As a student of cyber security, I am very interested in the
confidentiality, integrity, and availability of information in computer
networks and cyberspace. It has been my
practice for many years that when introduced to a new website, I first question
the validity of the site’s internal security and go to the extreme measure of
running various browser plug-ins to disable scripts that may be malicious. I also use disposable email accounts to
protect my identity and privacy.

Even with a .gov domain, HealthCare.gov
has a serious back-end flaw that resulted in a site-wide crash last
Sunday. It has been no surprise to me that
security experts have discovered numerous security vulnerabilities on the
besieged online health insurance exchange website. Some of these
vulnerabilities are so critical that hackers could expose the personally
identifiable information of applicants. These security flaws are due to
long-delayed security testing of the entire integrated exchange system, which
was put off while last-minute development work was done to ready the site for
launch on October 1. Most of the site’s vulnerabilities were identified by Ben
Simo, an independent researcher who found personally identifiable information
embedded both in Web addresses and in third-party sites not directly involved in
the health insurance certification process. He found that the website also
pushes personal data having nothing to do with site functionality back to
browsers. This data was in the format of a JSON file that includes most
of a user’s personal information for their account, including various unique
user IDs and their name, address, date of birth, phone number, e-mail
address, password reset code, and social security number. Even though this data
is encrypted in transit over TLS (Transport Layer Security), it is still
vulnerable to cross-site scripting attacks, because TLS protects the data only
in transit and a script injected into the page can read it in the browser. This
would essentially allow attackers to leave behind exploits
on the site that would target HealthCare.gov
users.

Prior to October 1st, the legislated mandatory go-live date,
James Kerr of Medicare Health Plan Operations submitted a statement, noting “From
a security perspective, the aspects of the system that were not tested due to
the ongoing development exposed a level of uncertainty that can be deemed as a
high risk… Although throughout the three rounds of SCA testing all of the
security controls has been tested on different versions of the system, the
security contractor has not been able to test all of the security controls in
one complete version of the system.” Based on Kerr’s statement, the Chief Operating
Officer, Michelle Snyder, signed off on his recommendations, acknowledging the
elevated security risk. Despite Michelle Snyder’s acknowledgement, it is obvious
that she did not understand where these security flaws may lead or what they
could expose. According to Ben Simo, “I get the impression they weren't thinking
about security as they designed these pieces of the site.” From my perspective,
all initial designs must first begin with security at their core to ensure a
sound and strong design that is robust against most attackers. This hasn’t been done for HealthCare.gov.
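
The following is an added example, not code from this post or from HealthCare.gov: a test-time check for the two exposures attributed to Ben Simo above, personal data in a JSON response that the page does not need and personal data embedded in Web addresses. The field names, allowlist, URL, and sample data are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed naming conventions for sensitive fields; tune for the real schema.
SENSITIVE_KEY = re.compile(r"ssn|social|birth|dob|reset|password|phone|address|email", re.I)
SSN_VALUE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def looks_personal(name, value):
    """True if the field name or the string value looks like personal data."""
    by_value = isinstance(value, str) and (SSN_VALUE.match(value) or EMAIL_VALUE.match(value))
    return bool(SENSITIVE_KEY.search(name) or by_value)

def audit_json(body, allowed):
    """Return dotted paths of personal-data fields the view did not allowlist."""
    findings = set()
    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for child in node:
                walk(child, path + "[]")
        elif looks_personal(path.rsplit(".", 1)[-1], node) and path not in allowed:
            findings.add(path)
    walk(json.loads(body), "")
    return sorted(findings)

def audit_url(url):
    """Return query parameter names that carry personal data in the address."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in query if looks_personal(name, value)]

# Constructed sample data: a profile response and a URL, not captured traffic.
SAMPLE_RESPONSE = json.dumps({
    "userId": "u-1001",
    "displayName": "Pat Example",
    "profile": {"dateOfBirth": "1970-01-01", "ssn": "000-00-0000",
                "emailAddress": "pat@example.test", "phone": "555-0100"},
    "passwordResetCode": "CONSTRUCTED-RESET-CODE",
    "contacts": [{"note": "pat@example.test"}],
})
SAMPLE_URL = "https://exchange.example.test/plans?state=AZ&user=pat%40example.test&dob=1970-01-01"
ALLOWED_FOR_VIEW = {"profile.emailAddress"}  # the only field this view renders

if __name__ == "__main__":
    print(audit_json(SAMPLE_RESPONSE, ALLOWED_FOR_VIEW))
    print(audit_url(SAMPLE_URL))
```

Run as part of an integration test suite, a non-empty result from either function fails the build until the response is trimmed to what the page renders or the parameter is moved out of the URL.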