Bewitched, Bothered, Bewildered, Hacked?

There are a bunch of reports floating around about a security researcher’s apparent “hack” of healthcare.gov. They all relate back to this post by a researcher at TrustedSec. He claims to have done some kind of Google search that reveals 70,000 pieces of personal data. I read through the post and its four updates and I sure as hell can’t tell what he is claiming to have exposed via Google. It certainly isn’t a “security breach”, he didn’t “hack” anything, and the potential impact of whatever he did is clear as mud. Yet I’m sure it will get plenty of press.

Here’s something that won’t: the Obama Administration, which recently fired CGI Federal, the healthcare.gov contractor, handled the healthcare.gov situation pretty shrewdly last Fall. One alternative would have been to root through CGI’s contract and find every way to charge them back for error and delay. That would have been satisfying in the short term, but it might have ended up like Bixi, the bike sharing service. Bixi just declared bankruptcy, in part because cities where Bixi operates are trying to collect over $16 million from Bixi due to software delays. Hopefully, those cities will still be able to operate their bike sharing services when it warms up, but I doubt it will go smoothly, since I’ll bet that quite a few Bixi software engineers are looking for employment from a company that has a little more rosy future.

Don’t get me wrong: I hope the Obama Administration puts CGI Federal into bankruptcy over healthcare.gov, but only well after the site has been transitioned to the new contractor, Accenture.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Pinterest
Share On Reddit






37 replies
  1. 1
    some guy says:

    MA and VT are already suing those scumbags, so there is still plenty of time for the Feds to pile on.

  2. 2
    mrmcd says:

    So the lesson here is don’t hire Montrealer contractors, apparently.

  3. 3
    Cervantes says:

    Bixi does not exactly operate in Boston but here’s a local report:

    [Bixi, a] Montreal-based equipment and technology supplier for Alta Bicycle Share, the company that manages Boston’s Hubway program, has filed for bankruptcy protection, but Hubway administrators say the bankruptcy will not have an effect on Boston’s bike-sharing program.

    […]

    The company operates Montreal’s bike-share program and provides equipment and software for Alta, the company that manages Hubway and popular bike-sharing programs in New York City; Washington, D.C.; and Chicago. The comany was racked with financial challenges for years and saddled with almost $50 million in debt. Its announcement came as little surprise to Montreal officials, who had long expressed concerns about the company’s future.

    Benjy Kantor, a spokesman for [Boston’s] Hubway, said the challenges facing Bixi are not expected to have an impact on Hubway’s operations.

    “We’re expecting that Hubway will continue to run without interruption, and plans are to expand the current operations once the full system launches in spring,” Kantor said. Since Hubway’s launch in summer 2011, the network of Hubway stations has grown dramatically, extending into Cambridge, Somerville, and Brookline. The bike-sharing network also continues to grow denser. Two stations are scheduled to open in the Seaport District in the spring.

    Last year, bike-sharing administrators announced that the system would provide service through the winter in Cambridge, and would consider bringing year-round service to the rest of the system if the test run in Cambridge is successful.

    As Hubway gets bigger, it will need more equipment, but Alta said that will be possible even without Bixi. Mia Birk, vice president at Alta, said much of the equipment used for bike-sharing systems in North America is produced by subcontractors who will continue to supply the high-handled, heavy bicycles that have become ubiquitous in cities with bike-sharing programs.

  4. 4
    KorbenDallasBathroomPass says:

    I think the point is it isn’t a hack because there is a simple URL you can create that will get the personal information. He’s not revealing the format of the URL to the public (though I hope he has disclosed it to the operators of healthcare.gov) because that would compromise the personal information more readily.

    If you remember this AT&T ‘hack’ my guess it was similar to that. Make a url like http://path/to/private/data?parameter=X where x is just a unique identifier that follows a pattern and you get the private data as a response?

    This is all quick speculation after perusal/reading. Please correct me if I’m wrong.

