FHIR Chat · WITM · Security and Privacy

Stream: Security and Privacy

Topic: WITM


Grahame Grieve (Oct 12 2021 at 02:46):

Beware of Woman-In-The-Middle.

David Pyke (Oct 12 2021 at 12:45):

We're just going to have to rename it Person-In-The-Middle.

Grahame Grieve (Oct 13 2021 at 21:37):

and the woman in the middle is Alissa - see https://approov.io/for/playing-with-fhir/ and https://www.scmagazine.com/analysis/application-security/critical-flaws-found-in-interoperability-backbone-fhir-apis-vulnerable-to-abuse. Discussion here, if you want.

John Moehrke (Oct 13 2021 at 21:57):

Everything she found is very disappointing, as it is simply good Web API security. Nothing FHIR or Healthcare specific.

Grahame Grieve (Oct 13 2021 at 21:58):

Right. All OWASP top ten stuff. One day, we might get the subtle stuff we worry about in the FHIR space.

Grahame Grieve (Oct 13 2021 at 22:27):

http://www.healthintersections.com.au/?p=3068

John Moehrke (Oct 13 2021 at 22:49):

Let's get #WITM trending

John Moehrke (Oct 13 2021 at 23:25):

I can see a few things we can improve on the security checklist http://hl7.org/fhir/security.html

John Moehrke (Oct 13 2021 at 23:26):

I had not expected to need to explain that: services should not provide data to a patient that is NOT that patient's data; or that downloading the whole population's data to a patient app is a bad idea.

John Moehrke (Oct 13 2021 at 23:26):

Or that Patients should not be allowed to change prescribed medications... of ANOTHER PATIENT!

Alexander Mense (Oct 13 2021 at 23:30):

:see_no_evil:

Paul Church (Oct 13 2021 at 23:35):

At Google, we recommend best practices like authentication AND authorization.

Grahame Grieve (Oct 13 2021 at 23:43):

Well, personally, I recommend best practices like having some security.

Hussain Chinoy (Oct 14 2021 at 01:12):

Grahame and John, you two are so calm and cool under the fud and very patient. Thank you!

Grahame Grieve (Oct 14 2021 at 01:39):

You know, I live in a country where the government 'signs' covid vaccination certificates by putting a 'hologram' on them. That is, a background gif whose opacity changes as the phone orientation is changed.

It's awesome, and took someone ages to work out.

So no way anyone could copy it....

Grahame Grieve (Oct 14 2021 at 01:39):

So actually having a hacking report sponsored by someone.... seems like a paradise to me.

John Keyes (Oct 14 2021 at 13:11):

As an independent mobile health app developer (and patient), I greatly appreciate the work the researcher has done here, and the vulnerabilities that she is highlighting. I think that people involved in all parts of the FHIR ecosystem can likely learn lessons from this and elevate the security in their applications and platforms. I know that I will look for ways to do that.

I do wish that the report had provided a less muddled (and more detailed, less repetitive) view of the issues that were found; I fear it will lead to unnecessary misunderstandings as to where the issues lie.

John Moehrke (Oct 14 2021 at 18:07):

Yes @David Hay, you must put in a corporate email to get the report. This is the organization that funded the research, so they are trying to recoup some costs by getting a mailing list that they can sell their API security solution to.

Grahame Grieve (Oct 14 2021 at 19:21):

There's a degree of irony there. And clearly the report was written to create waves, for the sponsor.

David Pyke (Oct 14 2021 at 19:35):

Maybe but if nothing else, it's worth it for the artwork...

John Moehrke (Oct 14 2021 at 19:50):

The artwork is her creation. --- actually not.

Paul Church (Oct 14 2021 at 19:58):

The artwork is spectacular. So good it's kind of a distraction from the content!

John Moehrke (Oct 14 2021 at 20:00):

Come to find out that the artwork is one of the things that has caused such a negative stir... fire burning things...

John Keyes (Oct 14 2021 at 21:06):

I think the artwork is beautiful, but it does make the PDF more sluggish to read on some devices.

