Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes
cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White — blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"
History suggests so.
The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.
If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.
Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.
* Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...
NASA? Pretty much everything they do consists of issuing a design spec and taking bids. Even Apollo and Saturn were actually designed by private companies.
The private sector did build the website.
A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.
Being legally mandated to do something dangerous isn't good.
The worrisome thing is, you don't even need to do anything to be exposed to danger. Your information is already in the system, waiting to be exposed.
They do program management, and that's very important. healthcare.gov would fare much better if it had NASA-style, competent program oversight.
A successful API design takes a mixture of software design and pedagogy.
The commercial company that built this website was let go from their contract, and without that contract there will likely be firings.
But yes, feel free to tell us about all the firings from the major corporate breaches that happened in the last year. Because if you think this doesn't happen all the time, you're living in a fantasy world.