Explaining security issues with healthcare.gov

I recently testified in front of Congress last week to the House and Science Committee on the issues still plaguing the website. I first want to say a special thanks for Chairman Smith who did an excellent job mediating what at times became a very hostile environment. I have to say, Chairman Smith is absolutely a stand up individual and someone that I truly respect and admire. On the same term, Congresswoman Edwards was less than pleasing and only seemed to focus less on security and those of politics. It went even as far to thank two members of the panel on their service to this country and conveniently leaving out my several years in Iraq and service under the United States Marine Corps as a direct snub. Regardless, I still respect her opinions and her service to the people she represents, even if I didn’t receive that same.

To clarify for the folks that watched the testimony (http://science.house.gov/hearing/full-committee-hearing-healthcaregov-consequences-stolen-identity), I was asked if I’ve done work for the federal government in the past. The answer to that is absolutely, I have. Without letting me respond, my testimony was recommended to be stricken from the record because I didn’t fill out the appropriate answers on the witness disclosure form, called the “Truth in Testimony”. For a link to my filled out testimony form, click here. Under TrustedSec (whom I disclosed I was representing), we focus in the private sector. We have no federal grants, contracts, or subcontracts – we keep plenty busy working to protect corporations. My answer was simply stating that I have worked with the federal government in the past as a CSO of a Fortune 1000 company as well as in my prior role at a different company after I had left the United States Marine Corps. Never as TrustedSec. Instead of being able to answer, I was cut off and that was it. Thankfully Chairman Smith allowed me to comment eventually and clarify. Again, it went to politics, instead of focusing on the issue at hand and acted as a distraction to fixing the real issue – that of security.

It’s unfortunate that politics are a discussion in a more broader issue around security. The focus shouldn’t be on politics, but fixing the federal governments security issues, and there are many. The federal government has notoriously had poor practices all around and it’s not getting fixed anytime soon. One of the arguments from one of the panel I was on from Waylon Krush is that the federal government exceeds those of the private sector. I have to fundamentally disagree with this. Complying to the Federal Information Security Management Act (FISMA) of 2002 is easier than any other regulatory or compliance standard the private sector has to accomplish. In addition, equating compliance to actual security is another big misnomer. The National Institute of Standards and Technology is by far one of the largest set of guidelines and solid practices on how to implement security. Unfortunately they are guidelines, not rules for adherence. The 800-53 is required, but more of a checkbox on what organizations should do and left for open and complete interpretation. As with any standard, it’s up for interpretation on how deep to go on any assessment.

The healthcare.gov website is an interesting one. I don’t think by any stretch it’s the only website out there with massive flaws or a rocky development process that does not incorporate security into the testing. This spans all of the government both at federal and state levels. It’s apparent there are flaws on the website today, and continue to be new flaws introduced to the site as the website becomes more complex and new features added. I wasn’t alone in this interpretation, several other highly respected security experts including Ed Skoudis, Kevin Mitnick, Chris Gates, Chris Nickerson, Eric Smith, John Strand, and Kevin Johnson also came to the same conclusion. Also a special thanks to the security researcher Bob Rich and his fantastic analysis of healthcare.gov. A copy of their opinions can be downloaded here.

I used the example in my testimony that if I had 14 years of being a mechanic instead of INFOSEC and a car drove past me and the engine was smoking and making clanking sounds, oil was dripping from the exhaust and blue smoke everywhere, as an experienced mechanic, I can make the determination that the car is messed up. Have I seen the engine or even attempted to make a diagnosis of the engine? No. To Waylon Krush’s comment, it is true – it is speculation on how bad the inside is, but as an experienced application security/exploit researcher, I can tell you that it’s not good under the hood. You can tell how a website was designed just by visiting the site and performing no malicious attacks whatsoever.

I want to emphasize this, there was no “hacking” or “cracking” at all on the website. We didn’t test for SQL Injection, run scanners, port scan the website, or even modify input parameters. Anything of that sort is offensive and not within my rights or am allowed to perform. We did no active testing, or attempt to expose sensitive information or bypass any security mechanisms on the site. None at all, end of story. The 70,000 mark of information disclosure being reported was through using a basic Google search terms and browsing through a web browser. There are techniques you can use through Google, such as reconnaissance on the website, and just clicking through links that gave me enough information about how the site was developed and how security was very much an afterthought. It’s bad, and I’m not alone in that determination from the initial launch of the website and continues to be now. In stating all of this, HHS has hired respectable companies to perform testing (way after the launch). The hope is that they given enough time and are allowed to perform full scope assessments including source code analysis, and dynamic testing. To what extent this testing has occurred is an unknown, but the fixes haven’t been put in place from what we can see.

