Security expert: Hackers could upload code to Healthcare.gov to take control of users’ computers

posted at 11:21 am on January 16, 2014 by Allahpundit

If you believe the various security professionals who spoke to Reuters, and why wouldn’t you, HHS has done next to nothing to plug the 20+ security holes they’ve been warned about since October. Including one, allegedly, that would let hackers remotely access people’s computers by uploading some sort of worm to the server.

I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out. We don’t even have to draw an inference from the overall half-assed execution of Healthcare.gov as of October 1st; remember, HHS’s own security people were waving red flags before launch day. And yet, despite endless stories about the site’s vulnerabilities and high-profile testimony by security experts before Congress in November about just how bad things are, there have been no major breaches to date.

That we know of.

Hackers could steal personal information, modify data or attack the personal computers of the website’s users, he said. They could also damage the infrastructure of the site, according to Kennedy, who is scheduled to describe his security concerns in testimony on Thursday before the House Science, Space and Technology Committee…

Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation…

“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.

Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.

“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals…

“We don’t know how bad it is because they don’t have to tell us,” Strand said.

A contractor who’s worked with HHS counters that you can’t know how vulnerable the site is unless you’ve hacked into it, which Kennedy et al. haven’t done. Kennedy did, however, write a short bit of code to see if he could harvest any personal information about users from the site. He collected 70,000 names and e-mail addresses in … four minutes. (He didn’t hack Healthcare.gov, he claims; the information was accessible on the Internet somehow and his code accessed it.) So how do we reconcile all of this? Three possibilities. One: The security pros are simply wrong. Why they would all be wrong, though, I have no idea. Clearly the site appears to the trained eye to be susceptible to major hacking, even though there’s no hard proof. I suppose that, in the mad rush in November to patch its problems, HHS closed the security holes without cleaning up all of the code, leaving it looking somehow like the site is vulnerable when it really isn’t. Anyone buy that? Me neither.

Two: The security pros are right but hackers, for whatever reason, have laid off Healthcare.gov. Maybe it’s because they don’t want to mess with the feds on a matter so visible, knowing that a highly public hack of the government’s new health-care showpiece would bring down the wrath of the DOJ upon them. Or maybe they’re just too kind-hearted to mess with a site that’s all about helping people get medical coverage. Hackers take legal risks all the time, though. And if anything, the public prominence of Healthcare.gov just makes it a juicier (and conveniently low-hanging) fruit to pick, I’d imagine. Even if most hackers are inclined to lay off, the basic dynamics of bad apples and bunches suggest that there’s at least one person out there who couldn’t resist screwing with it.

Three: The site’s been hacked and we just don’t know about it. The feds are keeping that info verrrry close to the vest, knowing that the last thing the big O-Care rollout needs after the big “it’s fixed!” publicity for Healthcare.gov in December is news of a massive security breach. They need people to keep enrolling to get anywhere close to their target by March 31st. A scare story about vulnerabilities being exploited to steal people’s data would bring things to a screeching halt, maybe even to the point of congressional Democrats peeling off lest they take any more political uppercuts from O-Care. But if that’s what happened here, where’s the evidence? There couldn’t be a huge hack of a site like this without someone, either on the inside or outside, finding out about it and leaking it, right? The hacker himself might brag about it somewhere online, unable to resist showing off his trophy. And yet, as far as I know, nothing like that has happened. No one’s offered any evidence of a wide-scale malicious security breach.

Just as I’m writing this, I see the AP has a story on the wires about one of the CMS officials who waved a red flag before launch now pronouncing the site safe. Apparently, it passed a security test just recently — and yet here’s Kennedy and crew telling Reuters it’s a disaster. What’s going on here?


Comments

DO NOT COMPLY!!!

Schadenfreude on January 16, 2014 at 11:22 AM

I will not comply because I am a free citizen of the United States, not a subject of its government. I consider non-compliance with this monstrosity and the tens of thousands of pages of regulations that are to be enforced by an unelected bureaucracy, and that have left a gigantic carbon footprint on our environment and the United States Constitution, a duty.

Non-compliance is my executive order
, and that order reads in part that I do not recognize any government’s claim on my action or inaction in the marketplace, nor upon any personal information I am unwilling to divulge.

Schadenfreude on January 16, 2014 at 11:23 AM

Lies, lies and more damned lies…

OmahaConservative on January 16, 2014 at 11:28 AM

Just as I’m writing this, I see the AP has a story on the wires about one of the CMS officials who waved a red flag before launch now pronouncing the site safe. Apparently, it passed a security test just recently — and yet here’s Kennedy and crew telling Reuters it’s a disaster. What’s going on here?

By all means, let’s have a thorough public discussion of the weaknesses of the website’s security. It can save hackers oodles of time!

That being said, CMS officials also declared the website fully functional in October. They have a record of lying.

Happy Nomad on January 16, 2014 at 11:28 AM

If you believe the various security professionals who spoke to Reuters, and why wouldn’t you, HHS has done next to nothing to plug the 20+ security holes they’ve been warned about since October.

“Daddy, have you plugged the 20+ security holes yet?”

VegasRick on January 16, 2014 at 11:34 AM

Of COURSE the site’s been hacked! The answer to Allah’s question is that the hackers have laid it bare to the bone, and are keeping quiet because 1) why speak up and get the hole fixed? 2) Think of how many millions of people’s data is still flowing in that is still flowing to the hacker–why not just sit back and harvest?
And most likely 3) one of the hackers is the Democratic party itself. Probably not really a hacker, they are just getting the data illegally. If the gubmint revealed it, though, the party would be in danger, so mum’s the word.

Vanceone on January 16, 2014 at 11:36 AM

That’s a nice little security consulting firm you have there…it’d be a shame if something happened to it… – Feds to Obamacare Security Critics

workingclass artist on January 16, 2014 at 11:37 AM

A SMART hacker would take the personal info and sell it to identity thieves. He wouldn’t tell them where he got it. Nor would they care as long as the info was valid.

As for HHS, when the hell have they told the truth about anything?

GarandFan on January 16, 2014 at 11:38 AM

NSA and the IRS were there first…

albill on January 16, 2014 at 11:39 AM

Sorry for the OT Folks, ignore. This is for the freak.

gryphon202 on January 16, 2014 at 9:54 AM

Creepy fixation.

Look. You’re not a person to have a serious political debate with. Your mind seems a bit fractured in the extremes you vacillate in between. In one comment, you lose control and say the most insulting things …

hawkdriver on January 16, 2014 at 9:29 AM

You’re not fit to shine Marcus Lattrell’s shoes, chump.

gryphon202 on January 16, 2014 at 9:35 AM

And then invite me here to this thread for more of your nonsense as if we were thick as thieves.

Hey Hawky. I thought you might find this interesting.

gryphon202 on January 16, 2014 at 9:55 AM

Oh, I’m responsible for your inability to maintain your composure? Got it.

Let’s at least be adult and move this ridiculous exchange off a thread like this.

hawkdriver on January 16, 2014 at 9:51 AM

Sure thing. Check out that link I posted in my post above this one.

gryphon202 on January 16, 2014 at 9:55 AM

I’d never advocate banning anyone who is simply expressing their opinion. You have more lofty goals than that with your “contributions” here. You obviously think you can drive Conservative voters completely away from the GOP. It’s what you do. I’d just advise folks to take 100 percent of anything you say with a grain of salt. That would include the out of the blue responses you give that are rife with profanity and insults.

hawkdriver on January 16, 2014 at 11:39 AM

And the reprobates behind passing the law?

They aren’t taking control over “users” lives?

Murphy9 on January 16, 2014 at 11:40 AM

“Daddy, have you plugged the 20+ security holes yet?”

VegasRick on January 16, 2014 at 11:34 AM

Unfortunately, he doesn’t know whose ass to kick. And nobody is madder than Obama.

Happy Nomad on January 16, 2014 at 11:40 AM

What’s going on here?

Sheer idiocy and incompetence is my guess.

pookysgirl on January 16, 2014 at 11:41 AM

ok, just spitballing here, but what if part of the overall plan was the reverse- to get as many citizens to log directly onto a gubmint server and then said server uploads a worm to unsuspecting but compliant joe citizen… stuxnet anyone?

whatabunchoflosers on January 16, 2014 at 11:41 AM

there have been no major breaches to date.

It’s a government site, maybe the hackers had all their tools and programs screwed up by Obama malware.

BL@KBIRD on January 16, 2014 at 11:42 AM

What we need is more peni$ pumps…..

That should fix the holes….

Electrongod on January 16, 2014 at 11:44 AM

Unfortunately, he doesn’t know whose ass to kick. And nobody is madder than Obama.

Happy Nomad on January 16, 2014 at 11:40 AM

He’ll read about it in the newspaper of Friday and be really pissed!

VegasRick on January 16, 2014 at 11:48 AM

I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out.

Allah,

Among the services I provide my clients is security audits, including penetration testing. If Johnson made those quoted remarks, the situation is, in reality, worse. If black hats can get in, they probably have gotten in.

I am not just referring to local black hats. We are engaged in cyber warfare with other countries. Don’t you think they would salivate over the intel they could collect?

By the way, I read yesterday that a new company has been awarded another no bid contract for the ZeroCare™ website development.

dogsoldier on January 16, 2014 at 11:50 AM

Just like amazon and kayak. Yep.

Christien on January 16, 2014 at 11:52 AM

The site is being hacked all day every day. It’s being hacked right now. You can bet on it.

Youngs98 on January 16, 2014 at 11:55 AM

Is there any chance “damaging the infrastructure of the site” could be an improvement? If not, I say go for it. Bring it down.

COgirl on January 16, 2014 at 11:57 AM

The same bunch of clowns who foisted 0bamacare on the American public is now calling for hearings into the data breach at Target stores? Oh, the irony.

http://www.reuters.com/article/2014/01/14/us-target-databreach-congress-idUSBREA0C1FE20140114

UltimateBob on January 16, 2014 at 11:58 AM

Is there any chance “damaging the infrastructure of the site” could be an improvement? If not, I say go for it. Bring it down.

COgirl on January 16, 2014 at 11:57 AM

A little shot of STUXNET will fix that for ya. :-)

UltimateBob on January 16, 2014 at 11:59 AM

Rep. Kerry Bentivolio is trying to build a movement to fix this stuff. It’s been picking up steam.

http://bentivolio.house.gov/media-center/press-releases/sixty-members-cosponsor-healthcaregov-security-bill

cpaulus on January 16, 2014 at 12:00 PM

Obama’s got a pen. What’s he waiting for? Ban cars, ditches, and Slurpees.

Christien on January 16, 2014 at 12:01 PM

Just like amazon and kayak. Yep.

Christien on January 16, 2014 at 11:52 AM

Say, who wants to talk about some lane closures that happened three months ago?

The fact that the Oprah’s racist movie didn’t get an Oscar nomination?

American Idol?

In other words, release the squirrels!

Happy Nomad on January 16, 2014 at 12:02 PM

How can the Government initiate non-compliance charges to a site that is known to have such security problems?

Just wait for the first IRS enforcement action to wind up in court. This will be the action to shut down PPACA.

Stay away from this site. It is very dangerous. You can still get insurance elsewhere; it is only a government setup.

jpcpt03 on January 16, 2014 at 12:03 PM

A contractor who’s worked with HHS counters that you can’t know how vulnerable the site is unless you’ve hacked into it,

Some claims are almost too silly to be quoted, let alone pass without contest: The extent of insecurity is always unproven until exploited, which does not mean we leave our doors unlocked and open to see how much trouble that could cause.

Unlike many measurable things in society, if we can measure security failure, security has already broken down at our expense. What we want to know is whether security can be broken, even if that would take extraordinary effort. Extrapolating from known attacks may be the best we can hope for.

Even a major effort at finding weakness would not prove strength by not succeeding.

PseudoRandom on January 16, 2014 at 12:04 PM

What’s going on here?

Chicago on the Potomac…

JohnGalt23 on January 16, 2014 at 12:06 PM

And don’t forget the Dems recently blocked a GOP bill that would require the HHS to notify the public in the event of data theft.

Why would that be?

BacaDog on January 16, 2014 at 12:08 PM

Three: The site’s been hacked and we just don’t know about it.

If you’re taking votes I pick this one. Since day one this entire regime has been built on a foundation of lies and opacity. Plus even though all authoritarians want to control the masses, deep down they do fear the masses as well. I think for the average IT criminal the healthcare site is a smorgasbord of information with which to cause major inconvenience to a lot of innocent people.

DaveDief on January 16, 2014 at 12:15 PM

Sorry. But if any of you visited the site even just to look at it, by definition, you’re stupid.

Lanceman on January 16, 2014 at 12:16 PM

In other words, release the squirrels!

Happy Nomad on January 16, 2014 at 12:02 PM

You really can find anything on the internet…
Dancing Squirrels Released!

nextgen_repub on January 16, 2014 at 12:28 PM

…TARGET!

KOOLAID2 on January 16, 2014 at 12:31 PM

If you believe the various security professionals who spoke to Reuters, and why wouldn’t you, HHS has done next to nothing to plug the 20+ security holes they’ve been warned about since October. Including one, allegedly, that would let hackers remotely access people’s computers by uploading some sort of worm to the server.

I honestly don’t know what to believe. There’s no reason to doubt the security pros and every reason in the world to doubt that HHS equipped the site with sturdy security before rolling it out. We don’t even have to draw an inference from the overall half-assed execution of Healthcare.gov as of October 1st; remember, HHS’s own security people were waving red flags before launch day. And yet, despite endless stories about the site’s vulnerabilities and high-profile testimony by security experts before Congress in November about just how bad things are, there have been no major breaches to date.

That we know of.

Is the security problem highly visible?

No.

Therefore, with all the embarrassing and highly visible problems that web site has, it would be foolish to expect it to be fixed any sooner than 1 year from now — with the transition to a new company maintaining the web site, probably more like 2 years.

There Goes the Neighborhood on January 16, 2014 at 12:34 PM

Hackers preying upon Obamacare enrollees got me thinking….

China owns a significant amount of our nation’s debt…and they are also credited with an enormous amount of the hacking in government, military, & commercial/civilian computers, with stealing enormous amounts of government & commercial secrets, of stealing an incredible amount of patents/ignoring patents & copying a massive amount of technology/products…making an enormous amount of money from doing so….

So why don’t we just declare to China, since you have illegally done all of this, refuse to stop, and will continue to do so…

Our debt to you is PAID IN FULL. We don’t owe you a dime!

easyt65 on January 16, 2014 at 12:34 PM

“what’s going on”, you ask?

Why, we have always been at war with Eastasia. Is there some confusion about that?

MTF on January 16, 2014 at 12:38 PM

Fortunately, no one has been fired over this. That would be outrageous.

Christien on January 16, 2014 at 12:44 PM

What’s going on here?

Techies can be talking heads too.

The HHS guy is right; the only way to determine how vulnerable a site is to hacking is to hack it. That’s why most sites go through some sort of penetration tests. The tests do exactly that. They attempt to identify vulnerabilities, and they then try to exploit those vulnerabilities.

If the suspected vulnerabilities can be exploited, the test passes and your site fails. If the suspected vulnerabilities cannot be exploited, it wasn’t a vulnerability. It’s that simple.

You simply can’t identify how vulnerable a site is without hacking it.

segasagez on January 16, 2014 at 12:44 PM

This is going to make the Target hacking look like a day at the beach. Here, the hackers get social security numbers, not to mention medical history, which could be used in all manner of nefarious ways. Makes paying the fines a lot more appealing than it was.

TXUS on January 16, 2014 at 12:46 PM

Some claims are almost too silly to be quoted, let alone pass without contest: The extent of insecurity is always unproven until exploited,

It’s not an insecurity unless it’s proven to be an insecurity. An open window does not make a house insecure if you have an M60 facing it.

segasagez on January 16, 2014 at 12:47 PM

Fortunately, no one has been fired over this. That would be outrageous.

Christien on January 16, 2014 at 12:44 PM

They fired the whole development team.

segasagez on January 16, 2014 at 12:48 PM

Four: The site’s been hacked and they don’t even know it.

The professional hackers, the ones who do the most harm, work hard to hack a system without being spotted. They sit there draining off bits of information over an extended period of time without the victim ever knowing.

If the site is as poorly designed as some say, and security wasn’t designed into the system right from the start, it may be impossible to know with much certainty if the site’s been hacked or not.

taznar on January 16, 2014 at 12:49 PM

So why don’t we just declare to China, since you have illegally done all of this, refuse to stop, and will continue to do so…

Our debt to you is PAID IN FULL. We don’t owe you a dime!

easyt65 on January 16, 2014 at 12:34 PM

Sadly, their next action would be to zero out everyone’s online bank account and flip us the bird.

freedomfirst on January 16, 2014 at 12:55 PM

segasagez on January 16, 2014 at 12:48 PM

I know. Has anyone who hired the people who hired the development team been fired? If you catch my drift…

Christien on January 16, 2014 at 12:57 PM

Experts: Obamacare Website Security Getting Worse

DAVID KENNEDY: Healthcare.gov is not secure today. And nothing’s really changed since the November 19th testimony. In fact, from November 19th testimony it’s even worse. Additional security researchers have come into play, providing additional research, additional findings, that we can definitely tell that the website is not getting any better.

Murphy9 on January 16, 2014 at 12:59 PM

They fired the whole development team.

segasagez on January 16, 2014 at 12:48 PM

Not exactly. They took the contract from CGI and just handed it over to a different company. The developers may be retained. It would be unwise to ditch them until they can be debriefed. No one at CGI has been fired that we know of.

700 million down the drain and counting. I wonder what the value of millions of hacked PCs is. This disaster is just getting started.

dogsoldier on January 16, 2014 at 1:02 PM

It’s better to rob the bank when the vaults full rather than empty. Of course the hackers are waiting until it’s worth their time. But since Obamacare is for the lower income isn’t hacking it like hacking the welfare rolls? You are not going to get rich quick that way.

meci on January 16, 2014 at 1:03 PM

To put it another way, what they’re saying is like someone telling you that could walk into your house and steal your things. Why could they walk into your house and steal your things? Because you have a door that could be unlocked. That door could be a vulnerability.

The only way to confirm if that door is a vulnerability is to walk up to it and jiggle the handle.

segasagez on January 16, 2014 at 1:03 PM

Not exactly. They took the contract from CGI and just handed it over to a different company. The developers may be retained. It would be unwise to ditch them until they can be debriefed. No one at CGI has been fired that we know of.

700 million down the drain and counting. I wonder what the value of millions of hacked PCs is. This disaster is just getting started.

dogsoldier on January 16, 2014 at 1:02 PM

How is that not firing the development team? If you contract a company to do your roof, and then hand that contract to a different company to do your roof, you’ve fired the first company.

What debriefing? This isn’t spec ops. It’s software development. When you fire a developer(or a team of developers), that’s it. You hope that the documentation they created is enough.

segasagez on January 16, 2014 at 1:06 PM

taznar on January 16, 2014 at 12:49 PM

It’s been hacked. As soon as it deployed, various entities began to probe it for exploits. They found exploits and used them. Hackers from all over the world knew the site was coming.

If you have any doubt it’s been hacked, please give it up.

Sorry. But if any of you visited the site even just to look at it, by definition, you’re stupid.

Lanceman on January 16, 2014 at 12:16 PM

Absolutely 100% spot on.

dogsoldier on January 16, 2014 at 1:07 PM

segasagez on January 16, 2014 at 1:06 PM

I’ve worked in software development for almost 30 years. Removing CGI is not firing the development team unless they all got laid off and weren’t picked up by the new company. Transfer of engineers from one company to another often happens and may not even require them to leave their cubes.

You haven’t worked in high tech much have you? Pretty much everything you wrote is not correct. Even if they planned to lay off all the developers, they would still spend time with the new team transferring information.

We have seen no reports that CGI is firing anyone.

dogsoldier on January 16, 2014 at 1:11 PM

What do you think the odds are of, at an opportune time, Putin declaring that Russian investigators have uncovered a ring of hackers in, say, Moscow, who have gotten into Healthcare.gov?

Of course, he couldn’t say right off what exactly was found, just that the hackers had exploited a breach.

questionmark on January 16, 2014 at 1:12 PM

Don’t assume there has not been any breach. Remember HHS does not have to notify users when their site has been hacked.

jangle on January 16, 2014 at 1:14 PM

The only way to confirm if that door is a vulnerability is to walk up to it and jiggle the handle.

segasagez on January 16, 2014 at 1:03 PM

That is not correct either. If you walk past a house with no locks on the doors, you know that’s an invitation to a break in.

dogsoldier on January 16, 2014 at 1:14 PM

Of course, he couldn’t say right off what exactly was found, just that the hackers had exploited a breach.

questionmark on January 16, 2014 at 1:12 PM

Wouldn’t he want to continue to collect information as long as possible? Would he not want the website to torture users as much as possible to cause Zero as much humiliation as possible?

dogsoldier on January 16, 2014 at 1:17 PM

I’ve worked in software development for almost 30 years. Removing CGI is not firing the development team unless they all got laid off and weren’t picked up by the new company. Transfer of engineers from one company to another often happens and may not even require them to leave their cubes.

You haven’t worked in high tech much have you? Pretty much everything you wrote is not correct. Even if they planned to lay off all the developers, they would still spend time with the new team transferring information.

We have seen no reports that CGI is firing anyone.

dogsoldier on January 16, 2014 at 1:11 PM

That’s a pretty liberal definition of having a job. You have a cube, but you don’t have any work to do and you’re not getting paid because you don’t have a contract.

Hey construction worker, you’re not fired. We’re just not paying you anymore. See you on Monday!

segasagez on January 16, 2014 at 1:26 PM

That is not correct either. If you walk past a house with no locks on the doors, you know that’s an invitation to a break in.

dogsoldier on January 16, 2014 at 1:14 PM

No, because the door could be welded shut. Or the door could have big bar across the back. Or there could be a big big wall behind it.

All you know about a house that has no locks on the door is that the house has no locks on the door.

segasagez on January 16, 2014 at 1:27 PM

They fired the whole development team.

segasagez on January 16, 2014 at 12:48 PM

As always, you are a joke. Michelle’s pockets have not been emptied…the CGI contract was given to her friend from college…meh, all a hued cabal.

Schadenfreude on January 16, 2014 at 1:32 PM

Accenture hires mainly H1 visa and illegal developers and they will keep most of the CGI staff. The transfer, for a year, was for show and to cover up the fiasco.

Schadenfreude on January 16, 2014 at 1:34 PM

Hold on…Phil Robertson was fired?

tlynch001 on January 16, 2014 at 1:37 PM

segasagez on January 16, 2014 at 1:26 PM

Ok, I see what you are now.

Schadenfreude on January 16, 2014 at 1:34 PM

Yep. The CGI developers have not been fired and Moochie’s pals got their money.

dogsoldier on January 16, 2014 at 1:53 PM

In related news, no one knows how many are enrolled-enrolled.

http://www.weeklystandard.com/blogs/official-no-one-knows-how-many-people-have-actually-paid-obamacare_774743.html

EPICCLUSTERFARCNADO™

dogsoldier on January 16, 2014 at 1:55 PM

dogsoldier on January 16, 2014 at 1:53 PM

As an IT professional, can you identify a vulnerability without testing for it?

segasagez on January 16, 2014 at 1:58 PM

Two: The security pros are right but hackers, for whatever reason, have laid off Healthcare.gov.

Honor among thieves?

PatMac on January 16, 2014 at 1:59 PM

As an IT professional, can you identify a vulnerability without testing for it?

segasagez on January 16, 2014 at 1:58 PM

Yes, some of them. I can visually examine the environment and see some obvious things. For example a login screen not using SSL.

That’s the doors without locks analogy I mentioned earlier.

dogsoldier on January 16, 2014 at 2:04 PM

HHS’s own security people Morton Thiokol o-ring engineers were waving red flags before launch day.

Tsar of Earth on January 16, 2014 at 2:05 PM

It’s been hacked. The reason we haven’t heard about it from the inside is the lying administration covering it up; the reason we haven’t heard about it from the outside is that the handful of poor, sick people that have been swept up to date isn’t anything to brag about.

cthulhu on January 16, 2014 at 2:13 PM

Yes, some of them. I can visually examine the environment and see some obvious things. For example a login screen not using SSL.

That’s the doors without locks analogy I mentioned earlier.

dogsoldier on January 16, 2014 at 2:04 PM

That’s actually a great example, because if you were to do a visual test, you’d be completely trusting the browser, which is actually doing the test. The only way to do that test with certainty would be to test the traffic to and from the server to see if it’s encrypted.

In other words, I could hack your browser to show the SSL lock or to show https in the address bar, even though the traffic is being sent in clear text. Another simpler way would be to add an iframe on an SSL page that points to non-SSL traffic.

As an IT professional, you know I’m right about this. Hacking is successful oftentimes because things look secure but aren’t. The inverse is also true. The only way to know is to test.

segasagez on January 16, 2014 at 2:15 PM

The inverse is also true.
segasagez on January 16, 2014 at 2:15 PM

No, that is incorrect. Let’s focus on just the absence of SSL first, to avoid confusion. Obviously a problem. So yes, one can see obvious problems without testing.

One doesn’t assume a site is secure by virtue of indicators in or on a browser.

One can examine the network and observe there is no firewall in the rack. Obviously, a problem. One can look at the server to see if anti-malware and anti-virus software is installed and running correctly.

That’s the “inspection” part of a security audit, which consists of a long list of items to check. Testing in its various forms is another part of the audit.

dogsoldier on January 16, 2014 at 2:33 PM

Wouldn’t he want to continue to collect information as long as possible? Would he not want the website to torture users as much as possible to cause Zero as much humiliation as possible?

dogsoldier on January 16, 2014 at 1:17 PM

I think throwing out to the press how un-secure the site is would be the first/best step toward humiliating Obama.

He could keep collecting info by only letting us know as much as he wants about the breach.

If I were Putin I would certainly be looking for a way to rub something in O’s face.

questionmark on January 16, 2014 at 2:42 PM

What’s going on here?

Simple … they want our information out there all over, causing a situation where it will be “necessary” for us to get National ID to prove we are who we say we are!

deafy on January 16, 2014 at 2:44 PM

questionmark on January 16, 2014 at 2:42 PM

Good points, and perhaps exposing the vulnerabilities wouldn’t necessarily dry up the flow of intel right away, since they don’t seem able to secure it.

I find myself wondering if hackers could use the open door of the HealthCare.gov site to get deeper access to the government’s networks. This situation is probably much worse than we know.

If I’m hacking the site, all yours data is belong to me. Yeah ok, good stuff, but what I want is the real meat and potatoes. Can I get into the servers in the White House, Pentagon, or the NSA from there? Oh baby, I could sure have some fun with that stuff.

dogsoldier on January 16, 2014 at 2:50 PM

dogsoldier on January 16, 2014 at 2:33 PM

You are just wrong.

You can have an iframe that points to an SSL page. That iframe can reside on a page that isn’t SSL. If that iframe contains the login boxes, that login information is being encrypted. The only way to confirm that would be to inspect the network traffic.

Visual tests aren’t even part of a pen test. If you’re charging your customers for that, you are seriously defrauding them. That’s pretty unethical.

I can’t see how you can defend people who are saying that they can upload code through the website to a user’s computer, but haven’t tried it. Are you really putting politics in front of your professional integrity?

segasagez on January 16, 2014 at 2:50 PM
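The padlock-versus-traffic argument in the two segasagez comments above (an SSL page that pulls in non-SSL content through an iframe, and a login frame whose encryption status is not visible from the parent page) can be turned into an automated inspection step rather than a visual one. What follows is an added example, not code from any commenter, from Hot Air, or from HealthCare.gov. It parses a page with Python’s standard-library html.parser and reports embedded resources that undercut what the browser indicator suggests: plaintext resources inside an HTTPS page, forms that post credentials over http, and HTTPS frames or password fields sitting inside a plaintext page (where the address bar reflects the outer document, not the frame). The hostnames and HTML fragments are constructed for illustration.

```python
"""Audit an HTML page for mixed content and insecure credential embedding.

Added example for the thread above; not from the page or any project it names.
Hostnames under example.test and the HTML fragments are constructed inputs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute loads or submits content. Hypothetical, minimal list.
URL_ATTRS = {
    "iframe": "src", "frame": "src", "script": "src", "link": "href",
    "img": "src", "object": "data", "embed": "src", "form": "action",
}


class MixedContentAuditor(HTMLParser):
    """Collects (finding_kind, resolved_url) pairs while parsing one page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr is None:
            # A password field on a plaintext page can be altered or read in transit
            # regardless of where its form posts, so flag the page itself.
            if (tag == "input" and (attrs.get("type") or "").lower() == "password"
                    and self.page_scheme != "https"):
                self.findings.append(("password-field-on-plaintext-page", self.page_url))
            return
        target = attrs.get(attr)
        if not target:
            return
        # Resolve relative and protocol-relative ("//host/...") URLs against the page.
        resolved = urljoin(self.page_url, target)
        scheme = urlsplit(resolved).scheme.lower()
        if tag == "form" and scheme == "http":
            # Credentials typed into this form leave the browser in clear text.
            self.findings.append(("form-posts-plaintext", resolved))
        elif self.page_scheme == "https" and scheme == "http":
            # Active or passive mixed content: the padlock overstates what is protected.
            self.findings.append((f"mixed-content:{tag}", resolved))
        elif (tag in ("iframe", "frame") and scheme == "https"
                and self.page_scheme != "https"):
            # The frame is encrypted, but the user sees only the plaintext parent's
            # address bar, and the parent can be rewritten on the wire.
            self.findings.append(("https-frame-inside-plaintext-page", resolved))


def audit_html(page_url: str, html: str) -> list[tuple[str, str]]:
    """Parse one page and return its findings in document order."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: an HTTPS enrollment page that embeds plaintext resources.
SAMPLE_HTTPS_PAGE = """<html><head>
<link rel="stylesheet" href="//cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<iframe src="http://ads.example.test/frame.html"></iframe>
<form action="http://login.example.test/submit" method="post">
<input type="text" name="user"><input type="password" name="pw">
</form></body></html>"""

# Constructed sample: a plaintext page framing an HTTPS login, as argued above.
SAMPLE_HTTP_PAGE = """<html><body>
<iframe src="https://secure.example.test/login"></iframe>
<form action="https://secure.example.test/submit" method="post">
<input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://www.example.test/enroll", SAMPLE_HTTPS_PAGE),
                      ("http://www.example.test/", SAMPLE_HTTP_PAGE)):
        print(url)
        for kind, resolved in audit_html(url, page):
            print(f"  {kind:40} {resolved}")
```

Running the block prints three findings for the HTTPS sample (a plaintext script, a plaintext iframe, and a form posting over http; the protocol-relative stylesheet correctly resolves to https and is not flagged) and two for the plaintext sample (an HTTPS frame inside a plaintext parent and a password field on a plaintext page). This is the kind of check that belongs in the inspection list of an audit; it does not replace capturing the traffic, which remains the only way to confirm what actually left the browser.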

segasagez on January 16, 2014 at 2:50 PM

You apparently cannot read or have reading comprehension issues. I addressed one part of your nonsense.

How many security audits have you performed?

dogsoldier on January 16, 2014 at 2:54 PM

I’m in the middle of a $30,000 pen test right now for a SharePoint environment that we’re upgrading.

I challenge you to post your testing parameters or testing contract.

You’re either lying or incompetent.

segasagez on January 16, 2014 at 3:02 PM

segasagez on January 16, 2014 at 3:02 PM

Says the other verbie of HA

Schadenfreude on January 16, 2014 at 3:11 PM

In related news: http://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1

segasagez on January 16, 2014 at 3:02 PM

Doubtful, since you don’t know what a security audit is.

Schadenfreude on January 16, 2014 at 3:11 PM

I had hopes, but you’re right.

dogsoldier on January 16, 2014 at 3:15 PM

Time to change your username. The one you’re currently using has been exposed as a fraud. Maybe you can be in the military next or a biologist or some third thing you read something about on Wikipedia.

segasagez on January 16, 2014 at 3:22 PM

I’m in the middle of a $30,000 pen test

segasagez on January 16, 2014 at 3:02 PM

RUN! He’s got a pen, and he’s not afraid to use it!

Christien on January 16, 2014 at 3:26 PM

segasagez on January 16, 2014 at 3:22 PM

Anyone who attempts to define a security audit as just a pen test is severely lacking in credibility, and it’s amazing you can’t see something so obvious. You’re the only fraud here chum.

Go troll somewhere else. I won’t respond to you further.

dogsoldier on January 16, 2014 at 3:28 PM

Christien on January 16, 2014 at 3:26 PM

LOL!

dogsoldier on January 16, 2014 at 3:29 PM

There are many possibilities, each encompassing the ones before:

- That the site is hackable
- That the site has been hacked
- That they know the site has been hacked
- That they tell us the site has been hacked

It’s not surprising that the last and least likely of these hasn’t (yet) occurred, but that doesn’t mean that ones before it haven’t.

Remember, most security breaks don’t get revealed to the public the way the Target one was. And HHS has every reason to hide any that occur in this case, even more so than credit card companies and retailers do.

calbear on January 16, 2014 at 4:25 PM

I’m in the middle of a $30,000 pen test

segasagez on January 16, 2014 at 3:02 PM

Schadenfreude on January 16, 2014 at 5:19 PM

No one’s offered any evidence of a wide-scale malicious security breach.

Not yet, but if the site has been hacked, and it eventually becomes public knowledge, will Obama/HHS attempt to use Issa/Republicans as the cause? Cummings is already claiming a “lack of policy on securing sensitive information in committee’s possession” and “lack of information about outside individuals given access to sensitive information”. And the administration did of course tell Issa he could not have physical copies of the MITRE documents saying that because of Issa’s history of selective leaks to the media, he can’t be trusted with the materials.

Since Issa needed to use subpoena power, the administration says it’s concerned about the MITRE documents leaking because they “include software code and other technical information that is highly sensitive” and could give hackers “a roadmap to compromise the security of the website and the personal information of American citizens.”

Nah, they wouldn’t do that.

lynncgb on January 16, 2014 at 11:31 PM