Slashdot Mirror


Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes

cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White — blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"

13 of 351 comments

  1. So it has come to this by Impy the Impiuos Imp · Score: 5, Funny

    > 70,000 Healthcare.Gov Records In 4 Minutes

    Lie! There aren't even 70,000 people who have successfully registered yet.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  2. New job for NSA by Anonymous Coward · Score: 5, Insightful

    Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.

  3. Re:Okay, but... by SJHillman · Score: 5, Insightful

    How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing this automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.

  4. Re:Every citizen? by Crudely_Indecent · Score: 5, Interesting

    As I understand it, the system is tied into other federal databases. Just because you haven't signed up, doesn't mean you aren't in one of the other databases that healthcare.gov is connected to.

    --
    "Lame" - Galaxar
  5. Re:Okay, but... by ranton · Score: 5, Insightful

    While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.

    It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.

    --
    All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
  6. Re:Throw money at it! by TheCarp · Score: 5, Insightful

    > Forget the military-industrial complex; sequestration is shutting that down.

    ROTFL really? You actually think that is shutting down or that the fake sequestration dance had shit to do with it?

    Last year, right before sequestration hit, congress approved massive military spending on all sorts of pork. Sequestration itself was even only a cut in budget increases. Sequestration is very narrowly aimed at making paper cuts look like gaping wounds... and does so with exacting precision.

    I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

    The military industrial complex is alive and well.

    --
    "I opened my eyes, and everything went dark again"
  7. Sometimes I wonder about numbers by kruach aum · Score: 5, Insightful

    If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k in 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).

  8. I can almost imagine how it might be done by QilessQi · Score: 5, Interesting

    Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:

    1. Create an account on the site.
    2. Log in.
    3. Notice that your URL ends in something like /showUserProfile?userID=70001
    4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
    5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.

    A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.
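
The pattern the comment above describes is an insecure direct object reference: the handler trusts the `userID` in the URL instead of the identity the session already carries. The following is an added example, not code from the post or from healthcare.gov; it models a profile lookup with constructed sample data, shows the vulnerable handler beside a hardened one that binds the lookup to the authenticated session, and includes the check a reviewer would run to confirm one session can only read its own record.

```python
# Added illustration of the IDOR pattern described in the comment; the
# handler names, Session type and PROFILES table are constructed for the
# example and are not the site's real code or data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int  # identity established at login, held server-side


# Constructed stand-in for the profile table keyed by user id.
PROFILES = {
    70001: {"name": "alice", "ssn_last4": "1234"},
    70002: {"name": "bob", "ssn_last4": "5678"},
    70003: {"name": "carol", "ssn_last4": "9012"},
}


class Forbidden(Exception):
    """Raised when the session is not authorised for the requested record."""


def show_user_profile_vulnerable(session: Session, user_id: int) -> dict:
    """Steps 3-4 of the comment: the URL parameter alone selects the row,
    so any logged-in session can read any other user's profile."""
    return PROFILES[user_id]


def show_user_profile_hardened(session: Session, user_id: int) -> dict:
    """Authorises against the session before touching data: the requested id
    must be the authenticated principal's own (a real app would substitute an
    explicit ownership or role check here). Refuse otherwise."""
    if user_id != session.user_id:
        raise Forbidden(f"session user {session.user_id} may not read {user_id}")
    return PROFILES[user_id]


def disclosed_ids(handler, session: Session, id_range) -> list:
    """Isolation check for a test environment: which ids in id_range does the
    handler reveal to one session? A correct handler reveals only the
    caller's own id; anything more is the enumeration the comment describes."""
    leaked = []
    for uid in id_range:
        try:
            handler(session, uid)
            leaked.append(uid)
        except (Forbidden, KeyError):
            continue
    return leaked
```

Running `disclosed_ids` with a session for user 70001 over ids 70000 to 70009 returns all three populated records for the vulnerable handler and only 70001 for the hardened one.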

  9. Re:Throw money at it! by CrimsonAvenger · Score: 5, Insightful

    > I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

    Do remember that it was Obama that "closed down parks" and "did everything they could to make people feel the cuts", not Congress.

    Most of the cuts did nothing that would've been noticed by the average citizen, but you can't generate outrage at Congress with barely noticeable cuts. So they spent extra money putting traffic cones up blocking sites from which Mount Rushmore could be photographed, and shut off access to the Tomb of the Unknowns (which normally has no restrictions to access - it's in the middle of a lawn).

    --
    "I do not agree with what you say, but I will defend to the death your right to say it"
  10. Re:Okay, but... by cbhacking · Score: 5, Informative

    Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.

    * Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...

    --
    There's no place I could be, since I've found Serenity...
  11. Re:Okay, but... by Anonymous Coward · Score: 5, Informative

    A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.

  12. Re:Okay, but... by funwithBSD · Score: 5, Interesting

    Two things:

    According to the article, the government is not REQUIRED to tell you about hacking attempts. HIPAA and other laws require that they disclose "hacks".

    Second, as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.

    --
    Never answer an anonymous letter. - Yogi Berra
  13. Re:How do I get clients like this? by Zontar_Thing_From_Ve · Score: 5, Interesting

    > I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

    My first job out of college was working for the Department of Defense as a civilian programmer (I worked for a specific branch of the US military, but I'd prefer not to name it). I can tell you based on what I saw that the answer to your question is "Get a contract awarded to you." My first job was that I was hired to work with a small team trying to finish up a salvage operation on some old IBM hardware that the contractor never completed the project on. We were finishing up making it work after the contractor gave up and gave us the computers. I can't say this with 100% absolute certainty, but the senior guy on the project insisted that the contract got fully paid and the vendor never was sued for giving up on the project without meeting what the project called for. He said they just turned over the computers and the source code for as far as they had gotten and called it a day with Uncle Sam just shrugging his shoulders about it. I learned while working there that literally anything can be justified if it's on a contract. No cost is so high that it can't be justified if it's on a contract between the DoD and a private company. The right wingers unfortunately help to waste US taxpayer money here by insisting that everything there is can be done "cheaper" (ha ha ha) by any private company. Almost all of my DoD career was spent working on various projects where the government reclaimed them from a contractor (sometimes after completion, sometimes when the contractor just gave up on it) and everything was significantly cheaper for us once we took over the projects. So what happens is that unscrupulous vendors bid cheaply on contracts they can't be sure that they can actually complete because they're rarely sued and they can usually get fully paid or close to it for any half-way attempt they make on the project. Nobody on the right ever questions the wisdom of this process because it is "saving money".