Healthcare.gov hacked in 4 minutes

White Wizard Member Posts: 179
"The man who appeared before Congress last week to explain the security pitfalls of HealthCare.gov took to Fox News on Sunday to explain just how easy it is to penetrate the website.

Hacking expert David Kennedy told Fox’s Chris Wallace that he determined he could gain access to 70,000 personal records of Obamacare enrollees via HealthCare.gov within about 4 minutes — and it required nothing more than a standard browser, the Daily Caller reported."

Hacking expert David Kennedy says he cracked HealthCare.gov in 4 minutes - Washington Times
"The secret to happiness is doing what you love. The secret to success is loving what you do."

Comments

  • W Stewart Member Posts: 794 ■■■■□□□□□□
    Healthcare.gov is a pretty big target to have not been hacked already if it was that vulnerable. The guy says 7 other independent researchers came to the same conclusion but I just wonder why I haven't heard much about this. If any of this is true then I think it may just lead to the inevitable collapse of this law. Despite the fact that the website itself isn't the law, people are going to associate it with the law and they're only going to be thinking about how a health care mandate caused their personal information to be compromised and poor implementation of it led to identity theft.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    No, I don't see that happening. Remember what's at the heart of this, the millions of people who now have healthcare.
  • W Stewart Member Posts: 794 ■■■■□□□□□□
    Idk. The law might be here to stay but there may be some more chipping away at the law or at least more delays of penalties and mandates before it's all said and done. People are pretty pissed off about the way a lot of this law has been going but hearing that the majority of uninsured people were basically forced into identity theft just looks pretty bad on a large scale.
  • W Stewart Member Posts: 794 ■■■■□□□□□□
    No, hackers didn’t steal 70,000 records from HealthCare.gov

    Looks like the initial report might have been misinterpreted. There's still no details on what the 70000 number was supposed to represent though.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    The first article was clear that the "attack" was done by a security researcher, not a malicious hacker, so IDK where people are getting that from, or the risk of ID theft. That being said, I wish someone had asked a basic question in all those congressional hearings. "Have you had independent security researchers do penetration tests to validate the security of the website?" I really can't see why government is so resistant to deal with issues that are going to make them look bad in the future.
  • cyberguypr Mod Posts: 6,928 Mod
    SephStorm wrote: »
    I really can't see why government is so resistant to deal with issues that are going to make them look bad in the future.

    Easy, they have no friggin idea what's involved and what they are talking about. Someone becomes an expert overnight and they take their word as gospel. Same thing that happens with so called "assault" weapons. The Kevin de Leon "ghost gun" fiasco is a perfect example of this.
  • networker050184 Mod Posts: 11,962 Mod
    Ok guys, we aren't going to discuss politics here. Talk about the tech side of this or nothing at all.
    An expert is a man who has made all the mistakes which can be made.
  • lsud00d Member Posts: 1,571
    In my experience (high level/big project state government), the Security team ran an automated OWASP tool, poked around here and there, and that was it. I can see this happening at the federal level as well.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    SephStorm wrote: »
    The first article was clear that the "attack" was done by a security researcher, not a malicious hacker, so IDK where people are getting that from, or the risk of ID theft. That being said, I wish someone had asked a basic question in all those congressional hearings. "Have you had independent security researchers do penetration tests to validate the security of the website?" I really can't see why government is so resistant to deal with issues that are going to make them look bad in the future.

    First they would have to be aware that the question could even be asked. If you think about the average person and their technical knowledge, it's easy to understand. It's not an unwillingness to deal with issues that will make them look bad in the future, it's an inability to actually understand the subjects that they are making high-impact decisions on. And what is more important, they are so ill-informed that they are unable to even evaluate the worth of someone to advise them on the topic.

    We all know that when it comes to politics it is quite literally all about who you know and if you are able to verbally reproduce the correct phrases that are known to reassure a large number of people who will be voting for you without tweeting pictures of your junk.

    I for one, will welcome our robot overlords.

    Ok guys, we aren't going to discuss politics here. Talk about the tech side of this or nothing at all.
    I don't really even think the interesting part is political. I really think that it comes down to can anyone really expect to have the required knowledge to make these kind of choices for such large (geographically) populations of people? I kind of wonder if when it comes to any sort of government, the "singularity" isn't kind of already here.
  • it_consultant Member Posts: 1,903
    My IT director has some connections in the federal contracting world. Besides hiring someone a bit incompetent at web design and having to integrate with vastly different systems (Social Security Database, VA, etc), which is a challenge in and of itself, one of the big things they have had to deal with is near constant penetration attempts. They don't publicize it because no one except people like us really understands, but that website, maybe a little messed up on rollout, has a huge focus on security.
  • phoeneous Member Posts: 2,333 ■■■■■■■□□□
    So does anyone know what the vulnerability of the site is? Just curious.
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Yeah it's a big target that was established with a big bureaucratic project management from hell at the head of it. DHS got hacked also

    DHS Alerts Contractors to Bank Data Theft — Krebs on Security
    A security breach at a Web portal for the U.S. Department of Homeland Security has exposed private documents and some financial information belonging to at least 114 organizations that bid on a contract at the agency last year.

    “This letter is to inform you that your company’s bank account information may have been improperly accessed because of this incident,” reads a letter sent to affected organizations earlier this month by DHS privacy officer Christopher Lee. “The incident appears to have occurred sometime over the prior four months.”
  • --chris-- Member Posts: 1,518 ■■■■■□□□□□
    phoeneous wrote: »
    So does anyone know what the vulnerability of the site is? Just curious.

    I'm new to this, but it's my understanding there is a rather small pool of attacks that can be utilized via browsers at this point in time. Of course, assuming the site is using up to date coding/software...right? An injection or scripting attack most likely (I think).
  • lsud00d Member Posts: 1,571
    --chris-- wrote: »
    I'm new to this, but it's my understanding there is a rather small pool of attacks that can be utilized via browsers at this point in time. Of course, assuming the site is using up to date coding/software...right? An injection or scripting attack most likely (I think).

    This is accurate--injections, xss, xsrf, all that jazz...there's not a single vulnerability

    Here's a good reference to view the attacks identified by OWASP

    https://www.owasp.org/index.php/Category:Attack
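    The three browser-deliverable attack classes named in the post above (injection, XSS, XSRF) each need a different control, which is the point that "there's not a single vulnerability". The snippet below is an added illustration, not code from the thread or from HealthCare.gov; the in-memory enrollee table, the greeting page and the token scheme are constructed for the demo.

```python
import html
import hmac
import secrets
import sqlite3

# Constructed in-memory table standing in for an enrollee record store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE enrollees (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO enrollees (name) VALUES (?)", [("Ann",), ("Bob",)])


def lookup_vulnerable(name):
    """Injection: the browser-supplied value is spliced into the SQL text,
    so a quote in the input changes the query's logic instead of its data."""
    sql = f"SELECT name FROM enrollees WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_safe(name):
    """Mitigation: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT name FROM enrollees WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def render_greeting(name):
    """XSS mitigation: reflected input is HTML-encoded on output, so markup
    or script in the value is displayed as text rather than executed."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def issue_csrf_token():
    """XSRF mitigation, step 1: a per-session secret the attacker's page cannot read."""
    return secrets.token_urlsafe(32)


def form_post_allowed(session_token, submitted_token):
    """XSRF mitigation, step 2: a state-changing POST is honoured only when the
    form carries the session's token; constant-time compare avoids timing leaks."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())
```
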
  • --chris-- Member Posts: 1,518 ■■■■■□□□□□
    lsud00d wrote: »
    This is accurate--injections, xss, xsrf, all that jazz...there's not a single vulnerability

    Here's a good reference to view the attacks identified by OWASP

    https://www.owasp.org/index.php/Category:Attack

    Great link, thanks...I figured there had to be something like that just didn't know where it was.