HealthCare.gov's Lack of Security Is Still a Disgrace, As Is the Press's Failure to Recognize It
On Thursday, Stephanie Condon at CBS News reported ("Security chief: HealthCare.gov has passed security testing") that Teresa Fryer, who had recommended against allowing HealthCare.gov going live before its October launch but was overruled, "told Congress ... that the Obamacare website passed security testing in December, and she would recommend that its official Authority to Operate (ATO) be extended when the current ATO expires in March."
On Friday at the Associated Press, aka the Administration's Press, Ricardo Alonso-Zaldivar, in an otherwise keister-covering dispatch apparently designed to show that Health and Human Services Secretary Kathleen Sebelius was really, really unaware of the web site's prelaunch security problems, claimed without qualification that "There have been no successful attacks on the site" — even though by law the government "need never notify customers that their personal information has been hacked or possibly compromised."
It would appear that Condon and Alonso-Zaldivar deliberately chose to ignore something else which occurred during Thursday's congressional hearings. Kevin Mitnick, one of the world's most infamous hackers, "submitted a scathing criticism to a House panel Thursday of ObamaCare's Healthcare.gov website." Additionally, on Fox News Sunday, "white hat" hacker David Kennedy contradicted Alonso-Zaldivar's "no successful attacks" claim by asserting that that the government doesn't even possess the ability to detect them.
In the video (transcript follows), Kennedy explained that he had carried out a "passive reconnaissance" attack (what follows is lengthy, but needs full exposure; posted transcript has been slightly edited to better conform to what was actually said; bolds are mine):
CHRIS WALLACE: ... personal information of ObamaCare consumers may be at risk. One of those experts is David Kennedy, founder of security firm TrustedSec. Before that he worked for the NSA and the Marines.
Mr. Kennedy, you testified before Congress in November and you said that the website was very vulnerable to potential hackers. Now after it is supposedly new and improved, you testified once again this past week before Congress and you said the situation is even worse. Explain.
DAVID KENNEDY, CEO, TRUSTEDSEC: Well, when we testified in front of Congress in November, Chris, what we learned was that, you know, they had rushed through what we call the software development life cycle where they actually build the application. And, so when you do that, security doesn't really get integrated into it. And what happened with the rocky launch in October, is they slapped a bunch of servers in trying to fix the website just to keep it up and running so that people could actually go and use it. But the problem is they still didn't embed any security into it. So when you have another, you know, few hundred developers actually running code to try to keep the site up and running, you know, and you increase the line count of code, it increases more and more exposures. And that's what we saw here over the period of time. And that's what we testified on. It's much worse than what we saw back in November.
WALLACE: Well, I'm going to ask you about that and how you know that. Because you say you did not hack the site and, yet, you say you could access 70,000 records of various people who have signed up for health care under -- at the website within four minutes. How do you know that if you haven't hacked the site?
KENNEDY: That's a great question. There is a technique called -- what we call passive reconnaissance, which allows us to query and look at how the website operates and performs. And these type of attacks that, you know, I'm mentioning here in the 70,000 that you're referencing is very easy to do. It's a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system. Think of it this way. Think of something where you have a car and the car doors are open and the windows are open, you can see inside of it. That's basically what they allow you to do. And there is no real sophistication level here. It is just really wide open. So, there is no hacking actually involved. And 70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.
WALLACE: Let's talk about the information you say that you could access if you were to actually hack the site. Names, addresses, Social Security numbers, birth dates. And you also say that because healthcare.gov is linked to the IRS and to the Department of Homeland Security, you could also get in and see what they had to say about the individual person who was signed up. How do you know that? Again, how do you know that you can get this and even get into IRS and get into DHS, and if, in fact, that is the case, what could a hacker do with what seems like an awful lot of private information?
KENNEDY: And that's a great question. You know, what you look at for when you assess a website, and I've been doing website, you know, security for a number of years. We basically break into websites all the time. And this is my area of expertise. And what we do is we look at, you know, problematic areas around the website. And if you're seeing these type of exposures just on the website, just by looking at it, there is a much more larger problem on the inside. And it's 100 percent certainty because of how the website was designed and how it was architected and how it was sped along. There are problematic areas. I used the example in Congress, if a car is driving by and I've been a mechanic for 14 years instead of security, and the engine is making clanking sounds, there's blue smoke puffing everywhere and there's, you know, oil leaking, you probably have a good understanding that the engine itself is bad. And that's what's happening here in the healthcare.gov infrastructure. And you have all these different companies. It's not just CGI, and it's not just, you know, HHS and CMS, it's a number of different companies. It all came together to kind of mash this thing up to make it what it is today. And you're seeing that, you know, happening right now.
So underneath it, now, the problem is if you look at the integration between the IRS, DHS, third party credit verification processes, you have all of these different organizations that feed into this data hub for the healthcare.gov infrastructure to provide all that information and validate everything. And so when attacker gets access to that, they basically have full access into your entire online identity, everything that you do from taxes to, you know, what you pay, what you make, what DHS has on you from a tracking perspective as well as obviously, you know, what we call personal identifiable information which attacker would use to take a line of credit out from your account. It's really damaging. And I think it's one of the largest websites in history that we have that has this type of level of access into our personal lives.
