Slashdot Mirror


Hackers Break Into HealthCare.gov

mpicpp is one of many to point out that hackers broke into the HealthCare.gov website in July and uploaded malicious software. "Hackers silently infected a Healthcare.gov computer server this summer. But the malware didn't manage to steal anyone's data, federal officials say. On Thursday, the Health and Human Services Department, which manages the Obamacare website, explained what happened. And officials stressed that personal information was never at risk. "Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," HHS spokesman Kevin Griffis said. But it was a close call, showing just how vulnerable computer systems can be. It all happened because of a series of mistakes. A computer server that routinely tests portions of the website wasn't properly set up. It was never supposed to be connected to the Internet — but someone had accidentally connected it anyway. That left it open to attack, and on July 8, malware slipped past the Obamacare security system, officials said."

31 of 150 comments

  1. Yep. by ChipMonk · · Score: 2

    The country's in the very best of hands.

    1. Re:Yep. by Electricity Likes Me · · Score: 3, Insightful

      Yes I'm sure this has never happened to a private company or multiple major financial institutions, or academic institutions, or security companies or IT companies.

      Oh wait.

    2. Re:Yep. by HornWumpus · · Score: 4, Insightful

      Confession: I just actually RTFA. Don't ban me.

      Evidence the attack hadn't proceeded? That the 'attack tools' were sitting there, waiting for the command.

      So someone broke in and left a bunch of 'hacker tools' laying around a directory and listening on a port as a service?

      Wouldn't the last step of a successful attack be to clean up all traces, run defrag, then perhaps install a fresh copy of BO? Just in case someone changes the password before you come back.

      How would you know the difference between a successful raid and an aborted one? Could you give a quick answer? If you needed to search logs to even start answering but the PHB was breathing down your neck what would you say? What other servers would you even start on? What OSs are they using? What skeletons have they already hidden? Database? Read only? Did anybody 'SELECT * FROM *' lately?

      Just how good can the logging/intrusion detection be? They let a local login loose.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:Yep. by trout007 · · Score: 4, Insightful

      The difference is people voluntarily give data to these companies where as you are forced to give information to Healthcare.gov. It would be the same as if the IRS was hacked.

      --
      I love Jesus, except for his foreign policy.
    4. Re:Yep. by VTBlue · · Score: 3, Insightful

      Federal government isn't spending your money either. Federal government is not revenue constrained.

      "Taxes for revenue is obsolete."

    5. Re:Yep. by linuxguy · · Score: 3, Funny

      > Please tell me your comment is snark.

      No sir. I am dead serious! Obama is incompetent. Take for example this business with Putin and ISIS and Taliban. It is getting out of control. Not because these are hard problems, but because Obama is a pussy. He wants to keep thinking about it. As GWB would say, time for thinking is over. It's time to kick some ass. If you have seen the Rambo series of movies, you'd know what I am talking about.

      Man, I hope to God Chuck Norris runs for president and wins. I'd like to see the expression on Putin's face when that happens.

    6. Re:Yep. by cold fjord · · Score: 3, Insightful

      Yes I'm sure this has never happened to a private company or multiple major financial institutions, or academic institutions, or security companies or IT companies.

      Major financial institutions, academic institutions, security companies, and IT companies don't force us under penalty of law to use their wares and put our personal confidential information at risk. Furthermore, few if any of them have managed to create something of such colossal expense, enormous failure, corruption, and risk we see now.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    7. Re: Yep. by MightyYar · · Score: 3, Funny

      I'm with linuxguy on this one - what good are nuclear weapons if you don't show people what they can do from time to time? In the 50s we had bomb shelters and duck and cover drills... now we are soft. Sitting on the sidelines applying gentle pressure isn't the American we love - Obama needs to make Mad Max happen NOW.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    8. Re:Yep. by myid · · Score: 3, Informative

      On the other hand, I explicitly recall a statement along the lines of "we aren't going to worry about security until after we get it all up and working first" from one of the people running the program. I sure wish I had bookmarked it because it is the kind of thing that is too stupid to believe.

      Maybe you're thinking about this: "Among the issues that concerned the government's own technical experts was that security testing could not be completed because the system was undergoing so many last-minute changes."

    9. Re:Yep. by ShanghaiBill · · Score: 2

      Modern life requires interaction with big careless corporations.

      Sure, but mostly you don't have to interact with a particular corporation. You need to buy groceries, but if you don't like one grocery store, you can shop at another. It is much harder to do that with governments.

    10. Re:Yep. by trout007 · · Score: 2

      Most of the things you complain about are due to regulations. An airline would be happy to sell you a ticket for cash. A bank would be happy to open a numbered account. As for rentals of course the owner wants to see evidence you are a trustworthy person.

      --
      I love Jesus, except for his foreign policy.
  2. Of course not! by Anonymous Coward · · Score: 3, Funny

    "the malware didn't manage to steal anyone's data, federal officials say."
    Mostly because at the time, no one had yet been able to successfully complete the sign up process.

  3. Jesus wept, will people never learn? by Anonymous Coward · · Score: 5, Insightful

    A computer server that routinely tests portions of the website wasn't properly set up. It was never supposed to be connected to the Internet — but someone had accidentally connected it anyway.

    How, in this day and age, does this kind of stupid shit keep happening? How are network admins not creating L2 & L3 separations in the network, with internal firewalls and IDS? How are operations engineers not building local firewalls on machines, and locking down through security policies?

    This isn't 1994 any more, people. Hand crafted individual artisanal servers, personally wrapped in cotton wool and hand reared by the friendly neckbeard, are not how things should be done at scale in this day and age.

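The summary's test server that "was never supposed to be connected to the Internet" and the comment above about L2/L3 separation describe the same control: an explicit policy of which networks may reach which zone, checked against the rules actually deployed. The following is an added example, not code from the article or the thread; the inventory, zone policy and rule lines are constructed sample data in a simplified `ACTION src -> host:port` form.

```python
"""Segmentation policy check: flag hosts whose zone should never be
reachable from the Internet but that have a firewall rule allowing it.
Added example with constructed data, not code from the original page."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: hostname -> zone. A 'test' box may only be
# reached from the internal build network, never from 0.0.0.0/0.
INVENTORY: Dict[str, str] = {
    "web-01": "dmz",
    "test-07": "test",   # the kind of server the article describes
    "db-02": "data",
}

# Constructed zone policy: source networks each zone may accept from.
ZONE_ALLOWED_SOURCES: Dict[str, List[ipaddress.IPv4Network]] = {
    "dmz": [ipaddress.ip_network("0.0.0.0/0")],
    "test": [ipaddress.ip_network("10.20.0.0/16")],
    "data": [ipaddress.ip_network("10.10.5.0/24")],
}

# Constructed rule lines in a simplified "ACTION <src_cidr> -> <host>:<port>" form.
RULES = """
ACCEPT 0.0.0.0/0 -> web-01:443
ACCEPT 10.20.0.0/16 -> test-07:22
ACCEPT 0.0.0.0/0 -> test-07:8080
ACCEPT 10.10.5.0/24 -> db-02:5432
DROP 0.0.0.0/0 -> db-02:5432
""".strip().splitlines()

def parse_rule(line: str) -> Tuple[str, ipaddress.IPv4Network, str, int]:
    action, src, _arrow, dest = line.split()
    host, port = dest.split(":")
    return action, ipaddress.ip_network(src), host, int(port)

def find_exposures(rules: List[str]) -> List[Tuple[str, int, str]]:
    """Return (host, port, src_cidr) for every ACCEPT whose source network
    is not fully contained in a network the host's zone permits.
    A host missing from the inventory has no allowed sources, so any
    ACCEPT for it is flagged as well."""
    findings = []
    for line in rules:
        action, src, host, port = parse_rule(line)
        if action != "ACCEPT":
            continue
        allowed = ZONE_ALLOWED_SOURCES.get(INVENTORY.get(host, ""), [])
        if not any(src.subnet_of(net) for net in allowed):
            findings.append((host, port, str(src)))
    return findings

if __name__ == "__main__":
    for host, port, src in find_exposures(RULES):
        print(f"VIOLATION: {host}:{port} reachable from {src} (zone {INVENTORY.get(host)})")
```

Run against a real rule export, the same check would have flagged the test server the moment a 0.0.0.0/0 rule appeared for it, rather than weeks later.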
    1. Re:Jesus wept, will people never learn? by HornWumpus · · Score: 2

      I'm stealing the 'Hand crafted individual artisanal servers...' line. Where did you steal it from?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  4. Who's data again? by bjwest · · Score: 3, Insightful

    FTFA: "Our review indicates that the server did not contain consumer personal information..."

    So we're consumers to government services now?

    It was bad enough when the corporations changed from using customers to consumers, but no way in hell should the government use that term in reference to its citizens.

    --
    --- Keep the choice with the user..
    1. Re:Who's data again? by HornWumpus · · Score: 2

      They exceeded 51% net beneficiaries a while ago. It's all bigger and bigger 'bread and circuses' from here on. Amazing government efficiency or hidden costs?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  5. So that brings the successful login count to.... by erp_consultant · · Score: 5, Funny

    exactly one :-D

  6. Remember "we don't need security?" by roc97007 · · Score: 2

    > It was never supposed to be connected to the Internet — but someone had accidentally connected it anyway.

    This is where "we don't need security because the machines will never be connected to the internet" falls apart.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  7. Re:Better hands than GW Bush by zr · · Score: 3, Informative

    TFA is on CNN, not on Fox.

    Nowhere in the article there's any blame addressed to Obama.

    I think maybe you're seeing things brother..

  8. so by geekoid · · Score: 3, Insightful

    healthcare.gov was better protected than sony? homedepot? target?
    Not too bad.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  9. Re:I'm not from US. Please define by Tailhook · · Score: 2

    We don't know either. It's media speak for some arbitrary subset of data about someone that some administration mouthpiece has fed the stenographe^Hreporters after consulting with some government lawyer somewhere.

    Sorry. Can't help you.

    --
    Maw! Fire up the karma burner!
  10. Great job for the new CTO to fix! by bobbied · · Score: 2

    Give the job of fixing this to the newly minted Federal Government CTO announced on SlashDot just today! http://en.wikipedia.org/wiki/M...

    Oh wait, problem, that's not her job, that falls under the Secretary of Health and Human Services control... Washington DC is broken, very broken...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  11. Re:Didn't steal anyones data? by erp_consultant · · Score: 2

    Exactly. The original breach was said to have occurred on July 8th. Despite "daily reviews" by the security team it went undetected until August 25th. That's what....6 weeks? I'm envisioning some sort of Falcon and the Snowman atmosphere with paper shredder margaritas for all.

    Naturally, the administration is playing this whole thing down as "run-of-the-mill, low-level hacker stuff". Uh huh. Then why did it take 6 fucking weeks to find it? "It wasn't even designed to steal patient data", they claim. And what do you suppose were the intentions of the people behind this? Maybe just come in, take a stroll around and then put everything back nice and neat? No harm no foul.

    I smell another cover-up in the making...just watch. All of the system logs and emails are going to disappear a-la the Lois Learner IRS saga. At the end of it all some low level drone will take the fall. Business as usual in the Nation's Capital.

  12. Re:So that brings the successful login count to... by erp_consultant · · Score: 3, Interesting

    "Yes - it's a big failure" - Yes, that much we can certainly agree on. Here is a little news flashback for you (I intentionally did not choose a story from Fox News or similar Right-leaning news source) : http://www.huffingtonpost.com/...

    Not surprisingly, the administration has quietly stopped releasing signup numbers, despite a promise to do so in the article above: http://hotair.com/archives/201...

    The Obama administration continues to play fast and loose with the term "enrollment" and still refuse to tell the public how many people have actually paid for an insurance plan via the Obamacare website.

    I'm not suggesting that people should "die" when they get sick. Far from it. I believe that Americans should get the best medical care available.

    What I am suggesting is that the implementation of the Affordable Care Act has been a colossal bungle, the likes of which the free world has never seen.

  13. Re: So that brings the successful login count to.. by erp_consultant · · Score: 2

    I deliberately chose to post from a left wing site (Huffington) and a right wing site (as you noted, Hot Air). Both articles reach the same conclusion. A fact that you seemingly have failed to grasp. Are you disputing the collective conclusions or are you just pissed off that things didn't work out the way you wanted them to?

  14. Hackers broke into HealthCare.gov? by jamesjw · · Score: 2

    In most cases you'd expect hackers to hack in and break the site, in this case they probably felt obligated to fix it knowing that that would annoy far more people than taking it off-line :)

    --
    -- If at first you don't succeed, lie!
  15. Re:So close by sumdumass · · Score: 3, Insightful

    Why do people who do not like the idea of the government collecting and storing personal data (under threat of law in most cases) that until recently was private and confidential on servers accessible by the internet have to be trolls for the Koch brothers?

    And why would that be bad?

    Here is the problem that maybe you simply do not get. Storing all your information on the internet is not a good thing. We have fought tooth and nail forever trying to get people to understand that and now the government decides it is best practice. So yes, completely make fools of fools might very well be warranted here. Maybe then it would cause people like you to wake up.

  16. Re:Definition of "Lie"? by Tablizer · · Score: 2

    "Misstatement of the Year" is not as headline grabby.

  17. Re: So that brings the successful login count to.. by shocking · · Score: 2

    The signups have been tracked by one guy - current total is some 9m. Check out http://acasignups.net/

    After the startup glitches (your HuffPo link was from last year, and is well out of date) the site seems to be functioning OK.

  18. Re:Definition of "Lie"? by Attila Dimedici · · Score: 2

    No, he was either lying, or he intentionally did not listen to his advisers who were trying to tell him that people would not be able to keep their insurance or their doctors. Well, it is also possible that he assumed that people had voluntarily chosen doctors and insurance they did not like, so would be perfectly happy to give it up for insurance which covered less and cost more and doctors who delivered poorer service (largely because new regulations would require the doctors to spend more time filling out forms for bureaucrats than actually treating their patients).

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  19. From someone who *was* in healthcare IT by Killer Instinct · · Score: 2

    I am not posting this AC 'cause I don't care, you need to know... I just left the healthcare IT industry after 4 years... because security was a sham. It was up to me, the admin, to go on my own and secure everything. I had to do this after hours, on my own time, 'cause during the core business hours I had to do releases, stand up more servers, babysit the devs, fix customer SSO issues, etc.

    Developers run the web sites.. don't believe me.. well, try to get Ruby devs to change the code Ruby auto-generates from "Select * from users" to only select the user. Try to make the DB not return a query formed like that. Try to break the tables apart so when the code is trying to verify a user who is logging in, the same row doesn't contain EVERYTHING about them. The devs shit bricks and bitch they can't meet schedule... 'cause THAT'S HOW RUBY WANTS IT (or Java to some extent). And these are the devs on US soil. The ones in India don't really care; they get paid by the hour, a low amount, so why not argue over shit like this for weeks and miss schedule and drive up the cost (their income)?

    I have worked for two large healthcare websites that currently hold around 100+ million US users' PHI data, and the systems are not as secure as they should be. If they were targeted, they would fold. I know because for some long periods of time I was the ONLY admin at these sites. When I try to lock some things down, Ruby or Java broke. The customer wants a new feature by next week, then we did it. Customers like CVS pharmacy, Cigna, Humana. Not to mention the majority of US companies are going towards a tele-health option for their employees. So when YOU get that letter in the mail saying you now have a tele-health option, guess what, we already have ALL your personal data, from your employer.. whether you choose to sign up or not.

    I'm not saying telehealth is a bad idea, just that in today's society profit drives everything, security is way down the list of priorities... and as these breaches continue to happen, remember it is not THE ADMINS' fault... we can only do so much. Yes this is Obama's fault, he is like the CEO. Every CEO I have worked for has been more concerned with profit, schedule, capabilities than securing YOUR data.

    --
    #include bier;
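The comment above complains that an ORM's `SELECT * FROM users` on login returns the same row that holds everything about the patient. The following is an added example, not code from the thread or from any of the sites it mentions: it shows the wide-table pattern beside a split credentials/PHI layout, using an in-memory SQLite database with constructed rows and the standard library's PBKDF2 for password hashing.

```python
"""Separating the login lookup from the PHI row.
Added example with constructed data, not code from the original page."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Before: one wide table, so an ORM's "SELECT * FROM users" on every
    # login drags the SSN and diagnosis into the web tier as well.
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, "
                 "salt BLOB, pw_hash BLOB, ssn TEXT, diagnosis TEXT)")
    # After: credentials in their own table; PHI is only reachable by id
    # from the code paths that actually need it.
    conn.execute("CREATE TABLE credentials(user_id INTEGER PRIMARY KEY, "
                 "email TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE phi(user_id INTEGER PRIMARY KEY, ssn TEXT, diagnosis TEXT)")
    salt = os.urandom(16)
    digest = _hash("correct horse", salt)  # constructed sample credential
    conn.execute("INSERT INTO users VALUES (1, 'a@example.org', ?, ?, '000-00-0000', 'constructed')",
                 (salt, digest))
    conn.execute("INSERT INTO credentials VALUES (1, 'a@example.org', ?, ?)", (salt, digest))
    conn.execute("INSERT INTO phi VALUES (1, '000-00-0000', 'constructed')")
    conn.commit()
    return conn

def login_wide(conn, email: str, password: str) -> Tuple[Optional[int], int]:
    """The pattern complained about. Returns (user_id or None, columns fetched)."""
    row = conn.execute("SELECT * FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None, 0
    ok = hmac.compare_digest(_hash(password, row[2]), row[3])
    return (row[0] if ok else None), len(row)

def login_split(conn, email: str, password: str) -> Tuple[Optional[int], int]:
    """Same check, fetching only the three columns needed to verify a password."""
    row = conn.execute("SELECT user_id, salt, pw_hash FROM credentials WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return None, 0
    ok = hmac.compare_digest(_hash(password, row[1]), row[2])
    return (row[0] if ok else None), len(row)
```

The second column of each return value is the point: the wide lookup hauls six columns including the PHI through the login path, the split lookup three, and a compromised web tier or a leaked query log sees only what the split layout exposes.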