  5. 5
    Professor says:

    Do you realise that Accenture grew out of Arthur Anderson Accountancy of Enron fame?

  6. 6
    Cervantes says:

    There are a bunch of reports floating around about a security researcher’s apparent “hack” of healthcare.gov. They all relate back to this post by a researcher at TrustedSec.

    David Kennedy used to work for the NSA — a fact he does not mention in the article despite telling us about a “less than pleasing” Congresswoman who failed to thank him for his service as a Marine.

  7. 7
    ericblair says:

    He claims to have done some kind of Google search that reveals 70,000 pieces of personal data. I read through the post and its four updates and I sure as hell can’t tell what he is claiming to have exposed via Google. It certainly isn’t a “security breach”, he didn’t “hack” anything, and the potential impact of whatever he did is clear as mud.

    I’m a federal IT expert and it’s still as clear as mud to me. He doesn’t say anything concrete, but doesn’t like the HTTP headers and then speculates there must be a bunch of security flaws although denies that he tested it (which he correctly says would be illegal without authorization). He blows off federal security standards and guidelines like NIST 800-53, saying that they’re “open to interpretation”, but duh, so is pretty much everything, and fails to state what exactly is wrong with the standards.

    Also, he shows his analysis tool’s results, which report 2 “happy findings” and 8 “not as happy findings”, which IMO kind of doesn’t sound like a real enterprise security package.

    @Professor:

    Do you realise that Accenture grew out of Arthur Anderson Accountancy of Enron fame?

    They split off right before Arthur Andersen blew up, and I’m sure they’re extremely happy about that. They’re also responsible for building Covered California which to my knowledge has been a success, so I’m sure that’s why they got the gig.

  8. 8
    lol says:

    I thought part of the design of hc.gov was that it wasn’t storing much PII – most was stored locally in a cookie and the rest was just sent directly to the insurance companies?

  9. 9
    MattF says:

    I wouldn’t be surprised if there’s some unauthorized way to poke into healthcare.gov’s data, and I wouldn’t be surprised if someone found it. That’s just life on the Intertoobz. The reality here is that the poop-flingers are getting rather desperate– we’re at the point where Murphy’s Law is all Obama’s fault.

  10. 10
    cleek says:

    well, there was no “hack”.

    FTA:

    There’s been a few stories running around in the media around accessing 70,000 records on the healthcare.gov website. Just to note on this, we never accessed 70,000 records nor is it directly on the healthcare.gov website (a sub-site for the infrastructure). The number 70,000 was a number that was tested for as an example through utilizing Google’s advanced search functionality as well as normally browsing the website. No dumping of data, malicious intent, hacking, or even viewing of the information was done. We do not support the statements from the news organizations. From a previous blog post, the information shown in the python script was sanitized and not used through Google scraping (urllib2 python module). We’ve reached out to the news agencies to clarify as these were not our words.

    they … Googled.

  11. 11
    Omnes Omnibus says:

    @Professor: Accenture, formerly the consultancy side of AA, split off from AA before the Enron mess. It then lost a lawsuit over the name Arthur Andersen name and became Accenture. There is no reason to connect Accenture with Enron.

  12. 12
    Gene108 says:

    I do not wish bankruptcy on any company. The lay-offs, especially in this job market, suck for those involved.

    *************

    I remember Accenture lost a law suit, shortly after they were spun off from Arthur Andersen, about keeping their old name Arthur Andersen Consulting, but Arthur Andersen LP won and the consulting branch changed its name to Accenture.

    A little while later Enron blew up and the old consulting arm was glad they lost, so they did not have the name Arthur Andersen on the new independent business.

  13. 13
    Tommy says:

    @Professor: I sure do. Worked with them back in the doc com days when it was all the rave to hire them for management consulting. Honestly working with them is where buzz word bingo came from. A lot of words came out of their mouths but they didn’t say much.

