Forgot your password?
typodupeerror

+ - Insecure healthcare.gov Allowed Hacker To Access 70,000 Records In 4 Minutes-> 3

Submitted by cold fjord
cold fjord (826450) writes "Computerworld reports, "... white hat hacker David Kennedy, CEO of TrustedSec, may feel like he’s beating his head against a stone wall. Kennedy said, "I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent." Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly “fixed,” he told Congress it was even more vulnerable to hacking and privacy breaches. ... “Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.” ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website’s insecurity. ... Mitnick, the 'world's most famous hacker' testified:"... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices ... """
Link to Original Source
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Insecure healthcare.gov Allowed Hacker To Access 70,000 Records In 4 Minutes

Comments Filter:
  • >> Kennedy said he was able to access 70,000 records within four minutes

    Several people have already been arrested/punished while whitehat hacking government computers, some as a result of telling the government about their own vulnerabilities. The US government have already made it clear that even if you're a whitehat with purely good intentions, it is no defence for hacking government computers. Any/all hacking of governemt computers is illegal and will be prosecuted.

    So why hasn't this guy been arre

    • by schwit1 (797399)

      Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system.”

      • by JustNiz (692889)

        ITs all semantics. At what point do you say you're in the system?
        Unless its a man-in-the-middle, (which people on normal internet connections aren't really in the position to implement), I dont even slightly buy that he didn't at least do SQL inejction,

"Silent gratitude isn't very much use to anyone." -- G. B. Stearn

Working...