Healthcare.gov is Hacker-Bait, Say Security Experts

Healthcare.govU.S. GovernmentAs it now exists, Healthcare.gov, the federal exchange for approved health plans, "creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more," Morgan Wright, CEO, Crowd Sourced Investigations, LLC told the House Science, Space, and Technology committee in a hearing held yesterday. He was only one of several cybersecurity experts who testified as to the vulnerabilities of the already infamous Website, launched October 1 as part of the rollout of Obamacare. Perhaps the only saving grace is the frequency with which Healthcare.gov crashes, dissuading people from entering information, or even making use impossible, and so sparing them the high risk of data theft.

In his testimony (PDF), Wright said:

The first major issue is the lack of, and inability to conduct, an end to end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top down view of the full security posture. 3For a system dealing with what will be one of the largest collections of PII, and certain to be the target of malicious attacks and intrusions, the lack of a clearly defined and qualified security lead is inconsistent with accepted practices.

Wright pointed to a flaw involving the management of names and passwords, discovered by a private security researcher, that would have allowed hackers to take control of people's accounts. That hole has been patched, but others have been assigned a fix date of May 31, 2014—while the Website remains up and running.

This is completely unacceptable from an industry perspective, and is in extreme contravention of security best practices. Only in the government could such a gaping hole be allowed to exist without fear of consequence. This shows a lack of understanding for the consequences to consumers and the protection of also creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more. Much of this is playing out right now.

Avi Rubin, professor of Computer Science at Johns Hopkins University, pointed out (PDF), "One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards." He then discussed the challenges faced in necessarily doing exactly that with the federal exchange.

Dr. Frederick R. Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security at Southern Methodist University, was similarly critical (PDF).

The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public. There is the main federal site, individual state sites, as well as legitimate third party sites. As I understand it, there is no official designation or marking that a consumer can use to determine whether they are on the correct site or not. As people seek to register for health care coverage they may find that there are a dizzying array of websites to select from. When it comes to typing in information like a social security number into a web form, many people might be cautious about doing so, but given that it has do with health insurance coverage people might be more inclined to do so (particularly if they think the request is coming from a legitimate website). These two factors could combine to create a ripe circumstance for personal information to get into the wrong hands. It is difficult to estimate how much traffic these fake websites will siphon off, but it could be significant

David Kennedy, CEO and Founder of TrustedSec, cautioned (PDF) that existing reports of hacking attempts on Healthcare.gov are incomplete and that, because of poor security precautions, "in the event that the website is hacked (or already has been), the attacks would go largely unnoticed and the website would remain compromised for a long period of time." He went on to detail a series of vulnerabilities his company discovered on the site, and then alluded to others he said he was unwilling to publicly reveal.

Kennedy recommended building an entirely new Healthcare.gov website while the first one is up and running (including its flaws) and replacing the existing one when it's ready. If, instead, the already bought-and -paid-for site is taken down for a full fix, "the remediation process will span seven to twelve months at a minimum."

Fixing the exisiting site while it's being used would take even longer.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • OldMexican||

    Healthcare.gov is Hacker-Bait, Say Security Experts


    It's a trap!

  • R C Dean||

    Well, yes, but for who?

  • Gleep Glop||

    There seems to be a meme making the rounds that the "right wing" is behind these attacks:

    http://www.examiner.com/articl.....-confirmed

    I'm no expert, but it seems that Google and Amazon can avoid these attacks but HealthCare.gov cannot?

  • Pelosi's Rabbit||

    That's because teabaggers hate government but love corporations.

  • Tonio||

    Your explanation comports perfectly with the conspiracy theory.

    Also, nice handle.

  • Pelosi's Rabbit||

    Politicians and sex toys are all the rage these days.

  • thom||

    That's because teabaggers hate government but love corporations.

    ...and the heads of all the progressives in the room silently nod in agreement.

  • pan fried wylie||

    inconsistent with accepted practices.

    is in extreme contravention of security best practices

    ....are not phrases that come up often at Google and Amazon staff meetings.

  • Michael Price||

    And if they do they're generally followed by "and so you're fired.".

  • Snark Plissken||

    The right is 80% dumb racist rednecks who can barely tie their own shoes and 20% mad hackerz with the skillz to take down a half billion dollar government website.

  • pan fried wylie||

    You jest, but Cletus has m4d ski11z.

  • Snark Plissken||

    "Golly gee, I got me some root access"

  • Loki||

    WRECKERS AND KULAKS!!!!!!11!!!11!!!!!!

  • R C Dean||

    Google and Amazon are attacked, probably hundreds of times a day.

    The difference is, their websites are competently built to handle the attacks.

  • Pelosi's Rabbit||

    They're not attacked by the genius teabag hackers, though.

  • Fist of Etiquette||

    As it now exists, Healthcare.gov, the federal exchange for approved health plans, "creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more..."

    And that's only from Lois Lerner.

  • Fluffy||

    Top. Men.

  • Fluffy||

    Who wants to bet the passwords are unsalted?

  • pan fried wylie||

    Bloomberg will take that bet.

  • SweatingGin||

    I'd probably go in for "hashed with an unsafe algorithm" -- ie, MD5.

    Maybe the no salt bet, too.

  • Killazontherun||

    Correct me if I'm wrong, but MD5 is only useful for computing bit consistency, right?

  • SweatingGin||

    Rainbow tables are all over the place for MD5 -- given a hash, you can probably get it back to a password that will work.

    Salting helps a bit, but I'm pretty sure you could still generate the salted rainbow tables as needed.

  • Marc F Cheney||

    Mmm... salted rainbow trout.

  • Ska||

    Also, fried chicken.

  • playa manhattan||

    I'm going to go with cleartext.

  • pan fried wylie||

    consequences to consumers

    "consumers" implies a voluntary transaction.

  • ||

    "Victims" may be more appropriate.

  • Pro Libertate||

    It's like putting treasure in a cardboard box, taping it shut with old tape, then leaving it on the side of the road with a giant neon billboard above it that says, "Come see the treasure in a cardboard box, sealed with old tape!"

  • pan fried wylie||

    I love awesome loot, but somehow I suspect I would not be as excited to loot it out of cardboard box instead of a proper chest.

  • Pro Libertate||

    Sadly, identity thieves don't care about the challenge.

  • pan fried wylie||

    I suppose the rep and/or xp is meaningless to them as well.

  • Pro Libertate||

    Yes. Thieves just aren't of the same caliber as they used to be.

  • Michael Price||

    Getting a rep is counterproductive to identity theives. The whole point is for people not to have a clue who you are or what you do.

  • Entropy Void||

    Was this effing article hacked? The typos and other obvious mistakes ... makes it look like it was produced by the Administration.

    Also, maybe we can use Sarbanes-Oxley violations to shut the bitch down?


    /Not Pedant

  • pan fried wylie||

    Pointing out a heap of typos is not pedantry. Criticizing nuanced word choices would be an example of proper pedantry.

    /Pedant

  • SweatingGin||

    Privacy laws (HIPAA, probably) are probably a good part of why the exchange had to be run by .gov. If a private company tried to get all of the information together, one little mistake, and they destroy themselves with liability. gov? Might as well just use some prosecutorial discretion again.

  • Lord Humungus||

    OT or semi-related: Angry words of '63 Dallas now part of mainstream

    Now, extreme speech like the kind heard in Dallas 50 years ago has become mainstream – particularly on the right, amplified by social media and encouraged by gridlocked political leaders looking to win the political minute.

    It’s not just about First Amendment rights: Some worry about how well the nation can function when the extremes become the mainstream. Exhibit A: The recent federal government shutdown, which was pushed by the Tea Party Republicans.

    -snip-

    What used to be considered “extreme speech” is now coming from all quarters, including the political establishment.

    Members of Congress – like Tea Party-friendly Reps. Louie Gohmert, R-Texas, and Steve King, R-Iowa – rail against Obamacare as a form of socialism, for example.
  • OldMexican||

    Some worry about how well the nation can function when the extremes become the mainstream.


    "How can we run a nation when people act like people all the time?"

  • wareagle||

    always on the right. When the left calls people terrorists or jihadists, or when it suggests literally shitting on one, that's just dialogue.

  • Killazontherun||

    They never met a useful lie they would ever disregard for being a lie. You tell them the truth and they will call you nihilist for it.

  • Libertarius||

    Everything the leftoids say is a projection--including any instance in which they are so self-unconscious as to call *anyone* a nihilist.

    Look at the toilet culture they are dominating: piles of shit and urine as art, mindless gibberish as philosophy and literature, the desire to destroy man's mind and his existence as the implicit normative goal of their politics.

    The Left went nihilist back in the 60's, after the death of their idealism in 1956 when the atrocities of the USSR were finally revealed to the world.

  • Loki||

    Members of Congress – like Tea Party-friendly Reps. Louie Gohmert, R-Texas, and Steve King, R-Iowa – rail against Obamacare as a form of socialism, for example

    Yeah, it's like those stupid don't even understand the difference between socialism and fascism.

  • SweatingGin||

    The letters that go out saying "your personal information may have been compromised due to a possible breach of the security of some of the systems hosting healthcare.gov" should be a fun little mini-scandal when they happen.

    Of course, it's probably deny-deny-deny until it becomes obvious that there's a healthcare.gov.database_dump.2013.tar.gz file on the warez sites.

  • Pro Libertate||

    Letters? I suggest they lead with that in their Terms of Use.

  • Loki||

    You think they're actually going to bother telling people that their identity has been stolen? That's assuming they can even figure whose PII was stolen and whose wasn't. They won't say a damn thing.

    It'll be reports, initially dismissed as rumors until there's too many to ignore, of an extreme uptick in identity theft. Most people won't even know they're victime until they get denied for a loan and see a bunch of shit on their credit report. And the media still won't connect the dots and anyone pointing out that the uptick coincides with the launch of Obamacare will be dismissed as a racist teabagger.

  • ||

    It possibly won't even be mentioned. You see, we have a decision coming up for the lickspittle media. Turn on the Obama administration over this and join in a growing feeding frenzy as story after story of incompetence, fraud, hacking, identity theft, and more come down the pike. Or bury, bury, bury and try to distract and change the subject.

    I predict that many media outlets, being fundamentally entertainment in nature, will turn on the administration. But the question is, how many will try and spin instead?

  • Anonymous Coward||

    John McAfee calls Obamacare website a hacker's wet dream

    As far as the so-called "right-wing cyberattack" talking point goes:

    The DDOS program, called "Destroy Obama Care," was recently spotted on a "torrent" file sharing web page, and first reported last week on a blog by Arbor Networks, which said it found no evidence the program had actually been launched to attack the troubled federal portal for consumers to shop for health coverage.

    Keep grasping at those straws, Obamatrons.

  • pan fried wylie||

    Newsflash: you can find torrents named ANYTHING. and they do contain malicious software designed to steal your identity....but directly from your keystrokes, not through involvement of any gov't websites.

  • SweatingGin||

    Oh, the "Destroy Obama Care" program was real. Just maybe not effective, maybe it's own trojan, etc.

    That said, though, it's hard to assign political motivations to putting together a DDOS tool like that. Plenty of anonymous types just want to watch the world burn.

  • BakedPenguin||

    Shouldn't competent websites be designed against attacks of all sorts - especially ones meant to have highly personal data of millions of people? If the Obamacare website is fucking up because a few politically motivated shitheels are running a DDOS attack against it, the government should have given that $500 MM to Mike Alissi to build their website.

  • Pro Libertate||

    Your mistake is thinking that government sites are held to the same standards as private ones. They are not.

  • SweatingGin||

    A day or two before the launch, I pointed out to a friend that it was an interesting problem -- be able to handle 50 million hits on day one, and a bunch on day 2 - 7, then after that, just a steady, low rate.

    Of course, there's companies that specialize in just that (cloudflare) and if things were built reasonably from the beginning with that kind of usage pattern in mind, it wouldn't be impossible to do.

    Hell, just build it in Amazon's EC2, and scale it down as you get past the main usage.

    But yea, all that points out that it wasn't competently designed.

  • Killazontherun||

    It never occurs to them that people sincerely hate the goddamned thing for legitimate reasons. Only a nefarious right wing ideologue would want the thing destroyed.

  • Tonio||

    The line I frequently hear is that "[republicans] want to keep poor people from ever seeing a doctor." I don't know whether they actually believe this, but that's the talking point. As another commenter pointed out, those of us who oppose ACA would be well-served to call out every instance of someone saying that.

    Having said that, I'm reluctant to engage people on social media about this . I go on FB for cute pictures of my friends kids/pets/vacations, not to hear their political ramblings.

  • Brian||

    Oh, the "Destroy Obama Care" program was real. Just maybe not effective, maybe it's own trojan, etc.

    Well, it's hard to tell how effective it would be, when the exchange does a great job of DDOSing itself.

  • Loki||

    Well, it's hard to tell how effective it would be, when the exchange does a great job of DDOSing itself.

    ^THIS^ All the traffic on those first few days probably just looked like a DDOS attack. No coordinated shadowy right wing conspiracy needed. But thes people see "right wingers" hiding behind every tree.

  • OldMexican||

    Kennedy recommended building an entirely new Healthcare.gov website while the first one is up and running (including its flaws) and replacing the existing one when it's ready. If, instead, the already bought-and-paid-for site is taken down for a full fix, "the remediation process will span seven to twelve months at a minimum."


    But Jay Carney told me that the site would be ready by November 30!

    At least for 80% of the customers, but still!

  • ChrisO||

    He didn't say November 30 of which year, however.

  • SweatingGin||

    Guess the programmers working on Thanksgiving!

    ... and still not getting it done...

  • Jan S.||

    Oh, no - they'll use the holiday as an excuse for why it's not done.

  • MJGreen||

    Of course. It's why I haven't even visited my exchange and tried the site out of curiosity. I am staying as far away from that centralized collection of personal info as possible.

    (27 y.o. uninsured)

  • Killazontherun||

    President Obama, the biggest jackass, or the biggest jackass ever?

    Obama: 'We're Going to Have to...Re-market and Re-brand' the Affordable Care Act

    http://cnsnews.com/news/articl.....e-care-act


    (CNSNews.com) - President Barack Obama told a gathering of corporate executives Tuesday he's confident that his model of health care will work in the end, but he said he's going to have to "re-brand" it to sell it to a skeptical public.

    He didn't use the word "Obamacare" once on Tuesday in talking about his health care law, but he mentioned the "Affordable Care Act" seven times.

    "So, look, I am confident that the model that we built, which works off of the existing private insurance system, is one that will succeed," Obama told the Wall Street Journal's CEO Council Annual Meeting in Washington, D.C.

    "We are going to have to, (a) fix the website so everybody feels confident about that. We're going to have to, obviously, re-market and re-brand, and that will be challenging in this political environment."

    So, does this mean you take back your apology from last week, jackass?

  • Anonymous Coward||

    "We are going to have to, (a) fix the website so everybody feels confident about that. We're going to have to, obviously, re-market and re-brand, and that will be challenging in this political environment."

    Obama never does anything wrong. It's just that you Rand-loving, Reich-wing, yokeltarians don't appreciate his genius because he's not as skilled at marketing as the EVIL Koch Brothers.

  • Brian||

    Haven't progressives been saying this for three years? Three fucking years?

    It's like they know, somehow, that Obamacare is supposed to be wildly popular (after all, democrats love democracy, and all that), and they just can't figure out what's going on.

    Under normal circumstances, they would defer to the people, out of democracy, but, when the people are thinking so many wrong things, we can't have that, now, can we? So, time for a propaganda campaign. The people aren't correctly informed.

  • Eric Bana||

    In other news, Kathleen Sibelius had a disastrous event trying to show off the navigators in Florida who actually couldn't do anything because the site kept crashing. She was excited that two (that's right T-W-O) people in South Florida successfully enrolled (although they probably didn't even complete the process).

    Also, just for fun: "I don’t think I’m stupid enough to go around saying this is going to be like shopping on Amazon or Travelocity a week before the website opens if I thought that it wasn’t going to work."

  • Tonio||

    She knows that her job is to act as a blame sink for this. I presume she knows that she'll be let go the moment it starts to work so the new HHS secretary can be blameless.

  • itsnotmeitsyou||

    I'm of the mind that she knows too much to ever be fired. At least not in the way we would like.

    If you are correct about her taking the blame, she will "step down" from her position only to be rewarded with a lucrative career somewhere else in healthcare bureaucracy.

  • BakedPenguin||

    She'll get on the board of a couple health insurers who also happened to support Obamacare.

  • DJF||

    Don’t worry the website is protected by a password nobody will be able to crack.

    Its 123456, but don’t tell anyone, its a secret.

  • itsnotmeitsyou||

    Sadly, this wouldn't surprise me. I bet some of these "professionals" that designed the site have the admin/password login on their home routers still.

  • Sevo||

    Gee, I thought it was Apr 2, 1987!

  • BakedPenguin||

    Password... hmm - Guest?

  • Michael Price||

    That's the same number I have on my luggage!

  • Loki||

    The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top down view of the full security posture.

    Just when I think my lack of respect for these assclowns couldn't get any lower, I read this. Wow, just... wow...

    This shows a lack of understanding for the consequences to consumers

    Oh, they probably understand the consequences perfectly well. They just don't give a shit. It's more important for president shithead to get his shiny new toy than to protect potential consumer's PII.

    Seriously, fuck these morons.

  • Dave Krueger||

    Sure. Of course it's not secure. But it's not like that will ever affect anyone in Congress because, as you know, if Congress likes its current health care plan, they can keep it. Period.

  • Michael Price||

    "if Congress likes its current health care plan, they can keep it. Period."
    +1

  • Sevo||

    "Healthcare.gov is Hacker-Bait, Say Security Experts"
    Yeah, and now the screw ups will be blamed on hackers, not the idjits who designed the thing so poorly that it begs to be hacked.
    Oh, well, it doesn't carry really important info, just your medical history, your financial history, your S/S number...
    Just the little stuff.

  • R C Dean||

    And when massive identity theft happens, what will our masters do?

    Why, pass a draconian law against identity theft, of course! Probably one that tries to open up the entire internet to surveillance. Never let a good crisis go to waste, you know.

  • johnl||

    This is a strange criticism:
    """
    The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public.
    """
    A shopper might prefer to look for plans on company websites rather than the exchange. Maybe because he knows which plans his doctor is going to be taking, or maybe because the exchange isn't working. Choice can be a good thing.

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online

  • Video Game Nation: How gaming is making America freer – and more fun.
  • Matt Welch: How the left turned against free speech.
  • Nothing Left to Cut? Congress can’t live within their means.
  • And much more.

SUBSCRIBE

advertisement