Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes 351
cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"
Re:Okay, but... (Score:4, Informative)
History suggests so.
The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.
If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.
This Was Commercial (Score:4, Informative)
I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).
I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have(had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.
This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.
Re:Okay, but... (Score:5, Informative)
Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.
* Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...
Re:This Was Commercial (Score:5, Informative)
NASA? Pretty much everything they do consists of issuing a design spec and taking bids. Even Apollo and Saturn were actually designed by private companies.
Re:Government! (Score:5, Informative)
The private sector did build the website.
Re:Okay, but... (Score:5, Informative)
A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.
Re:Throw money at it! (Score:4, Informative)
I'm amazed at how poorly government can handle even modest changes in funding... and not just at the federal level. During the financial crisis, our local school system had a 5% cut, and you would have thought the world had ended. They zeroed out maintenance, fired teachers, cut programs, all to preserve a yet-to-be-negotiated pay raise for the staff. Meanwhile, in my job in the private world we all took a 25% reduction in pay for a while when the company's revenue went suddenly to nearly zero, so my sympathy was not exactly running high.
Mind you, cutting 5% returned them to the previous year's levels. No one could answer my question about how they managed to hold it all together the year before if the funding was "so bad".
Re:Okay, but... (Score:5, Informative)
being legally mandated to do something dangerous isn't good.
The worrisome thing is, you don't even need to do anything to be exposed to danger. Your information is already in the system, waiting to be exposed.
Re:This Was Commercial (Score:5, Informative)
They do program management, and that's very important. healthcare.gov would fare much better if it had NASA-style, competent program oversight.
Re:Okay, but... (Score:3, Informative)
Or you could, I dunno actually call up the credit rating agencies and actually describe the problems. Quite often they can actually help you with your problems, though by the time you get to them, you're generally feeling too irate to appreciate it.
I had collections agencies calling me every few weeks asking for 'insert name here' who apparently bought some crap and put my phone number as the contact info. Well, a company generally shops the collections duties out to a bunch of useless leaches that don't give a fuck about annoying the shit out of honest folks. Finally after maybe 2 years of hassle from countless collections leaches, one of the agents finally told me if I really had an issue with it, that I should just go to Transunion/Equifax (at least in Canada) as the contact info was most likely originating from them. I did, and the agent 'corrected' the defect and I haven't heard a peep from a collections agent since. God thank goodness I'm not a delinquent dead beat or else I'd be living a shitty life with those vultures pecking.
If I recall correctly, you can also do other things like flag your personal information, and if anyone attempts to open credit accounts through those credentials, you'll get notified, but I can't remember if that's right or not. If not, it'd be in everyone's benefit to do so if they don't though.
Re:I can almost imagine how it might be done (Score:4, Informative)
Good point. I've always been impressed by how hackers can exploit the information gleaned from a very sample interactions with a system to discern the underlying algorithm behind token choice, etc. I saw a step-by-step presentation recently from DEFCON on how the presenter was able to break into someone's social media account, IIRC by whittling down millions or billions of possible authentication tokens to a very small number by a combination of social engineering and sleuthing using the clock time, host IP, etc. I wish I could find it again and post it here; it was dizzying.
Re:Throw money at it! (Score:4, Informative)
Someone is very confused between sequestration and shutdown.
How did you get +5 insightful?
Re:$700 million - and still insecure!!! (Score:5, Informative)
The commercial company that built this website was let go from their contract, and without that contract there will likely be firings.
But yes, feel free to tell us about all the firings from the major corporate breaches that happened in the last year. Because if you think this doesn't happen all the time, you're living in a fantasy world.
Re: Government! (Score:4, Informative)
You haven't done much contract work, have you? The government illegally exempted this web site from the usual security checks and procedures, and prioritized some aspects of development so it would "meet schedule" with a less-than-fully-working site. They very much did direct the contractors how to spend resources, and security and quality were nowhere near the top of that list.