From: Henry, Erika (NIH/NCI) [C]
Sent: Thursday, February 26, 2015 9:40 AM
To: Do, David (NIH/NCI) [C]
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]; Kline, Robert (NCI)
Subject: RE: Remediate: Poor Password on CDR servers

Thanks, David! I will put improving the interface in our backlog for consideration in future releases, but will not be making changes in the next several months as we are focused on other high-priority projects.

Thank you,
Erika


From: Do, David (NIH/NCI) [C]
Sent: Thursday, February 26, 2015 9:25 AM
To: Henry, Erika (NIH/NCI) [C]
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]; Kline, Robert (NCI)
Subject: RE: Remediate: Poor Password on CDR servers

Erika,

The security team is not disagreeing about it being a false positive; they are just anticipating the question in case someone asks them.

Thanks,
David


From: Henry, Erika (NIH/NCI) [C]
Sent: Wednesday, February 25, 2015 4:17 PM
To: Do, David (NIH/NCI) [C]
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]; Kline, Robert (NCI)
Subject: RE: Remediate: Poor Password on CDR servers

Hi David,

We can certainly “fix” the interface so that it does not do this, but would prefer to plan it into a scheduled future release (it will not be in the next 30 days). Is the security team asking us to fix this within the 30 days, even if it is a false positive? Or are they disagreeing that it is a false positive?

Thank you,
Erika

___________________________________
Erika (Cheng) Henry
NCI OCPL – Office of Communications & Public Liaison
Contractor: Sapient Government Services
NCI: 240.276.6548 | Mobile: 571.969.2338


From: Do, David (NIH/NCI) [C]
Sent: Wednesday, February 25, 2015 4:13 PM
To: Henry, Erika (NIH/NCI) [C]; Kline, Robert (NCI)
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]
Subject: RE: Remediate: Poor Password on CDR servers

Bob,

Would you please provide an answer to the following question from the security team? Is it possible to turn off the ability for any username/password combination to be entered into these sites and see even guest-level information?

Thanks,
David


From: Do, David (NIH/NCI) [C]
Sent: Monday, February 23, 2015 4:54 PM
To: Henry, Erika (NIH/NCI) [C]; Kline, Robert (NCI)
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]
Subject: RE: Remediate: Poor Password on CDR servers

I see. I will forward the ticket back to the security team with your explanation.

Thanks,
David


From: Henry, Erika (NIH/NCI) [C]
Sent: Monday, February 23, 2015 4:15 PM
To: Do, David (NIH/NCI) [C]; Kline, Robert (NCI)
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]
Subject: RE: Remediate: Poor Password on CDR servers

David,

Actually, I think this is a false positive. What Bob is saying is that you aren’t actually logging in as an administrator. Any username/password combination will not log you in as an admin, but will instead take you to a guest interface.

Thanks,
Erika (Cheng) Henry


From: Do, David (NIH/NCI) [C]
Sent: Monday, February 23, 2015 4:14 PM
To: Kline, Robert (NCI)
Cc: Henry, Erika (NIH/NCI) [C]; Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]
Subject: RE: Remediate: Poor Password on CDR servers

Below is the comment from the security team. So yes, we have to work out a solution for this vulnerability soon. If you need any input/assistance for this task, please let me know.

    High vulnerabilities should be remediated within 30 days. Please return this ticket to NCI Security -- Engineering when this is complete. Please contact the NCI CBIIT Security Team with any questions.

Thanks,
David


From: Kline, Robert (NCI)
Sent: Monday, February 23, 2015 4:07 PM
To: Do, David (NIH/NCI) [C]
Cc: Henry, Erika (NIH/NCI) [C]; Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]
Subject: Re: Remediate: Poor Password on CDR servers

What actually happens is that the user is dropped onto the guest page, which seems appropriate. If CBIIT wants us to eliminate guest access, we'll discuss the impact with the users.

Thanks,
Bob

On Mon, Feb 23, 2015 at 3:33 PM, Do, David (NIH/NCI) [C] wrote:

When users open up https://cdr.cancer.gov or https://cdr-stage.cancer.gov, it will direct them to the CDR logon page. If users use username: admin and password: xxxx (a very insecure password), they will be able to log in. Please correct me if I am wrong, but I believe this logon page is managed at the application level.

Thanks,
David


From: Henry, Erika (NIH/NCI) [C]
Sent: Monday, February 23, 2015 1:58 PM
To: Do, David (NIH/NCI) [C]
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]; Alden, Christine (NIH/NCI) [C]; Pizzillo, Bryan (NIH/NCI) [C]; Kline, Robert (NCI); Broun, Kevin (NIH/NCI) [E]; Ho, Yuen-Mien (NIH/NCI) [C]; Dugan, Amy (NIH/NCI) [C]
Subject: RE: Remediate: Poor Password on CDR servers

I mean, is there anything for OCPL to do if it looks like these are CBIIT-managed admin accounts?

David,

Based on Bob’s explanation, please let us know if you need our support. Otherwise I assume CBIIT will take care of the issue. That being said, please let us know with ample time if you have to reboot prod or something so that we can notify users as needed.

Erika (Cheng) Henry


From: Kline, Robert (NCI)
Sent: Monday, February 23, 2015 11:01 AM
To: Do, David (NIH/NCI) [C]; Henry, Erika (NIH/NCI) [C]
Cc: Englisch, Volker (NIH/NCI) [C]; Meyer, Alan (NIH/NCI) [C]
Subject: Re: Remediate: Poor Password on CDR servers

David:

What kind of password are we talking about? The CDR itself has no accounts named "admin", so I'm going to guess you're referring to a Windows local account (presumably NIH would prevent a domain account from being created with a weak password). If so, I believe the passwords for the servers which CBIIT set up when we migrated to CBIIT hosting were selected by CBIIT, and CBIIT is probably in a better position to know what would break (and what their process is for "remediating the vulnerability").

Erika:

This seems like a discussion which should be taking place at a higher level than with just developers. Would that be right?

Thanks,
Bob

On Mon, Feb 23, 2015 at 10:40 AM, Do, David (NIH/NCI) [C] wrote:

The security team has created several tickets (Inc1690041, Inc1692128, Inc1692140, Inc1692144) indicating that the “admin” account on the CDR server on prod and stage has a weak password. What is your recommended method and process to remediate the vulnerability? Do we have to do this remediation after hours? If you have some time today, I think it is best that we have a quick chat to make sure the remediation has no effect on the production environment.

Thanks,
David Do (Contractor)
SRA International
National Cancer Institute
Center for Biomedical Informatics & Information Technology
9609 Medical Center Drive, 1W418
Rockville, MD 20850

--
Bob Kline
http://www.rksystems.com
mailto:bkline@rksystems.com
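The behaviour Bob and Erika describe, where every username/password pair lands on the guest page with a normal response, is exactly what a credential scanner reads as a successful "admin" login. The following added example is a constructed illustration, not CDR code; the account name, passphrase, and the scanner heuristic it models are assumptions. It places the fall-through form beside a reworked form that rejects bad credentials explicitly and serves guest content from its own entry point, so the same scanner check no longer fires.

```python
"""Constructed model of a logon form that falls through to a guest page.
Not CDR code: it shows why a scanner reports a weak 'admin' password for
such a form, and how an explicit rejection plus a separate guest entry
point removes the ambiguity."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: hypothetical account, hashed for the demo.
# Production code should use a slow, salted KDF (scrypt, argon2), not bare SHA-256.
_USERS = {"editor": hashlib.sha256(b"constructed-demo-passphrase").hexdigest()}


@dataclass
class Response:
    status: int           # HTTP status the handler would return
    role: Optional[str]   # "user", "guest", or None when nobody is signed in


def credentials_valid(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


def login_fallthrough(username: str, password: str) -> Response:
    """Pattern from the thread: a pair that fails still lands on the guest page."""
    if credentials_valid(username, password):
        return Response(200, "user")
    return Response(200, "guest")  # 200 after a guessed pair looks like a login


def login_explicit(username: str, password: str) -> Response:
    """Reworked form: bad credentials are rejected; guest access is a separate link."""
    if credentials_valid(username, password):
        return Response(200, "user")
    return Response(401, None)     # explicit failure, no session of any kind


def guest_page() -> Response:
    """Guest content served without a credential prompt, so no login is implied."""
    return Response(200, "guest")


def scanner_flags_weak_password(handler) -> bool:
    """Assumed scanner heuristic: a 2xx after submitting a guessed pair is 'success'."""
    return 200 <= handler("admin", "constructed-guess").status < 300
```

Running the check against both handlers shows the fall-through form flagged and the explicit form clean, while a valid account still signs in and guest content stays reachable.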