  14. 14
    Cervantes says:

    @ericblair:

    He doesn’t say anything concrete

    Well, to be fair, he does give Lamar Smith (R.-TX21) a solid endorsement for doing …

    … an excellent job mediating what at times became a very hostile environment. I have to say, Chairman Smith is absolutely a stand up individual and someone that I truly respect and admire.

    So there’s that.

  15. 15
    Schlemizel says:

    We had some assclown ‘hack’ the MNsure web site. He performed a man-in-the-middle attack by connecting to the site via an insecure wireless network that allowed him to capture his data as he transmitted it across the air. If you surf at Starbucks there is a chance someone could listen in but that is hardly the web sites fault.

    Sadly he got a lot of media attention for this bullshit & even the folks at MPR refer it it officially as “The Troubled MNsure site”

  16. 16
    Cervantes says:

    @MattF: If Murphy’s Law can go wrong, it will.

  17. 17
    balconesfault says:

    So how much private information are people disclosing through healthcare.gov that is actually that sensitive? I haven’t checked it out, but I’m wondering if there’s really that much there that isn’t a lot easier for some hacker to access in a myriad of other places on the web?

    I’ve been wondering if the right method for Healthcare.gov wouldn’t have been just to have engaged the free market – the Federal Government could have set up criteria for what qualifying Obamacare gateways needed to have in place, and paid a bounty for every website registration of an individual buying into a policy or using the gateway to access Medicaid.

    Then not only would have you had multiple developers creating their own gateways, each with a goal of faster/easier, but they’d all be saturating the airwaves and bandwidth right now trying to get people to use THEIR gateway to buy a policy. HHS could just sit back and monitor compliance.

  18. 18
    Tommy says:

    @MattF: exactly. Did some work with the top It security folks and they all said the same thing. Everybody has been hacked. Period. The public just doesn’t hear about it. They would also note most hacks are not even hacks. Called social engineering.

  19. 19
    Tommy says:

    @balconesfault: more then you might think. When I signed up they pulled my credit report and asked me to verify who I was. But from a medical policy almost nothing. Just my age, sex, and do I smoke.

  20. 20
    balconesfault says:

    @Schlemizel:

    Sadly he got a lot of media attention for this bullshit

    Given all the money the Kochs have been spending on things like advertising aimed at 20-somethings telling them that they’re all fools if they consider doing something so stupid as buying government-subsidized insurance because of course they’re 20-something and nothing bad is going to happen to them for another 30 years …. I have to think they’re also funding a lot of hackers out there.

  21. 21
    Schlemizel says:

    @Professor:

    I don’t remember the details but I think the split was either mandated or part of an agreement to avoid prosecution. They split the consulting biz from the accounting biz because of the conflict of interest it caused.

    My experience with them is all bad the best example was at large electronic retailer where Accenture ran their IT. They brought in completely unqualified people to fill some important positions but that was not the worst. The head of the network department sat in a sales pitch of a set of tools that would allow him to manage his network with fewer people and to have level 1 stuff handled by lower level people. The manager stopped the sales guy right there and said, “You have to remember I do’t work for , I work for Accenture. My pay and bonus is based on the number of hours we bill and the level of employees I have, why would I want fewer and lower level?”

    Accenture is scum.

  22. 22
    Ben Franklin says:

    OT; Learn the Devil’s Tango or the Fukushima dance and sign up for email alerts, or………………..get involved.

    http://fukushimaresponse.org/Home.html

  23. 23
    Tommy says:

    @Schlemizel: my ad agency was about to launch a huge national ad campaign. Our tech client had brought them in.

    I recall in one meeting, the owner a 65 year old woman at one point stood up and said how many fucking national ad campaigns have you launch? I’ve done hundreds and the advice you are giving our client is like something you learn in ad 101 at a bad community college. We never met with again.

  24. 24
    Tommy says:

    @balconesfault: The Koch connection is a scary idea. Spent a lot of time around hackers and it is a fine line between white hats and black hats.