WALLACE: Now, Mr. Kennedy, the Obama administration is not happy with your testimony and, in fact, they're pushing back very hard on it. The chief security officer for the website who herself was the very concerned about vulnerabilities back in October when the website was launched. Now says that it's been fully tested and that it is secure. This is what she said when testifying before Congress.
(BEGIN VIDEO CLIP)
TERESA FRYER, CMS INFORMATION SECURITY OFFICER: This security control assessment met all industry standards, was an end to end test and was conducted in a stable environment and allowed for testing to be completed in the allotted time.
(END VIDEO CLIP)
WALLACE: Miss Fryer now calls for full certification of the site. She says it's secure, sir.
KENNEDY: I have to completely disagree with her. And it's not just myself that is just saying this website is insecure, it is also seven other independent security researchers that also looked at all of the research that I've done and came to the exact same conclusion. And these are folks that work really well in the industry. And they're highly respected, have an extensive experience of working for the government. And, you know, if you read the testimony and you read what she had actually said, she said that it's done end to end security testing. They don't say what type of testing that is. It could have been an audit that just looks at paperwork. It could have been, you know, really rudimentary testing that looks for just basic things. But what is pretty evident right now is that the site itself is not secure.
WALLACE: All right.
KENNEDY: It's much worse off.
WALLACE: All right. Well, let me talk about another complaint. Because another government official from HHS says that for all your claims of vulnerabilities, there have been no successful hacks of the website so far. Here he is.
(BEGIN VIDEO CLIP)
GARY COHEN, OVERSEES FED ONLINE MARKETPLACE: No, there have been no successful attempts of what anyone has been able to attack the system and penetrate it.
(END VIDEO CLIP)
WALLACE: Question, if there are so many gaps and if the site has been up since October First, why hasn't anybody exploited them?
KENNEDY: And that's great. This is one of my favorite ones out of the whole testimony. And so they (inaudible) that there has been no successful hacks that they've been able to detect. If you look at -- there's November testimony by Congress that basically said that a third party company was contracted to build out what we call the security operations center, which is what would actually detect these types of attacks. As of November, it hadn't even been started yet. So, if you look at how long these security operations centers take to put into play, it takes several months, if not years to actually implement and fully build the attacks out there. So, as of November we have no modern detection. And that, from my understanding, it's still not happening to this date. So they're accurate in their statement. They haven't detected any attacks on the website, because they don't have the capability to detect them. And just to throw it in comparison, they said that they only experienced 32 actual attacks on the website. They don't say what those cause for alarms are. But just a pure statistic, if you have a website that faces the Internet, just purely, you know, not popular, especially not as popular as healthcare.gov, you're going to exhibit over 200 attacks per week on that website just based on sheer volume alone. So, the 32 mark just shows another capability they don't have, unfortunately, on the healthcare.gov website.
WALLACE: All right. You talked about the fact that a lot of independent cybersecurity experts side with you about how vulnerable the site is. While the administration talks about an independent cyber security expert who says unless you have personally hacked the site yourself and you say you haven't, you can't possibly know basically what you claim. Here he is.
(BEGIN VIDEO CLIP)
WAYLON KRUSH, CEO AND CO-FOUNDER, LUNARLINE INC.: If none of us here built healthcare.gov, if we're not actively doing not a passive vulnerability assessment, but an active vulnerability assessment and doing penetrations on running that exploitable code on healthcare.gov, we can only speculate whether or not those attacks will work.
(END VIDEO CLIP)
WALLACE: Mr. Kennedy, the administration says that your testimony is based on assumptions, not facts.
KENNEDY: And I have to disagree. And the other seven security researchers would also disagree as well. Unfortunately, Mr. Krush is not a web application security person. He focuses more on higher level security audits than anything else. And it's not to, you know, throw into question Mr. Krush's experience. He does some great stuff with veterans, for security training and things like that. But he doesn't focus on application security. And that is absolutely false. You can definitely tell how secure a website is without actually penetrating into it and hacking the website. And I wasn't the only one that agreed on the panel. There are three other gentlemen as well on the panel that agreed my assessment as well.
WALLACE: I want to ask you, and I need a ten second answer here. Since you have testified, has the government gotten in touch with you and said here, come on in and show us how weak our website is?
KENNEDY: Absolutely not. They haven't. And it's been offered. And we would do it for free to help out. Unfortunately, there's been no contact from them.
WALLACE: Mr. Kennedy, thank you. Thanks so much for joining us today.
Will Ricardo Alonso-Zaldivar and the rest of the establishment press now quit blindly claiming "no successful attacks" when, as shown above, they cannot possibly know it to be a fact?
Separately, if they recognize Kennedy's work at all, will they in essence try to claim that what he carried out was not a "real" attack and that didn't prove anything, even though he was clearly one click away from obtaining real personal information?
Chances are that they'll continue to pretend that "All is well."
It really is hard to decide between the governmnet and its enablers in the lapdog press whose behavior is more disgraceful. It seems that if the government thought that the press would fully expose it, it would never have dared to launch HealthCare.gov in the first place, or would have pulled the plug on it within just a few days.
Cross-posted at BizzyBlog.com.