Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Healthcare.gov ‘may already have been compromised,’ security expert says
foxnews.com ^ | 11/19/2013

Posted on 11/19/2013 10:56:11 AM PST by RoosterRedux

Not only is healthcare.gov at risk, it may already have been compromised, a security expert testified before the Senate.

“Hackers are definitely after it,” said David Kennedy, CEO of information security firm TrustedSEC before a House Science, Space, and Technology committee hearing on security concerns surrounding the problematic Healthcare.gov website.

“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”

One key problem facing Healthcare.gov is that security wasn’t built into the site from the very beginning, he said -- an opinion shared by both Kennedy and Fred Chang, the distinguished chair in cyber security at Southern Methodist University.

“There’s not a lot of security built into the site, at least that’s what we can see from a 10,000 foot view,” Kennedy told the committee.

(Excerpt) Read more at foxnews.com ...


TOPICS: News/Current Events
KEYWORDS: fusterclick; healthcaredotgov
Navigation: use the links below to view more comments.
first previous 1-2021-4041-59 last
To: commish
Just from that I can deduce without any tools that there are severe Sql Injection issues, probably XML injection and cross-site scripting vulnerabilities too.

Southack tells me they are now scrubbing input.

Too late, of course.

But I can only believe they are reading our -- and many other -- tech forums, and learning from our horrified comments.

I'm billin' the bastards. They never would have known about SQL inject until I showed them the vulnerability.

41 posted on 11/19/2013 1:05:42 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: RoosterRedux

42 posted on 11/19/2013 1:07:18 PM PST by JPG (Yes We Can morphs into Make It Hurt.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: commish

I mean DAMN guys, don’t you at LEAST do character-limiting to A-Z and 0-9? Not that that would help, anyone can inject something on the raw HTTP response before it sends out. But I mean, just to show the hackers you are AWARE of some EXTREMELY basic security????!?!?


43 posted on 11/19/2013 1:07:37 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Lazamataz

I’m going to register as Bill DropTables. Hey, ya never know.


44 posted on 11/19/2013 1:08:46 PM PST by Billthedrill
[ Post Reply | Private Reply | To 43 | View Replies]

To: Southack
Bet you a dollar I could man-in-the-middle with a link inject and a simple Cross Site Request Forgery. Take control of the session and get everyone's stuff.

Just, damn.

Take my bet? LOL

Nah, I better not. I'd get in trouble.

45 posted on 11/19/2013 1:10:14 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Billthedrill
It would probably be worth more if you went in as Bill ;Select * from Users; Select * from PaymentMethods; Select * from PaymentAccountInfo
46 posted on 11/19/2013 1:11:40 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Billthedrill

Oh, and add — at the end to terminate into a comment. That way it doesn’t fail at the server. LOL


47 posted on 11/19/2013 1:12:40 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Southack
Easy pickings..

This just blows me away. I mean, I've worked in the Fed sector before... and people, WE WERE PRETTY DAMN GOOD.

Nothing like this.

48 posted on 11/19/2013 1:18:10 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Southack

It seems to be whatever was recently entered.


49 posted on 11/19/2013 1:25:19 PM PST by Ray76
[ Post Reply | Private Reply | To 36 | View Replies]

To: RoosterRedux

They just need to apply ComboFix. Idiots


50 posted on 11/19/2013 1:32:05 PM PST by eyedigress ((zOld storm chaser from the west)/ ?s)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lazamataz

#$%^&*()_+!@X

What?


51 posted on 11/19/2013 1:34:08 PM PST by eyedigress ((zOld storm chaser from the west)/ ?s)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Lazamataz
This just blows me away. I mean, I've worked in the Fed sector before... and people, WE WERE PRETTY DAMN GOOD.

Same here. The software we produced HAD to work or airplanes crashed. And everything was tested, retested, tested again, with every change and discrepancy documented thoroughly.

How this piece of crap was let out of the gate prematurely is unfathomable.
52 posted on 11/19/2013 2:54:39 PM PST by yorkiemom
[ Post Reply | Private Reply | To 48 | View Replies]

To: Lazamataz; yorkiemom; Southack; commish; Ray76

You all are way more expert in these (security) matters than I. Should someone like me conclude that anyone whose data has been entered into the site probably has had their info. compromised already?

Do you concur with the testimony that real security is months away at best?

What is the likely status of the STATE exchanges, and do they feed any information into Healthcare.gov?

Do any other parties or agencies feed information to or interact with Healthcare.gov? What about the insurance companies? (I know “interact” is not the right word, but “link” doesn’t seem right, either.)