John Moehrke (Oct 14 2021 at 22:38):

On this Monday's FHIR-Security call, we will be discussing Alissa Knight's report. With @Alissa Knight as a guest speaker -- Ask Her Anything.

https://confluence.hl7.org/display/SEC/2021-10-18+FHIR-Security+Meeting+Agenda

Grahame Grieve (Oct 15 2021 at 00:43):

Talking to @Mario Hyland - should we consider upgrades to TestScript to allow hacking products for security issues? I see an attraction to the idea, but I feel as though automating OWASP-type checks in TestScript is the wrong way to do things, and we should continue deferring to OWASP on this.

John Moehrke (Oct 15 2021 at 13:14):

Grahame Grieve said:

> Talking to Mario Hyland - should we consider upgrades to TestScript to allow hacking products for security issues? I see an attraction to the idea, but I feel as though automating OWASP-type checks in TestScript is the wrong way to do things, and we should continue deferring to OWASP on this.

Yes, there are already plenty of tools that can test API security. You do need to "teach" them the URL pattern and data pattern. Fuzzing is even simpler, although it also benefits from teaching them the URL and data pattern.

Grahame Grieve (Oct 15 2021 at 19:47):

What does it mean to teach them this? Does OWASP have a test script set up that we should work with them on?

Michael Lawley (Oct 16 2021 at 06:47):

https://owasp.org/www-project-apicheck/ looks like a starting point

Alissa Knight (Oct 19 2021 at 08:32):

Agreed. I would recommend you take a look at Kite Runner; it's my favorite fuzzer when testing APIs.

Alissa Knight (Oct 19 2021 at 08:36):

John Keyes said:

> As an independent mobile health app developer (and patient), I greatly appreciate the work the researcher has done here, and the vulnerabilities that she is highlighting. I think that people involved in all parts of the FHIR ecosystem can likely learn lessons from this and elevate the security in their applications and platforms. I know that I will look for ways to do that.
>
> I do wish that the report had provided a less muddled (and more detailed, less repetitive) view of the issues that were found; I fear it will lead to unnecessary misunderstandings as to where the issues lie.

Thanks John. I appreciate the approbation and feedback. Hopefully V2 of my report, which takes in input from Keith (@motorcycle_guy), did a better job at tightening up a lot of that ambiguity and language.

Alissa Knight (Oct 19 2021 at 08:38):

If all of you are looking for suggestions on a technology stack for penetration testing APIs, I'm happy to do a small lunch-and-learn or presentation on my attack lab (tactics, techniques, and tools).

Alissa Knight (Oct 19 2021 at 08:40):

John Moehrke said:

> On this Monday's FHIR-Security call, we will be discussing Alissa Knight's report. With Alissa Knight as a guest speaker -- Ask Her Anything.
>
> https://confluence.hl7.org/display/SEC/2021-10-18+FHIR-Security+Meeting+Agenda

Sorry again everyone for missing today's meeting. I unfortunately didn't have it on my calendar. I believe the plan is that I'll attend a Thursday meeting that @ePatientDave mentioned, John, but I'm unsure right now of the specifics.

John Moehrke (Oct 25 2021 at 13:22):

Some useful tweets from this weekend when I asked what HL7 might do.

John Moehrke (Oct 25 2021 at 13:23):

https://twitter.com/k8em0/status/1452398275563192326
Defining Vulnerability Disclosure vs Pen Testing vs Bug Bounty

John Moehrke (Oct 25 2021 at 13:26):

I had many others explain that HL7 should not run a bug bounty program. All are people I know in the cybersecurity space and with whom I have a personal and trusted relationship. --- This conclusion is not absolute into the future, just that there are more useful things to do now and jumping to a Bug Bounty is too soon. -- Note that everyone encourages all vendors/services/providers to publish a method for bugs to be reported, which is the first step.

Andrea Downing (Oct 25 2021 at 20:13):

Now connecting w/ NIST and CERT, who can work with @Alissa Knight on coordinating larger scale disclosure. I'm not sure wants to be involved in that discussion. I shared this on another thread but also here. https://csrc.nist.gov/CSRC/media/Presentations/industry-bug-bounty-implementations-lessons/images-media/Industry%20Bug%20Bounty%20Implementations%20Lessons.pdf


Last updated: Apr 12 2022 at 19:14 UTC