Posted on 11/19/2013 10:56:11 AM PST by RoosterRedux
Not only is healthcare.gov at risk, it may already have been compromised, a security expert testified before the Senate.
“Hackers are definitely after it,” said David Kennedy, CEO of information security firm TrustedSEC before a House Science, Space, and Technology committee hearing on security concerns surrounding the problematic Healthcare.gov website.
“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”
One key problem facing Healthcare.gov is that security wasn’t built into the site from the very beginning, he said -- an opinion shared by both Kennedy and Fred Chang, the distinguished chair in cyber security at Southern Methodist University.
“There’s not a lot of security built into the site, at least that’s what we can see from a 10,000 foot view,” Kennedy told the committee.
(Excerpt) Read more at foxnews.com ...
Southack tells me they are now scrubbing input.
Too late, of course.
But I can only believe they are reading our -- and many other -- tech forums, and learning from our horrified comments.
I'm billin' the bastards. They never would have known about SQL inject until I showed them the vulnerability.
I mean DAMN guys, don’t you at LEAST do character-limiting to A-Z and 0-9? Not that that would help, anyone can inject something on the raw HTTP response before it sends out. But I mean, just to show the hackers you are AWARE of some EXTREMELY basic security????!?!?
I’m going to register as Bill DropTables. Hey, ya never know.
Just, damn.
Take my bet? LOL
Nah, I better not. I'd get in trouble.
Oh, and add — at the end to terminate into a comment. That way it doesn’t fail at the server. LOL
This just blows me away. I mean, I've worked in the Fed sector before... and people, WE WERE PRETTY DAMN GOOD.
Nothing like this.
It seems to be whatever was recently entered.
They just need to apply ComboFix. Idiots
#$%^&*()_+!@X
What?
You all are way more expert in these (security) matters than I. Should someone like me conclude that anyone whose data has been entered into the site probably has had their info. compromised already?
Do you concur with the testimony that real security is months away at best?
What is the likely status of the STATE exchanges, and do they feed any information into Healthcare.gov?
Do any other parties or agencies feed information to or interact with Healthcare.gov? What about the insurance companies? (I know “interact” is not the right word, but “link” doesn’t seem right, either.)
Did any of you watch Greta’s interview of David Kennedy, and do you have any further reaction?
Thanks!
Not probably. Definitely.
Do you concur with the testimony that real security is months away at best?
No. I assert that real security will never be attainable.
What is the likely status of the STATE exchanges, and do they feed any information into Healthcare.gov?
I suspect the state exchanges are much better, but since they feed to the national database, the information is still insecure.
Do any other parties or agencies feed information to or interact with Healthcare.gov? What about the insurance companies? (I know “interact” is not the right word, but “link” doesn’t seem right, either.)
Yes. As far as I know, the following agencies/entities interact: IRS, ICE, banks, insurance companies, payment-processing vendors. There may be many more.
Did any of you watch Greta’s interview of David Kennedy, and do you have any further reaction?
No, and N/A.
What Laz said, although I would add one thing — security is probably attainable, but only with a complete and total scrap and restart from the beginning with Security being built in from the bottom up.
This is not just a rewrite, at this point we have to assume that all the servers have been compromised and backdoors have been introduced across the spectrum. One has to also assume that all interconnections have similarly been compromised.
At a minimum you are talking 2 to 3 years as they will need to completely redesign the entire system, cleanse the data center, stand up new servers, and THEN they can begin coding a secure solution.
IOW - ain’t gonna happen!
To put in succinctly, if I were doing an assessment of this system my recommendation to the Authorizing Official would be as follows:
Recommend denying Authority to Operate. The system has too many vulnerabilities and a risk-based decision should be made to shut down operation immediately. Developers should be ordered to redesign system and assessment should be restarted at RMF Step 1.
Thanks for the info.!
I disagree about the N/A, however: It is crucial that this information get out, with explanations like Kennedy’s, to a wider audience. Kennedy and the other witnesses are publicly known experts who carry some actual weight with the public, as opposed to anonymous posters on a conservative forum (which would include me if the subject was in MY areas of expertise.) :-)
That’s not at all to devalue your input! On the contrary, I find it essential to learn as much as I can absorb. However, with regard to Greta, I’m talking about information getting out to and being believed by more of the “general public”. She asks good questions, IMO.
Yes, everyone need to know so they can protect themselves.
As far as when to expect the site to be secure, FIRST they need to want it to be. Obviously, they don’t care all that much or the site wouldn’t have been up in the first place to allow people’s information to be compromised. (By ‘they’ I mean the administration and the company doing the work and anyone else involved. They all knew and long ago).
I mean DAMN guys, don’t you at LEAST do character-limiting to A-Z and 0-9? Not that that would help, anyone can inject something on the raw HTTP response before it sends out. But I mean, just to show the hackers you are AWARE of some EXTREMELY basic security????!?!?
I was not a programmer, but I ran the hardware and OS’s the database prople ran they stuff on and that image you posted made my blood run cold. Thank God I never went anywhere near any of those websites (my state runs its own).
On your “A-Z and 0-9” comment: The geniuses that I worked for let students choose their own usernames (leading to great hilarity for the demented sysadmins!) without checking beyond swear words. One student chose the word “null” for his username. You can imagine...
P.S. Re your sig line: Please accept my sincere condolences on your loss — I know how you feel...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.