Healthcare.gov is Hacker-Bait, Say Security Experts

As it now exists, Healthcare.gov, the federal exchange for approved health plans, "creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more," Morgan Wright, CEO of Crowd Sourced Investigations, LLC, told the House Science, Space, and Technology Committee in a hearing held yesterday. He was only one of several cybersecurity experts who testified to the vulnerabilities of the already infamous Website, launched October 1 as part of the rollout of Obamacare. Perhaps the only saving grace is the frequency with which Healthcare.gov crashes, dissuading people from entering information, or even making use impossible, and so sparing them the high risk of data theft.
In his testimony (PDF), Wright said:
The first major issue is the lack of, and inability to conduct, an end-to-end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top-down view of the full security posture. For a system dealing with what will be one of the largest collections of PII, and certain to be the target of malicious attacks and intrusions, the lack of a clearly defined and qualified security lead is inconsistent with accepted practices.
Wright pointed to a flaw involving the management of names and passwords, discovered by a private security researcher, that would have allowed hackers to take control of people's accounts. That hole has been patched, but others have been assigned a fix date of May 31, 2014—while the Website remains up and running.
This is completely unacceptable from an industry perspective, and is in extreme contravention of security best practices. Only in the government could such a gaping hole be allowed to exist without fear of consequence. This shows a lack of understanding for the consequences to consumers and the protection of also creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more. Much of this is playing out right now.
Avi Rubin, professor of Computer Science at Johns Hopkins University, pointed out (PDF), "One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards." He then discussed the challenges faced in necessarily doing exactly that with the federal exchange.
Dr. Frederick R. Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security at Southern Methodist University, was similarly critical (PDF).
The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public. There is the main federal site, individual state sites, as well as legitimate third party sites. As I understand it, there is no official designation or marking that a consumer can use to determine whether they are on the correct site or not. As people seek to register for health care coverage they may find that there are a dizzying array of websites to select from. When it comes to typing in information like a social security number into a web form, many people might be cautious about doing so, but given that it has to do with health insurance coverage people might be more inclined to do so (particularly if they think the request is coming from a legitimate website). These two factors could combine to create a ripe circumstance for personal information to get into the wrong hands. It is difficult to estimate how much traffic these fake websites will siphon off, but it could be significant.
David Kennedy, CEO and Founder of TrustedSec, cautioned (PDF) that existing reports of hacking attempts on Healthcare.gov are incomplete and that, because of poor security precautions, "in the event that the website is hacked (or already has been), the attacks would go largely unnoticed and the website would remain compromised for a long period of time." He went on to detail a series of vulnerabilities his company discovered on the site, and then alluded to others he said he was unwilling to publicly reveal.
Kennedy recommended building an entirely new Healthcare.gov website while the first one is up and running (including its flaws) and replacing the existing one when it's ready. If, instead, the already bought-and-paid-for site is taken down for a full fix, "the remediation process will span seven to twelve months at a minimum."
Fixing the existing site while it's being used would take even longer.
It's a trap!
Well, yes, but for who?
There seems to be a meme making the rounds that the "right wing" is behind these attacks:
http://www.examiner.com/articl.....-confirmed
I'm no expert, but it seems that Google and Amazon can avoid these attacks but HealthCare.gov cannot?
That's because teabaggers hate government but love corporations.
Your explanation comports perfectly with the conspiracy theory.
Also, nice handle.
Politicians and sex toys are all the rage these days.
That's because teabaggers hate government but love corporations.
...and the heads of all the progressives in the room silently nod in agreement.
inconsistent with accepted practices.
is in extreme contravention of security best practices
....are not phrases that come up often at Google and Amazon staff meetings.
And if they do they're generally followed by "and so you're fired."
The right is 80% dumb racist rednecks who can barely tie their own shoes and 20% mad hackerz with the skillz to take down a half billion dollar government website.
You jest, but Cletus has m4d ski11z.
"Golly gee, I got me some root access"
WRECKERS AND KULAKS!!!!!!11!!!11!!!!!!
Google and Amazon are attacked, probably hundreds of times a day.
The difference is, their websites are competently built to handle the attacks.
They're not attacked by the genius teabag hackers, though.
As it now exists, Healthcare.gov, the federal exchange for approved health plans, "creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more..."
And that's only from Lois Lerner.
Top. Men.
Who wants to bet the passwords are unsalted?
Bloomberg will take that bet.
I'd probably go in for "hashed with an unsafe algorithm" -- i.e., MD5.
Maybe the no salt bet, too.
Correct me if I'm wrong, but MD5 is only useful for computing bit consistency, right?
Rainbow tables are all over the place for MD5 -- given a hash, you can probably get it back to a password that will work.
Salting helps a bit, but I'm pretty sure you could still generate the salted rainbow tables as needed.
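An added example, not from the article, the testimony, or any of the commenters, to put numbers behind the unsalted-MD5 and rainbow-table exchange above. It uses only Python's standard library: a lookup table precomputed once over a candidate list cracks any unsalted MD5 store with a single dictionary lookup, whereas a random per-user salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 is assumed here; the thread names no particular algorithm) means the attacker's precomputed table matches nothing and every guess must be recomputed per account. The candidate password list is constructed for the demonstration and stands in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a rainbow/lookup table
# (assumption: a real table would cover billions of candidates).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "welcome1"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage scheme the thread is betting on."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once.

    Because there is no salt, the same table works against every user in
    every unsalted MD5 database ever leaked.
    """
    return {md5_hex(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table: dict):
    """One dictionary lookup per stored hash; no per-user work at all."""
    return table.get(stored_hash)


def store_salted(password: str, salt: bytes = None, iterations: int = 200_000):
    """Salted, iterated storage: random 16-byte salt + PBKDF2-HMAC-SHA256.

    The salt is stored alongside the hash; it is not secret, its job is to
    make every user's hash unique so no table can be shared between users.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(record: dict, candidates):
    """Attacker's only option once salted: re-run the KDF per guess, per user.

    Returns (recovered_password_or_None, number_of_kdf_invocations) so the
    cost difference against crack_unsalted is visible.
    """
    kdf_calls = 0
    for candidate in candidates:
        kdf_calls += 1
        if verify_salted(candidate, record):
            return candidate, kdf_calls
    return None, kdf_calls


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = md5_hex("123456")
    print("unsalted MD5", leaked, "->", crack_unsalted(leaked, table))

    rec = store_salted("123456", iterations=1000)
    print("salted hash in table?", rec["hash"].hex() in table)
    print("salted crack:", crack_salted(rec, COMMON_PASSWORDS))
```

The weak password is still recovered in the salted case, because salt and iteration count only raise the cost per guess; what they remove is the ability to reuse one precomputed table across users, which is the whole value of a rainbow table.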
Mmm... salted rainbow trout.
Also, fried chicken.
I'm going to go with cleartext.
consequences to consumers
"consumers" implies a voluntary transaction.
"Victims" may be more appropriate.
It's like putting treasure in a cardboard box, taping it shut with old tape, then leaving it on the side of the road with a giant neon billboard above it that says, "Come see the treasure in a cardboard box, sealed with old tape!"
I love awesome loot, but somehow I suspect I would not be as excited to loot it out of cardboard box instead of a proper chest.
Sadly, identity thieves don't care about the challenge.
I suppose the rep and/or xp is meaningless to them as well.
Yes. Thieves just aren't of the same caliber as they used to be.
Getting a rep is counterproductive to identity thieves. The whole point is for people not to have a clue who you are or what you do.
Was this effing article hacked? The typos and other obvious mistakes ... makes it look like it was produced by the Administration.
Also, maybe we can use Sarbanes-Oxley violations to shut the bitch down?
/Not Pedant
Pointing out a heap of typos is not pedantry. Criticizing nuanced word choices would be an example of proper pedantry.
/Pedant
Privacy laws (HIPAA, probably) are probably a good part of why the exchange had to be run by .gov. If a private company tried to get all of the information together, one little mistake, and they destroy themselves with liability. gov? Might as well just use some prosecutorial discretion again.
OT or semi-related: Angry words of '63 Dallas now part of mainstream
"How can we run a nation when people act like people all the time?"
always on the right. When the left calls people terrorists or jihadists, or when it suggests literally shitting on one, that's just dialogue.
They never met a useful lie they would ever disregard for being a lie. You tell them the truth and they will call you nihilist for it.
Everything the leftoids say is a projection--including any instance in which they are so self-unconscious as to call *anyone* a nihilist.
Look at the toilet culture they are dominating: piles of shit and urine as art, mindless gibberish as philosophy and literature, the desire to destroy man's mind and his existence as the implicit normative goal of their politics.
The Left went nihilist back in the 60's, after the death of their idealism in 1956 when the atrocities of the USSR were finally revealed to the world.
Members of Congress, like Tea Party-friendly Reps. Louie Gohmert, R-Texas, and Steve King, R-Iowa, rail against Obamacare as a form of socialism, for example
Yeah, it's like those stupid don't even understand the difference between socialism and fascism.
The letters that go out saying "your personal information may have been compromised due to a possible breach of the security of some of the systems hosting healthcare.gov" should be a fun little mini-scandal when they happen.
Of course, it's probably deny-deny-deny until it becomes obvious that there's a healthcare.gov.database_dump.2013.tar.gz file on the warez sites.
Letters? I suggest they lead with that in their Terms of Use.
You think they're actually going to bother telling people that their identity has been stolen? That's assuming they can even figure whose PII was stolen and whose wasn't. They won't say a damn thing.
It'll be reports, initially dismissed as rumors until there's too many to ignore, of an extreme uptick in identity theft. Most people won't even know they're victims until they get denied for a loan and see a bunch of shit on their credit report. And the media still won't connect the dots and anyone pointing out that the uptick coincides with the launch of Obamacare will be dismissed as a racist teabagger.
It possibly won't even be mentioned. You see, we have a decision coming up for the lickspittle media. Turn on the Obama administration over this and join in a growing feeding frenzy as story after story of incompetence, fraud, hacking, identity theft, and more come down the pike. Or bury, bury, bury and try to distract and change the subject.
I predict that many media outlets, being fundamentally entertainment in nature, will turn on the administration. But the question is, how many will try and spin instead?
John McAfee calls Obamacare website a hacker's wet dream
As far as the so-called "right-wing cyberattack" talking point goes:
Keep grasping at those straws, Obamatrons.
Newsflash: you can find torrents named ANYTHING, and they do contain malicious software designed to steal your identity... but directly from your keystrokes, not through involvement of any gov't websites.
Oh, the "Destroy Obama Care" program was real. Just maybe not effective, maybe it's own trojan, etc.
That said, though, it's hard to assign political motivations to putting together a DDOS tool like that. Plenty of anonymous types just want to watch the world burn.
Shouldn't competent websites be designed against attacks of all sorts - especially ones meant to have highly personal data of millions of people? If the Obamacare website is fucking up because a few politically motivated shitheels are running a DDOS attack against it, the government should have given that $500 MM to Mike Alissi to build their website.
Your mistake is thinking that government sites are held to the same standards as private ones. They are not.
A day or two before the launch, I pointed out to a friend that it was an interesting problem -- be able to handle 50 million hits on day one, and a bunch on day 2 - 7, then after that, just a steady, low rate.
Of course, there's companies that specialize in just that (cloudflare) and if things were built reasonably from the beginning with that kind of usage pattern in mind, it wouldn't be impossible to do.
Hell, just build it in Amazon's EC2, and scale it down as you get past the main usage.
But yea, all that points out that it wasn't competently designed.
It never occurs to them that people sincerely hate the goddamned thing for legitimate reasons. Only a nefarious right wing ideologue would want the thing destroyed.
The line I frequently hear is that "[republicans] want to keep poor people from ever seeing a doctor." I don't know whether they actually believe this, but that's the talking point. As another commenter pointed out, those of us who oppose ACA would be well-served to call out every instance of someone saying that.
Having said that, I'm reluctant to engage people on social media about this . I go on FB for cute pictures of my friends kids/pets/vacations, not to hear their political ramblings.
Well, it's hard to tell how effective it would be, when the exchange does a great job of DDOSing itself.
^THIS^ All the traffic on those first few days probably just looked like a DDOS attack. No coordinated shadowy right wing conspiracy needed. But these people see "right wingers" hiding behind every tree.
But Jay Carney told me that the site would be ready by November 30!
At least for 80% of the customers, but still!
He didn't say November 30 of which year, however.
Guess the programmers working on Thanksgiving!
... and still not getting it done...
Oh, no - they'll use the holiday as an excuse for why it's not done.
Of course. It's why I haven't even visited my exchange and tried the site out of curiosity. I am staying as far away from that centralized collection of personal info as possible.
(27 y.o. uninsured)
President Obama, the biggest jackass, or the biggest jackass ever?
Obama: 'We're Going to Have to...Re-market and Re-brand' the Affordable Care Act
http://cnsnews.com/news/articl.....e-care-act
So, does this mean you take back your apology from last week, jackass?
Obama never does anything wrong. It's just that you Rand-loving, Reich-wing, yokeltarians don't appreciate his genius because he's not as skilled at marketing as the EVIL Koch Brothers.
Haven't progressives been saying this for three years? Three fucking years?
It's like they know, somehow, that Obamacare is supposed to be wildly popular (after all, democrats love democracy, and all that), and they just can't figure out what's going on.
Under normal circumstances, they would defer to the people, out of democracy, but, when the people are thinking so many wrong things, we can't have that, now, can we? So, time for a propaganda campaign. The people aren't correctly informed.
In other news, Kathleen Sebelius had a disastrous event trying to show off the navigators in Florida who actually couldn't do anything because the site kept crashing. She was excited that two (that's right T-W-O) people in South Florida successfully enrolled (although they probably didn't even complete the process).
Also, just for fun: "I don't think I'm stupid enough to go around saying this is going to be like shopping on Amazon or Travelocity a week before the website opens if I thought that it wasn't going to work."
She knows that her job is to act as a blame sink for this. I presume she knows that she'll be let go the moment it starts to work so the new HHS secretary can be blameless.
I'm of the mind that she knows too much to ever be fired. At least not in the way we would like.
If you are correct about her taking the blame, she will "step down" from her position only to be rewarded with a lucrative career somewhere else in healthcare bureaucracy.
She'll get on the board of a couple health insurers who also happened to support Obamacare.
Don't worry the website is protected by a password nobody will be able to crack.
It's 123456, but don't tell anyone, it's a secret.
Sadly, this wouldn't surprise me. I bet some of these "professionals" that designed the site have the admin/password login on their home routers still.
Gee, I thought it was Apr 2, 1987!
Password... hmm - Guest?
That's the same number I have on my luggage!
Just when I think my lack of respect for these assclowns couldn't get any lower, I read this. Wow, just... wow...
Oh, they probably understand the consequences perfectly well. They just don't give a shit. It's more important for president shithead to get his shiny new toy than to protect potential consumer's PII.
Seriously, fuck these morons.
Sure. Of course it's not secure. But it's not like that will ever affect anyone in Congress because, as you know, if Congress likes its current health care plan, they can keep it. Period.
"if Congress likes its current health care plan, they can keep it. Period."
+1
"Healthcare.gov is Hacker-Bait, Say Security Experts"
Yeah, and now the screw ups will be blamed on hackers, not the idjits who designed the thing so poorly that it begs to be hacked.
Oh, well, it doesn't carry really important info, just your medical history, your financial history, your S/S number...
Just the little stuff.
And when massive identity theft happens, what will our masters do?
Why, pass a draconian law against identity theft, of course! Probably one that tries to open up the entire internet to surveillance. Never let a good crisis go to waste, you know.
This is a strange criticism:
"""
The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public.
"""
A shopper might prefer to look for plans on company websites rather than the exchange. Maybe because he knows which plans his doctor is going to be taking, or maybe because the exchange isn't working. Choice can be a good thing.