Did any of you watch Greta’s interview of David Kennedy, and do you have any further reaction?

Thanks!


53 posted on 11/20/2013 1:48:41 AM PST by Paul R. (We are in a break in an Ice Age. A brief break at that...)
[ Post Reply | Private Reply | To 48 | View Replies]

To: Paul R.
Should someone like me conclude that anyone whose data has been entered into the site probably has had their info. compromised already?

Not probably. Definitely.

Do you concur with the testimony that real security is months away at best?

No. I assert that real security will never be attainable.

What is the likely status of the STATE exchanges, and do they feed any information into Healthcare.gov?

I suspect the state exchanges are much better, but since they feed to the national database, the information is still insecure.

Do any other parties or agencies feed information to or interact with Healthcare.gov? What about the insurance companies? (I know “interact” is not the right word, but “link” doesn’t seem right, either.)

Yes. As far as I know, the following agencies/entities interact: IRS, ICE, banks, insurance companies, payment-processing vendors. There may be many more.

Did any of you watch Greta’s interview of David Kennedy, and do you have any further reaction?

No, and N/A.

54 posted on 11/20/2013 3:19:03 AM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 53 | View Replies]

To: Lazamataz; Paul R.

What Laz said, although I would add one thing — security is probably attainable, but only with a complete and total scrap and restart from the beginning with Security being built in from the bottom up.

This is not just a rewrite, at this point we have to assume that all the servers have been compromised and backdoors have been introduced across the spectrum. One has to also assume that all interconnections have similarly been compromised.

At a minimum you are talking 2 to 3 years as they will need to completely redesign the entire system, cleanse the data center, stand up new servers, and THEN they can begin coding a secure solution.

IOW - ain’t gonna happen!


55 posted on 11/20/2013 6:26:52 AM PST by commish (The takers rule. Time to implement the triple G plan - GOD, GUNS, & GOLD)
[ Post Reply | Private Reply | To 54 | View Replies]

To: Lazamataz; Paul R.

To put in succinctly, if I were doing an assessment of this system my recommendation to the Authorizing Official would be as follows:
Recommend denying Authority to Operate. The system has too many vulnerabilities and a risk-based decision should be made to shut down operation immediately. Developers should be ordered to redesign system and assessment should be restarted at RMF Step 1.


56 posted on 11/20/2013 6:33:43 AM PST by commish (The takers rule. Time to implement the triple G plan - GOD, GUNS, & GOLD)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Lazamataz

Thanks for the info.!

I disagree about the N/A, however: It is crucial that this information get out, with explanations like Kennedy’s, to a wider audience. Kennedy and the other witnesses are publicly known experts who carry some actual weight with the public, as opposed to anonymous posters on a conservative forum (which would include me if the subject was in MY areas of expertise.) :-)

That’s not at all to devalue your input! On the contrary, I find it essential to learn as much as I can absorb. However, with regard to Greta, I’m talking about information getting out to and being believed by more of the “general public”. She asks good questions, IMO.


57 posted on 11/20/2013 9:35:58 AM PST by Paul R. (We are in a break in an Ice Age. A brief break at that...)
[ Post Reply | Private Reply | To 54 | View Replies]

To: Paul R.

Yes, everyone need to know so they can protect themselves.

As far as when to expect the site to be secure, FIRST they need to want it to be. Obviously, they don’t care all that much or the site wouldn’t have been up in the first place to allow people’s information to be compromised. (By ‘they’ I mean the administration and the company doing the work and anyone else involved. They all knew and long ago).


58 posted on 11/20/2013 10:47:08 AM PST by yorkiemom
[ Post Reply | Private Reply | To 57 | View Replies]

To: Lazamataz

I mean DAMN guys, don’t you at LEAST do character-limiting to A-Z and 0-9? Not that that would help, anyone can inject something on the raw HTTP response before it sends out. But I mean, just to show the hackers you are AWARE of some EXTREMELY basic security????!?!?


I was not a programmer, but I ran the hardware and OS’s the database prople ran they stuff on and that image you posted made my blood run cold. Thank God I never went anywhere near any of those websites (my state runs its own).

On your “A-Z and 0-9” comment: The geniuses that I worked for let students choose their own usernames (leading to great hilarity for the demented sysadmins!) without checking beyond swear words. One student chose the word “null” for his username. You can imagine...

P.S. Re your sig line: Please accept my sincere condolences on your loss — I know how you feel...


59 posted on 11/20/2013 11:24:04 AM PST by Peet (Oderint dum metuant)
[ Post Reply | Private Reply | To 43 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-59 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson