In what federal officials believe is the first successful compromise of the HealthCare.gov insurance enrollment site, a hacker broke into the system and uploaded malicious software to the part of the site used for testing code. While the fallout is minimal in this case, the fact that it happened at all should be considered chilling, researchers said.
According to reports, the compromise happened in July, but the Department of Health and Human Services just discovered the attack last week.
Americans have been buying insurance through the site since last year under the 2010 Affordable Care Act, but so far, it would appear that no sensitive patient information was accessed. HHS officials said that’s because areas of the site housing private or sensitive information have tighter security controls than the test site, which was actually protected with only a default password.
While the hacker was essentially quarantined in a low-impact area of the network, which is positive news and would seem to validate the security in place on the server, security experts told us that the ease of access to any part of the site is cause for concern: attackers often break into a weakly secured system and then pivot to more privileged parts of the network.
“Depending on the usage of this server, it could have potentially contained passwords of administrators that could have been reused elsewhere (email, other servers, VPN connections, etc.),” said Mark Stanislav, security evangelist at Duo Security, in an email. “Further, since this test server was noted to have software uploaded to it by the attackers, it's possible that a developer could have visited the site and been compromised through a client-side exploit like a browser plugin vulnerability.”
Test servers are also often given broader network privileges, which could be used as a foothold to compromise other infrastructure.
Some noted that the default password in use on the test server points out poor security hygiene overall.
“If you build a high-profile, complex, central system that holds a lot of very sensitive data, it’s going to be a target. There’s no getting around that,” said Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security, in a note to Infosecurity. “When you’re a known target, you can’t afford to ignore anything on your network. It’s surprising that a high-profile organization with the resources necessary to continuously monitor these systems could miss a problem like this.”
And while the hacked site wasn’t connected to the open internet, the protection veil is very thin. “There is little that separates test machines from production servers and even DMZ (demilitarized zone or perimeter network) environments for that matter, especially in virtualized and cloud environments,” said Eric Chiu, president and co-founder of HyTrust, in an emailed comment. “A simple click of the button can connect the wrong system to the internet, exposing potentially sensitive data to the outside world. In today's dynamic world, policy-based administrative controls become critical to ensuring the safety of our data.”
Bottom line? HealthCare.gov got lucky, consensus says.
“The hack at the Healthcare.gov site constitutes a chilling near miss,” said Mike Lloyd, CTO at RedSeal Networks. “While it appears that no critical data was stolen, this is a bit like having a meteor hit your back garden, narrowly avoiding your house and everyone inside it. What the incident shows is the impossibility of having everyone inside an organization know the consequences of everything they do – a well-meaning action left a test server, with bad configuration, exposed to the Internet. No simple mistake like this goes unpunished – generally, the time to first attack of a newly exposed server is in the low numbers of minutes, due to the vast scale of automation of attack tools. The main challenge in modern security is perfectly illustrated here – simple human error, where an administrator didn’t see all the various interactions that could be possible. This is why the industry is moving to defensive automation – using computer-based analytics to find exposure that humans routinely miss.”
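The policy-based controls and defensive automation the experts describe can be as simple as a scripted audit of an asset inventory that flags the exact conditions this incident combined: a test host reachable from the internet, default credentials still in place, and a test host with network reach into production. The following is an added illustration, not code from the article or from any of the companies quoted; the host inventory is constructed, and all host names, segment names and field names are hypothetical.

```python
"""Added example: a small policy audit over a constructed host inventory.

Not part of the original article. Host names, roles and network segments
are invented for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    role: str                      # "test" or "prod" (hypothetical labels)
    internet_exposed: bool         # reachable from the open internet
    default_credentials: bool      # vendor/default password never changed
    reachable_segments: set = field(default_factory=set)  # segments this host can reach


# Constructed inventory: one host mirrors the article's scenario (a test box
# with a default password), plus hosts that should pass the policy.
INVENTORY = [
    Host("test-web-01", "test", True, True, {"test", "prod"}),
    Host("prod-db-01", "prod", False, False, {"prod"}),
    Host("dmz-edge-01", "prod", True, False, {"dmz"}),
    Host("test-ci-02", "test", False, True, {"test"}),
]


def audit(hosts):
    """Return (host, finding) pairs for each policy violation.

    The three rules correspond to the failure modes discussed in the article:
    exposure of a test system, default credentials, and test-to-production
    network reach that turns a low-value foothold into a pivot point.
    """
    findings = []
    for h in hosts:
        if h.role == "test" and h.internet_exposed:
            findings.append((h.name, "test host exposed to the internet"))
        if h.default_credentials:
            findings.append((h.name, "default credentials still set"))
        if h.role == "test" and "prod" in h.reachable_segments:
            findings.append((h.name, "test host can reach production segment"))
    return findings


def critical_hosts(hosts):
    """Hosts that are both internet-exposed and using default credentials.

    These are the ones an automated scanner would find within minutes, so they
    sort to the top of the remediation queue.
    """
    return sorted(h.name for h in hosts if h.internet_exposed and h.default_credentials)


def findings_by_host(hosts):
    """Group findings per host so a reviewer sees the full picture for each one."""
    grouped = {}
    for name, finding in audit(hosts):
        grouped.setdefault(name, []).append(finding)
    return grouped


if __name__ == "__main__":
    for name, problems in findings_by_host(INVENTORY).items():
        print(f"{name}:")
        for p in problems:
            print(f"  - {p}")
    print("critical:", ", ".join(critical_hosts(INVENTORY)) or "none")
```

Run on its own the script prints the grouped findings; in practice the inventory would come from a CMDB or cloud API, and the audit would run on every change to firewall or security-group rules rather than on a schedule, since the article's point is that a single misclick can expose a host long before the next manual review.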