    And generally speaking most of these folks tend to fall on the libertarian part of the political spectrum. Not all of course, but it always seemed like a large number.

    Could see how many might buy into the Koch mindset.

  25. 25
    C.V. Danes says:

    I seem to remember a few years back when CGI was brought in to clean up after a multi-million dollar boondoggle that Andersen Consulting had inflicted on NYS, that was so bad that the company had to change its name to…wait for it…Accenture.

    Nothing changes except the names.

  26. 26
    Schlemizel says:

    @Tommy:

    We are all zebras on the plains. Its best not to attract the attention of the lions because they can take you any time they want. The “Russian mobs” (not all are Russian, Belarus and Ukraine and several others hide under that umbrella) are only interested in bulk financial data, credit card numbers etc that have an immediate cash pay off. They are very good and inventing ways past security that work for a period of time and once discovered are replaced by something else.

    I have no idea what the US can do but China is inside out networks in ways that are both complete and relatively permanent. They are not in it for immediate cash money. They get inside and gather industrial information. Say you have discovered a new process to increase the efficiency of your solar panels. Your Chinese competitors will suddenly discover the exact same process even though the do not have a research department. Then you respond to an RFQ for a large number of panels only to find that your Chinese competitor has come in under your bid no matter how low you went. This is devastating Western industry & we are losing this race.

    I have a work friend who discovered one of his companies machines communicating with a known Chinese command and control computer (an intermediate that has been hacked & now serves as a place to attack from & get information sent to for later collection). It was a virtual server so they were able to take the software into the lab & discover the files that were the source of the infection. After they cleaned it up they kept an eye on the system & saw the infection rebuild its capabilities from a different set of files. They cleaned those up and watched it rebuild itself from a third set of files! These guy are really good.

    It a long read and a bit techie but if you are interested in the work of the Chinese government this is worth your time:
    http://intelreport.mandiant.co.....Report.pdf

  27. 27
    The Other Chuck says:

    @Schlemizel:

    I don’t remember the details but I think the split was either mandated or part of an agreement to avoid prosecution. They split the consulting biz from the accounting biz because of the conflict of interest it caused.

    Or you could just look up their Wikipedia page: http://en.wikipedia.org/wiki/Andersen_Consulting

    They are scum, but they’re at least reasonably competent scum.

  28. 28
    Tommy says:

    My name is in my email address I use here. Folks that know I am a tech geek wonder why would I do that. I explain if somebody wanted to hack me they could and would.

    Or I just don’t worry about it much. I do Web sites for a living. Most take no personal info. But they tend to read one article and think they know everything.

  29. 29
    Schlemizel says:

    @The Other Chuck:

    My experience would contraindicate a diagnosis of ‘competent’

  30. 30
    Schlemizel says:

    @Tommy:

    I have 4 online identities that I worked very hard to keep separate. Part of it was to keep my political life away from my consulting life so as to not turn client off, part of it was to avoid some of the personal tracking done by companies. Google has managed to link these, at least at some level. Google is very good at that & they really are evil despte their motto.

  31. 31
    sharl says:

    OT, listening to Ken Ward Jr. of the Charleston (WV) Gazette – a pretty good reporter IMO (recent article) – on the Diane Rehm Show, talking about the Elk River spill of Crude MCHM. He’s a lifelong resident of WV and has been working the Charleston and mine safety news beats for many years. He said he’s fascinated by the coal industry lobbyists, lawyers and other industry functionaries who live in the Charleston area complaining about this outrageous and inconvenient health risk. Ward noted that these very same folks are quite dismissive of similar incidents when they occur out in the faraway counties where the coal mining actually takes place.

    No surprises here, just found Ward’s fascination with this grimly entertaining. It’s like he’s a social scientist observing human dynamics among the privileged at their most hypocritical. [Wonder what kind of harumph’ing and spinning he’ll get from these industry flacks in response to his observation?]

