Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Government Medicine Privacy United States

Hackers Break Into HealthCare.gov 150

mpicpp is one of many to point out that hackers broke into the HealthCare.gov website in July and uploaded malicious software. "Hackers silently infected a Healthcare.gov computer server this summer. But the malware didn't manage to steal anyone's data, federal officials say. On Thursday, the Health and Human Services Department, which manages the Obamacare website, explained what happened. And officials stressed that personal information was never at risk. "Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," HHS spokesman Kevin Griffis said. But it was a close call, showing just how vulnerable computer systems can be. It all happened because of a series of mistakes. A computer server that routinely tests portions of the website wasn't properly set up. It was never supposed to be connected to the Internet — but someone had accidentally connected it anyway. That left it open to attack, and on July 8, malware slipped past the Obamacare security system, officials said.
This discussion has been archived. No new comments can be posted.

Hackers Break Into HealthCare.gov

Comments Filter:
  • by ChipMonk ( 711367 ) on Thursday September 04, 2014 @05:25PM (#47830537) Journal
    The country's in the very best of hands.
    • Or I'm thinking these hackers were blond and Polish! LOL! Caveat - I'm Polish and Jewish.
    • Re:Yep. (Score:4, Insightful)

      by Electricity Likes Me ( 1098643 ) on Thursday September 04, 2014 @05:32PM (#47830587)

      Yes I'm sure this has never happened to a private company or multiple major financial institutions [theinquirer.net], or academic institutions [abc7news.com], or security companies [arstechnica.com] or IT companies [time.com].

      Oh wait.

      • It's like that old saying:

        You'll probably get fired for going Oracle.

      • Re:Yep. (Score:5, Insightful)

        by trout007 ( 975317 ) on Thursday September 04, 2014 @06:28PM (#47830923)

        The difference is people voluntarily give data to these companies where as you are forced to give information to Healthcare.gov. It would be the same as if the IRS was hacked.

        • Anythings found ?
        • by cyn1c77 ( 928549 )

          The difference is people voluntarily give data to these companies where as you are forced to give information to Healthcare.gov. It would be the same as if the IRS was hacked.

          Well, you aren't forced to! You could just not have healthcare, be financially penalized for not having healthcare, and then die prematurely.

          Plus, like all of the academic, financial, security, and IT institutions, the government is really sorry that your personal identity was compromised, but it was an accident OK? So let's not get too upset... they are doing the best that they can! (The hackers are just doing better!)

          Plus, I am sure that they will give you one whole free year of credit monitoring to ma

          • The difference is people voluntarily give data to these companies where as you are forced to give information to Healthcare.gov. It would be the same as if the IRS was hacked.

            Well, you aren't forced to! You could just not have healthcare, be financially penalized for not having healthcare, and then die prematurely.

            Actually, the financial penalty is for not paying a private company for an insurance policy. It doesn't matter if you receive health care or not.

          • And if you don't pay the penalty?

        • by Kijori ( 897770 )

          The difference is people voluntarily give data to these companies where as you are forced to give information to Healthcare.gov.

          So?

          Consumer choice makes a difference where the consumer could have avoided the problem if they had had a choice. But that's not the case here. How secure the back-office systems of a company are is almost completely opaque to a consumer, so they cannot make an informed choice, and the institutions being hacked are banks, credit checking agencies, health insurance companies, security companies - you can't realistically avoid doing business with them.

        • The difference is people voluntarily give data to these companies where as you are forced to give information to Healthcare.gov. It would be the same as if the IRS was hacked.

          Wow, a completely factually incorrect complaint about "Obamacare." Modded up as Insightful as well, how suprising.

          There are absolutely no requirements to use any of the echanges in the ACA. The exchanges are provided as a convenience. You are perfectly free to get your healthcare through your employer if you want. Or, you can
      • they're not spending MY money.
      • Re:Yep. (Score:4, Insightful)

        by cold fjord ( 826450 ) on Thursday September 04, 2014 @07:47PM (#47831375)

        Yes I'm sure this has never happened to a private company or multiple major financial institutions [theinquirer.net], or academic institutions [abc7news.com], or security companies [arstechnica.com] or IT companies [time.com].

        Major financial institutions, academic institutions, security companies, and IT companies don't force us under penalty of law to use their wares and put our personal confidential information at risk. Furthermore, few if any of them have managed to create something of such colossal expense, enormous failure, corruption, and risk we see now.

    • Obamamancer.

    • Re: (Score:2, Insightful)

      by linuxguy ( 98493 )

      > Yep. The country's in the very best of hands.

