Free Republic
News/Activism
'White hat hacker': Why HealthCare.gov isn't secure
Fox News ^ | 11/19/13 | Greta Van Susteren

Posted on 11/19/2013 11:06:25 PM PST by Paul R.

Security expert who testified before Congress explains why your information on the federal ObamaCare site is not secure and how it is a gold mine for criminal hackers. More...

(Excerpt) Read more at video.foxnews.com ...


TOPICS: News/Current Events
KEYWORDS: healthcare; lifelock; obamacare; security
This segment from Greta's show is truly excellent, and should be seen by all, regardless of where they stand on ObamaCare. First shown are the 4 cyber-security experts' testimonies before Congress, where they all unanimously and emphatically agree that the healthcare.gov website is not secure, and isn't going to be for anywhere from an "unknown" period of months to "a long time", depending on the expert asked. Then the 4th expert, one David Kennedy, is interviewed by Greta, and it gets even worse, with Kennedy explaining that apparently the Administration doesn't even detect most of the hacking, some of which may well be successful already, and concluding unequivocally "absolutely not" and "no chance" he would sign up. There is also some great explanation of the structure and vulnerabilities, from Kennedy, in language most non-geeks can understand.

Once this gets out, all while Sebelius and the other minions continue to assure us that the site is secure... No one in their right mind will sign up, even if they like the Affordable Care Act. That's going to put a serious dent in ObamaCare, at least for a while, and the Administration's "trust" poll numbers will sink even lower.

The other problem I see is that while being a U.S. gov't website might deter some U.S. hackers, you just know that this has to be the biggest, juiciest low hanging fruit ever, for hordes of hackers in Russia, China, you name it...

1 posted on 11/19/2013 11:06:26 PM PST by Paul R.
[ Post Reply | Private Reply | View Replies]

To: Paul R.

Save


2 posted on 11/19/2013 11:15:25 PM PST by Eagles6 (Valley Forge Redux)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Paul R.

I wouldn’t apply by phone or paper either. The same site is used to input the data on your application.


3 posted on 11/19/2013 11:17:40 PM PST by fatnotlazy
[ Post Reply | Private Reply | To 1 | View Replies]

To: fatnotlazy
I wouldn’t apply by phone or paper either. The same site is used to input the data on your application.

That's a VERY good point!!! Perhaps a number of us should point it out to Rush, Greta, and others.

I wonder if anyone has investigated the security of the states' exchanges, also.

4 posted on 11/20/2013 12:04:36 AM PST by Paul R. (We are in a break in an Ice Age. A brief break at that...)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Paul R.

This is an utterly insecure website. It is already compromised. Anyone who has entered their information should change their identity to avoid any problems.


5 posted on 11/20/2013 3:13:04 AM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lazamataz

“Anyone who has entered their information should change their identity to avoid any problems.”

I think I will identify as a poached egg and go look for a piece of toast to sit on. (Courtesy of P.G. Wodehouse)


6 posted on 11/20/2013 4:23:21 AM PST by Cap Huff
[ Post Reply | Private Reply | To 5 | View Replies]

To: Paul R.

The problems with Obamacare are approaching biblical proportions. They remind me of the plagues against the pharaoh of Egypt in the Old Testament.


7 posted on 11/20/2013 4:27:45 AM PST by MulberryDraw (That which cannot be paid, won't be paid.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Paul R.

Alinsky Rules - the Zero admin, DU, DailyKos, WaPo, and all the other jackals to attack every one of the technical experts who testified that the website isn’t secure.


8 posted on 11/20/2013 4:28:21 AM PST by Hardastarboard (You can keep your doctor - if you lock him in your basement.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Paul R.

—— No one in their right mind will sign up,——

Well, it depends on what the definition of right mind is.

If you have no assets to steal, you will be left alone.


9 posted on 11/20/2013 4:28:36 AM PST by bert ((K.E. N.P. N.C. +12 ..... Travon... Felony assault and battery hate crime)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Paul R.

The security expert, Dave Kennedy, is the real deal. The primary tool any white hat hacker would use is called Metasploit.

http://en.wikipedia.org/wiki/Metasploit_Project

And Dave just so happens to be the primary author of the book “Metasploit: The Penetration Tester’s Guide”, which is considered the top book on Metasploit, and includes a foreword by the tool’s creator, HD Moore.

When he said he could break into the site in a few hours, he wasn’t kidding. Check out this video of him on Katie Couric (sorry to make you watch Katie) but it’s quite eye opening to watch this audience member’s shock as he compromised her laptop and took control of her entire computer, including webcam.

http://vimeo.com/77102165


10 posted on 11/20/2013 4:36:39 AM PST by Tekgeek
[ Post Reply | Private Reply | To 1 | View Replies]

To: Cap Huff; Lazamataz

While Laz is known for his sarcastic, snarky, and witty remarks, he is being dead serious in this regard.

The site was so insecure until this week that it didn’t require what would normally be thought of as hacking, but more akin to report running. As I understand it, it has now improved to ‘minor effort’ to gain access to what should be secured information.


11 posted on 11/20/2013 4:59:40 AM PST by lepton ("It is useless to attempt to reason a man out of a thing he was never reasoned into"--Jonathan Swift)
[ Post Reply | Private Reply | To 6 | View Replies]

To: bert

An identity with a SSN is an asset of value.


12 posted on 11/20/2013 5:00:29 AM PST by lepton ("It is useless to attempt to reason a man out of a thing he was never reasoned into"--Jonathan Swift)
[ Post Reply | Private Reply | To 9 | View Replies]

To: lepton; Lazamataz
"...While Laz is known for his sarcastic, snarky, and witty remarks..."

Which is why we value Lazamataz so highly on Free Republic...

(That and his innate ability to define the guiltiness or innocence of members of the opposite sex...:)

13 posted on 11/20/2013 5:10:20 AM PST by rlmorel ("A nation, despicable by its weakness, forfeits even the privilege of being neutral." A. Hamilton)
[ Post Reply | Private Reply | To 11 | View Replies]

To: bert
"...Well, it depends on what the definition of right mind is..."

I think the person in the car in front of me with the "I (Heart) Obamacare" sticker on their car might be of the "right mind".

I almost wanted to pull up next to them and ask in a concerned voice "Are you okay?"

14 posted on 11/20/2013 5:14:47 AM PST by rlmorel ("A nation, despicable by its weakness, forfeits even the privilege of being neutral." A. Hamilton)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Lazamataz

Hey, he promised transparency and that’s what we got.


15 posted on 11/20/2013 5:18:10 AM PST by Ken H (What happens on the internet, stays on the internet.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Paul R.

Posted to Facebook


16 posted on 11/20/2013 5:24:48 AM PST by madmominct
[ Post Reply | Private Reply | To 1 | View Replies]

To: Paul R.

Someone yesterday posted what happens when you put a semicolon in the login box-

the first three suggestions were SQL injection attacks.

I think I’d like to add:
“;””drop table users”

(I broke it up JUST in case)


17 posted on 11/20/2013 5:28:27 AM PST by MrB (The difference between a Humanist and a Satanist - the latter admits whom he's working for)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lazamataz
This is an utterly insecure website. It is already compromised. Anyone who has entered their information should change their identity to avoid any problems.

You have been on top of this as FR's "white hat techie" ... hacked already ... Programmers will have an OMG moment ... as well as presenting how it could have been done without the FUSTERCLICK (c).

18 posted on 11/20/2013 5:30:30 AM PST by Servant of the Cross (the Truth will set you free)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Eagles6

They should have hired the hackers, who apparently know more about computers than MOOCH’s friend’s company does.


19 posted on 11/20/2013 5:58:42 AM PST by GailA (THOSE WHO DON'T KEEP PROMISES TO THE MILITARY, WON'T KEEP THEM TO U!)
[ Post Reply | Private Reply | To 2 | View Replies]

To: lepton; Lazamataz

Yes, I realize that Laz has really been serious about the lack of security on the site. I have been following his posts on this topic and I realize that he knows what he is talking about, and has expressed the implications in no uncertain terms.

In a sense the seriousness of it is reflected in the sentence that I quoted from Laz’s post. Normally we think of people who have gone into a witness protection program who have a complete identity change to give some protection. If someone has tried to set up an account on the site, he might as well become a whole new person to avoid the consequences.


20 posted on 11/20/2013 6:27:29 AM PST by Cap Huff
[ Post Reply | Private Reply | To 11 | View Replies]

To: Lazamataz
I assume it is operating off databases. Is one’s information in there, even if you have not gone to the site?

Is everyone (or at least taxpayers) susceptible?

21 posted on 11/20/2013 7:12:54 AM PST by VA40
[ Post Reply | Private Reply | To 5 | View Replies]

To: VA40
I assume it is operating off databases. Is one’s information in there, even if you have not gone to the site? Is everyone (or at least taxpayers) susceptible?

Not to my knowledge.

22 posted on 11/20/2013 7:24:42 AM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Servant of the Cross; Cap Huff; Paul R.; Southack; commish; Ray76; FreedomPoster; Billthedrill; ...
To confirm that I was on-point on this, I was informed by my roommate, who watches the hearings like a hawk, that the white hat techie (the actual professional term is "Ethical Hacker") actually identified the item I identified the day before (with the revelation of the screen by SecondAmendment): The search-field SQL command display upon entry of a semicolon, as a possible indicator of very poor security.

Once again, Free Republic is a day ahead of the rest of the world.

23 posted on 11/20/2013 7:47:59 AM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
[ Post Reply | Private Reply | To 18 | View Replies]
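The observation in posts 17 and 23 is that typing a semicolon into a HealthCare.gov field changed what the site did with the input, which is the symptom of user text being spliced into SQL. The following is an added illustration, not code from HealthCare.gov or from anyone in this thread: a search written two ways against a constructed in-memory SQLite table (the `users` table, the sample rows and the function names are all made up for the example). The concatenating version breaks as soon as the input contains a quote, while the parameterised version treats the thread's own `;""drop table users` text as an ordinary search term and leaves the table intact. The `splices_input_into_sql` check is the kind of test a site owner runs against their own endpoint to tell the two apart.

```python
import sqlite3

# Constructed sample data for the illustration; not real user records.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build a throwaway in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_unsafe(conn, term):
    """String concatenation: the user's text becomes part of the SQL statement.
    A quote or semicolon in `term` reaches the SQL parser and changes the
    statement instead of being searched for; that is the tell the thread saw."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the driver passes `term` as a bound value, never as
    SQL text, so metacharacters are matched literally and cannot alter the
    statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (term,))
    return [row[0] for row in rows]


def splices_input_into_sql(search_fn, conn):
    """Owner-side check on a search function: feed it a lone single quote.
    Code that binds input as data returns an (empty) result; code that splices
    input into the SQL text fails to parse the now-unbalanced statement."""
    try:
        search_fn(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


def table_exists(conn, name):
    """True if a table with the given name is still present."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("unsafe splices input:", splices_input_into_sql(search_unsafe, db))
    print("safe splices input:  ", splices_input_into_sql(search_safe, db))
    # The thread's semicolon text is just a search term when bound as a parameter.
    print("safe search result:  ", search_safe(db, ';""drop table users'))
    print("users table intact:  ", table_exists(db, "users"))
```

The fix is the one-line change from concatenation to a bound parameter; input filtering of semicolons, which the thread speculates about, is neither necessary nor sufficient once the query is parameterised.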

To: Lazamataz

I noticed that and was going to ask you whether you had discovered that by yourself or had come across it and brought it to our attention. Congrats either way, but double congratulations for doing primary research. :)


24 posted on 11/20/2013 8:09:09 AM PST by lepton ("It is useless to attempt to reason a man out of a thing he was never reasoned into"--Jonathan Swift)
[ Post Reply | Private Reply | To 23 | View Replies]

To: madmominct

Thanks. I don’t “do” Facebook, but my wife does and I’ll have her post links there too. I think she has about 10 million family members & friends... (kidding)


25 posted on 11/20/2013 8:30:04 AM PST by Paul R. (We are in a break in an Ice Age. A brief break at that...)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Tekgeek

Heh - a long time ago my wife made me put tape over the webcam in the laptop that is usually in our bedroom. :-)


26 posted on 11/20/2013 8:39:35 AM PST by Paul R. (We are in a break in an Ice Age. A brief break at that...)
[ Post Reply | Private Reply | To 10 | View Replies]
