
Thursday, 21 November 2013

U.S. Gov Employee Responds to TrustedSec's Review of Healthcare.gov

After I wrote yesterday's article "The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website", I received an email from a well-respected employee of a large government agency who had read TrustedSec's report on the Healthcare.gov website. This employee has asked me if I would publish the content of that email on my blog. Here it is with some minor formatting changes.

-------------------

So let's put aside the ISC2 ethics violation by TrustedSec that this "report" is and instead focus upon its content.

The report is split into two parts, one based upon public open source intel gathering, and one upon actual "analysis". Contrary to what Goebbels might say, repeating a lie does not make it true. The first half of the "analysis" consists of misquotes and out of context statements about news reports, blog postings and the Heritage Foundation (an anti-Affordable Care Act org).

They extrapolate from news articles and jump to conclusions that would be laughed out of a Bsides conference, let alone a court of law. Most of the "observations" are generic in nature with no supporting detail. Everything is anecdotal. Everything is hearsay. There is no direct observation of any vulnerability, and only "potential risks". 

Many of the articles highlight pre-launch issues that have since been resolved, and others are issues common to most web applications (hello, user enumeration? Seriously? Any site with a unique user account has this issue).

This lack of substance extends to the second part of the "analysis" which shows a lack of understanding of both what healthcare.gov is and what security is. 

In the professional world of cyber security there are two concepts at the heart of computer forensics: peer review and reproducibility. Professionals understand that their word is not enough and they actually have to show something that the community and their peers can reproduce. None of their findings are "reproducible" vulnerabilities. They are all vague possible-maybe-there-could-be risks, or worse yet, a gross misunderstanding of what they are "analyzing."

They raise issues with things like the Terms of Service (TOS).

They raise issues with data.healthcare.gov.

Healthcare.gov is not just a website, it is a complex node in a web of Federal, State, and private systems that interconnect to produce the healthcare.gov site. The data in it comes from state exchanges, Medicare, the IRS, SSA, and other Federal/state agencies, plus private insurers. It's not just a webserver/webapp with a back end database like something circa 2003.

They raise an issue that data will be shared with outside agencies, which shows they don't understand what healthcare.gov is. Then they raise another issue about public profiles on the data.healthcare.gov site. The fact is that data.healthcare.gov is an open data initiative based on the data gathered from insurers. Public profiles are a feature, not a bug, of that SEPARATE platform.

These two examples show the lack of due care conducted on this analysis. Please take a moment to read the "results" [CARR: A link to TrustedSec's report is provided below]. The level of writing and actual deliverable are so laughable that if a contractor had produced this for my agency I would have terminated their contract on the spot. (The report shows) no due diligence, sloppy work, and worst of all it is wrong in its "conclusions". 

Determinations need proof beyond media quotes and theoretical issues. They need to be based in fact.

------------------------

Here's a link to TrustedSec's public report (.pdf) for those readers who wish to review it and assess the above criticism for themselves. Comments are open.

UPDATE (12/13/13): "On December 11, in order to address ongoing questions, Committee members and staff received a classified briefing from Dr. Kevin Charest, the HHS Chief Information Security Officer, and Ned Holland, HHS Assistant Secretary for Administration. Portions of this briefing were classified to protect information relevant to national security. This memo contains a summary of the unclassified portion of the briefing."

Tuesday, 19 November 2013

The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website

Yesterday, Rep. Lamar Smith, the Republican Chairman of the House Committee on Space, Science and Technology had four cyber security experts testify about the poor security of healthcare.gov's website. Of the four experts, at least two were ardent critics of the Obama Administration in general and the Affordable Care Act specifically: David Kennedy, the CEO of TrustedSec and Morgan Wright, the CEO of Crowd Sourced Investigations. And of those two, only one - David Kennedy - could accurately be called a cyber security "expert".

While it's not surprising that a Republican Committee would load its witness list with individuals who would support its anti-Administration agenda, what was surprising was that David Kennedy used his reputation as a pen-tester to do an unauthorized security audit of the site and then go public with his findings. TrustedSec LLC, Kennedy's company, was not engaged by the U.S. Department of Health and Human Services (HHS) to perform any type of security testing on Healthcare.gov. If it had been, he'd be under an NDA not to discuss his findings. Instead, he took it upon himself to run a passive test against the site.

Passive testing occurs when a user monitors his interaction with a website by using a proxy server and a "sniffer" to inspect the traffic between the website and the proxy server. Kennedy hasn't disclosed exactly how he conducted his passive vulnerability assessment but it wouldn't have revealed enough data to warrant an opinion that the site "had already been hacked", as Mr. Kennedy told the committee:
“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”
In my opinion, this raises serious ethical questions. Vulnerability assessments, including penetration testing, are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company. In fact, it would be professional suicide for any pen tester to "out" the vulnerabilities found on a client's website. Obviously, neither Kennedy nor TrustedSec had that relationship with HHS. Instead, Kennedy ran an unauthorized and non-defined "passive" vulnerability assessment, which by its nature could not provide any kind of thoroughness in its findings, and then announced those findings publicly to support a right-wing political agenda. If he had done that against a private company, he'd be sued.

In contrast to the approach that Kennedy took, Dr. Avi Rubin (Director, Health and Medical Security Laboratory; Technical Director, Information Security Institute, Johns Hopkins University; one of the remaining two experts who testified before the committee) advised that a full security review of the site was in order, and:
“I would need to know whether there are inherent flaws vs. superficial problems that can be fixed,” Rubin says. “If they can be fixed, that’s better than shutting it down.”
What a concept. Do a proper investigation and then provide an informed opinion based upon facts.

UPDATE: David Kennedy has posted his response to this article in the comments section. I encourage readers to read the comments in their entirety and join in the debate if you so choose.

UPDATE #2 (11/21/13): David Kennedy has maintained that neither he nor his company did anything unethical. I'm not saying that they did. I'm arguing that what was done by Kennedy and his firm raises questions in my mind about what is currently considered to be ethical in the security field, and that those standards need to be challenged, discussed and debated. That's what I'm trying to do with this article.

Related:

U.S. Gov Employee Responds to TrustedSec's Review of Healthcare.gov