YES WE CAN! (deploy a website without security and expect everyone in the nation to put their personal details into it)
Zep whpcd as Sdefp Ihfctv jfg ti!
Hackers In The House
I sat in horror and increasing rage inside my office watching the live online stream of the House committee’s Science and Technology meeting concerning the security of healthcare.gov. Horror and rage that were fuelled by cogent statements made by a panel of security experts that shone light on the fact that the US government had completely abdicated any responsibility for security on the healthcare.gov site. My rage came from the responses by House members who for all intents and purposes but by the grace of god have the ability to wipe themselves in the morning after their daily ablutions.
The hackers or more to the point security professionals that included @hackingdave made a reasonable argument that the healthcare site was in fact fundamentally flawed where security was concerned and that it seemed that the government had in fact not considered the security import of the nature of the data they were to traffic in. SQL flaws are abundant on the site and the interconnections to backend databases including places like the IRS will make it the single point of failure for what I am sure will be the world’s largest compromise of PII data on the planet short of the machinations of the NSA.
While I understand that many of the players in the House committee are not technically capable of even programming a blinking VCR properly, I expect that they could actually listen and comprehend the basic fact that identity theft is a large issue today in the world and that this site would be a gold mine to anyone perpetrating such a crime. It seems though from watching many of these dullards’ questions to the panel this week that most in the halls of power cannot conceive of anything more than what they are going to have for lunch later and what party line they are going to toe.
Healthcare.gov Is A Ticking Time Bomb
To put it plainly the healthcare.gov site is a bomb just waiting to go off. The vulns that were discussed in the hearing and on the blogs thus far are not out of the capabilities of many of the bad guys online today and will be exploited. …That is if they haven’t already. What I heard in this hearing made me cringe due to the ease of the attacks as well as the seeming lack of due diligence on the part of the Canadian firm that made it not to mention the US government’s abdication of controls to be implemented in design.
As the panel pointed out the federal government wants us to not only become accustomed to using all of our PII to log into this shitty site but also that by inference, they don’t give a damn about our privacy never mind our PII or HIPAA data by the size of things. All that really counted in the creation of the healthcare.gov site was the speed at which it could be implemented. Something that as we have seen also caused as another byproduct, a shitty infrastructure that failed to handle the load required. Now ponder the code errors that live within the massive amount of code and your head will explode from the security failure potential here. I am pretty sure that the code has not been vetted properly from a rugged devops standpoint so let’s just assume that it is riddled with bugs.
Lest we not forget too all of the back-end database connections, infrastructure design, and implementation that in all likelihood is greatly flawed as well and one might lose sleep at night. I sat through the committee meeting also wondering about what mitigations that they may have for security on the DMZ/Back-end/internally such as SIEM, Firewalls, and IDS/IPS. Do they have any? A question came up in the meeting that had me even wondering IF they were logging event logs for security at all within this Rube Goldberg device they are calling healthcare.gov as well.
In the end I think the House and the Senate should really look at this whole issue and DEMAND that an accounting be made of the security that may or may not have been built into this site’s code base, the way it is run, and all the connections to the various back-ends in other government facilities and databases BEFORE we start signing up anyone else to it. I don’t give a fuck about the politics of it! They have done a shitty job of protecting the American citizen’s interests here from both parties’ machinations and it has to stop.
Perhaps “someone” should start a petition on the whitehouse.gov site for an investigation to be carried out?
Just a suggestion…. Or wait.. Is that site down now too?
Oh well it’s not like all this security stuff matters really I guess judging by the response of the media to this story. A day after the hearing only one major news source (ABC) had a story that Google could find. The rest of the media seem to be blind or ignoring the large bag of fail that is the security posture of the healthcare.gov site. Even now days after the fact the news media seem rather tepid on it all. We will, I suppose, have to wait until the ultimate compromise happens to a majority of the US citizenry’s PII data and other records before it makes it even to NPR as a story huh?
What makes me wonder though is why none of this seems to be lighting a fire under anyone other than the security community? Is it because as we all well know in the industry that we speak a foreign language to the rest of the world? Is it because we are seen as Cassandras or boys crying wolf? I am flummoxed about this really and I could spend time pondering over the psychological aspects of denial and comprehension of security risks but I find of late there just is no point anymore. We are fucked and there is naught we can do about it. I think Dave and the panel could probably attest to that now but probably more so as time passes and nothing is substantively done about the security of this site.
So go get your healthcare people! For every 100th visitor your data gets a free trip to Ukraine!