Thursday, May 14, 2009

A little knowledge is a dangerous thing

Last week the Washington Post reported that a web site belonging to the Virginia Department of Health Professions was broken into, and that millions of records regarding use of controlled drugs had been at least potentially accessed by an attacker. The attacker claims to have encrypted the records with a key only s/he knows, and will not release the key without being paid a ransom.

Clearly this was a bad thing.

But here's where we get into "a little knowledge". The Washington Post reports that "Del. Joe May, an electrical engineer by profession and the House's resident expert on technology issues, wanted to know what security measures the hacker had to overcome to access the records." So far, so good. They then quote May as saying "It doesn't sound like the proper firewalls, the proper backing up, the proper security measures were in place, ... and the question is why didn't we go ahead and have VITA do it."

Unfortunately, the problem almost certainly wasn't an issue of firewalls or similar security measures - it's much more subtle than that, probably an application security flaw.

I served with Del. May on a state commission on electronic voting issues some years ago, and learned that he has a great understanding of the big picture but doesn't understand the details. As an example, he insisted that it was impossible for someone to break into a voting machine because there's no source code that's publicly available. I'm sure that will come as a great surprise to the black hats who routinely reverse engineer products to find vulnerabilities and develop attacks, to the white hats at companies like Symantec and McAfee who reverse engineer the attacks to come up with protections, and to the hundreds of millions of users who have to install patches to protect against the vulnerabilities that, in Del. May's mind, cannot exist.

It's great that the legislature has technical members - this is very much in keeping with Thomas Jefferson's view of a citizen legislature. However, those members need to be aware enough of their breadth of knowledge to understand when it's time to call an expert. You don't ask an oncologist for an expert opinion on brain surgery, or vice versa. Del. May and the legislature need to ask for help when they need it.

Ironically, the article concludes "Paquette [the state technology director] said DHP had one of the most secure systems in state government, and that firewall systems and backups were operational at the time of the attack". If this is one of the "most secure" systems, I'd hate to see the others....


Blogger Travel Security Truth said...

Great work on this, Jeremy! You have an awesome blog here, so we at TST wanted to invite you & your readers over to our blog, where we are already beating the TSA on their coverage of aviation security stories.

Keep up the great work!

6:25 PM  
