Security Researcher Demonstrates Vulnerabilities


A select panel of experts met to discuss the security issues with the Obama administration’s HealthCare.gov website. But only one of them demonstrated vulnerabilities live.

David Kennedy, CEO of TrustedSec (and creator of the Social-Engineer Toolkit), hit the ball out of the park yesterday at the Congressional committee hearing on the security of the Affordable Care Act website, HealthCare.gov.

According to the opening statement by Chairman Lamar Smith, HealthCare.gov is “one of the largest collections of personal data in the world”. The site pulls data from seven different agencies and holds personal information such as citizens’ birth dates and Social Security numbers.

According to the President, the website was safe, secure and open for business. But the administration cut corners on the website, leaving the site open to hackers.

At the hearing, Kennedy said that through passive reconnaissance alone his company had found 17 different direct exposures, which it reported. He would not talk about all of them, because as of the time of the hearing not all of them had been fixed. He then went on to actually demonstrate several ways that hackers could target the site.

Kennedy did not discuss every issue they found, but the full report (PDF) that TrustedSec submitted to Congress is very interesting.

The report shows several issues, including:

  • Open redirection (an attacker can craft a link on the site that sends the visitor to a destination of the attacker’s choosing)
  • XML injection
  • jQuery File Upload
  • Exposed user profiles!

But that is not all: the report also shows remnant website “test” links still present on the site.
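Open redirection is the easiest of those findings to show in code. The block below is an added example written for this post; it is not code from TrustedSec’s report or from HealthCare.gov, and the host name `www.example.gov` is a placeholder. It puts the classic bug (a `next` parameter echoed straight into the redirect) beside a validator that only accepts same-site destinations and rejects the usual bypasses.

```python
from urllib.parse import urlsplit

# Placeholder site host for the example; not HealthCare.gov's real configuration.
SITE_HOST = "www.example.gov"

ALLOWED_SCHEMES = ("http", "https")


def vulnerable_redirect_target(next_param: str) -> str:
    """The open-redirect bug: whatever arrives in ?next= becomes the Location header.
    A phishing mail can link to https://site/login?next=//evil.example/ and the victim
    lands on the attacker's page after clicking a link that carried the trusted site's name."""
    return next_param


def normalise_redirect(next_param: str, site_host: str = SITE_HOST):
    """Return a redirect target guaranteed to stay on site_host, or None if rejected.
    Handles scheme-relative //host, backslashes, userinfo tricks (https://site@evil),
    missing slashes (http:/evil), control characters and non-HTTP schemes."""
    if not next_param:
        return None
    candidate = next_param.strip()
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" means "//evil.example".
    candidate = candidate.replace("\\", "/")
    # Control characters can smuggle a scheme past naive checks ("java\tscript:").
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == " " for c in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets in the host part
        return None
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL. Scheme-relative "//host/..." has an empty
        # scheme, which is not in ALLOWED_SCHEMES, so it is rejected here too.
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return None
        # .hostname strips userinfo and port: "https://site@evil.example" yields "evil.example".
        # "http:/evil.example" has no netloc at all, so hostname is None and it is rejected.
        if (parts.hostname or "").lower() != site_host.lower():
            return None
        return candidate
    # Relative path: must begin with exactly one "/" ("//" was caught above as a netloc).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None
    return candidate


def safe_redirect_target(next_param: str, site_host: str = SITE_HOST, default: str = "/") -> str:
    """Drop-in replacement for vulnerable_redirect_target(); falls back to default on rejection."""
    target = normalise_redirect(next_param, site_host)
    return target if target is not None else default


if __name__ == "__main__":
    probes = ["/account/profile", "//evil.example/", "/\\evil.example",
              "https://www.example.gov@evil.example/", "http:/evil.example",
              "javascript:alert(1)", "https://www.example.gov/login"]
    for probe in probes:
        print(f"{probe!r:45} vulnerable -> {vulnerable_redirect_target(probe)!r:45} "
              f"safe -> {safe_redirect_target(probe)!r}")
```

The validator returns the normalised string rather than the raw parameter so that a backslash smuggled into an otherwise valid URL never reaches the browser unchanged; the fallback to `/` means a rejected value degrades to a harmless redirect instead of an error page.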


The Congressional hearing and TrustedSec’s report are both well worth your time.

Kudos to Dave, he did a phenomenal job, and as always, both expertly and professionally represented the white-hat security field.

With Government Spying is the US Becoming a Police State?


News of the US PRISM government surveillance program was made public by whistleblower Edward Snowden. Yesterday the House voted to reject an amendment that would have removed the government’s authority to collect the phone records of US citizens. With all of this monitoring and spying on its own civilians, one has to wonder: is the US becoming a police state?

According to information leaked by Snowden, which included 41 PowerPoint slides, industry leaders who participated in the program included Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, AOL, Skype and Apple. The government program that, “extracts e-mail, audio, video, photos, documents, search history and logs” was started as early as 2007.

On Tuesday, General Keith Alexander, head of the NSA, urged Capitol Hill lawmakers to oppose the amendment that would defund the NSA phone collection program.

“We oppose the current effort in the House to hastily dismantle one of our Intelligence Community’s counterterrorism tools,” White House press secretary Jay Carney said in a late-night statement. “This blunt approach is not the product of an informed, open or deliberative process.”

Republicans and Democrats were divided amongst themselves on the issue: some thought the program necessary, while others thought it a violation of constitutional rights.

“Have 12 years gone by and our memories faded so badly that we forgot what happened on Sept. 11?” said Rep. Mike Rogers (R-Mich.) chairman of the Intelligence committee.

Rep. Justin Amash, R-Mich., sponsor of the amendment, “told the House that his effort was to defend the Constitution and ‘defend the privacy of every American.'”

I find it odd that the WH press secretary would complain about the move to “hastily dismantle” part of the NSA’s data collection program, and that it was a “blunt approach” that was not “informed, open or deliberative.”

Many New York citizens were enraged over these same issues when, in a secretive and hurried overnight session, NY Gov. Andrew Cuomo signed the NY SAFE Act into law, one of the toughest gun control laws in the US. The law is still opposed as unconstitutional by many Upstate NY citizens and law enforcement officials.

Privacy and civil rights groups were also upset about how the citizens of Boston were treated while law enforcement was searching for the two Boston bombers. Images of heavily armed, military-looking police units flooding the streets and performing mandatory door-to-door searches caused quite a stir.

Some think the searches were illegal, though there is an exception to the warrant requirement, exigent circumstances:

“An exigent circumstance, in the American law of criminal procedure, allows law enforcement to enter a structure without a search warrant, or if they have a “knock and announce” warrant, without knocking and waiting for refusal under certain circumstances. It must be a situation where people are in imminent danger, evidence faces imminent destruction, or a suspect will escape.”

“Courts look at it differently when there’s a threat of public safety than if the police just want to search,” said Carol Rose, executive director of the ACLU of Massachusetts, in a phone interview with The Atlantic Wire.

Many seem to think that monitoring US citizens is necessary to prevent another 9/11-type terrorist attack. Many others are very upset and concerned about the erosion of Americans’ constitutional rights and privacy, with some thinking that the US is heading very rapidly toward becoming a police state.

What do you think?

Moxie Marlinspike on Internet Anonymity

ITWeb had an article earlier this month on Moxie Marlinspike’s keynote address at the ITWeb Security Summit at the Sandton Convention Centre. Moxie is a computer security expert well known for showing the world how insecure SSL communications and certificate validation can be. He is also known for his campaign for Internet anonymity and privacy in the digital age.

That was also the topic of his speech at the ITWeb Security Summit:

Marlinspike asked the audience how many of them would be happy to carry a government tracking device. No one raised their hand. But when asked how many in the audience carried a cellphone, the results were the opposite. There is not much of a difference, he opined. “A cellphone has real-time positioning and cellular companies are required by law to supply this information to governments. The difference lies in choice. People choose to carry cellphones.”

Moxie also talked about Google, and its practice of saving all of your search queries, clicks, map lookups, directions and so on:

In addition, Google claims to ‘anonymise’ users’ data after nine months. “Anonymise means drop the last octet of an IP address,” he explained. “Cookies are simply translated. It also says it takes privacy seriously, putting it under the user’s control, but in fact only shows the user some of the information they are most obviously capable of connecting to you. In addition, it requires that the user has an account, remains logged in while using services, and maintains a consistent cookie in order to participate.”

The scope of the ‘Google choice’ has become quite large, he added. “We need some innovation that allows us to reject this type of false choice while still maintaining anonymity. We need anonymous access to Google services that is fast and reliable.”
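The gap between Google’s definition of ‘anonymise’ and actual anonymity is easy to show with data. The block below is an added example and is not from Moxie’s talk or the ITWeb article: it applies the treatment he describes (zero the last octet of the IP address, swap the cookie for a consistent pseudonym) to a handful of constructed log records, then rebuilds each user’s complete search history from the pseudonym alone. The records, the cookie values and the translation key are all made up; how Google actually translates cookies is not public.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample records (timestamp, client IP, cookie, query). Not real traffic.
RAW_LOG = [
    ("2013-05-01T09:00:00Z", "203.0.113.57", "PREF=ID=a1b2c3d4", "pharmacy near me"),
    ("2013-05-01T09:05:00Z", "203.0.113.57", "PREF=ID=a1b2c3d4", "divorce lawyer"),
    ("2013-05-01T12:30:00Z", "198.51.100.23", "PREF=ID=a1b2c3d4", "flights to cape town"),
    ("2013-05-01T13:00:00Z", "203.0.113.90", "PREF=ID=zz9y8x7w", "weather sandton"),
]

# Hypothetical key for the cookie "translation"; the real mechanism is not documented.
TRANSLATION_KEY = b"example-key-not-secret"


def anonymise_ip(ip: str) -> str:
    """'Drop the last octet': 203.0.113.57 becomes 203.0.113.0."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def remaining_candidates(anonymised_ip: str) -> int:
    """How many hosts the truncated address still narrows the user down to (256 for a /24)."""
    return ipaddress.ip_network(f"{anonymised_ip}/24").num_addresses


def translate_cookie(cookie: str, key: bytes = TRANSLATION_KEY) -> str:
    """A 'translated' cookie: a keyed pseudonym. It is deterministic, so the same
    user keeps the same identifier in every record. That is pseudonymisation, not anonymity."""
    return hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_log(records, key: bytes = TRANSLATION_KEY):
    """Apply both steps to every record."""
    return [(ts, anonymise_ip(ip), translate_cookie(ck, key), q) for ts, ip, ck, q in records]


def histories_by_pseudonym(records):
    """What anyone holding the 'anonymised' log can still do: rebuild each user's
    full query history, across IP addresses, from the pseudonym alone."""
    histories = defaultdict(list)
    for _ts, _ip, pseudo, query in records:
        histories[pseudo].append(query)
    return dict(histories)


if __name__ == "__main__":
    anon = anonymise_log(RAW_LOG)
    for pseudo, queries in histories_by_pseudonym(anon).items():
        print(pseudo, "->", queries)
    print("candidates per truncated IP:", remaining_candidates(anon[0][1]))
```

The point the output makes: the first user’s three queries, sent from two different networks, are still stitched into one profile, and the truncated address still places that profile within 256 hosts. Dropping the cookie (or re-keying the pseudonym per record) is what would break the chain; truncating the IP does nothing to it.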

To this end, Moxie created GoogleSharing: basically, a Firefox add-on that routes your Google requests through a proxy server run by Moxie, offering anonymous use of Google services.

*NOTE – as always, it is a security risk to route your traffic through a proxy server that you do not control: the proxy operator sees every request you send through it.

Unfortunately, with all the fear of terrorism, cybercrime and state-backed cyber espionage, we live in a world where the bad guys masquerade as good. In trying to ferret out these threats, personal privacy and anonymity are being pushed to the back burner. For the full article see “Privacy Dies Off”.