Cybersecurity expert after finding an easy way to hack HealthCare.Gov: “This seems really sloppy”

posted at 6:01 pm on October 29, 2013 by Erika Johnsen

The many “glitches” still plaguing the ObamaCare website are making it ever more apparent that the many Congressmen, officials and IT experts who warned about the potential for major security breaches in the online system were not merely engaging in baseless partisan concern-trolling. If the Obama administration couldn’t even manage a smooth signup process from the get-go, one shudders to think how much effort went into safeguarding users’ privacy and security, and CNN reports that one cybersecurity expert already found a way into HealthCare.Gov accounts last week:

The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:

- guessed an existing user name, and the website would have confirmed it exists.
- claimed you forgot your password, and the site would have reset it.
- viewed the site’s unencrypted source code in any browser to find the password reset code.
- plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
- answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted. …

“This seems really sloppy,” Simo said. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn’t understand how they fit into the bigger picture.” …
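The reset flow in the quoted list, modelled as an added example (this is not code from the original post and not HealthCare.Gov's own code). The vulnerable class reproduces each of the five steps CNN describes; the hardened class is what a reviewer would ask for instead. The class names, the in-memory account store, the sample account and the simulated outbox standing in for the mail system are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    questions: list
    answers: list
    password: str = "old-password"
    reset_token: Optional[str] = None   # vulnerable store keeps the code in the clear
    reset_hash: Optional[str] = None    # hardened store keeps only a hash of the token
    reset_attempts: int = 0


def make_users():
    """Constructed sample data for the example; not real accounts."""
    return {"jsmith": Account("jsmith", "jsmith@example.com",
                              ["Name of favorite pet", "Date of wedding anniversary"],
                              ["rex", "1999-06-12"])}


class VulnerableReset:
    """Mirrors the five steps in the CNN description, one method per step."""

    def __init__(self, users):
        self.users = users

    def check_username(self, username):
        # Step 1: a different answer for known and unknown names is an enumeration oracle.
        return "exists" if username in self.users else "unknown"

    def request_reset(self, username):
        # Steps 2 and 3: the reset fires with no proof of identity, and the reset code
        # is handed to the client (in the article it sat in the page source).
        acct = self.users[username]
        acct.reset_token = secrets.token_hex(4)
        return {"status": "reset", "reset_code": acct.reset_token}

    def get_questions(self, username, reset_code):
        # Step 4: anyone holding the client-visible code is shown the security questions.
        acct = self.users[username]
        return acct.questions if reset_code == acct.reset_token else []

    def answer_questions(self, username, reset_code, answers):
        # Step 5: a wrong answer leaks the email address on file.
        acct = self.users[username]
        if reset_code == acct.reset_token and answers == acct.answers:
            return {"ok": True}
        return {"ok": False, "email": acct.email}


GENERIC = "If that account exists, reset instructions have been sent to the email on file."
MAX_ATTEMPTS = 5


class HardenedReset:
    """Possession of an emailed, single-use token is the only proof accepted."""

    def __init__(self, users):
        self.users = users
        self.outbox = []   # stands in for the mail system; the token only ever travels here

    def request_reset(self, username):
        acct = self.users.get(username)
        # Generate and hash on both branches so a known and an unknown name cost the same.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        if acct is not None:
            acct.reset_hash = digest
            acct.reset_attempts = 0
            self.outbox.append({"to": acct.email, "token": token})
        # Same message either way: no enumeration, no code, no questions, no email echoed.
        return GENERIC

    def complete_reset(self, username, token, new_password):
        acct = self.users.get(username)
        if acct is None or acct.reset_hash is None or acct.reset_attempts >= MAX_ATTEMPTS:
            return False
        acct.reset_attempts += 1
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.reset_hash):
            return False   # generic failure: nothing about which part was wrong
        acct.reset_hash = None   # single use
        acct.password = new_password
        return True
```

The hardened path drops the security questions entirely rather than gating them better: a pet's name or an anniversary date is guessable or public, and once the server is checking an emailed token it has a stronger secret than any answer the questions could supply. The token is compared via `hmac.compare_digest` against a stored hash, so a database read does not yield usable reset codes, and the attempt counter bounds online guessing.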

Even reporting the “glitch” apparently took some doing on his part, and although the specific problem Simo points to has since been at least patched up, it took the Obama administration and their hired guys three weeks after the rollout to catch it. That readily raises the question of how many other overlooked security holes are just waiting to be found by hackers, a lingering question that, on Sunday, House Intelligence Committee Chairman Mike Rogers suggested might mean a redesign is in order, via the WFB:

And it was very clear to me in the hearing that they do not have an overarching solid cyber security plan to prevent the loss of private information. I’m even more concerned today than I was even last week. I know that they’ve called in another private entity to try to help with the security of it. The problem is they may have to redesign the entire system. The way the system is designed, it is not secure. It is something called a boundary. Every time one agency goes to another agency with a piece of information, that is called a boundary. That’s the most — that’s the weakest, most vulnerable part of that conversation. It was clear to me they don’t have the boundaries concerned and that’s what I’m concerned about.


Comments

That’s the “Patient Protection” part of the “Affordable Care Act.”

Murphy9 on October 29, 2013 at 6:03 PM

yeah, I’m going to go register on that virus plantation…sure

DanMan on October 29, 2013 at 6:05 PM

404ward

Yeah, I stole it.

antipc on October 29, 2013 at 6:07 PM

Don’t be sipping any soda when you look at this:

http://a.disquscdn.com/uploads/mediaembed/images/675/8469/original.jpg

crrr6 on October 29, 2013 at 6:08 PM

Designed by design. That was no accident.

skeeterbite on October 29, 2013 at 6:09 PM

The good part of this story is that the vast majority of people signing up so far don’t have anything worth stealing.

Like…Chad.

BobMbx on October 29, 2013 at 6:10 PM

Why do you need security when nobody can get in?

faraway on October 29, 2013 at 6:11 PM

Good thing we’re only giving our financial & medical information and social security numbers. Otherwise identity theft might happen.

rbj on October 29, 2013 at 6:11 PM

“This seems really sloppy,” Simo said. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn’t understand how they fit into the bigger picture.”

Simo ‘s IRS audit being ordered by the Mooch in 5….4….3…

burrata on October 29, 2013 at 6:12 PM

Even just reporting the “glitch” apparently took some doing on his part, although the specific problem Simo points to has since been at least patched up

It “was patched up” by disabling the functionality. You can’t log in, much less get your password reset.

Yesterday I entered “Barack Obama” on the Forgot Your Password page and they said they would send information to my email address to reset his password.

But today you can’t log in at all.

kcewa on October 29, 2013 at 6:12 PM

I hope that anyone who signs up on an exchange has already purchased another form of insurance: identity theft insurance.

besser tot als rot on October 29, 2013 at 6:13 PM

“This seems really sloppy,” Simo said. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn’t understand how they fit into the bigger picture.”

Or it is both….

And these are the people who are in the surge to fix this system by the end November…

And this doesn’t violate Einstein’s definition of insanity how?

Athos on October 29, 2013 at 6:13 PM

Lean404ward

Yeah, I stole it.

antipc on October 29, 2013 at 6:07 PM

FI

faraway on October 29, 2013 at 6:13 PM

404ward

Yeah, I stole it.

antipc on October 29, 2013 at 6:07 PM

Awesome.

besser tot als rot on October 29, 2013 at 6:13 PM

The key is to believe really hard that security will be improved.

rogerb on October 29, 2013 at 6:13 PM

The system is down at the moment.
We are experiencing technical difficulties and hope to have them resolved soon. Please try again later.
In a hurry? You might be able to apply faster at our Marketplace call center. Call 1-800-318-2596 to talk with one of our trained representatives about applying over the phone.

kcewa on October 29, 2013 at 6:13 PM

I hope that anyone who signs up on an exchange has already purchased another form of insurance: identity theft insurance.

besser tot als rot on October 29, 2013 at 6:13 PM

I expect Lifelock is going to get its own surge of new business….

Athos on October 29, 2013 at 6:14 PM

faraway on October 29, 2013 at 6:13 PM

Beauty :)

antipc on October 29, 2013 at 6:19 PM

I expect Lifelock is going to get its own surge of new business….

Athos on October 29, 2013 at 6:14 PM

Dave Ramsey recommends Zander.

besser tot als rot on October 29, 2013 at 6:20 PM

Color me……. shocked.

rightside on October 29, 2013 at 6:21 PM

[3:15:34 pm]: Welcome! You’re now connected to Health Insurance Marketplace Live Chat.

Thanks for contacting us. My name is Landon. To protect your privacy, please don’t provide any personal information, like Social Security Number, or any other sensitive medical or personal information.
[3:16:43 pm]: CALLER
Why does my browser ask me to load unsafe script when I open the chat window?
[3:18:56 pm]: Landon
Are you having problems with the site or are you just having problems with the chat?
[3:19:06 pm]: CALLER
the chat
[3:19:45 pm]: Landon
Thank you for your question today. It will take me just a moment to review and respond to your question.
[3:21:45 pm]: Landon
I can answer your questions about the Health Insurance Marketplace. As far as technical issues, I am unable to assist you with that.

kcewa on October 29, 2013 at 6:23 PM

crrr6 on October 29, 2013 at 6:08 PM

HAHAHHAHAHAHAHAHAHAHAHAH!!!!!!!!!!!!!!!!!!!!!!!

KCB on October 29, 2013 at 6:24 PM

“If you like your privacy, you can keep it.”

Another lie.

MichaelGabriel on October 29, 2013 at 6:26 PM

Obama: “If you like yoh identity, you can keep yoh identity.”

BuckeyeSam on October 29, 2013 at 6:30 PM

MichaelGabriel on October 29, 2013 at 6:26 PM

The time stamp notwithstanding, I swear I didn’t see your comment before hitting submit.

BuckeyeSam on October 29, 2013 at 6:31 PM

One hopefully existing factor: IF this is a plan to force all to a one-payor system, then the single-payor system won’t be any better or we’ve gotten two for the price of one?

Anyone taking a basic MIS course should know far more about preventing a mess like this than others – turns out Sebelius also totally blew computer projects in Kansas. But, I guess those weren’t her fault, either.

IF Soros and company are planning to crash the US, this is only a practice run. Either outstanding idiocy or gross incompetence or one heck of a “new world order” plan.

OOOOOOOOOOOO

MN J on October 29, 2013 at 6:32 PM

Don’t forget to SIGN UP TODAY!

Pork-Chop on October 29, 2013 at 6:35 PM

And no one has been fired because of this…

albill on October 29, 2013 at 6:37 PM

The time stamp notwithstanding, I swear I didn’t see your comment before hitting submit.

BuckeyeSam on October 29, 2013 at 6:31 PM

Has anyone else noticed the refresh feature on HotAir is a little whacked?

You look at an article on the main page and it shows there are 20 comments. Then you click on the article and you see only 10 comments. Then you refresh and there are 30 comments.

Anyway, great minds think alike.

MichaelGabriel on October 29, 2013 at 6:39 PM

A truly epic fustercluck. Could rival Benghazi, but will probably cost more lives in the long run.

merlich on October 29, 2013 at 6:40 PM

Your pre-assigned, non-changeable DeathCare password is “password” and it’s the same for everyone.

Bishop on October 29, 2013 at 6:41 PM

Hackers playground…

right2bright on October 29, 2013 at 6:41 PM

OT: George Will: Obama supporters are pioneering new forms of sophistry…LOL

d1carter on October 29, 2013 at 6:42 PM

First on CNN: Obama administration warned about health care website

Washington (CNN) — The Obama administration was given stark warnings just one month before that the federal healthcare site was not ready to go live, according to a confidential report obtained by CNN.

The caution, from the main contractor CGI, warned of a number of open risks and issues for the HealthCare.gov web site even as company executives were testifying publicly that the project had achieved key milestones.

Resist We Much on October 29, 2013 at 6:43 PM

The forgot-password security question is “month you were born”.

Bishop on October 29, 2013 at 6:46 PM

The BarkyCare website is totally secure. People can’t register or logon so there’s no data to steal, no matter how easy it would be to steal the data if people were actually able to enter their information. Primo security. You can’t steal what’s not there!

ThePrimordialOrderedPair on October 29, 2013 at 6:50 PM

The forgot-password security question is “month you were born”.

Bishop on October 29, 2013 at 6:46 PM

“What kind of fruit can you find on a cherry tree?”

ThePrimordialOrderedPair on October 29, 2013 at 6:52 PM

Anyway, the Obamacare web site is low hanging fruit for hackers, and not that lucrative, considering that most people signing up are Medicaid enrollees.

The real money to be made will come from the electronic medical records mandate.

Hack into that and you’ll have access to the medical info on celebrities like Sean Penn or Lady Gaga. That info is worth more than some 60 year old Medicaid applicant signing up for Obamacare.

Also this summer, Massachusetts reported that 60 percent of doctors could not meet the EMR mandate and face potential loss of their licenses in 2015.

http://frontpagemag.com/2013/michellemalkin/obamacares-electronic-medical-records-wreck/

MichaelGabriel on October 29, 2013 at 6:54 PM

Resist We Much on October 29, 2013 at 6:43 PM

Uh oh…the leaking begins. The night before Sebelius lies…

d1carter on October 29, 2013 at 6:58 PM

Don’t be sipping any soda when you look at this:

http://a.disquscdn.com/uploads/mediaembed/images/675/8469/original.jpg

crrr6 on October 29, 2013 at 6:08 PM

Barackquah, his long lost sister.

slickwillie2001 on October 29, 2013 at 7:07 PM

Every time I try to log on to the ACA site, my garage door opens. Actually works better than the remote. So it’s got that goin’ for it.

onomo on October 29, 2013 at 7:20 PM

Where’s the surprise? It’s not called “the most corrupt and incompetent administration, evah!” for nothing.

No wonder Jimmah Carter is smiling all the time now.

GarandFan on October 29, 2013 at 7:23 PM

Has anyone tried to register as Mickey Mouse or Vladimir Putin yet? I just knew SOMEONE was going to try that and get accepted.

UnderstandingisPower on October 29, 2013 at 7:33 PM

crrr6 on October 29, 2013 at 6:08 PM

HAHAHHAHAHAHAHAHAHAHAHAH!!!!!!!!!!!!!!!!!!!!!!!

KCB on October 29, 2013 at 6:24 PM

….I didn’t have a drink….and shit came out of my nose!

KOOLAID2 on October 29, 2013 at 8:03 PM

▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄

T A K E

Y O U R

P I C K :

▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄

Pretending

People

Are

Cared

About

______________________________________________________________
▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄

Pretty

Poor

At

Computer

Access

__________________________________________________________________
▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄

Piss

Poor

And

Completely

Asinine

__________________________________________________________________
▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄

hillbillyjim on October 29, 2013 at 8:25 PM

A retest of the home page today using the W3C HTML verification tool shows that the page FLUNKS basic web page validity big time!!

This means that your results depend on the specific browser and OS version you use…and some perfectly normal, common combinations may produce strange results and/or not work at all!!! Errors at this level open up the connection to all kinds of attacks.

landlines on October 29, 2013 at 9:22 PM

Can’t the NSA just autocomplete the forms for us?

TexasDan on October 29, 2013 at 11:40 PM

The truth is revealed at last: Obamacare is one part of a world-wide conspiracy of the IT profession to ensure full employment forever by building government systems (and rebuilding and rebuilding and rebuilding …).

AesopFan on October 30, 2013 at 12:43 AM

The BarkyCare website is totally secure. People can’t register or logon so there’s no data to steal, no matter how easy it would be to steal the data if people were actually able to enter their information. Primo security. You can’t steal what’s not there!

ThePrimordialOrderedPair on October 29, 2013 at 6:50 PM

NOT QUITE TRUE:

The healthcare.gov web site, because of its pathetic total lack of security, also functions as a hacker superhighway into every database it is connected to!!

So your IRS Tax Records, Medicare Info, etc. are potentially compromised because Obamacare throws the back door wide open for dozens of huge databases containing your data: even if you personally NEVER USE healthcare.gov!

landlines on October 30, 2013 at 2:41 PM