Even taking our research out of the equation, check out the website securityheaders.com (a website that analyzes basic configuration issues):

I quote: “www.healthcare.gov scores worse than approximately 50% of sites out there.”. While this is just a basic snapshot, there are many more that haven’t been disclosed due to the findings still there, there is no doubt in my head as well as others that the website maintains a level of insecurity.

Ethics, truth, and morality are two important pieces on how I run my life and how we do things here at TrustedSec. We would never disclose information that could harm others or do something because it drums popularity in the media. If HHS ever wants help, it’s theirs for free. This also includes without any form of disclosure or talking about it to anyone that we assisted, as always, the highest confidentiality. Our intent is to help others, protect, and make better, not make it worse.

To what extent and how bad, only the folks inside HHS can know that for sure. All I know is that, I would be very concerned about what we found. A much larger picture of this is wide-spread and reaching to all of the federal and state websites and core infrastructure. Only detecting “32″ attacks shows a lack of formal detection capabilities and as of November, didn’t have a dedicated security operations center or the capabilities of detecting attacks (public knowledge). Just on numbers alone and how often any website that we’ve ever encountered gets attacked, they should be seeing thousands. This doesn’t mean that HHS isn’t doing their job, or the folks over there aren’t brilliantly talented or amazing, it simply means that security was not built into the website infrastructure/development practices and continues to not be.

We need to focus on broader laws and an overall governance structure on security within the federal and state levels. A single organization that is responsible for ensuring the security of our government. I hope that instead of politics, there is a focus on being proactive around security and protecting our infrastructure.

Is healthcare.gov “FISMA” compliant? Sure. Does that mean it has any form of real security built into it? No, not at all and not from the beginning. The head of security that had to sign off on the security of the website during its launch wouldn’t, and was forced out the door, just another example.

Lastly, I would like to close with a quote from Alex Hutton that hits home and where we need to be in the federal and state levels:

“Typically, when our government has needed to rely on the practices of the industry to ensure the safety of its citizens, there has been some oversight function. The CDC, NTSB, FDA, EPA, SEC, etc. have all been created to ensure that industry is serving the greater good of the citizens. In many cases, in order to understand the right policy – these organizations have needed to collect data and conduct research.

The time has come for similar oversight in the cyber arena. Much of our critical infrastructures and economy depend on organizations operating safely in cyberspace. As such, the United States Government has the same (if not greater) interest in understanding the outbreaks and causes of incidents in cyberspace as they do for the nature and spread of diseases, food-bourne illness, or the root causes of airline accidents. A National Cyber Safety Center can help business prevent, detect, and respond to serious cyber threats – creating a resilient national infrastructure.” – Alex Hutton

A special thanks to the entire House Committee on Science, Space, and Technology for listening to me for a second time. I thank them for their opinions, perspective, and insight. Also especially to Chairman Smith who has a large focus on working to better INFOSEC in the government, not make it worse.

This blog post was written by David Kennedy – CEO of TrustedSec

Update 1: There’s been a few stories running around in the media around accessing 70,000 records on the healthcare.gov website. Just to note on this, we never accessed 70,000 records nor is it directly on the healthcare.gov website (a sub-site for the infrastructure). The number 70,000 was a number that was tested for as an example through utilizing Google’s advanced search functionality as well as normally browsing the website. No dumping of data, malicious intent, hacking, or even viewing of the information was done. We do not support the statements from the news organizations. From a previous blog post, the information shown in the python script was sanitized and not used through Google scraping (urllib2 python module). We’ve reached out to the news agencies to clarify as these were not our words.

Update 2: The Washington Times – the author of the story responded and is correcting the article to reflect accurately. Special thanks to them and the fast response.

Update 3: Trollers be trolling. Recently an anonymous (not the group) individual called “NoBiasInfoSec” started coming out making claims that I violated something and hacked the site. In conjunction with that, a number of media organizations came out with news articles saying “David Kennedy CRACKS healthcare.gov!” which is not accurate. Not my words or anything related to what was performed and my testimony.

I contacted a number of the media organizations to clarify the terms cracking and hacking and that none of those were involved. Clearly to get the accuracy down of what occurred. It’s purely to clarify what is being said in the media and misunderstanding of information thats being presented. I could have probably explained better. It’s often hard to communicate technical issues, not disclose them, and to the public, and appease everyone on exact clarity. Regardless, here’s the explanation to clear the air.

