Category: breach analysis

Security Lessons from Healthcare.gov

There’s a great “long read” at CIO, “6 Software Development Lessons From Healthcare.gov’s Failed Launch.” It opens:

This article tries to go further than the typical coverage of Healthcare.gov. The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is coming out. Writing this piece requires some archeology: Going over facts and looking for inconsistencies to assemble the best information about what’s happened and pinpoint six lessons we might learn from it.

There’s a lot there, and I liked it even before lesson 6 (“Threat Modeling Matters”). Open analysis is generally better.

There’s a question of why this has to be done by someone like Matthew Heusser. No disrespect is intended, but why isn’t Healthcare.gov performing these analyses and sharing them? Part of the problem is that we live in an “outrage world” where it’s easier to point fingers and giggle in 140 characters and hurt people’s lives or careers than it is to make a positive contribution.

It would be great to see project analyses and attempts to learn from more projects that go sideways. But it would also be great to see these for security failures. As I asked in “What Happened At OPM,” we have these major hacks, and we learn nothing at all from them. (Or worse, we learn bad lessons, such as “don’t go looking for breaches.”)

The definition of insanity is doing the same thing over and over and hoping for different results. (Which may includes asking the same question or writing the same blog post over and over, which is why I’m starting a company to improve security effectiveness.)

What Happened At OPM?

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances must be feeling. The form is designed as an (inverted) roadmap to suborning people, and now all that data is in the hands of a foreign intelligence service.

The National Journal published A Timeline of Government Data Breaches:
OPM Data Breach

I asked after the root cause, and Rich Bejtlich responded “The root cause is a focus on locking doors and windows while intruders are still in the house” with a pointer to his “Continuous Diagnostic Monitoring Does Not Detect Hackers.”

And while I agree with Richard’s point in that post, I don’t think that’s the root cause. When I think about root cause, I think about approaches like Five Whys or Ishikawa. If we apply this sort of approach then we can ask, “Why were foreigners able to download the OPM database?” There are numerous paths that we might take, for example:

  1. Because of a lack of two-factor authentication (2FA)
  2. Why? Because some critical systems at OPM don’t support 2FA.
  3. Why? Because of a lack of budget for upgrades & testing (etc)

Alternately, we might go down a variety of paths based on the Inspector General Report. We might consider Richard’s point:

  1. A focus on locking doors and windows while intruders are still in the house.
  2. Why? Because someone there knows how to lock doors and windows.
  3. Why? Because lots of organizations hire out of government agencies.
  4. Why? Because they pay better
  5. [Alternate] Employees don’t like the clearance process

But we can go down alternate paths:

  1. A focus on locking doors and windows while intruders are still in the house.
  2. Why? Because finding intruders in the house is hard, and people often miss those stealthy attackers.
  3. Why? Because networks are chaotic and change frequently
  4. [Alternate] Because not enough people publish lists of IoCs, so defenders don’t know what to look for.

What I’d really like to see are specific technical facts laid out. (Or heck, if the facts are unknowable because logs rotated or attackers deleted them, or we don’t even know why we can’t know, let’s talk about that, and learn from it.)

OPM and Katherine Archuleta have already been penalized. Let’s learn things beyond dates. Let’s put the facts out there, or, as I quoted in my last post we “should declare the causes which impel them to the separation”, or “let Facts be submitted to a candid world.” Once we have facts about the causes, we can perform deeper root cause analysis.

I don’t think that the OIG report contains those causes. Each of those audit failings might play one of several roles. The failing might have been causal, and fixing it would have stopped the attack. The failing might have been casual and the attacker would have worked around it. The failing might be irrelevant (for example, I’ve rarely seen an authorization to operate prevent an attack, unless you fold it up very small and glue it into a USB port). The failings might even have been distracting, taking attention away from other work that might have prevented the attack.

A collection of public facts would enable us to have a discussion about those possibilities. We could have a meta-conversation about those categorizations of failings, and if there’s other ones which make more sense.

Alternately, we can keep going the way we’re going.

So. What happened at OPM?

California gets a strengthened Breach Notification Law

Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger.

As described[.DOC] by its sponsor’s office, this law:

  • Establishes standard, core content — such as the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies — for security breach notices in California;
  • Requires public agencies, businesses, and persons subject to California’s security breach notification law, if more than 500 California residents are affected by a single breach, to send an electronic copy of the breach notification to the Attorney General; and,
  • Requires public agencies, businesses and persons subject to California’s security breach notification law, if they are utilizing the substitute notice provisions in current law, to also provide that notification to the Office of Information Security or the Office of Privacy Protection, as applicable.

    • senatorsimitian.com

    This makes California the fifteenth (!) state with a central notification provision on the books, the others being: Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming. Puerto Rico also has such a requirement. Ibid.

    I’m looking forward to the resulting information, and I hope California’s Attorney General has the good sense to post all received notification letters. This will undoubtedly be easier for the state than dealing with the inevitable FOIA requests, and serves the public interest by increasing transparency.

