Security by Obscurity at Healthcare.gov Site

The White House is refusing to release details about the security of healthcare.gov because it might help hackers. What this really means is that the security details would embarrass the White House.

Posted on August 26, 2014 at 6:21 AM • 35 Comments

Comments

Kenny • August 26, 2014 7:10 AM

I expect more from you Bruce. The article is some sort of propaganda piece not focused on security but attempting to cast some ill repute on healthcare.gov. While security through obscurity as a sole mechanism is not recommended, it is a useful layer in defence in depth. Having the potential attackers have to perform reconnaissance is an opportunity for a security mechanism to detect and react to them.

Tom • August 26, 2014 7:29 AM

I don't believe your assertion that failure to release security details automatically means the details are embarrassing.

Jeff • August 26, 2014 7:38 AM

"If they're deploying security right, merely telling the world what they're doing wouldn't increase the risk."

Jakub Narębski • August 26, 2014 8:01 AM

Situation with explaining how site security is done is similar to the situation with encryption. What keeps site secure, what keeps encryption secure, is "key" - small bits that are kept secret, and are easy to change if compromised. Without description of general setup, without the name of algorithm, we the people have to trust the operator that the site is secure... which given experience that operators say that the site is secure even though it isn't ("there is padlock icon so it is secure", "passwords are decrypted only to send them in plain text email, otherwise they are encrypted", etc.)...

The Last Stand of Frej • August 26, 2014 8:23 AM

I don't know about this assertion. As security practitioners we all know there's no 100% secure system unless it's powered off and in a locked safe. Like the Lifelock thing and several other examples since, declaring that you're secure, or publishing your security strategy, only invites more attention from miscreants who'd like to make a name for themselves. I think whitehouse.gov is doing a smart thing here by just not making themselves any more of a target than they presumably already are.

wiredog • August 26, 2014 9:28 AM

I think you're getting a touch of Obama Derangement Syndrome... Not unlike Bush Derangement Syndrome.

Wm • August 26, 2014 9:42 AM

It is imperative that you consider everyone today in government and corporate business to be pathological liars.

Adam • August 26, 2014 10:04 AM

Security by obscurity by itself isn't a good way to protect a site. But at the same time, if I were asked how I implemented something by somebody who didn't need to know I wouldn't tell them either. And even if I had to tell someone through some disclosure policy I think I would be suitably vague.

Not to say the health site *is* secure, but no reason to give a potential attacker any help in avoiding detection or knowing of potential weaknesses.

AdamM • August 26, 2014 10:21 AM

This article is only a couple sentences and it's propaganda? He's relaying his opinion.

In this case the ASA is not starting off with a 'trust it until given reason not to mentality'. The site opened rife with security and functionality problems. I think it only fair that the government release some details of what they have done to resolve the issues. If none of the details can be released without compromising the security of the site then I agree with Bruce that it is all a façade and they just did their best to hide existing vulnerabilities instead of fixing them.

Ben • August 26, 2014 10:33 AM

I agree that security by obscurity is unwise in the long run, but the blurb is a bit inaccurate: it was the Centers for Medicare and Medicaid Services that denied the FOIA request.

Lisa • August 26, 2014 10:55 AM

The article references a System Security Plan which should contain the IP addresses of the network devices, including servers, routers, etc. as well as the operating systems, software, how often vulnerabilities are remediated, and other important details. In general, these SSPs are marked FOUO (or CUI - Controlled Unclassified Information). I would have been surprised if any agency on any system would release an SSP to the public.

mud man • August 26, 2014 12:06 PM

It's "the techies"? Surely not. It's about paranoia, which implies that it's not about security, it's about control.

anonymous • August 26, 2014 1:24 PM

Who knows the punch line to the two people being chased by the bear and one stops to put on tennis shoes? Unlisted IP address falls into that category.

Anura • August 26, 2014 3:28 PM

My blog has an unlisted IP, and is hosted on an air-gapped network. No one reads it for some reason.

JeffNWV • August 26, 2014 4:14 PM

Some people are pretty ideologically set against the truth. The public was promised by the White House and the Administration that healthcare.gov was safe. That has been categorically refuted by various security experts. If the site is still vulnerable to those attacks they are unwilling to share, then the site is not safe for use. Period. Stop drinking the political koolaid and see it for what it is.

Nick P • August 26, 2014 5:58 PM

"If they're deploying security right, merely telling the world what they're doing wouldn't increase the risk."

That's not true. I've argued for (and successfully used) obfuscation as an extra layer of assurance even for TLA opponents. Actually, it's especially good at those if they're attacking remotely. TLA's use it internally for black projects, too. Those that followed the security communities' recommendation that you tell people what you were using just helped the opponents get the right 0-days. And Five Eyes, Russian, and Chinese hackers tore them up across proprietary and FOSS systems. If that result is doing it "right," then I'd rather let them say I'm wrong while I help them get the malware off their systems with my [still clean] machines. ;)

re Healthcare.gov's situation

In this case, though, I agree with the author. There are many organizations that fail at security so badly that they're almost exclusively depending on obfuscation. This is what we should reserve "security through obscurity" negative label for. The failures of the Healthcare.gov roll out showed plenty of incompetence. The accountability, integration, and even basic functions were all horrible. Security is harder than these, yet a lower priority for them. So, we must expect its users are at risk and they're doing security through obscurity.

