective than homing in on a specific attack.  I'm here to tell you that's not the case.  It's been my experience that warning about specific attack scenarios has a much higher (short term) rate of return.

Do your users a favor, tell them to be suspicious if contacted about ACA related issues, particularly if not being directed to a .gov website.  Tell users not to rely on seeing their company name in a URL.  I regularly create subdomains in my SE sites, so users will click on http://companyname.evilsite.com.  I find the warnings telling users to check for "secure" sites to be relatively hilarious.  It takes less than nothing to get an SSL cert for your site.  Any attacker worth their salt has purchased a certificate, so this isn't a reliable check either.  Bottom line: your users need to know what's currently being used in attacks.  Yes, they should be always vigilant.  But I view these warnings like knowing where the local speed traps are.  You should always drive the speed limit, but knowing where the speed traps are will help you avoid getting a ticket even if you do live on the edge.
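
For teams that want to back the user warning with a mail or proxy filter, here is the same advice as a link check. This is an added example, not code from the original post; the brand string, the owned-domain list, the ACA keyword set and the sample links are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed for this example: the brand string and the domains the company really owns.
BRAND = "companyname"
OWNED_DOMAINS = {"companyname.com"}
ACA_TOKENS = {"aca", "obamacare", "healthcare"}


def under(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess(url):
    """Return the reasons a link deserves suspicion.

    The scheme is ignored on purpose: https says nothing about who runs the site.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no-host"]
    owned = any(under(host, d) for d in OWNED_DOMAINS)
    is_gov = host.endswith(".gov")  # .gov must be the final label, not merely present
    tokens = set(re.split(r"[^a-z0-9]+", (host + parts.path).lower()))
    findings = []
    if BRAND in host and not owned:
        findings.append("brand-in-foreign-host")  # company name used as a subdomain
    if tokens & ACA_TOKENS and not (is_gov or owned):
        findings.append("aca-theme-not-gov")
    return findings


# Constructed sample links, not real observations.
SAMPLES = [
    "https://www.healthcare.gov/",
    "https://benefits.companyname.com/aca",
    "https://companyname.evilsite.com/benefits/aca-enrollment",
    "http://companyname.com.evilsite.com/login",
    "https://healthcare.gov.evilsite.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, assess(link) or "ok")
```

The ownership test compares the end of the hostname against an allowlist rather than searching for the company name, which is why the two `companyname` lures are flagged while the real benefits host passes.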