      Damn straight, this is Obama's fault.

      Some low level govt. employee accidentally connected a computer to the Internet and exposed it to malware. If that isn't the reason to impeach Obama then I don't know what is.

      • Please tell me your comment is snark.
        • Re:Yep. (Score:4, Funny)

          by linuxguy ( 98493 ) on Thursday September 04, 2014 @07:46PM (#47831371) Homepage

          > Please tell me your comment is snark.

          No sir. I am dead serious! Obama is incompetent. Take for example this business with Putin and ISIS and Taliban. It is getting out of control. Not because these are hard problems, but because Obama is a pussy. He wants to keep thinking about it. As GWB would say, time for thinking is over. Its time to kick some ass. If you have seen the Rambo series of movies, you'd know what I am talking about.

          Man, I hope to God Chuck Norris runs for president and wins. I'd like see the expression on Putin's face when that happens.

          • by cyn1c77 ( 928549 )

            > Please tell me your comment is snark.

            No sir. I am dead serious! Obama is incompetent. Take for example this business with Putin and ISIS and Taliban. It is getting out of control. Not because these are hard problems, but because Obama is a pussy. He wants to keep thinking about it. As GWB would say, time for thinking is over. Its time to kick some ass. If you have seen the Rambo series of movies, you'd know what I am talking about.

            Man, I hope to God Chuck Norris runs for president and wins. I'd like see the expression on Putin's face when that happens.

            Why is the parent modded as funny?

            I mean, the post is funny, but I think he was also serious! It should be "insightful!!!"

            Even if you voted for Obama twice, you have got to admit (by now) that he does do a lot more thinking and talking than taking action.

            Of course, with politicians, less action is often preferable!

      • Re: (Score:2, Insightful)

        by Ol Olsoc ( 1175323 )

        > Yep. The country's in the very best of hands.

        Damn straight, this is Obama's fault.

        Some low level govt. employee accidentally connected a computer to the Internet and exposed it to malware. If that isn't the reason to impeach Obama then I don't know what is.

        Fox News reports that 8 out of 10 Republicans believe this unbelievably incompetent security breach has replaced BENGHAZI! as the worst thing that ever happened in American History.

        The other two are too busy trying to find a loophole in Ted Cruz's ability to run for president. They think it will work out if we declare war on Canada.

    • Re:Yep. (Score:5, Insightful)

      by HornWumpus ( 783565 ) on Thursday September 04, 2014 @06:17PM (#47830851)

      Confession: I just actually RTFA. Don't ban me.

      Evidence the attack hadn't proceeded? That the 'attack tools' were sitting there, waiting for the command.

      So someone broke in and left a bunch of 'hacker tools' laying around a directory and listening on a port as a service?

      Wouldn't the last step of a successful attack be to clean up all traces, run defrag then perhaps install a fresh copy of BO. Just incase someone changes the password before you come back.

      How would you know the difference between a successful raid and an aborted one? Could you give a quick answer? If you needed to search logs to even start answering but the PHB was breathing down your neck what would you say? What other servers would you even start on? What OSs are they using? What skeletons have they already hidden? Database? Read only? Did anybody 'SELECT * FROM *' lately?

      Just how good can the logging/intrusion detection be? They let a local login loose.

    • Re: (Score:2, Interesting)

      by Ol Olsoc ( 1175323 )

      The country's in the very best of hands.

      This is the very first time a computer has ever been hacked! What the hell is going on! I mean, I thought coomputers were completely safe and secure, and no look. It only figures our goddamned Government would be where this would start.

      The only cure is the invisible hand of the free market.

      Never been compromised, and never will be. For the free marketeers strengths are as the strength of ten men each, because their hearts are pure, above reproach, and never - mind you, NEVER to fail.p> See, I can sp

  • by Anonymous Coward on Thursday September 04, 2014 @05:31PM (#47830581)

    "the malware didn't manage to steal anyone's data, federal officials say."
    Mostly because at the time, no one had yet been able to successfully complete the sign up process.

  • 4chan is approaching AARP eligibility.
  • Is it just me, or does anyone seem to not really care about this (regarding the seriousness of 'getting hacked' that is)? For some reason, I'd like to see obamacare's 'computer servers' all get waxed. Maybe if that happens they won't have to deliberate further about the legality of requiring citizens to put such data on a 'computer server'.
  • by Anonymous Coward on Thursday September 04, 2014 @05:34PM (#47830601)

    A computer server that routinely tests portions of the website wasn't properly set up. It was never supposed to be connected to the Internet â" but someone had accidentally connected it anyway.