First, this individual NoBiasInfosec is nuts and solely dedicated in spreading misinformation based on a subject he or she has very little experience in. A blog post was created here: http://70000in4mins.wordpress.com/ that goes purely based on speculation and the sheer lack of any technical prowess at understanding the basic concepts of security or even read any of my testimony from earlier times. There’s a reference of a tool that he claims is the smoking gun on how this isn’t accurate and that my Google search terms don’t show up (had to laugh at this one because he directly took the tool output and Googled it – lol). If he or she had even read my written testimony in November, he or she would have seen section 3.5 which shows the initial profile links on Google and the dork which was the Google aspect discussed. The second is a web browser piece which I can’t disclose the details of that as it’s still there. Happy to release when its fixed. The Python script you see is nothing fancy, it uses urllib2 to emulate reading a browser and the specific screenshot (picture here: https://www.trustedsec.com/files/healthcaregov_secure_4.png.

Note that this was created to show both party members of Congress a demonstration which was requested. There was a pre-briefing before the hearing (approx an hour or two before the actual testimony in November) where both sides were in a room and we discussed the issues. Additionally, the exposure was communicated to prior to the briefing. I was asked back in November, how many users, I picked a number 70,000 to identify if it went that high and it did. Could it go higher? Absolutely and not sure how high it goes. The 4 minute comment? How long it took me to write the 11 lines of code that you see in the sanitized image which is a urllib2 request. Didn’t cycle through the 70,000 or dump any data, just saw the numbers represented back on the sanitized display that you see there. Again, all through pure website browsing that you can do in your Internet Explorer, or Chrome. All parties were briefed well prior to any of this and members tasked with fixing the site which also included submitting bug ticket numbers to the development team on addressing these issues.

The individual hides behind being staying anonymous and hiding in the shadows. Instead of hiding, come out and explain your experience and why you believe so passionately about and your experience instead of throwing things out there to get recognition for whatever motives you have. I have a feeling that’s not going to happen. Anyways, I’ve explained myself, judge with that whatever you will – all parties are aware and know the exact exposure identified and were briefed in the November testimony.

Haven’t disclosed the web browsing stuff as that would put the information at risk. My purpose has never been to point fingers on where the process broke down and the issues that arose from the site – just that we need to work broadly in the federal government to fix all sites including healthcare.gov. FISMA shouldn’t be the standard we hold up as a flag on security. The stories you read in the media are overblown and without any basis from me. I’ve gotten some good kicks from this one individual for a bit. It’s progressed to a minor annoyance now which is the reason for this post. Trollers be trolling. I expect this type of stuff from folks, it’s the nature of dealing with a highly political topic and one that I had hoped would stay on a discussion around security versus anything else.

Update 4: To clarify the comment “We do not support the statements from the news organizations.” was a direct reference to websites that the healthcare.gov website was hacked or cracked. Not an accurate statement. The 70,000 plus pieces of personal information is still exposed to this day and affects the infrastructure of healthcare.gov.

Chris Wallace did an excellent job on the interview and accurately portrayed the questions spot on. Same for Jim Finkle from Reuters, accurate reporting and interviewed me directly. The site is vulnerable today and this is one of many exposures that are still present on the website. A recent MSNBC story couldn’t even get the word passive reconnaissance or querying correct (passer reconnaissance and ‘queering’).

Comment from Chris Wallace: You say you did not hack the site and, yet, you say you could access 70,000 records of various people who have signed up for health care under – at the website within four minutes. How do you know that if you haven’t hacked the site?

My response: That’s a great question. There is a technique called – what we call passive reconnaissance, which allows us to query and look at how the website operates and performs. And these type of attacks that, you know, I’m mentioning here in the 70,000 that you’re referencing is very easy to do.

Statement is accurate that there is an exposure today that allows you to see a significant amount of information (70,000+) about individuals that have registered for the site. The website still continues to have issues today and that hasn’t changed. As soon as the website is fixed and this exposure is no longer there, I would be happy to share the details (responsible disclosure). To the MSNBC report that there is no patient healthcare data on the website, it’s interesting as I’m not aware that it has ever been an argument for either political party. It’s been clear from day one that no PHI data is stored however the major concern was identity theft from your personal information as well as the integration into multiple government agencies including the IRS and DHS. That is the major concern. Losing your identity is significantly worse than losing a medical record. Having the ability to perform medical fraud, is much worse than having access to what medical procedures or ailments you have.