
Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes

Posted by timothy
from the all-eggs-one-basket dept.
cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"

  • by TimMD909 (260285) on Tuesday January 21, 2014 @12:56PM (#46027181) Homepage
    The root password is "password1".
  • by Impy the Impiuos Imp (442658) on Tuesday January 21, 2014 @12:57PM (#46027193) Journal

    > 70,000 Healthcare.Gov Records In 4 Minutes

    Lie! There aren't even 70,000 people who have successfully registered yet.

  • New job for NSA (Score:5, Insightful)

    by Anonymous Coward on Tuesday January 21, 2014 @12:58PM (#46027209)

    Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.

    • by beatle42 (643102)
      They do that. There are 2 sides to the NSA, and one of them does what you suggest, but not only with government. They're the ones that helped produce SE Linux after all.
    • Completely agree. This really would be defending the country. If the NSA didn't spy on citizens they could even have provided assistance to private companies and individuals on computer security. Now though, they have lost all trust (by weakening encryption) so no one will ever trust any of their recommendations on security again.

  • Government! (Score:2, Funny)

    by Anonymous Coward

    We all know that the private sector could have done better!

    .....

    Bwahahahahahahahahahahahahahahahaahahahah!

    Oh! I shit my pants!

    • Re:Government! (Score:5, Informative)

      by TemperedAlchemist (2045966) on Tuesday January 21, 2014 @01:31PM (#46027693)

      The private sector did build the website.

  • Every citizen? (Score:4, Interesting)

    by maharvey (785540) on Tuesday January 21, 2014 @01:02PM (#46027261)
    What's this about every US citizen?
    • Re:Every citizen? (Score:5, Interesting)

      by Crudely_Indecent (739699) on Tuesday January 21, 2014 @01:06PM (#46027327) Journal

      As I understand it, the system is tied into other federal databases. Just because you haven't signed up, doesn't mean you aren't in one of the other databases that healthcare.gov is connected to.

    • Re:Every citizen? (Score:5, Insightful)

      by SJHillman (1966756) on Tuesday January 21, 2014 @01:09PM (#46027397)

      You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.

  • What data? (Score:4, Insightful)

    by WPIDalamar (122110) on Tuesday January 21, 2014 @01:04PM (#46027299) Homepage

    What data was he able to access?

    Two ends of a possible spectrum I see...
    - Being able to tell 70k accounts exist by some numerical ID
    - Getting full personal information for 70k accounts including name, address, ssn, payment details

  • by kruach aum (1934852) on Tuesday January 21, 2014 @01:08PM (#46027381)

    If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k In 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).

  • Somehow I don't think that a group of people looking for government subsidies for their healthcare represent the best targets for identity fraud.

  • by QilessQi (2044624) on Tuesday January 21, 2014 @01:14PM (#46027467)

    Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:

    1. Create an account on the site.
    2. Log in.
    3. Notice that your URL ends in something like /showUserProfile?userID=70001
    4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
    5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.

    A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.

    • Yep. I see this all the time. Sometimes it's a little more subtle, though. Like, say, storing that value in a cookie. Most people never look at their cookies, but a web security expert (on either side) is more likely to see the cookies than they are to see the actual site rendering. Or the value might be something that in the abstract is impossible to guess (like 59340341412091985) but if you happen to know your SSN and your birthdate, you might recognize those values in that 17-digit mess (it's even easier if, for example, there's a | character between the parts) and then you can (relatively easily) start guessing other peoples' pairs.

      Sometimes it's even more subtle and requires some actual work to get at it, like storing an ID value concatenated with some other garbage like the date in a cookie encrypted with a static key (this one is actually fairly commonly done as a method of generating a token *identifying* the authenticated session, after all, if you don't have the key you can't generate the authentication token, right?). However, if you can guess which bits of that token are the ID (not hard; they're the ones that are the same whenever a given account signs on, but different for every account) you can twiddle the bits and basically brute-force the search space of valid IDs. There are still many ways to make this at least *somewhat* harder to attack, but a lot of developers won't bother... and there are ways to do it *worse*, too, like using an XOR with a constant mask instead of merely re-using the key with a real cipher.

      • by QilessQi (2044624) on Tuesday January 21, 2014 @02:08PM (#46028145)

        Good point. I've always been impressed by how hackers can exploit the information gleaned from a very sample interactions with a system to discern the underlying algorithm behind token choice, etc. I saw a step-by-step presentation recently from DEFCON on how the presenter was able to break into someone's social media account, IIRC by whittling down millions or billions of possible authentication tokens to a very small number by a combination of social engineering and sleuthing using the clock time, host IP, etc. I wish I could find it again and post it here; it was dizzying.

      • I found the DEFCON video that shows the really creative ways that webapps can be attacked, along the lines of what you're talking about:

        https://www.youtube.com/watch?... [youtube.com]

        It's by Samy Kamkar. I strongly recommend it for any developer of public-facing webapps.
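The check QilessQi describes (validate the authenticated session against the record being requested), together with the reply's point about identifiers carried in cookies and tokens, can be sketched as follows. This is an added example, not code from the thread or from healthcare.gov; the handler names, the in-memory stores and the profile records are constructed for illustration.

```python
import secrets

# Constructed sample data: user_id -> profile record.
PROFILES = {
    70001: {"name": "Alice Example", "plan": "bronze"},
    70002: {"name": "Bob Example", "plan": "silver"},
}

SESSIONS = {}   # opaque token -> authenticated user_id (kept server-side)
DENIED = {}     # token -> number of refused cross-account requests


class Forbidden(Exception):
    pass


def login(user_id):
    """Issue a random token; nothing about the user is encoded in it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def show_profile_vulnerable(token, user_id):
    """The flawed pattern: checks that a session exists, not whose it is."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    return PROFILES[user_id]


def show_profile_checked(token, user_id):
    """Authorize the requested record against the session's own identity."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    if owner != user_id:
        # Same refusal whether or not the requested ID exists, so the
        # response does not confirm which IDs are valid; count it for alerting.
        DENIED[token] = DENIED.get(token, 0) + 1
        raise Forbidden("not your record")
    return PROFILES[owner]


def suspicious_sessions(threshold=3):
    """Sessions that repeatedly asked for records they do not own."""
    return [t for t, n in DENIED.items() if n >= threshold]
```

Because the token is random and the user ID lives only in the server-side session table, there is no ID inside the cookie to recognise or alter, and the refusal counter gives operators a signal when one session walks through other accounts' IDs.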

  • by Anonymous Coward

    No commercial company would have spent USD $700 million and STILL had an insecure site. Further - we have NOT seen one single f'ing firing...in the commercial world - heads would have rolled!

  • oblig (Score:5, Funny)

    by cellocgw (617879) <cellocgwNO@SPAMgmail.com> on Tuesday January 21, 2014 @01:17PM (#46027507) Journal

    Even worse, after accessing all those records, he logged in again as Bobby Tables and...

  • Big mouth (Score:5, Funny)

    by jargonburn (1950578) on Tuesday January 21, 2014 @01:27PM (#46027615)
    He should probably shut it. Doesn't he know that the best security is obscurity? If he keeps talking about how vulnerable that website is, someone MIGHT actually hack it! Is that what he wants??
  • by Cornwallis (1188489) on Tuesday January 21, 2014 @01:30PM (#46027677)

    Would you please take a crack at Vermont's site - also made by CGI? It is crap and we are getting nothing but a snowjob from the powers-that-be.

  • by rebelwarlock (1319465) on Tuesday January 21, 2014 @01:32PM (#46027701)
    I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?
    • by PRMan (959735) on Tuesday January 21, 2014 @02:14PM (#46028211)
      Connections. People don't pay people because they're good. They pay them because they are their friends.
    • by Zontar_Thing_From_Ve (949321) on Tuesday January 21, 2014 @02:24PM (#46028315)

      I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

      My first job out of college was working for the Department of Defense as a civilian programmer (I worked for a specific branch of the US military, but I'd prefer not to name it). I can tell you based on what I saw that the answer to your question is "Get a contract awarded to you." My first job was that I was hired to work with a small team trying to finish up a salvage operation on some old IBM hardware that the contractor never completed the project on. We were finishing up making it work after the contractor gave up and gave us the computers. I can't say this with 100% absolute certainty, but the senior guy on the project insisted that the contract got fully paid and the vendor never was sued for giving up on the project without meeting what the project called for. He said they just turned over the computers and the source code for as far as they had gotten and called it a day with Uncle Sam just shrugging his shoulders about it. I learned while working there that literally anything can be justified if it's on a contract. No cost is so high that it can't be justified if it's on a contract between the DoD and a private company. The right wingers unfortunately help to waste US taxpayer money here by insisting that everything there is can be done "cheaper" (ha ha ha) by any private company. Almost all of my DoD career was spent working on various projects where the government reclaimed them from a contractor (sometimes after completion, sometimes when the contractor just gave up on it) and everything was significantly cheaper for us once we took over the projects. So what happens is that unscrupulous vendors bid cheaply on contracts they can't be sure that they can actually complete because they're rarely sued and they can usually get fully paid or close to it for any half-way attempt they make on the project. Nobody on the right ever questions the wisdom of this process because it is "saving money".

  • OK, so if the site is so damned vulnerable why hasn't it been cracked by a Black Hat yet? Access to this sort of information is the wet dream of most hackers-for-hire. TFA quotes a Government person saying that the site is secure. The White Hat hackers say it isn't. Unless someone is lying about there having been no break-ins yet, then I have a hard time accepting that the site is a plum waiting to be picked by the next script kiddie that comes along. I could see that there would be a desire to cover u

    • by Shatrat (855151) on Tuesday January 21, 2014 @01:51PM (#46027943)

      The whole point is that it probably has, and their security is so bad they can't even detect it, let alone prevent it.

      • by jasnw (1913892)

        Granted, but I would have expected that this flood of hacked information would be showing up in the black markets somewhere. As I recall, the way we first learned of the Target hack job was because the stolen information was showing up in these markets and was being used. Is there any evidence that this is the case for this treasure trove of information?

    • by DarkOx (621550)

      why hasn't it been cracked by a Black Hat yet?

      Why do you assume it has not been? What makes you think adequate detective controls are in place to even determine if it has or has not? Why do you think the Obama administration would tell you if they knew it had, especially if there was no fix in place yet?

    • You are making a rather huge assumption when you state it hasn't been cracked by a Black Hat. You expect press releases from someone who has taken all the information for their own uses?
      You are also assuming that anyone incompetent enough to create that abomination is competent enough to notice if they have been hacked.

    • by cbhacking (979169)

      How do you know it hasn't been? It's not like some Chinese black hat would issue a press release claiming what had been done in that case. Instead, the information would be sat on for a while to distance its release from the slight bump in traffic when the actual breach occurred. Then it would be farmed out, quietly, to third parties looking to engage in identity theft and such. They in turn would probably take it slow; too big a glut of that kind of activity is not only sure to be noticed, it drives down p

  • Could the reason there are so many problems be that the priorities of the top men in govt/corp are other than healthcare.gov?
  • When you let government control everything, then everything (including data security) is at government standards.

    Some people were suggesting that this was one of many reasons that letting government control everything wasn't such a good idea.

    But whew, at least we don't have binders full of women, or whatever it was we were supposed to be so worried about instead ...

  • It's not hard to imagine that any new large site has significant security holes. How you avoid that is quite a question.

    On the other hand the chief player in this testimony, David Kennedy has a rather checkered past. He was chief security officer at Diebold, famous for highly insecure voting machines.

  • by TheMadTopher (1020341) on Tuesday January 21, 2014 @02:21PM (#46028275)
    Hackers can get 70K records in 4 minutes from the healthcare.gov website? Great news! That's the best performance metric the website has had yet!
  • by BlueStrat (756137) on Tuesday January 21, 2014 @02:59PM (#46028675)

    It was never meant to actually work.

    It was meant to fail spectacularly in order to clear the way for British-NIH-style single-payer healthcare.

    "Jacob Hacker, The Architect of ObamaCare and the Public Option in making his case, admits that this idea is a covert route to a Single Payer System."

    http://youtu.be/3sTfZJBYo1I [youtu.be]

    Just watch. After sufficient public frustration, desperation, & outrage have developed, single-payer will be rolled out as the "fix".

    There's a "fix" alright, just that it was "in" before this crapfest was even passed.

    Of course, those in Congress and friends of the administration like labor unions won't have to deal with any of this. It's good to be the king, eh?

    Strat

  • by superwiz (655733) on Tuesday January 21, 2014 @04:30PM (#46029607) Journal
    If a government website exposes thousands of citizens to high levels of danger, it has to be shut down and not taken back online until it works. He does have the power to take the site off line. Sure, he is not the one coding it, but it's not exactly NORAD. It's a highly broken shopping site. What level of incompetence would he have to display before his supporters would finally agree that he is, in fact, just an empty suit? I want to know where that line is that he cannot cross as far as his supporters are concerned. This is the guy who sold guns to drug dealers to whom the gun dealers wouldn't sell guns because he wanted to create the perception that guns are dangerous (and no, you silly, Bush didn't do the same thing -- Bush considered it and then decided it was a dumb idea and shelved it). Don't even start with "he didn't do it personally". He did -- by the virtue of the fact that his political appointees did it and weren't even fired for it. What is the line he cannot cross? I just want to know what to expect. Or should just settle in and enjoy the surprises?