    How, in this day and age, does this kind of stupid shit keep happening? How are network admins not creating L2 & L3 separations in the network, with internal firewalls and IDS? How are operations engineers not building local firewalls on machines, and locking down through security policies?

    This isn't 1994 any more people. Hand crafted individual artisanal servers, personally wrapped in cotton wool and hand reared by the friendly neckbeard, are not how things should be done at scale in this day and age.

    • I'm stealing the 'Hand crafted individual artisanal servers...' line. Where did you steal it from?

    • by Builder ( 103701 )

      The network admins will have all of that. But they'll be a shared resource covering thousands of ports across hundreds of services. And if you raise a request saying that I need on the internet accessible network, chances are, you'll get it. Because of how we structure our SLAs, performance reviews and outsourcing contracts, more often than not, the job of the network admin (or server admin, or proxy admin, etc.) is to carry out the instructions in the ticket. If an approved ticket requests something, the

    • Easy, because one of 3 things:
      1. It is too expensive and no one wants to budget for it.
      2. I.T. is severely understaffed and forced to work in reactive mode, not proactive mode.
      3. They have the security in place, but it is so complex and covering such a large architecture, it is not well-monitored nor maintained for fear of breaking something.
      This being the US federal government, there are probably about 100 different contracted companies for all the various parts of and pieces, with no federal IT employees

    • ... but someone had accidentally connected it anyway.

      How, in this day and age, does this kind of stupid shit keep happening? How are network admins not creating L2 & L3 separations in the network, with internal firewalls and IDS? How are operations engineers not building local firewalls on machines, and locking down through security policies? ...

      They did not hire anyone who could do that sort of thing, obviously.

  • Whos data again? (Score:4, Insightful)

    by bjwest ( 14070 ) on Thursday September 04, 2014 @05:40PM (#47830641)

    FTFA: "Our review indicates that the server did not contain consumer personal information..."

    So we're consumers to government services now?

    It was bad enough when the corporations changed from using customers to consumers, but no way in hell should the government use that term in reference to its citizens.

    • They exceeded 51% net beneficiaries a while ago. Its all bigger and bigger 'bread and circuses' from here on. Amazing government efficiency or hidden costs?

  • by erp_consultant ( 2614861 ) on Thursday September 04, 2014 @05:43PM (#47830661)

    exactly one :-D

  • by roc97007 ( 608802 ) on Thursday September 04, 2014 @05:48PM (#47830691) Journal

    > It was never supposed to be connected to the Internet — but someone had accidentally connected it anyway.

    This is where "we don't need security because the machines will never be connected to the internet" falls apart.

  • so (Score:4, Insightful)

    by geekoid ( 135745 ) <{moc.oohay} {ta} {dnaltropnidad}> on Thursday September 04, 2014 @06:07PM (#47830775) Homepage Journal

    healthcare.gov was better protected then sony? homedepot? target?
    Not too bad.

    • At last. Someone with a brain and a sense of humor. Thank you.
    • Well, at least that is what the government officials are claiming, but these are from the government officials who answer to people who were telling us a few years ago that the VA was the model of ideal healthcare delivery.
      • by Jeremi ( 14640 )

        these are from the government officials who answer to people who were telling us a few years ago that the VA was the model of ideal healthcare delivery

        The problem with the VA is that it had to handle a large influx of veterans returning from Iraq and Afghanistan, and there was no corresponding influx of resources to handle them. I don't know if the VA model was 'ideal' or not, but any system will hit the wall at some point if you keep increasing the load factor and never increase its resources.

        • by Straif ( 172656 )

          Only 2 problems with your claims,

          1) The VA has received one of the largest increases in funding of all government departments and it's been a bipartisan effort to increase available funds for a while now. Their 2003 budget was $50 billion; the 2015 budget is $170 billion and that increase was not all at once but continually over those 12 years.

          2) In that same time period patient case loads have only increased about 30% and the majority of those cases are not vets from Iraq and Afghanistan but older vets.

        • As someone else pointed out, your answer sounds oh so logical, but suffers from the problem of being false. The VA received a much lager increase in resources than it did patients.
          So, explain to me again why I should believe this Administration official when they claim that no private personal information was stolen during this breach? Bear in mind that this official answers to the same people as the IRS officials who claimed that Lois Lerner's emails had been lost due to a hard drive crash, only to admit
  • LOL does anyone believe this? Do you remember security people warning just exactly how easy it was to infiltrate and get the data? It was even done as proof of concept.
    Believe me someone has gotten in and stolen something.

