Security Expert Hacks Obamacare Website In 4 Minutes; Accesses 70,000 Records

Zero Hedge ^ | January 20, 2014 | Michael Krieger

[Zakeet]

The hits just keep on coming for ObamaCare. It was less than two weeks ago that I highlighted the potential premium rate death spiral that ObamaCare faces due to the fact that only old and sick people are signing up for the program. Now it seems there are further security related concerns plaguing the site, as cyber-security expert David Kennedy recently claimed that “gaining access to 70,000 personal records of Obamacare enrollees via HealthCare.gov took about 4 minutes.”

It’s actually hard to be this incompetent if you tried. More from the Washington Times:

The man who appeared before Congress last week to explain the security pitfalls of HealthCare.gov took to Fox News on Sunday to explain just how easy it was to penetrate the website.

Hacking expert David Kennedy told Fox’s Chris Wallace that gaining access to 70,000 personal records of Obamacare enrollees via HealthCare.gov took about 4 minutes and required nothing more than a standard browser, the Daily Caller reported.

“And 70,000 was just one of the numbers that I was able to go up to and I stopped after that,” he said. “You know, I’m sure it’s hundreds of thousands, if not more, and it was done within about a 4 minute timeframe. So, it’s just wide open.”

“You can literally just open up your browser, go to this, and extract all this information without actually having to hack the website itself,” he said.

Mr. Kennedy testified before Congress Thursday that HealthCare.gov was “100 percent” insecure, Washington Free Beaconreported.

For some context on this very important issue, check out the video below:

[Video embedded in article]

Full article here.

[Zakeet]

It’s actually hard to be this incompetent if you tried ...

[LukeL]

This hacker is obviously racist.

[Republican1795.]

Obamacare is just about over.

[bigbob]

I call BS!

Everyone knows there aren’t 70,000 records there!

[bigbob]

Or, maybe he better check to see what’s in those records...I’d predict he got 70,000 versions of:

“Access Denied. 404. Server timeout. Abort/retry/fail?”

[is_is]

wanna bet?

[spokeshave]

Or, maybe he better check to see what’s in those records...I’d predict he got 70,000 versions of:

all the various combinations and permutations of Obama's

1. Names

2. Nationality

3. Birth dates

4 Hospital of birth

5. Fathers name

6. Fathers nationality

7. Social security numbers

8. Residences

9. Sexual orientation

10. Other....

[OneWingedShark]

Everyone knows there aren’t 70,000 records there!

That depends; given the underlying database-structure a single person's data could be spread across multiple database tables (not a bad thing*), each of which is a distinct record.

* You can use this to group data together, or to "compress" common data -- like storing 1..50 for each of the several states and using that number to reference the state rather than the full name or two-letter postal code.

[ntnychik]

0 only found out when he saw it on TV, like the rest of us.

[12th_Monkey]

It’s patriotic to lose your personal info, right Joe?

[Myrddin]

A SQL injection attack against the username field is a common technique that yields massive exposure for little effort. The typical naive backend SQL script will directly substitute a browser field into a SQL "where" clause e.g. select ssn where username = '$username'; You fill in the username field with the value ' or '1' -- which changes the substituted value to select ssn where username where username = '' or '1' -- That yields a wildcard match on all usernames and spews all the ssn fields. The actual values will differ, but that is the gist of a SQL injection attack.

See SQL Injection attack

[BAW]

But, hey, look over there at Chris Christie . . .

[TChad]

Everyone knows there aren’t 70,000 records there!

65,000 of those records were put there by other hackers.

[eartick]

That is exactly why the process control industry uses so many layers of protection to it’s servers running SQL servers process layer servers.

That and of course Windows OS running on the servers.

Also most of this is edicts sent down from above by boards that have direct ties to Federal Government Security Regs for Process Control. Oh, that is right, that only goes BOOM not someones life savings

[Republican1795.]

Well it is hard to believe the thing is even sustainable at this point.

[Eleutheria5]

How reassuring.

[Lockbox]

Maybe he can tell us how many successfully enrolled and how many paid. Seems the government is unable to determine these numbers.

[kinsman redeemer]

SQL Injection Marker

[liberalh8ter]

My local news reported that 2 women were found at the Mexican border with credit cards that were created as a result of the Target security breach. I'm starting to wonder if all of these security breaches aren't just more punishment to the ‘colonialists’ and a direct means to redistribute the wealth that ‘somebody else made happen’.

[ResisTyr]

Sounds about right, Bob :)