Spaceman Spiff • August 26, 2014 8:43 PM

So, given this:

"Online sources confirmed Wednesday that every piece of 34-year-old Mark O’Connell’s personal data is currently protected by a reference to the third season of long-running NBC political drama The West Wing. Reports indicate that the reference, derived from the name of a guest character in an early-season episode of the Aaron Sorkin drama that went off the air in 2006, is, at present, all that stands in the way of strangers gaining total access to intimate details of the automotive insurance agent’s personal, professional, and financial life. In particular, sources noted that the security of everything from O’Connell’s banking and credit card accounts, to proprietary documents from his work, to his social media profiles, to all of his email correspondence, rests solely on the wry nod to a scene during the Emmy-nominated episode “On The Day Before,” in which the White House staff hosts a dinner for several Nobel laureates while President Bartlet works to veto an estate tax bill. Those close to the situation, however, noted that some of O’Connell’s most sensitive information is safeguarded by a secondary layer of protection in the form of a security question about his favorite character from Sports Night."

Is Mark O'Connell's data secure?

Nick P • August 26, 2014 9:21 PM

@ Chris Abbott

"No sir you misunderstand our methods. We encrypt all data with one time pads generated by XORSHIFT-128. It's 128-bits provides incredible protection and true randomness. The seeding key is the time of day encrypted with DES + an all zero key to give opponents nothing. The NSA's Red Team said the system was a model for how all Internet services should protect users' data. And, as we all know, their near perfect track record of securing private data makes that a golden recommendation. You'll soon get the benefit as our patent-pending, military-grade protection is being standardized by NIST as I write this."

(source: Healthcare.gov's Chief Information Security Officer on condition of anonymity)

Bruce Schneier • August 27, 2014 5:37 AM

I don't think this has anything to do with Obama, or his differences from Bush, or health care, or the political debate about government-funded health care. My guess is that this is just a bureaucratic reaction to a request for information about security. Were the information all good, there would be no problem releasing it. The reason not to release it is that it reflects badly on the system. It's no different than the refusal to release details about computerized voting systems.

Bimmy Juffet • August 27, 2014 10:12 AM

I agree Bruce, this isn't about politics, it's about security. Though you seem to have ruffled the feathers of your more liberal audience lol... Personally I'm tired of parrots defending this broken political system

Name (required) • August 27, 2014 10:20 AM

@Kenny, @Tom (1st 2 comments): I don't know a great deal about security either. But at least I KNOW I don't know it.

When you don't know much, and wish to speak/comment anyway, try to find uses for question marks. The subsequent effect it would have on you would be noticeably radical, in your humble opinion.

Anura • August 27, 2014 12:57 PM

Part of the problem:

http://www.wired.com/2014/08/federal-cybersecurity-director-guilty-child-porn-charges/

If the people we appoint to "Cybersecurity Director" have bad opsec, how can we expect them to secure our systems? I mean, it's good for society that he sucks at opsec, but not really a good sign.


As for whether this indicates a problem with government, I don't think the problem is limited to it. Everywhere I worked had huge holes in security. From credit card numbers in plaintext, a lack of concern for vulnerabilities, to large numbers of contractors that need significant access to systems. I hate to say it, but I think these companies were above par. Security is hard and time consuming, and there is no incentive for most people to spend much time.

When it comes to businesses, there is an old adage: "Do it fast, do it cheap, do it right; pick two." and many businesses tend to pick the first two. It's not limited to businesses, of course; open source software can be poorly maintained and hacky, and the same exact problems can occur in government.

This is why we need to devote our resources to developing high level toolkits that minimize the surface that the average developer needs to touch. The systems should be idiot resistant to the point where the average developer does not have to be concerned about things like XSS, SQL Injection, or whatnot.

T • August 27, 2014 5:24 PM

@Kenny

Wow, I'm surprised by your response. I worked for a long time in the Healthcare field and those are the exact words I used many years ago to describe their security:
Security by Obscurity. No Security worth mentioning.

I'm not bad mouthing the field of course. I'm just saying that those who are busy providing healthcare can't always be expected to understand best data security practices. It's when we discover they are willfully avoiding security that we start to get worried.

One time I asked one of my Seniors: why don't we do better security? Aren't we in danger here?
His answer: Well, well, when it comes to healthcare everyone seems to understand that it could be their health condition one day...

Trust is important in every social endeavour, and often Trust works pretty well. It's just not always good enough.

Sigh.
T


T • August 27, 2014 5:45 PM


Here are just some of the questions I would ask:

1. Are your applications implemented such that EVERYONE in your Support zones must use a ROOT Access on servers? (sub Admin for Root if fools are using Windows servers for that now) Yes, I am Unix/Linux Biased and have no shame about that.

2. Are those Root/Admin account pw's and info available to more people than need them?

3. Are your backups encrypted when they (hopefully) travel to offsite storage?

4. Have you willfully turned off and ignored all access Auditing? If not, does anyone ever study those logs?

5. Is your internet access to all those unprotected Databases done over encrypted channels? How do you plan to keep those access points protected from bad stuff on the internet?

6. Snowden: (whom I don't hate) how do you prevent privileged users from downloading and stealing all that private data?

7. Actual history: Hospitals were off-shoring their pathology analyses to somewhere in India and Pakistan. They didn't know their contractors had subcontractors. The Subcontractors failed to pay at least one analyst, and she hijacked the data and threatened to put it on the internet if she wasn't paid her $500 or so for her months' work. DO YOU CONTRACT OUT HEALTH INFO? Got any idea of chain of custody on that?

I could go on...I just want our health care data to be very very safe and protected. I just want at least one system to work.
T

anonymous • August 28, 2014 7:04 AM

How do you know what they are not saying is good enough if they are not saying?

anon • August 31, 2014 8:57 PM

From what I've read about the system, it's quite possible that obscurity is about the only thing left that's actually protecting it.

Nick P • September 4, 2014 8:15 PM

@ Dawn

You beat me to it. I think some of the details in that article resolve some of the above discussion about whether the obscurity is to hide their excellent security processes or hide that they had none. No security it is.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.