Huh. Imagine that.
Yeah, yeah, I know; a test server for Healthcare.Gov was successfully hacked into recently; no sensitive data was stolen, but Security was Breached, etc etc etc.
No, I'm not shrugging the incident off. I'm the one who called Hawaii's state exchange website out for taking over a week to resolve their own Heartbleed SSL vulnerability last spring. Yes, security is very important, especially with personal financial, medical and citizenship data. Hopefully the HHS techies are eliminating vulnerabilities, beefing up security and so forth.
I'm swamped with my day job at the moment, so I don't have a whole lot to add to the discussion at the moment...
HOWEVER, this line from GOP Rep. Diane Black in Avik Roy's latest ACA attack at Forbes.com literally made me laugh out loud:
Rep. Diane Black (R., Tenn.), who has been on top of this problem for a long time, warned in January in these pages that “the dangerous reality is that when it comes to protecting Americans’ personal information from data breaches and hacks, the federal exchange is not playing by the same rules as private businesses.”
I was going to run a bunch of Google searches to bring up a list of private business data breaches and hacks of Americans' personal information, but thankfully, an enterprising journalist has already done so for me.
In fact, they did this just 2 days ago.
In fact, they posted the list...at Forbes.com:
Headline: "Critical Flaw at HC.gov!!" Article: "Blocked by System Defenses"
Pop Quiz: You're writing (or editing) a news story about a GAO report regarding the security situation at Healthcare.Gov. Which of these passages from the article do you choose for your big, bold-faced headline?
- A: "The hackers from the inspector general's office found one "critical" vulnerability during their security scans of the website, described as a flaw that would enable an attacker take over the system and execute commands, or download and modify information."
- B: "So-called "white hat" or ethical hackers from the inspector general's office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses."
- C: "The inspector general found that the administration "has taken actions to lower the security risks associated with HealthCare.gov systems and consumer (personal information)."
- D: "the office said that when its technical experts attempted to mimic what a malicious hacker might try next, they were blocked by the system's defenses.
- F: "Specific descriptions of the flaws were not released, but apparently none has been exploited by hackers. "Not all vulnerabilities lead to security breaches," the report said."
- F: "We have not had any malicious attacks on the site that have resulted in personal identification being stolen," Tavenner told Congress last week."
If you chose A), congratulations!
OK, seriously, the article itself is actually reasonably even-handed, reporting both the security concerns as well as the strengths, but the headline still reads simply ""Critical" flaw found in HealthCare.gov security.
How many people do you think will read the actual article instead of just the headline?
AP's NEW "HC.gov Security Flaws" story attacks problems FIXED UP TO A YEAR AGO.
Last night I posted what seemed, at first, to be a merely-amusing (if a bit depressing) story about a Florida news station website accidentally (?)reposting a year-old AP newswire story about potential security vulnerabilities at Healthcare.Gov:
...Yep, as it turned out, WTSP in Florida messed up by reposting a year-old story (and yes, it's still posted as of 2:30pm Friday afternoon), but not an earth-shattering development.
As I noted in an update, it turns out the reason why WTSP probably posted this story is because of a different, brand-new AP newswire story, also about security issues at Healthcare.Gov reported by the Inspector General,which was just posted yesterday. Presumably a WTSP staffer confused the year-old story for the new one and republished the wrong one.
HOWEVER, as Martin brought to my attention, it turns out that the new AP story is still about the exact same 2014 report...regarding potential security flaws/issues which appear to have been resolved MONTHS ago.
...So, to review:
- 1. In August 2014, the IG begins an audit/security testing of Healthcare.Gov
- 2. In September 2014, the IG reports their initial list of security concerns/recommendations to the CMS division.
- 3. The AP runs a story on the initial (draft) IG report, with a highly misleading "Critical Flaw!!" headline which doesn't match the actual story content (blocked by system defenses).
- 4. CMS resolves the more serious problems reported by the IG within 1 week of the draft report (no later than September 30th, 2014).
- 5. The IG continues to run their audit until December 2014. Meanwhile, CMS continues to implement the rest of the IG's lower-priority recommendations.
- 6. The IG confirms that CMS has indeed implemented every one of their recommendations.
- 7. One year later, in September 2015, the IG finally issues their final report...which clearly states that the audit in the report was conducted from August - December 2014, and which also clearly states that every one of the issues they reported had since been rectified, with the serious ones having been fixed nearly a year earlier.
- 8. The AP runs a new story with another Scary, Misleading Headline, claiming "Slipshod Cybersecurity at Healthcare.Gov"
- 9. FOX News and other right-wing propaganda outfits pounce all over the "new" story just 5 weeks before Open Enrollment 2016 kicks off.