    • The only way they can definitively state that no data was stolen is if there is better auditing capability at Healthcare.gov than there seems to be at the NSA (who apparently can't audit what was "stolen"). This seems sad to me on SO MANY levels.
    • Exactly. The original breach was said to have occurred on July 8th. Despite "daily reviews" by the security team it went undetected until August 25th. That's what....6 weeks? I'm envisioning some sort of Falcon and the Snowman atmosphere with paper shredder margaritas for all.

      Naturally, the administration is playing this whole thing down as "run-of-the-mill, low-level hacker stuff". Uh huh. Then why did it take 6 fucking weeks to find it? "It wasn't even designed to steal patient data", they claim. And what

      • by koan ( 80826 )

        Yep and the nude hacker story, the news keeps talking about the "poor celebs" who got violated, the real story is a script kiddie hacked Apples iCloud, that's the story.
        I wonder how much Apple is paying them not to talk about it.

  • Most naive headline evar.

    The news isn't that someone broke in. They've been in since before it went live. The news is that someone noticed.

    • Actually, the NEWS is that it was reported. We all knew this site was messed up functionally as well as insecure as a bare NT box running IIS from 1995.

      • Actually, the NEWS is that it was reported. We all knew this site was messed up functionally as well as insecure as a bare NT box running IIS from 1995.

        Wait a sec. What are you implying about my company's servers?

  • by Anonymous Coward

    I find that when tackling a problem, it's often much more effective to tackle the correct side of it. For example: when a vessel is leaking, putting a plug in the side with LOWER pressure is far less effective than, if it can be done, putting the plug in the side with HIGHER pressure. Prosecuting people who manufacture, transport, distribute, and SELL drugs is infinitely less effective than prosecuting the people who USE them (and yes, I'm getting to my point here, in a second,) and the fact that in the U

    • I started reading that rant thinking.. OK, they are nuts for sure... BUT

      I think you are on to something here. Now I don't agree with your examples for drug use, nor do I think we should just go after users, traffickers should be targets of prosecutions too, your ideas on personal ID have merit.

      Actually, this is the kind of thing the credit watching companies do but I like your idea of making it a legal responsibility of the credit issuer to prove they are dealing with the person in question or be unable

  • by bobbied ( 2522392 ) on Thursday September 04, 2014 @06:51PM (#47831067)

    Give the job of fixing this to the newly minted Federal Government CTO announced on SlashDot just today! http://en.wikipedia.org/wiki/M... [wikipedia.org]

    Oh wait, problem, that's not her job, that falls under the Secretary of Health and Human Services control... Washington DC is broken, very broken...

  • by jamesjw ( 213986 ) on Thursday September 04, 2014 @08:08PM (#47831515) Homepage

    In most cases you'd expect hackers to hack in and break the site, in this case they probably felt obligated to fix it knowing that that would annoy far more people than taking it off-line :)

  • by Anonymous Coward

    Any conclusion based on malware found is ridiculous. You are basing a conclusion on false pretense and incomplete information.

    A real investigator concludes loss of data or other impact based on actual evidence to show those effects. The presence or non-presence of malware is not evidence of such activity. Its only evidence of that malware.

    Also, malware does not "slip" around. That is a patently false statement, proving the ongoing poor comprehension of what computer security is all about, and an attempt to

  • Those damned republicans probably denied the funding they needed to also make it secure.
  • No doubt it was a Windows machine, and the poor bastard who hooked it up to the internet probably used Internet Exploder 7.

  • I am not posting this AC cause I dont care, you need to know..,.I just left the healthcare IT industry after 4 years...because security was a sham. It was up to me, the admin, to go on my own and secure everything. I had to do this after hours, on my on time, cause during the core business hours I had to do releases, stand up more servers, baby sit the dev's, fix customer SSO issues, etc. Developers run the web sites..dont believe me..well try to get Ruby devs to change the code ruby auto generates from "
    • BTW, one of the sites i worked for was located in the same terremark data center, in culpepper virginia, as healthcare.gov was hosted in. I was able to get it moved to a different host finally. But terremark, i believe, still hosts healthcare.gov...security as tight as a whales ass..bunch of old web applicances tied together with yarn and chicken wire....assume everything you type into healthcare.gov is being sent directly to ISIS and you probably wont be to disappointed when only a few script kiddies and t

You are always doing something marginal when the boss drops by your desk.

Working...