  32. 32
    C.V. Danes says:

    @Schlemizel:

    My experience with them is all bad the best example was at large electronic retailer where Accenture ran their IT. They brought in completely unqualified people to fill some important positions but that was not the worst….

    One of the reasons that Andersen Consulting was kicked off the NYS project I noted above was that they were staffing literally dozens of people on the project who were only there as warm bodies so that they could bilk the contract for millions of dollars in additional staffing costs.

    There are many good consulting firms out there. Its the companies like these that give consulting a bad name, and all they do when they get caught is change their name and start the bilking cycle all over again.

  33. 33
    C.V. Danes says:

    @sharl:

    Ward noted that these very same folks are quite dismissive of similar incidents when they occur out in the faraway counties where the coal mining actually takes place.

    There’s a term for that behavior. It’s spelled:

    h-y-p-o-c-r-i-s-y

  34. 34
    mk3872 says:

    @Professor: Accenture is the IT technology branch of the former Arthur Anderson, not at all related to the criminal activities of the accounting consultancy portion that you are speaking of.

  35. 35
    danimal says:

    @The Other Chuck: Agreed. Accenture is filled with money-grubbing corporate double-talkers, but they’ll do a reasonably decent job running the health care website. They’ve learned to take the time to ask the right questions, and when they get things wrong, they learn from the experience.

    FWIW–When I’m not loafing on BJ, I’m a CA public employee who interacts with Accenture on a daily basis.

  36. 36
    Another Botsplainer says:

    This is interesting. Recently a teenager was visited by LE because he found a security problem with a corporate website and disclosed it to said corporation. Also, the guys that outed the rapists in Ohio are in for more jail time than the rapists. So, why is this jack off not in jail yet ?

  37. 37
    DavidTC says:

    As someone who actually deals with website security, I feel I must point out that many of securityheaders.com’s recommendations are *completely useless*.

    Nosniff and Content Security Policy are useless for HTTPS sites (Which healthcare.gov is), because they *require someone being able to insert content*. If someone can insert content into healthcaregov and get it to send that to other people, uh, that would be a pretty serious security issue in itself. That’s the sort of stuff you use on a discussion board to stop people from embedding Javascript links.

    Cross Domain Meta Policy is idiotic and pointless, a way to stop frickin *Adobe* software from showing your pages. (And who the hell cares if someone is nonsensically using Adobe Reader as a web browser? Even if someone sends some sort of attack PDF to someone to do that and forward credentials, the idiot would *have to log into healthcare.gov inside Adobe Reader*…and if you can get idiots to do that, you can probably just fake the entire site in a PDF and get them to log into that instead.)

    Strict-Transport-Security is also pointless and has no advantage over what they’re doing, which is a server redirect to HTTPS. (*Neither* of those actually solve the security problem of ‘Hijacking the connection to healthcare.gov, hoping users first go there not over HTTPS, and then simply not redirecting them to the secure site’…but that’s a problem with the internet at large. That can’t be solved at the web level, it will have to be solved at DNS, and the solution does not exist yet.)

    X-XSS-Protection is a dumbass thing that only works on IE.

    Access Control Allow Origin is set to *, which, despite what securityheaders.com seems to think, is completely safe, because if you do that the other site doesn’t understand cookies, which means if some other website tries to read your healthcare.gov session, when they retrieve a page they will see that page as if they aren’t logged in. (I *suspect this is what the original post is trying to allude to, not understanding that just having a damn URL does you no good if you aren’t logged in.)

    Server Information and X-Powered-By are not being set, as the site recommends. (Setting those would not actually be security issues, security by obscurity doesn’t work. But there’s no sense in *helping* attackers by advertising the software you’re using.)

    X-Frame-Options is set correctly.

    So, basically, healthcare.gov is doing the *actually* important things to sotp cross-site scripting with Access Control Allow Origin and X-Frame-Options, and not bothering with all the nonsense that securityheaders.com blurts out to justify its own existence. Just because there is a tool to check something on the internet does not mean that thing is *actually important*.

Comments are closed.