Full Disclosure mailing list archives

Re: Making waves on Twitter!
From: David Kennedy <davek () derbycon com>
Date: Mon, 27 Jan 2014 09:08:15 +0100

Good points on all of those. I've been trying to keep it on track as a
security issue and I think it is actually getting there. I had a
conversation with the CISO over HHS which just took over the
infrastructure. He seems pretty awesome and wanting to do the right things
to get the things addressed and wants to understand them all. So on that
front, I think it's gotten the light that it's needed to do change. My hope
was that it would be not just hc.gov but the federal government as a whole.
FISMA + 800-53 != security in any shape or form and we're seeing the
ramifications of that now on an entire federal/state level. FISMA has
messed us up for the next 10 years to come. Instead of proactive type
solutions, it's how do we get the check box and skirt around the NIST
guidelines - same thing goes for any other regulatory/compliance standard -
SOX/PCI no different.

I may have been too ambitious to think we could change the larger problem
as it became a political show instead of the focus on security. Regardless
- lots of good done on that front and lots of things have changed since the
last testimony.

Regarding the script, it's an embarrassing urllib2 request - happy to
release it as soon as it's fixed (still open as far as I know). Ticket #'s
have been submitted to the devs.

On the getting blasted front - it's actually been quite light except for
Waylon/NoBiasInfosec crazy talk. For the most part, it's been received well
and it seems like a lot of folks are interested in addressing it. To the point "Let's
recap: we can't prove the website is insecure without breaking the law, and
our politichildren are not concerned about proving it is secure."

I agree - I tried using the analogy that if I was a mechanic instead and
had 14 years of working on cars and a car drove past me with the engine
making clanking sounds, blue smoke everywhere and leaking oil, chances are
it's probably got an engine issue, either that or it's fine and just a
honeypot. I can't say that the internal guts are insecure, but based on
doing this type of testing for years and years, there are many more
symptomatic problems out under the hood. I could be wrong, but I would be
blown away if everything looked great on the inside.

That's why I grabbed 7 other security folks to provide their opinion on it,
most are application security folks and do this as a profession - same
conclusion. Regardless, I have to say that I'm pretty finished on the
politics stuff - at least for now. I'm not a political person, I stay away
from it as a practice. I was hoping that it would be a focus on bringing
awareness and light to a pretty bad situation. It's such a
hostile environment where folks are more bent on winning their political
views than it is about doing the right thing. Unfortunate but the world we
live in.

All good points Brandon - appreciate the responses.

-Dave




On Sun, Jan 26, 2014 at 11:39 PM, Brandon Perry
<bperry.volatile () gmail com> wrote:

So, here are the problems I have with both sides of this debate right now.
I wouldn't normally play along with politics like this, but it's a nice
Sunday afternoon, and I am feeling saucy.

I post this in an open forum because I believe this debate is useful in an
open forum and I don't believe that Dave should be going up against
polidiots in Congress alone.

Let's think about what is happening. Our claim is that healthcare.gov is
insecure. We are the ones making that claim, and so the burden of proof
is on us. They have effectively proven that they had some sort of pen tests
done (who knows the scope, or how much risk was simply "accepted").
However, the only way to prove that the website is truly insecure is to
break the law. They know this (and let's not forget there is extreme bias
here). You need to look at this from the point of view of the people you
are trying to convince.

I hate this term "passive reconnaissance" because the people you are
trying to convince have *no* idea what this means. You are either using the
website in the way it was intended or you are not (their POV, not mine).
That paints a black and white picture that could fall under the CFAA. In
fact, passive recon sounds like something the NSA does to collect metadata.
Just saying.

Krush obviously has no idea how software development works. Yes, let's
build honeypots into our extremely time-crunched multi-million dollar web
application instead of actually building security measures in. That makes
perfect sense. However, he is playing the political game that Dave is not.
He knows exactly who his audience is, and plays straight into their hand. He
is telling them anything vaguely technical that backs up the story that
everything is secure. And you can't prove that what he is saying isn't true.

The fact that no "real" data is stored permanently (a point that both the
Congress people and Krush make repeatedly) is no point at all. TJX and
Target both had all their data stolen in transit (memory scanning malware).
Neiman Marcus and Michaels are now likely in that boat as well. This is the
perfect time to refute their point since it is fresh on everyone's mind.
Any data existing on those servers at any given point in time should be
considered at risk.

There needs to be a solid story on the 70,000 number. Is there source code
available for these scripts? Dave is going to get clobbered on this if he
can't show exactly what this means. Anyone that is technical probably
understands what is happening, but to anyone who doesn't know what an HTTP
request is, the explanations are very soft and confusing (most media
outlets?). This doesn't work in favor of the arguments because it makes it
seem like something is being hidden.

In the end, this is a political problem. Not a technical problem. You can
throw out hard numbers (hell, they might even be correct), and they can put
words in your mouth and twist what you say to discredit you and you lose.
Politicking is all about 10 second sound bites. That is their game right
now. Not to prove Dave wrong, but to discredit him.

Let's recap: we can't prove the website is insecure without breaking the
law, and our politichildren are not concerned about proving it is secure.
They probably don't even know what "secure" means when it comes to
technical systems like healthcare.gov. I believe Dave is approaching this
as a technical problem, when this is actually a political problem.

For the hell of it, I will drop a Reaganism[1]: Trust, but verify. We are
effectively being told "trust us, it is secure". We should be saying,
"Fine, we trust you. Let us verify". Our tax dollars built the system.
Maybe we should be allowed to view the source code.

I don't really expect any replies, but I love to eat crow. Feel free to
teach me something.

/me grabs some popcorn


[1]. I believe Reagan stole this from the Russians.


On Sun, Jan 26, 2014 at 3:03 PM, David Kennedy <davek () derbycon com> wrote:

As long as it involves the death star creation we may have a chance..
On Jan 26, 2014 9:57 PM, "Brandon Perry" <bperry.volatile () gmail com>
wrote:

I think the only way to solve this debate is a Celebrity
Deathmatch-style stand off.

I will get the petition ready on https://wwws.whitehouse.gov/petitions.
Stay tuned.


On Fri, Jan 24, 2014 at 9:05 AM, David Kennedy <davek () derbycon com> wrote:

Yoooo, what's up. This dude is crazy and probably Waylon Krush (can't
confirm that). He's been tweeting each news organization in an attempt to
throw a bunch of crap out there. Make your own determination, but I'm not
the only one that's found it. First it was I absolutely had access to 70k
and I'm the next Weev and should be arrested, now it's I've morphed myself
into a media whore. Regardless, when it's fixed, I'll post as I've always
said. Even did a full writeup and updates explaining everything:


https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/

Dude keeps changing and morphing the story into a bunch of different
things and changing the story. Happy to explain whenever and I'm not the
only one who came to the same damn conclusion, 7 others did as well that
were under NDA.

Make your own determination, I've always done things on ethics and
being up front, not hiding in the shadows and claiming insane things behind
cloak and daggers.

-Dave


truthinallthings () hushmail me via lists.grok.org.uk Jan 22 (2 days ago)
to root, full-disclosure This site is making waves on twitter:
http://70000in4mins.wordpress.com/ So what say you? Has our dear sweet
Lord of the SET hacked healthcare.gov? <http://healthcare.gov/?> Or
did he lie about what is really going on to get close to his heroes at Fox
News? Has the spotlight turned him into another Gregory Evans? Desperate
and willing to do anything for his next hit of the spotlight? Or did he
find a way to have Google let him do 70,000 searches in four mins like he
claims?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website




--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
