Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

Open-source Software Advocates To Government: Let Us Help You Fix Healthcare.gov

Open-source software projects need to improve vulnerability-handling practices, researchers say

user avatar Theres a line of thought among some users that open-source software is more secure than commercial software because there are more people looking at the source code and providing feedback or because open-source projects can patch issues faster. Rapid7 worked with Brandon Perry, an application security engineer and regular contributor to the Metasploit penetration testing framework, to test that theory, said Christian Kirsch, product marketing manager at Rapid7, in an interview Wednesday at the RSA Europe security conference in Amsterdam. At the beginning of August, Perry selected seven of the most popular open-source web applications hosted on SourceForge.net and started looking for vulnerabilities in them. Within two weeks he found security flaws in all of them, Kirsch said. The researcher found an issue that could allow remote-authenticated attackers to execute commands on the underlying operating system in six applications: Moodle, a web-based learning/course management system that has been downloaded over 4.7 million times from SourceForge; vTiger, a Web-based customer-relationship-management system with over 3.6 million downloads; Zabbiz, a software product for monitoring network and application performance in enterprises with almost 3 million downloads; ISPConfig, a web-hosting control panel for Linux servers with 1.5 million downloads; OpenMediaVault, an OS distribution based on Debian Linux for network-attached storage servers with over 700,000 downloads; and NAS4Free, a network-attached-storage server OS based on FreeBSD with over 600,000 downloads. Perry also found an XXE (XML eXternal Entity) vulnerability in Openbravo ERP, an open-source enterprise resource planning (ERP) product with 2.1 million downloads on SourceForge, that could allow an attacker to read arbitrary files from the file system with the permissions of the user running the application. The researcher and Rapid7 then alerted the developers and worked with the Computer Emergency Response Team Coordination Center (CERT/CC) to coordinate the disclosures. They also developed Metasploit exploit modules for the vulnerabilities and released them on Wednesday. Patches, anyone? Only three of the seven software projects, Openbravo ERP, vTiger CRM, and ISPConfig, patched the issues reported to them. Three projects said that they wont fix the authenticated remote command execution issue because they believe its by design, and one project did not communicate its plans, Kirsch said. The post-authentication command execution issue is not a vulnerability per se, but it is an exposure with security implications, Kirsch said. The developers assumed that the persons who install their applications also administer the entire servers, which is not always true, especially in shared hosting environments or in organizations where separate teams oversee the infrastructure and applications, he said. This issue can also be used to bypass strong authentication requirements configured on some operating systems to prevent people from easily gaining root access. If the application running on such a system only requires a username and password for authentication and then allows authenticated command execution on the OS, then the stricter controls are bypassed, Kirsch said. In the process of disclosing the identified security http://www.new-venturist.com/open-source-digital-signage-preferred-means-advertising/ issues to the relevant software projects, Rapid7 found that many of them did not follow common industry practices when it came to handling vulnerability reports and working with security researchers. Across these seven projects, I found there were at least seven different approaches to handling incoming vulnerability reports, Tod Beardsley, the engineering manager for Metasploit, said Wednesday in a blog post . I wont mention which project representative asked for a password-protected zip file of the disclosure, while another filed the issue on a public bug tracker which promptly emailed it back in cleartext, but the level of preparedness I ran into was pretty troubling, he said.

CGI Federal declined to comment to NBC News, and a request to QSSI for comment went unanswered. HHS also didn't respond to requests for comment. It is well established that the government's website, which is critical to getting consumers to sign up for Obamacare, has been plagued with usability problems since it went live. It also has suffered outages that continued this week, including a failure Tuesday night at a Verizon Terramark data center that persisted into Wednesday and provided an embarrassing moment for Health and Human Services Secretary Kathleen Sebelius when she testified before the House Energy and Commerce Committee. Last Friday, White House economic adviser Jeff Zients, who has been tasked with fixing the site, said that QSSI would oversee the job. "We are confident that by the end of the November, healthcare.gov will be smooth for the vast majority of users," he said. Since then, HHS has held daily briefings for reporters and listed improvements on a blog. Reed, however, said he has already produced a simpler, cleaner version of the software that could run on the desktop of consumers' personal computers, allowing them to create accounts, browse insurance plans and sign up for coverage all without many of the headaches that have been plaguing the government's site. Among the changes Reed said he has made to his version of the site: Repairing an error-ridden section listing state codes, which produced errors, used valuable computing resources and would have hampered residents of Wyoming trying to sign up for coverage because developers failed to account for the presence of the District of Columbia when they capped the number of states at 50. Using a process known as "minifying" to collapse individual JavaScript commands into more sophisticated but less resource-intensive operations. The original code, as other analyses have pointed out, resulted in a huge drain on users' computer resources and long load times on the site. Removing Latin phrasing left amid the code as dummy text, including some phrases that actually appeared in error messages generated by healthcare.gov. Reed noted that programmers working to fix healthcare.gov have addressed some of the same issues he has found. Peter Durham, a software architect at NBC News, reviewed Reed's work on GitHub and agreed that the changes would make the site run faster on computers with slower connections, although the difference would not be as apparent with faster connections. He also pointed out that Reed's version must still communicate with the same servers at various government agencies and contractors that the real healthcare.gov accesses, so it would still be susceptible to outages like the one at Terramark. Other independent efforts have focused on security issues. Ben Simo, a software tester based in Phoenix and a past president of the Association of Software Testers, said his involvement stemmed from trying to retrieve his own password on healthcare.gov.

Don't be the product, buy the product!