
List:       full-disclosure
Subject:    Re: [Full-disclosure] Making waves on Twitter!
From:       David Kennedy <davek () derbycon ! com>
Date:       2014-01-27 8:08:15
Message-ID: CAKiK1Sio2dbxhSb1_cgnpuYW8hkqsGjwq6oxtgrEDD0eyejnAA () mail ! gmail ! com

Good points on all of those. I've been trying to keep it on track as a
security issue and I think it is actually getting there. I had a
conversation with the CISO over HHS, which just took over the
infrastructure. He seems pretty awesome and wants to do the right things
to get the things addressed and wants to understand them all. So on that
front, I think it's gotten the light it needed to change. My hope
was that it would be not just hc.gov but the federal government as a whole.
FISMA + 800-53 != security in any shape or form and we're seeing the
ramifications of that now on an entire federal/state level. FISMA has
messed us up for the next 10 years to come. Instead of proactive type
solutions, it's "how do we get the check box and skirt around the NIST
guidelines" - same thing goes for any other regulatory/compliance standard -
SOX/PCI no different.

I may have been too ambitious to think we could change the larger problem
as it became a political show instead of a focus on security. Regardless
- lots of good done on that front and lots of things have changed since the
last testimony.

Regarding the script, it's an embarrassing urllib2 request - happy to
release it as soon as it's fixed (still open as far as I know). Ticket #s
have been submitted to the devs.

On the getting blasted front - it's actually been quite light except for
Waylon/NoBiasInfosec crazy talk. For the most part, it's been received well
and it seems like a lot of folks are interested in addressing it. To the point "Let's
recap: we can't prove the website is insecure without breaking the law, and
our politichildren are not concerned about proving it is secure."

I agree - I tried using the analogy that if I was a mechanic instead and
had 14 years of working on cars and a car drove past me with the engine
making clanking sounds, blue smoke everywhere and leaking oil, chances are
it's probably got an engine issue, either that or it's fine and just a
honeypot. I can't say that the internal guts are insecure, but based on
doing this type of testing for years and years, there are many more
symptomatic problems out under the hood. I could be wrong, but I would be
blown away if everything looked great on the inside.

That's why I grabbed 7 other security folks to provide their opinion on it,
most are application security folks and do this as a profession - same
conclusion. Regardless, I have to say that I'm pretty finished on the
politics stuff - at least for now. I'm not a political person, I stay away
from it as a practice. I was hoping that it would be a focus on bringing
awareness and light to a pretty bad situation. It's such a
hostile environment where folks are more bent on winning their political
views than it is about doing the right thing. Unfortunate but the world we
live in.

All good points Brandon - appreciate the responses.

-Dave




On Sun, Jan 26, 2014 at 11:39 PM, Brandon Perry
<bperry.volatile@gmail.com> wrote:

> So, here are the problems I have with both sides of this debate right now.
> I wouldn't normally play along with politics like this, but it's a nice
> Sunday afternoon, and I am feeling saucy.
>
> I post this in an open forum because I believe this debate is useful in an
> open forum and I don't believe that Dave should be going up against
> polidiots in Congress alone.
>
> Let's think about what is happening. Our claim is that healthcare.gov is
> insecure. We are the ones making that claim, and so the burden of proof
> is on us. They have effectively proven that they had some sort of pen tests
> done (who knows the scope, or how much risk was simply "accepted").
> However, the only way to prove that the website is truly insecure is to
> break the law. They know this (and let's not forget there is extreme bias
> here). You need to look at this from the point of view of the people you
> are trying to convince.
>
> I hate this term "passive reconnaissance" because the people you are
> trying to convince have *no* idea what this means. You are either using the
> website in the way it was intended or you are not (their POV, not mine).
> That paints a black and white picture that could fall under the CFAA. In
> fact, passive recon sounds like something the NSA does to collect metadata.
> Just saying.
>
> Krush obviously has no idea how software development works. Yes, let's
> build honeypots into our extremely time-crunched multi-million dollar web
> application instead of actually building security measures in. That makes
> perfect sense. However, he is playing the political game that Dave is not.
> He knows exactly who his audience is, and plays straight into their hand. He
> is telling them anything vaguely technical that backs up the story that
> everything is secure. And you can't prove that what he is saying isn't true.
>
> The fact that no "real" data is stored permanently (a point that both the
> Congress people and Krush make repeatedly) is no point at all. TJX and
> Target both had all their data stolen in transit (memory scanning malware).
> Neiman Marcus and Michaels are now likely in that boat as well. This is the
> perfect time to refute their point since it is fresh on everyone's mind.
> Any data existing on those servers at any given point in time should be
> considered at risk.
>
> There needs to be a solid story on the 70,000 number. Is there source code
> available for these scripts? Dave is going to get clobbered on this if he
> can't show exactly what this means. Anyone that is technical probably
> understands what is happening, but to anyone who doesn't know what an HTTP
> request is, the explanations are very soft and confusing (most media
> outlets?). This doesn't work in favor of the arguments because it makes it
> seem like something is being hidden.
>
> In the end, this is a political problem. Not a technical problem. You can
> throw out hard numbers (hell, they might even be correct), and they can put
> words in your mouth and twist what you say to discredit you and you lose.
> Politicking is all about 10 second sound bites. That is their game right
> now. Not to prove Dave wrong, but to discredit him.
>
> Let's recap: we can't prove the website is insecure without breaking the
> law, and our politichildren are not concerned about proving it is secure.
> They probably don't even know what "secure" means when it comes to
> technical systems like healthcare.gov. I believe Dave is approaching this
> as a technical problem, when this is actually a political problem.
>
> For the hell of it, I will drop a Reaganism[1]: Trust, but verify. We are
> effectively being told "trust us, it is secure". We should be saying,
> "Fine, we trust you. Let us verify". Our tax dollars built the system.
> Maybe we should be allowed to view the source code.
>
> I don't really expect any replies, but I love to eat crow. Feel free to
> teach me something.
>
> /me grabs some popcorn
>
>
> [1]. I believe Reagan stole this from the Russians.
>
>
> On Sun, Jan 26, 2014 at 3:03 PM, David Kennedy <davek@derbycon.com> wrote:
>
>> As long as it involves the Death Star creation we may have a chance..
>> On Jan 26, 2014 9:57 PM, "Brandon Perry" <bperry.volatile@gmail.com>
>> wrote:
>>
>>> I think the only way to solve this debate is a Celebrity
>>> Deathmatch-style standoff.
>>>
>>> I will get the petition ready on https://wwws.whitehouse.gov/petitions.
>>> Stay tuned.
>>>
>>>
>>> On Fri, Jan 24, 2014 at 9:05 AM, David Kennedy <davek@derbycon.com> wrote:
>>>
>>>> Yoooo, what's up. This dude is crazy and probably Waylon Krush (can't
>>>> confirm that). He's been tweeting each news organization in an attempt to
>>>> throw a bunch of crap out there. Make your own determination, but I'm not
>>>> the only one that's found it. First it was I absolutely had access to 70k
>>>> and I'm the next Weev and should be arrested, now it's I've morphed myself
>>>> into a media whore. Regardless, when it's fixed, I'll post as I've always
>>>> said. Even did a full writeup and updates explaining everything:
>>>>
>>>>
>>>> https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/
>>>>
>>>> Dude keeps changing and morphing the story into a bunch of different
>>>> things and changing the story. Happy to explain whenever and I'm not the
>>>> only one who came to the same damn conclusion, 7 others did as well that
>>>> were under NDA.
>>>>
>>>> Make your own determination, I've always done things on ethics and
>>>> being up front, not hiding in the shadows and claiming insane things behind
>>>> cloak and daggers.
>>>>
>>>> -Dave
>>>>
>>>>
>>>> truthinallthings@hushmail.me via lists.grok.org.uk Jan 22 (2 days ago)
>>>> to root, full-disclosure
>>>>
>>>> This site is making waves on twitter:
>>>> http://70000in4mins.wordpress.com/ So what say you? Has our dear sweet
>>>> Lord of the SET hacked healthcare.gov? <http://healthcare.gov/?> Or
>>>> did he lie about what is really going on to get close to his heroes at Fox
>>>> News? Has the spotlight turned him into another Gregory Evans? Desperate
>>>> and willing to do anything for his next hit of the spotlight? Or did he
>>>> find a way to have Google let him do 70,000 searches in four mins like he
>>>> claims?
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>>
>>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>



