No security ever built into Obamacare site: Hacker
Source: CNBC
It could take a year to secure the risk of "high exposures" of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday.
"When you develop a website, you develop it with security in mind. And it doesn't appear to have happened this time," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week. "It's really hard to go back and fix the security around it because security wasn't built into it," said Kennedy, chief executive of TrustedSec. "We're talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself."
<snip>
Last month, a Sept. 27 government memorandum surfaced in which two HHS officials said the security of the site had not been properly tested before it opened, creating "a high risk." HHS had explained then that steps were taken to ease security concerns after the memo was written, and that consumer information was secure. Technicians fixed a security bug in the password reset function in late October, the agency said.
But on CNBC, Kennedy disputed those claims, saying vulnerabilities remain on "everything from hacking someone's computer so when you visit the website it actually tries to hack your computer back, all the way to being able to extract email addresses, users' names (first name, last name) [and] locations."
Read more: http://www.cnbc.com/id/101225308
If this is true, it seems probable that someone with a political agenda against ACA will exploit it, and publicize it.
SoapBox
(18,791 posts)
to show up on CNBC... and, he testified? Who called him in? Issa?
I would rather hear from somebody else.
CorrectOfCenter
(101 posts)
mwrguy
(3,245 posts)
He answers to somebody.
Fridays Child
(23,998 posts)
Keep people afraid and ignorant. It should be the Republican motto.
mwrguy
(3,245 posts)
Mysterysouppe
(68 posts)
No matter what he does, or whether his ideas work.
Tunkamerica
(4,444 posts)
or should it just get massively hacked before anyone tries to fix it?
NoOneMan
(4,795 posts)
He offers services in IT security to businesses
tblue
(16,350 posts)
to make the ACA fail? Geez. So much energy wasted bringing it down. Don't they have better things to do?
Granted, the system requires a secure site but, since you no longer have to submit your medical history to get insurance, I'm not as worried.
Can we please just let the thing get its sea legs and before we decide it can never work and demolish it?
Control-Z
(15,682 posts)
buying his expert opinion. The real question should be who asked him.
defacto7
(13,485 posts)
The guy is a paid con hired to make a speech to titillate the unthinking. I'm sure there are those gullible enough to take it hook line and sinker. I'm also sure there are weak places; there are weak places in most computers on the planet and all the computers in Internet land, but this guy wreaks of payola.
The only people I trust less than Internet crooks are Internet security company front men. BS!
NoOneMan
(4,795 posts)
But I know quite a bit about IT security, so I cannot fathom how the premise of this story can simply be bullshit. Web applications with a decade of development history deal with exploits quite commonly.
He posted a screenshot of some python scripts (which could do nothing but echo out content) that supposedly interface with the provider web services to extract user data:
I've mined data off government websites (public data, mind you) by coming up with the proper requests and plugging in automatically incrementing ids (instead of hashes) to extract data quickly, up to millions of records. If their web services did not require authentication and were using the SOAP protocol (likely), he could easily have requested info if an incrementing id was the sole request parameter.
I am also in IT, and agree with this.
Xithras
(16,191 posts)
Speaking as someone who spent a large part of his career writing software for the government as a consultant, I've seen some real horror stories. Generally speaking, web services (such as the one this guy is citing) tend to be the biggest problem across the board. I've seen sites that bend over backwards to secure the web frontend site (the part everyone sees), which then leave the backend services clear. I was once called in to rewrite and secure a SOAP architecture that actually allowed anyone to query ANYTHING about a user based on their social security number. A simple script could have iterated through all 1.1 billion social security numbers in only a few days' time, extracting everything from tax records to financial data (the site dealt with unemployment insurance, and had all sorts of valuable data in it). There was no authentication for the web service whatsoever, and no encryption on the connection once it was established. The original writers simply assumed that nobody would ever find it.
Part of the problem is that enterprise web technology has fully embraced SOA, and yet a LOT of developers still don't know how to properly secure and authenticate SOAP and REST calls between the presentation layer and the transactional servers. They started programming in a world where you did the processing on your web server directly and security between the layers usually wasn't a consideration. For many of those developers, it's still a bit of an afterthought.
It sounds like the guy in the OP found the Healthcare.Gov site doing the same thing. It's not a slight against this site in particular, but is simply indicative of the kinds of problems we often see in government sites (and hurriedly built SOA sites in general).
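The failure mode the two posts above describe (a back-end lookup service that hands back any record for whatever sequential id it is given, with no authentication and no per-record authorization) is easy to show next to its fix. The following is an added example written for this thread; it is not code from HealthCare.gov, from Kennedy's screenshot, or from either poster. The record store, session tokens, client addresses and log lines are all constructed for the demo, and the log format is an assumption. It shows the insecure lookup, a hardened version that authenticates the caller and only returns records the caller owns (with one uniform "not found" so the service does not confirm which ids exist), and a small log check that flags a client sweeping many distinct ids in a short window, which is the signature a defender would alert on.

```python
"""Toy back-end record service: insecure lookup vs. hardened lookup,
plus a log check for id sweeps. All data below is constructed."""
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records keyed by a sequential integer id (the weak design:
# ids are guessable, so the service must not rely on them being secret).
RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "ssn_last4": "1234"},
    1002: {"owner": "bob",   "name": "Bob Example",   "ssn_last4": "5678"},
    1003: {"owner": "carol", "name": "Carol Example", "ssn_last4": "9012"},
}

# Constructed session store: opaque bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def lookup_insecure(record_id):
    """The pattern the thread describes: any caller, any id, full record."""
    return RECORDS.get(record_id)


def _authenticate(token):
    """Map a bearer token to a user; constant-time compare avoids a
    timing side channel on token bytes. Returns None if not authenticated."""
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token or ""):
            return user
    return None


def lookup_secure(record_id, token):
    """Hardened lookup: authenticate, then authorize per record.
    Missing and foreign records get the same answer so the id space
    cannot be mapped by probing."""
    user = _authenticate(token)
    if user is None:
        return {"error": "unauthenticated"}
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        return {"error": "not found"}
    return {k: v for k, v in rec.items() if k != "owner"}


# Constructed access log: "<iso-timestamp> <client> <method> <path> <status>".
# One ordinary client fetches its own record twice; one client sweeps ten ids.
LOG_LINES = [
    "2013-11-25T10:00:00 198.51.100.7 GET /svc/record?id=1001 200",
    "2013-11-25T10:00:30 198.51.100.7 GET /svc/record?id=1001 200",
] + [
    f"2013-11-25T10:00:{s:02d} 203.0.113.5 GET /svc/record?id={1000 + s} 200"
    for s in range(10)
]


def detect_enumeration(lines, max_distinct_ids=5, window=timedelta(seconds=60)):
    """Return clients that requested more than max_distinct_ids distinct
    record ids within any interval of length `window`."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, _method, path, _status = line.split()
        record_id = path.split("id=", 1)[1]
        per_client[client].append((datetime.fromisoformat(ts), record_id))
    flagged = set()
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {rid for t, rid in events[i:] if t - start <= window}
            if len(ids) > max_distinct_ids:
                flagged.add(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("insecure, no token:", lookup_insecure(1002))
    print("secure, wrong owner:", lookup_secure(1002, "tok-alice"))
    print("secure, own record:", lookup_secure(1001, "tok-alice"))
    print("sweeping clients:", detect_enumeration(LOG_LINES))
```

The authorization check is the part that matters: authentication alone would still let any logged-in user walk the id range, which is exactly the SOAP scenario Xithras describes. In a real deployment the record identifier exposed to clients should also be a random opaque reference rather than a counter, and the enumeration detector would run on the service tier's own logs, not only on the public web front end, because that is where the unprotected calls land.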
Mysterysouppe
(68 posts)
And by the way, it's "reeks," not "wreaks."
defacto7
(13,485 posts)
Doesn't mean I can't learn something, but at this point I stand by my statement. And that's as far as I'm going with it.
The word is wreaks... as in wreak havoc... I wasn't referring to smells.
PoliticAverse
(26,366 posts)
DallasNE
(7,404 posts)
Unless he has visited the actual code, especially the claim that the fix of a security bug in the password reset remains vulnerable. Also the source, CNBC, is suspect. Encrypting key data like Social Security number surely wouldn't take anything like a year to fix. Indeed, this kind of security is so obvious I would think it would have been part of what was installed over the last two months. Indeed, I have little use for experts making wild claims without being hands-on. How much did CNBC pay this "expert" to say these things?
SoapBox
(18,791 posts)
byronius
(7,410 posts)
'My special decoder ring, however, could see right through their sinister machinations.'
Somebody call Buck Rogers! His publicist is on the teevee! Wait, that's him! Only he can help save us from Fu Manbama!
God this shit is boring. Boring Boring Boring BORING. Stupid. Boring.
bigdarryl
(13,190 posts)
So I guess this is the next talking point. I've never seen so much interest in a website failing.
Scuba
(53,475 posts)
cali
(114,904 posts)
repukes do.
it's kind of you to attribute it to people merely being naive, but it's pretty clear that that's not it.
Scuba
(53,475 posts)
... and I have good reason to believe the private corporation that built the website wanted it to fail.
Paulie
(8,462 posts)
He's well known for SET, the Social Engineering Toolkit, and a hacker convention called DerbyCon.
But he has a huge blind spot; he leans very right and hates Obama. So that he's hanging out with the Republics and sowing FUD (fear, uncertainty and doubt) is not surprising at all.
He is correct that you want to have security as an overriding design goal, beyond best practices in coding, from day one but that rarely happens from day one in the real world. Especially with a gov contract made up of the lowest bidders.
As of this point I haven't heard any stories of a breach of healthcare.gov or the exchange sites. Given all the attention, surely someone on the planet with skills has done a recon and tried....
wiggs
(7,820 posts)
Fox began having all kinds of security experts express concern on multiple shows. They are running out of ACA bad news they can sell 24/7, so this is it. This is the current focus.
It may very well be that the website isn't as secure as could be. How many websites are? What kind of information is at risk that isn't already at risk a hundred times over?
Somewhere along the way, I hope more and more people realize that if it's on FOX it's automatically questionable.
mwooldri
(10,303 posts)
IMO all security is breached anyway. Most secure network I know of right now is the sneaker-net. Or paper & ink.
I'm positive that there are security issues with healthcare.gov but there's holes everywhere. The Wordpress site I run has a plugin that alerts me to any possible breaches (usually plugin updates). And that's just my little ol' site!
I and a family member got caught up in the Adobe hack. I'm sure that site was designed "with security in mind." Didn't make a helluva difference.
geek tragedy
(68,868 posts)
The OP proves that point.
Psephos
(8,032 posts)customerserviceguy
(25,183 posts)
when all of the quick fixes were being made over the last month or so. It takes time to test websites, especially for security.
The thing that would absolutely kill Healthcare.gov is if public trust in it is destroyed. Our reich-wing enemies would celebrate if they saw stories of identity and bank fraud from the ACA website.
quadrature
(2,049 posts)
unless you plan to drop dead in the next few months,
I would suggest waiting until
the security issues are investigated.
You can see a lot just by looking.