    J.C. Penny knew best

    JC Penney, Wet Seal: Gonzalez Mystery Merchants

    JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JCPenney chain was one of Gonzalez’s victims, even though JCPenney’s media representatives were denying it.

    and

    [The judge said] both retailers should have announced their involvement from the start, that consumers had the right to know. He said he would not provide the companies “insulation from transparency.” The judge stressed that the companies were seeking privacy as though they were individual victims, which he said was like “hermaphroditing a business corporation.”

    Wired picked up the story and wrote:

    It’s a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor. For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security — a kind of omerta among intruders, the companies they hack and the feds, where only the public is left in the dark. To be sure, it’s never been set in stone, and not all feds have played ball. But it’s a common practice, and it corrodes accountability.

    Biggest Breach Ever

    Precision blogging gets the scoop:

    You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source of the leak is unclear. It may have come from a renegade reindeer, or it could be the work of a clever programmer in the Ukraine. Either way, it’s a terrible black eye for Santa. Arweena promised that in the future, access to this database would be restricted on a “need to know” basis. And you know who that means!

    Let’s see if customers really change their behavior. I know which way I’m betting.

    Connecticut Attorney General On The March

    It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut.

    Connecticut’s attorney general said Monday that he’s investigating insurer Blue Cross Blue Shield’s loss of confidential information about health care providers, which was on an employee’s stolen laptop computer.
    Richard Blumenthal said Monday that the company and its affiliates may have broken state law by losing the information and taking too long to notify doctors.

    And if that wasn’t enough, Health Net lost Information for 450,000 Connecticut residents.

    Blumenthal said he’s “outraged” that the company never told customers or police and only told the AG on Wednesday.
    Blumenthal is investigating and demanding that Health Net provide consumers with at least two years of identity theft protection, identity theft insurance, reimbursement for credit freezes and credit monitoring for at least two years for all 446,000 consumers.

    I wonder how many other State AGs are investigating Health Net at this point. There were a total of 1.5 million records lost at least count.
    At bare minimum Arizona’s AG is also investigating.

    Health Net officials said they were not able to determine which information was on the disk, so they investigated and learned the information was saved in an image format that cannot be read without special software.

    So anyone have any clue what this supposed image format is? And what makes them think that someone who was smart enough to grab that drive wasn’t smart enough to grab a copy of the software? Assuming of course that wasn’t just all in pdf…

    New on SSRN

    There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33.

    Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,”

    Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.

    Michael Froomkin has posted a draft of “Government Data Breaches.”

    This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation.

    Social Security Numbers are Worthless as Authenticators

    The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.

    The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.

    “My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”

    So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”

    We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.

    My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”

    For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.

    Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.

    The Punch Line Goes at the End

    The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. Risky.biz gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the style of a slot machine.

    According to reports, the manufacturer of the ATM pressured Jack’s employer, Juniper, to pressure him to withdraw the talk.

    I certainly roll my eyes at this. It doesn’t do a lot of good to pressure someone to withdraw their talk.

    But even more so, if you’re giving a talk, it behooves you to save the showmanship for the stage. I mean, come on.

    Last year, the big cancellation was the team of MIT students who broke the Boston MBTA Charlie Card system. There was a legal injunction put against them that spoilt their presentation. The fault, in my opinion went to them for naming their talk, “How To Get Free Subway Rides For Life.”

    Imagine that you are a judge who is interrupted from an otherwise pleasant Saturday by panicky people who want an injunction against a talk with such a dramatic name, you’ll at least listen to them. You decide that sure, no harm to society will come from an injunction from Saturday ’til Monday, and you’d be right. No harm came to society, DefCon was merely a little less interesting.

    Now imagine that you are the same judge and you’re asked for an injunction against the talk, “A Practical Cryptanalysis of the Mifare Chip as Implemented in the MBTA.” That one can wait until Monday, and the talk goes on.

    In a similar gedanken experiment, imagine that you are the VP of Corporate Communications for the XYZ ATM Corp. You learn that in a few weeks, someone is going to do “ATM Jackpot” with one of your ATMs in some show in Vegas. Despite the fact that someone else in the company approved it, what do you? You pressure them to cancel. Duh. If you don’t, then you’re going to spend most of August reassuring people about your products, your boss is going to be really ticked at you (after all, isn’t it the job of Corporate Communications to control these things?), and it’s just going to be no fun. This is also why you’re paid the big bucks, to make embarrassments go away.

    This is why if you are a researcher, you do not name your talk, “ATM Jackpot” you name it “Penetration Testing of Standalone Financial Services Systems.” It is only on stage that you fire up the flashing lights and clanging bells and make the ATM spit out C-notes for minutes on end. That would get you all the publicity for your talk that you want, and you actually get to give it.

    Remember, do as I say, not as I do. If you have a flashy Black Hat talk, put the punch line at the end of the joke.

    "No Evidence" and Breach Notice

    According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

    Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.

    and

    We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

    I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

    As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionaly, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.