(Oh, and by the way, the WTSP website still has the same completely flawed, misleading article posted on their site as of today, 9 months later)
OK, so why am I bringing all of this up today? Check this out:
Audit Finds Consumer Services Websites Have Best Security and Privacy Policies
Tue, Jun 14, 2016
Twitter and HealthCare.gov score highest in OTA’s analysis of 1,000 consumer websites
BELLEVUE, Wash. – The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, announced today the results of its 2016 Online Trust Audit & Honor Roll—the de facto standard for recognizing excellence in consumer protection, data security and responsible privacy practices for the world’s top companies.
OTA’s 8th annual Online Trust Audit & Honor Roll of approximately 1,000 consumer-facing websites revealed that 50 percent of analyzed websites qualified for the Honor Roll, a six percent improvement over 2015. The consumer services category scored the highest with 72 percent earning an Honor Roll designation. OTA considers consumer services any website that requires consumers to create an online account such as social media, file sharing or dating. The news & media category scored lowest with 23 percent making the Honor Roll, although this is a 300 percent improvement over their score in 2015.
“OTA congratulates all Honor Roll recipients who have demonstrated excellence and leadership in consumer protection,” said Craig Spiezle, executive director of the Online Trust Alliance. “It’s evident that many companies have moved beyond compliance, and are adopting meaningful self-regulation and data-stewardship practices. However, it is imperative that organizations double-down on security and privacy measures in this age of high-profile data breaches in order to maintain consumer trust and confidence.”
2016 Online Trust Audit Virtual Press Room
Top Ten Scoring Websites in Consumer Protection, Data Security & Privacy
The ten highest-scoring sites cover a wide range of industries from social media to online services, government and retail. They are:
- Twitter (twitter.com)
- HealthCare.gov (healthcare.gov)
- Pinterest (pinterest.com)
- The White House (whitehouse.gov)
- Dropbox (dropbox.com)
- FileYourTaxes (fileyourtaxes.com)
- LifeLock (lifelock.com)
- Instagram (instagram.com)
- 1040.com (1040.com)
- The Gap (gap.com)
“Security and privacy remain the bedrock of consumer trust. As the overall top scorer in OTA’s Online Trust Audit & Honor Roll, Twitter is honored to be recognized for our efforts,” said Twitter Trust & Information Security Officer, Michael Coates. “These best practices of our users’ data are critical for the long-term health and future innovation of the Internet. We are committed to build on our collaboration between the public and sectors in driving their adoption.”
Arranged in descending order from best to worst performing industries:
...Government: 46 percent of audited U.S. federal government sites made the Honor Roll. Most failures in this category were due to inadequate adoption of email authentication standards. The top scorers were: 1) HealthCare.gov, 2) the White House, 3) the Federal Trade Commission, 4) the Social Security Administration, 5) the U.S. Postal Service.
To qualify for Honor Roll status, an organization must receive a composite score of 80 percent or better and a score of at least 55 percent in each category. Failing any one category will automatically cause a company to fail overall.
That's right--according to the Online Trust Alliance, HealthCare.Gov is actually the 2nd most secure major online consumer service website in the country...more secure than then Dropbox or, amusingly, LifeLock.com.
Of course, as Adam Cancryn just noted, the irony here is that just a week or so ago, it was reported that up to 32 million Twitter accounts had been hacked...although Ars Technica questions whether that's the case or not:
...The post claimed that the 32.88 million Twitter credentials contain plaintext passwords and that of the 15 records LeakedSource members checked, all 15 were found to be valid. Twitter Trust and Info Security Officer Michael Coates has said his team investigated the list, and he remains "confident that our systems have not been breached."
Lending credibility to Coates's claim, Twitter has long used the bcrypt hash function to store hashes. Bcrypt hashes are so slow and computationally costly to crack that it would have required infeasible amounts of time and effort for anyone to decipher the underlying plaintext. As of press time, there were no reports of a mass reset of Twitter users' passwords, either.
Eliminating the possibility that Twitter's network has been hacked, LeakedSource speculated that tens of millions of people were infected by malware that sent every username and password saved in the victims' browser to servers under the attackers' control. This scenario is possible, but it still seems unlikely that all 32 million of the passwords in the dump are valid.
...But unless more details become available in the coming hours, Twitter users need not change their passwords. That said, anyone who hasn't signed up for two-factor authentication on the service should strongly consider doing so now.
The point here isn't to either bash or defend Twitter in particular. Security breaches are always a threat to any website, and as I noted in the first story I linked to in this post, private and public websites which contain sensitive financial or personal data are both likely targets for hackers. HC.gov can't rest on their laurels; constant vigilance is always necessary. However, for all the hand-wringing over the security of the personal data at HealthCare.Gov in the ugly early days, it sounds like they're doing pretty damned well on that front these days.