
No security ever built into Obamacare site: Hacker - 001sky
http://www.cnbc.com/id/101225308
======
tptacek
This sounds like grandstanding horseshit. Fewer than 1 in 10 companies we work
with even attempts to "build security in from the start", and far fewer come
close to succeeding. Any consultant that told a client to "start over from
scratch" after finding little more than _open redirects and username
enumeration_ † would be laughed out of the room. Actually, scratch that: you
can expect to be laughed out of the room for suggesting a rewrite after
finding remote code execution.

Like every other piece of software put on the Internet by the government,
banks, health care consortiums, arms manufacturers, cat sharing startups or
network equipment vendors, Healthcare.gov will achieve some semblance of
security over the long term by having the crap beat out of it in production.
Hopefully by good people first. They won't get there by starting over on the
advice like this.

This story is an embarrassment for my field.

† _I found the "report" to Congress; documented vulnerabilities include
"undisclosed", open redirects, attacker control over the XML output of a
search endpoint, a "test" subdomain on the Internet (no additional findings),
Google search results with the token "test" in them (no additional findings),
publicly indexed profiles on DATA.HEALTHCARE.GOV (the public dataset site),
username enumeration via "this name taken" errors, the fact that they use
Experian, the presence of jquery.fileupload.js, and CORS. I'm not sure any of
these would even be sev:medium in a Matasano report; many would be sev:info,
and a few, like Experian, wouldn't be documented at all._
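
Two of the findings named in that footnote, open redirects and username enumeration via "this name taken" errors, are cheap to get right. The following is an added example, not code from the report or from Healthcare.gov; the host names and the account store are made up for the illustration. It shows a redirect-target check that keeps a post-login `next` parameter on the first-party site, and a registration handler that gives the same on-page answer whether or not the username exists.

```python
from urllib.parse import urlsplit

# Hypothetical first-party hosts for this example (not Healthcare.gov's real set).
ALLOWED_REDIRECT_HOSTS = {"app.example.gov", "www.example.gov"}


def is_safe_redirect(target: str) -> bool:
    """Accept a post-login 'next' parameter only if it stays on our own site.

    Rejects absolute URLs to foreign hosts, scheme-relative '//host/...' URLs,
    backslashes (some browsers treat '/\\evil' as '//evil'), header-injection
    characters, non-http(s) schemes and 'https://good@evil' userinfo tricks.
    """
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with a single '/'.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname in ALLOWED_REDIRECT_HOSTS


# Constructed account store for the enumeration example.
EXISTING_USERS = {"alice", "bob"}


def register_leaky(username: str) -> str:
    """The 'this name is already taken' pattern: the response itself reveals
    which usernames exist, so an attacker can harvest valid account names."""
    if username in EXISTING_USERS:
        return "That username is already taken."
    return "Check your e-mail to confirm your account."


def register_uniform(username: str) -> tuple:
    """Same on-page response either way; the distinguishing message goes
    out of band to the e-mail address on file. Returns (page_text, mail_text).
    Timing and rate limiting still need attention, which this toy ignores."""
    if username in EXISTING_USERS:
        mail = f"Someone tried to register {username!r}, which is already your account."
    else:
        mail = f"Confirm your new account {username!r}."
    return "Check your e-mail to finish signing up.", mail
```

The redirect check works on the parsed URL rather than a string prefix, because `https://app.example.gov@evil.example/` and `//evil.example/` both start with text that looks first-party. The uniform handler closes the obvious oracle; response timing, password-reset and login error paths need the same treatment before enumeration is actually gone.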

~~~
andrewflnr
I don't think it's unreasonable to expect that a website which people are
legally obligated to use by a certain deadline, entering very sensitive
information in the process, have a decent standard of security at launch. I
don't see "having the crap beat out of it in production" as a good strategy here,
and it certainly is worth complaining about, even if not worth re-writing over.
Would you be comfortable entering your SSN at healthcare.gov?

~~~
patio11
Fun fact: You can guess an individual's SSN using information often available
on their Facebook profile and about 100 lines of code. (Someone demonstrated
this to me using a TI-82 program in high school. The result has since been
replicated in more reputable literature.
[http://www.ssnstudy.org/](http://www.ssnstudy.org/))
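
The regularity behind that guess is the pre-2011 structure of the number itself. The following is an added illustration, not the study's code or the TI-82 program: it encodes the publicly documented issuance order of the middle "group" digits and shows how, given one anchor number issued in the same state at about the same time (a relative's number, or the high-group list the SSA used to publish), the target collapses from a billion possibilities to a short window. The area `123` and the window width are placeholders chosen for the example.

```python
# Structure of an SSN issued before the SSA randomised numbers in June 2011
# (public SSA documentation): AAA-GG-SSSS. The area AAA was tied to the
# issuing state, the group GG was handed out in the fixed order below, and the
# serial SSSS ran 0001-9999 inside a group. Numbers issued in one state at
# about the same time are therefore neighbours in this ordering, which is the
# regularity a date-and-state-of-birth guess exploits.
GROUP_ORDER = (
    [1, 3, 5, 7, 9]            # odd 01-09 first
    + list(range(10, 99, 2))   # then even 10-98
    + [2, 4, 6, 8]             # then even 02-08
    + list(range(11, 100, 2))  # then odd 11-99
)
SERIALS_PER_GROUP = 9999


def position(group: int, serial: int) -> int:
    """Rank of (group, serial) in issuance order within one area."""
    if not 1 <= serial <= SERIALS_PER_GROUP:
        raise ValueError("serial must be 0001-9999")
    return GROUP_ORDER.index(group) * SERIALS_PER_GROUP + (serial - 1)


def from_position(pos: int) -> tuple:
    """Inverse of position(): (group, serial) for an issuance rank."""
    group_idx, offset = divmod(pos, SERIALS_PER_GROUP)
    return GROUP_ORDER[group_idx], offset + 1


def candidate_window(area: int, group: int, serial: int, width: int) -> list:
    """All SSNs within `width` issuance positions of a known anchor in the same
    area. The anchor could be a relative's number or, as in the study, the
    published high-group for that area and year. `width` is an illustrative
    guess, not a figure from the study."""
    centre = position(group, serial)
    lo = max(0, centre - width)
    hi = min(len(GROUP_ORDER) * SERIALS_PER_GROUP - 1, centre + width)
    return [f"{area:03d}-{g:02d}-{s:04d}"
            for g, s in (from_position(p) for p in range(lo, hi + 1))]
```

Note that group 09 serial 9999 is immediately followed by group 10 serial 0001, not group 10 by group 11, which is why naive "nearby numbers" guesses that treat the group as a plain counter miss. The remaining work in the real attack is estimating the anchor from birth date and state, which is where the public-profile data comes in.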

~~~
borski
Man I remember learning this and having my mind blown. It's scary.

------
danso
In a project this convoluted...not in terms of actual feature complexity, but
the shitwork that was generated by bureaucracy and political infighting...how
could Healthcare.gov _not_ have serious issues with XSS and SQL?

Think back to Egor Homakov's amazing hack of Github using a Rails
vulnerability well known to the Rails core team, who argued it was not an issue
because only fools wouldn't use attr_protected. Github has brilliant
programmers and (one would hope) a well-oiled engineering environment and
still was vulnerable to this fatal flaw.

Now imagine a project with far lesser engineers, highly paid but no real
ownership, controlled by people who care more about political deadlines than
actual functionality. And top it off with what seems like a hodgepodge of
arcane technology and processes. How could there not be at least a few
catastrophic holes?

On a sidenote...I've seen a few references to "MarkLogic" being the datastore
for Healthcare.gov. It's not open-source and has little adoption in the
developer community:

[http://slashdot.org/story/13/11/24/1437203/nyt-healthcaregov...](http://slashdot.org/story/13/11/24/1437203/nyt-healthcaregov-project-chaos-due-partly-to-unorthodox-database-choice)

Whose genius idea was it to use a non-notable proprietary database software
for this? And what was the reasoning? Technical, or political?

------
Amadou
I don't have the reference handy, but I recall an article from this past
Summer that said the designers of the site had put security on the back-
burner. Their plan was to get the system working and worry about security
afterwards.

That really alarmed me. Being more than a little involved with security
implementations over the last decade, the #1 rule is that you can't tack-on
security afterwards. If you try, it will be fragile and ultimately
ineffective. You absolutely must design with security as a major requirement
from the start.

So, I am not surprised to see this report, it lines up exactly with what I've
been expecting since Summer.

~~~
tptacek
Well then the #1 rule is also the most widely violated rule on the Internet.

~~~
Amadou
Yep. Hence the constant stream of security issues.

------
mcphilip
>According to the Department of Health and Human Services, which oversaw the
implementation of the website, the components used to build the site are
compliant with standards set by Federal security authorities.

This sounds similar to saying the steel plating on the Titanic was compliant
with industry standards. All because you have sound components doesn't mean
they will result in a sound product. Unfortunately, I don't expect many people
outside this industry will realize how hollow this statement is.

~~~
elwell
You'd think by now someone would have done a weekend project open-source
version of this site. I wonder if the specs are available (I have no idea how
involved the site actually is, but surely it's not 500M LOC worth.).

~~~
patio11
I think you may have misunderestimated the scope of this "site." To be fair,
you'd be in pretty good company with many people in the Administration.

The following would not be easy to complete during your weekend:

1) HIPAA compliance

2) Verifying income against IRS records to determine eligibility for
subsidies.

3) Automatically forwarding gathered information to insurers, in a patchwork
quilt of formats, many of which are under-specified

I believe one could get to at least two dozen requirements which are similar
in complexity to the above three without breaking a sweat.

~~~
jonknee
Also verifying citizenship with DHS, verifying no benefits are currently being
received by Medicare, Medicaid or through Veterans Affairs. I'm sure a lot
more.

It's a nightmare combination of legacy DB integration where if you make one
mistake that ends up in an illegal immigrant getting healthcare your ass will
be hauled into Congress to testify.

------
plcancel
The bit about the federal government not being required to alert users to any
security breaches is alarming as well.

I guess that's not surprising. But, "monitor your own credit" isn't a risk I'm
willing to take just to use a barely functioning website.

------
wdewind
This guy claims SQL injection and XSS.

~~~
tptacek
Where did you see those claims? I would not be amazed to learn that there was
SQLI on the site, but I don't see it in his report.

Are you talking about his report to the press earlier in November? He appeared
to have been referring to cached search autocomplete terms with SQL syntax in
them, evidence of people attempting SQL injection against the site. Which, of
course, people would do whether the site was Healthcare.gov or CatBnb.com.

~~~
wdewind
Maybe he didn't; I tried to guess what he meant when he says,

> "Everything from hacking someone's computer so when you visit a website it
> tries your computer back to being able to extract first names, last names,
> locations"

at 0:24 and guessed XSS + SQLI but I could be wrong about the SQLI now that
I'm paying closer attention to how he phrased it.

------
rdtsc
"Poking and prodding" can get them in legal hot water. I understand (and
please correct me if I am wrong) only the NSA, legally, is allowed to "poke and
prod sites". Well, and I guess by "legally" you can interpret that as "they are
legally allowed to" or "nobody is really prepared to tell them no".

Anyway, a lot of anti-hacking laws are written such that "poking and prodding is
not benign"; admitting to too many details of that on national media might be a
case of bad judgement.

~~~
theboss
You are very wrong. Poking and prodding is completely legal and isn't going to
send anyone to jail.

He's not performing a full pen-test on the site. He's not looking to get a
shell. He's just checking out best practices. Is there an HSTS header? Is my
input validated? Etc., etc.

The main hacking law that applies here is the CFAA and Dave definitely isn't
violating it. To violate it you have to access something you're not allowed
to. Nobody will EVER go to jail for an XSS or the types of things he's poking
around for. This is because the computer the code is running on is his own....
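
The "is there an HSTS header" kind of check is genuinely passive: it reads a response the server sent to an ordinary request and supplies no input of its own. As an added example (not anything from the report or from the site), here is that class of check run over a constructed response head; the headers and thresholds are illustrative and the six-month HSTS floor is a common minimum rather than a rule from the page.

```python
import re

# Constructed HTTP/1.1 response head standing in for a real server's reply.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=3600\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

SIX_MONTHS = 180 * 24 * 3600  # a common minimum for an HSTS max-age


def parse_response_head(raw: bytes) -> tuple:
    """Split a raw response into (status code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in lines if ":" in line]
    return status, headers


def check_headers(headers: list) -> list:
    """Passive checks: nothing here sends a request or supplies input."""
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    findings = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts[0], re.I)
        if m is None or int(m.group(1)) < SIX_MONTHS:
            findings.append(f"HSTS max-age too short or missing: {hsts[0]!r}")

    csp = h.get("content-security-policy", [])
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in h and not any("frame-ancestors" in v for v in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Cookie attributes: a session cookie without Secure can be sent over
    # plain HTTP; without HttpOnly it is readable by injected script.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit(raw: bytes) -> list:
    """Run every check against a raw response; returns the list of findings."""
    status, headers = parse_response_head(raw)
    return check_headers(headers)
```

The distinction matters for the legal argument in this thread: reading headers off a normal page load is observation, whereas "is my input validated?" means sending crafted input, which is active testing whatever the payload.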

~~~
tptacek
Reflected XSS testing can easily end up disrupting the whole site for every
user; all it takes is for input to some endpoint to get stored and replayed
across the site. Relying on the idea that any kind of active testing against a
site you don't own is safe, technically or legally, is a bad idea.

~~~
theboss
Reflected XSS? Do you mean stored? If Dave is testing for reflected XSS he's
going to be alert(1)'ing or using img tag....Which is not a persistent xss...

For reflected xss to affect every user on the site he's going to have to use
his own toolkit to send a malicious link to every user on the site....

~~~
tptacek
I mean _reflected_. The kind you _don't_ expect to get stored. If that's a
surprise to you, you might not test a lot of websites, because this comes up
somewhat regularly.

By the way, the XSS payload has nothing to do with the persistence of the
attack. You alert() stored XSS in testing too.
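
The mechanism being described, a probe aimed at a reflected sink that lands in a stored one, is easy to see in a toy. The following is an added example and not code from Healthcare.gov or from anyone in this thread: a search page that echoes the query (reflected) and also keeps a "recent searches" list shown to every visitor (stored, fed by the very same input). The `escape_output` flag switches between the vulnerable build and the fixed one; the payload is the same harmless `alert(1)` in both cases.

```python
from html import escape


class SearchPage:
    """Toy search page with a reflected sink (the results heading) and a
    stored sink (a 'recent searches' list on the home page) fed by one input.
    escape_output=False is the vulnerable build, True is the fixed build."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.recent = []

    def _out(self, s: str) -> str:
        # Contextual output encoding for HTML element content and attributes.
        return escape(s, quote=True) if self.escape_output else s

    def search(self, q: str) -> str:
        self.recent.append(q)          # every query is persisted, test probes included
        self.recent = self.recent[-5:]
        return f"<h1>Results for {self._out(q)}</h1>"

    def home(self) -> str:
        """What an unrelated visitor sees later."""
        items = "".join(f"<li>{self._out(q)}</li>" for q in self.recent)
        return f"<ul>{items}</ul>"


PAYLOAD = "<script>alert(1)</script>"


def demo(escape_output: bool) -> tuple:
    """One tester sends PAYLOAD once. Returns
    (payload live on the tester's own page, payload live on everyone's home page)."""
    app = SearchPage(escape_output)
    tester_view = app.search(PAYLOAD)
    other_view = app.home()
    return PAYLOAD in tester_view, PAYLOAD in other_view
```

In the vulnerable build a single "reflected" probe is now served to every visitor until someone clears the list; the persistence comes from the application's handling of the input, not from anything in the payload. Encoding at the point of output fixes both sinks at once, which is why output encoding rather than input filtering is the usual first line of defence.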

~~~
theboss
I do test a lot of websites actually but I misunderstood what you meant.

Like the other guy said, this area is grey. If he accidentally finds a stored
xss of the magnitude you suggest I'm 100% sure he still wouldn't go to jail.
Who tests with a malicious payload? There would be no malicious intent in the
situation and no unauthorized access...still.

~~~
tptacek
You didn't say this was a grey area. You said "Nobody will EVER go to jail for
an XSS" and then cited the CFAA as evidence of that fact, suggesting that you
might have some minor gaps on how XSS works and that you _definitely_ have
major gaps on how CFAA works.

Pro-tip: avoid stringing "Nobody will EVER go to jail for" and "CFAA" together
in the same paragraph.

~~~
theboss
Let me rephrase. Nobody will go to jail for the level of poking and prodding I
expect Dave is trying. I'm 100% sure the CFAA won't send anyone to jail for
alert(1)

My 100% is a gut feeling. I'll quit computers if I'm wrong

~~~
tptacek
I doubt anyone is going to get in trouble over the PDF report I read about
Healthcare.gov, but that's not why I'm commenting.

------
sehrope
This'd be a great use case for a bug bounty. It's a situation where you have
tons of bugs[1] and tons of cash to pay out a bounty. It'd probably be cheaper
to open source all the code and hire one full time person to manage the bounty
program than whatever they're trying out right now.

[1]: Pure speculation as I have neither used the site nor looked at the code
but I'm assuming most people will agree with me

------
lettergram
I'm sure by putting that message out there, we are about to see HealthCare.gov
be put to the test...

~~~
darkstar999
It has been and will be put to the test by all hat colors regardless of press.

------
espeed
David Kennedy's Bio: [https://www.trustedsec.com/about-us/leadership/](https://www.trustedsec.com/about-us/leadership/)

~~~
tptacek
His bio said he spoke at Black Hat. I can't find anything listed by him except
for an "Arsenal" talk, which is a lightning talk people can give about open-
source tools they've written. Can someone find a real BH talk this guy has
given?

~~~
espeed
Under his site's "Presentations" section
([https://www.trustedsec.com/downloads/presentations/](https://www.trustedsec.com/downloads/presentations/)),
it lists this talk...

"July 2010 – Blackhat and Defcon Presentation on PowerShell"
([http://www.trustedsec.com/files/PowerShell_Defcon.pdf](http://www.trustedsec.com/files/PowerShell_Defcon.pdf))

~~~
tptacek
Thanks. Yep, that counts.

~~~
hellokitteh
The guy co-authored the _Metasploit: The Penetration Tester's Guide_ book. Doesn't
the fact that you're unaware of this prominent person call into question your
own credibility?

~~~
tptacek
Exactly why would I be impressed by someone writing a trade press book about a
tool someone else wrote?

I know who HD Moore is. I know who Matt Miller is. They started the Metasploit
project. Most people in my field know those people. They're famous. HD Moore
has, last I checked, a special Metasploit Porsche. It says Metasploit on it,
in neon or some shit. (No disrespect to the Metasploitmobile, whatever it is).

Similarly: I know who Gordon Lyon is; he wrote nmap. Everyone knows him.

Who the hell knows the authors of _Nmap In The Enterprise: Your Guide To
Network Scanning_? Nobody.

The author of "Metasploit: The Penetration Tester's Guide" does not drive a
special Metasploit: The Penetration Tester's Guide Porsche.

------
kevin818
This is what happens when you build a website with contractors from several
different places. Things slip through the cracks, in this case security was
one of those things.

------
wavesounds
Does anyone in California know if you can get a discount on private health
insurance if you're currently unemployed (healthy non-smoker) trying to start
a business and don't want to sign up for Medi-Cal because the only doctors are
far away and crowded?

Also the Covered CA site has an expired security certificate.

------
Kilo-byte
sensationalist headline with little content to back it up

------
infra178
Smart power ™

------
hackinthebochs
I see a whole lot of blowhards running their mouths about _potential_ security
problems with the site. I've heard of one actual password-reset vulnerability.
If the site were completely full of holes like people claim, there would be
scores of "security research companies" clamoring to be the first to name
them. Yet we're not seeing that. I'm really not buying it.

~~~
borski
That's not quite right.

The site does have issues. Naming the vulnerabilities is subject to
responsible disclosure. Hypothetically, were Tinfoil Security to find any
issues, we would disclose them to the feds and give them ample time to fix the
issues (which, for the government, would potentially be months) before we went
out publicly to name what the issues were.

~~~
tptacek
Post a SHA1 hash or two, here or on Twitter. I believe you, but let's keep it
concrete.
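
The hash being asked for is a commitment: publish a digest now, reveal the text later, and anyone can confirm the finding predates the fix. As an added example (not from either commenter), here is the scheme with the one detail that makes it work, a random salt mixed into the hash. The SHA-1 suggested above would serve the same purpose mechanically; SHA-256 is used here simply because SHA-1 is deprecated for new designs. The finding text is a constructed placeholder.

```python
import hashlib
import hmac
import os


def commit(description: str) -> tuple:
    """Return (commitment_hex, salt). Post the hex now; keep the salt and the
    description private until the vendor has fixed the bug."""
    salt = os.urandom(32)
    digest = hashlib.sha256(salt + description.encode("utf-8")).hexdigest()
    return digest, salt


def reveal_is_valid(commitment_hex: str, salt: bytes, description: str) -> bool:
    """Anyone can later recompute the hash from the revealed salt and text."""
    expected = hashlib.sha256(salt + description.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, commitment_hex)


def unsalted_commitment(description: str) -> str:
    """What NOT to post: a bare hash of a short sentence."""
    return hashlib.sha256(description.encode("utf-8")).hexdigest()


def brute_force_unsalted(commitment_hex: str, guesses):
    """Why the salt matters: a guessable description can be recovered from a
    bare hash by trying likely sentences. Returns the matching guess or None."""
    for guess in guesses:
        if unsalted_commitment(guess) == commitment_hex:
            return guess
    return None
```

Without the salt, a reader who can enumerate plausible one-line findings ("reflected XSS in the search box", "SQLi in the login form") can recover the text from the public hash before disclosure, which defeats the point of withholding it. The commitment also only proves the text existed when the hash was posted; the timestamp comes from wherever it was published, not from the hash.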

~~~
borski
I hear you, but I can't. I considered not even posting that comment at all,
but thought the greater point deserved to be aired.

