Cyber security expert: Healthcare.gov “much worse off” now

posted at 9:01 am on January 20, 2014 by Ed Morrissey

David Kennedy has been sounding this alarm for months. The former Marine Corps cyberwarfare expert, now a private-sector cyber security entrepreneur, testified before Congress about the huge gaps in data security in Healthcare.gov, the Obama administration’s web portal for ObamaCare. After a large amount of frantic reprogramming in November, Kennedy thought the problems would worsen. Having done his own research on the web portal, Kennedy says he has confirmed that the site is now “much worse off” (via Daniel Halper at TWS):

KENNEDY: I have to completely disagree with her. And it’s not just myself that is just saying this website is insecure, it is also seven other independent security researchers that also looked at all of the research that I’ve done and came to the exact same conclusion. And these are folks that work really well in the industry. And they’re highly respected, have an extensive experience of working for the government. And, you know, if you read the testimony and you read what she had actually said, she said that it’s done end to end security testing. They don’t say what type of testing that is. It could have been an audit that just looks at paperwork. It could have been, you know, really rudimentary testing that looks for just basic things. But what is pretty evident right now is that the site itself is not secure.

WALLACE: All right.

KENNEDY: It’s much worse off.

Chris Wallace then asked Kennedy why, if the site is so vulnerable, there haven’t been any hacks against it. That was the question asked by Gary Cohen, the HHS manager overseeing Healthcare.gov, claiming that “there have been no successful attempts of what anyone has been able to attack the system and penetrate it.” Kennedy declared this defense of Healthcare.gov to be “one of my favorites,” and says … how do they know it hasn’t been hacked? Emphases mine:

KENNEDY: And that’s great. This is one of my favorite ones out of the whole testimony. And so they (inaudible) that there has been no successful hacks that they’ve been able to detect. If you look at — there’s November testimony by Congress that basically said that a third party company was contracted to build out what we call the security operations center, which is what would actually detect these types of attacks. As of November, it hadn’t even been started yet. So, if you look at how long these security operations centers take to put into play, it takes several months, if not years to actually implement and fully build the attacks out there. So, as of November we have no modern detection. And that, from my understanding, it’s still not happening to this date. So they’re accurate in their statement. They haven’t detected any attacks on the website, because they don’t have the capability to detect them.
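Kennedy’s point is that “no attacks detected” means nothing until something is actually watching. The smallest version of what a security operations center does is run detection logic over the web server’s access log. The block below is an added illustration, not code from the original post or from Healthcare.gov: it parses a handful of constructed log lines (addresses, paths and timestamps are made up) and raises an alert when one client walks through many distinct record ids in a short window, or racks up repeated failed logins. The thresholds and the 60-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format. Addresses, paths and
# timestamps are made up for this example and do not come from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2014:09:01:01 -0500] "GET /profile?id=1001 HTTP/1.1" 200 512
203.0.113.7 - - [20/Jan/2014:09:01:02 -0500] "GET /profile?id=1002 HTTP/1.1" 200 498
203.0.113.7 - - [20/Jan/2014:09:01:02 -0500] "GET /profile?id=1003 HTTP/1.1" 200 503
203.0.113.7 - - [20/Jan/2014:09:01:03 -0500] "GET /profile?id=1004 HTTP/1.1" 200 511
203.0.113.7 - - [20/Jan/2014:09:01:03 -0500] "GET /profile?id=1005 HTTP/1.1" 200 497
203.0.113.7 - - [20/Jan/2014:09:01:04 -0500] "GET /profile?id=1006 HTTP/1.1" 200 505
192.0.2.10 - - [20/Jan/2014:09:01:10 -0500] "GET /profile?id=2001 HTTP/1.1" 200 520
192.0.2.10 - - [20/Jan/2014:09:01:40 -0500] "GET /profile?id=2001 HTTP/1.1" 200 520
198.51.100.4 - - [20/Jan/2014:09:02:00 -0500] "POST /login HTTP/1.1" 401 77
198.51.100.4 - - [20/Jan/2014:09:02:01 -0500] "POST /login HTTP/1.1" 401 77
198.51.100.4 - - [20/Jan/2014:09:02:02 -0500] "POST /login HTTP/1.1" 401 77
198.51.100.4 - - [20/Jan/2014:09:02:03 -0500] "POST /login HTTP/1.1" 401 77
198.51.100.4 - - [20/Jan/2014:09:02:04 -0500] "POST /login HTTP/1.1" 401 77
198.51.100.4 - - [20/Jan/2014:09:02:05 -0500] "POST /login HTTP/1.1" 200 1422
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
ID_RE = re.compile(r"[?&]id=(\d+)")


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(log_text, window_seconds=60, enum_threshold=5, fail_threshold=5):
    """Scan log lines and return (ip, alert_type, count) tuples, at most one alert
    of each type per source. Two behaviours are flagged: one client fetching many
    distinct record ids inside the window (enumeration), and one client producing
    many 401 responses on the login endpoint (credential guessing)."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])  # stable sort: equal timestamps keep file order

    ids_seen = defaultdict(list)     # ip -> [(time, record id)] still inside the window
    login_fails = defaultdict(list)  # ip -> [time] of 401s still inside the window
    alerts, fired = [], set()

    for e in events:
        ip, now = e["ip"], e["time"]
        id_match = ID_RE.search(e["path"])
        if e["method"] == "GET" and id_match:
            recent = [(t, i) for t, i in ids_seen[ip] if now - t <= window]
            recent.append((now, id_match.group(1)))
            ids_seen[ip] = recent
            distinct = {i for _, i in recent}
            if len(distinct) >= enum_threshold and (ip, "enumeration") not in fired:
                fired.add((ip, "enumeration"))
                alerts.append((ip, "enumeration", len(distinct)))
        if e["path"].split("?")[0] == "/login" and e["status"] == 401:
            recent = [t for t in login_fails[ip] if now - t <= window]
            recent.append(now)
            login_fails[ip] = recent
            if len(recent) >= fail_threshold and (ip, "credential_guessing") not in fired:
                fired.add((ip, "credential_guessing"))
                alerts.append((ip, "credential_guessing", len(recent)))
    return alerts


if __name__ == "__main__":
    for ip, kind, n in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {ip} ({n} events inside the window)")
```

Run as-is it flags the first client for enumeration and the third for credential guessing, while the client that re-reads its own record twice in a minute stays quiet. A real deployment would feed this from a log pipeline and tune the thresholds against normal traffic, but the shape of the check is the same.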

So how does Kennedy know that the website is vulnerable? He’s glad you asked:

KENNEDY: That’s a great question. There is a technique called — what we call passive reconnaissance, which allows us to query — look at how the website operates and performs. And these type of attacks that, you know, I’m mentioning here in the 70,000 that you’re referencing is very easy to do. It’s a rudimentary type attack that doesn’t actually attack the website itself, it extracts information from it without actually having to go into the system. Think of it this way. Think of something where you have a car and the car doors are open and the windows are open, you can see inside of it. That’s basically what they allow you to do. And there is no real sophistication level here. It is just really wide open. So, there is no hacking actually involved. And 70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I’m sure it’s hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it’s just wide open. You can literally just open up your browser, go to this and extract all this information. Not actually having to hack the website itself.

You don’t need to hack the website. The data is right out there for anyone to gather, apparently.

The full interview is below, and well worth watching:

Update: It’s David Kennedy, not Doug Kennedy (an author). My apologies to both men for the confusion.



Comments

Are there any walls in America?

Murphy9 on January 20, 2014 at 9:05 AM

You don’t need to hack the website. The data is right out there for anyone to gather, apparently.

Awesome. Right now there is a Russian crime syndicate vacuuming up everything they can and soon there will be a spree of identity and electronic fund theft on a scale never before seen.

But hey, the Best and Brightest, that’s what we were told in 2008 and 2012; thank Gaia we got that stupid-head Dubya out of office.

Bishop on January 20, 2014 at 9:06 AM

thank Gaia we got that stupid-head Dubya out of office.

Bishop on January 20, 2014 at 9:06 AM

… who was leaving anyway.

Ed Morrissey on January 20, 2014 at 9:09 AM

Sort of like the claim that they’ve detected no voter fraud.

And the cop sitting in the donut shop says he hasn’t seen any drug dealers on the street corners.

notropis on January 20, 2014 at 9:11 AM

What should happen is that Congress should hire a “Red Team” to hack into healthcare.gov and expose this farce for what it is…a farce.

If the insecurities are there, the team will eat the site’s breakfast, lunch, and dinner.

Then maybe the WH will take notice.

NavyMustang on January 20, 2014 at 9:14 AM

Even if they did know about breaches, they’d lie about it.

forest on January 20, 2014 at 9:19 AM

thank Gaia we got that stupid-head Dubya out of office.

Bishop on January 20, 2014 at 9:06 AM

Bishop:)

A Globalist Warmist Mother Earth type eh!!!!!

(kidding)

canopfor on January 20, 2014 at 9:19 AM

cripe….

cmsinaz on January 20, 2014 at 9:24 AM

MeanWhile, ..this tidbit has slipped through the New Knots:
===========================================================

HopeyCare InJustice Equalizer EnForcement:
******************************************

Reuters Politics ‏@ReutersPolitics 9h

Obamacare rules on equal coverage delayed: NY Times http://reut.rs/Ly79F8
=========

Obamacare rules on equal coverage delayed: NY Times
WASHINGTON Sat Jan 18, 2014 5:12pm EST
**************************************

(Reuters) - The Obama administration is delaying enforcement of a provision of the new healthcare law that prohibits employers from providing better health benefits to top executives than to other employees, the New York Times reported on Saturday.

Tax officials said they would not enforce the provision this year because they had yet to issue regulations for employers to follow, according to the Times. (More…)
================================

http://www.reuters.com/article/2014/01/18/us-usa-healthcare-executives-idUSBREA0H0JZ20140118?feedType=RSS&feedName=politicsNews&utm_source=dlvr.it&utm_medium=twitter&dlvrit=574655

Rules for Equal Coverage by Employers Remain Elusive Under Health Law
By ROBERT PEAR, JAN. 18, 2014
***************************

http://www.nytimes.com/2014/01/19/us/rules-for-equal-coverage-by-employers-remain-elusive-under-health-law.html?_r=0

canopfor on January 19, 2014 at 3:22 AM

canopfor on January 19, 2014 at 11:51 PM

canopfor on January 20, 2014 at 9:25 AM

Ugh,..thats News Knots,..not (New Knots).

canopfor on January 20, 2014 at 9:27 AM

************** The SCROTCHING Of ACA **************************!!

canopfor on January 20, 2014 at 9:29 AM

How about an on-camera debate between Kennedy and the Turkey Neck Twins (Sebelius & Tavenner)?

jangle12 on January 20, 2014 at 9:30 AM

canopfor on January 20, 2014 at 9:25 AM

I’m starting to wonder how many groups that DON’T have exemptions are left!!!!!

NavyMustang on January 20, 2014 at 9:31 AM

Results for #Obamacare
**********************

https://twitter.com/search?q=%23Obamacare&src=hash

canopfor on January 20, 2014 at 9:32 AM

If the insecurities are there, the team will eat the site’s breakfast, lunch, and dinner.

Then maybe the WH will take notice.

NavyMustang on January 20, 2014 at 9:14 AM

They’ll take notice, and charge that team with “cyber crimes”. They’ll also conveniently find “porn” on their computers and maybe a few congressional computers too (SEC agents to provide a hand with that investigation).

“there have been no successful attempts of what anyone has been able to attack the system and penetrate it.”

Says the gov stooge. Its not like the Fed Gov has ever lied about anything, ever. “If you like your plan…”

Whats been going on with Target and other retailers lately eh? What went on with Adobe Software (Photoshop etc.) last year? That started with “we were hacked but they got nothing… uh one month ago.” Then it was, “Uh, yeah, we knew about it but said nothing for a month and its worse, it looks like they were deep into our systems, got into customer info and access to our program code.” These are systems that require people to be connected to their “cloud” to run the software. Are you downloading hacked code that can spy on your info direct from your computer?

oryguncon on January 20, 2014 at 9:33 AM

Is there a point for the Democratic Party at which incompetence becomes intolerable?

JohnGalt23 on January 20, 2014 at 9:33 AM

How about an on-camera debate between Kennedy and the Turkey Neck Twins (Sebelius & Tavenner)?

jangle12 on January 20, 2014 at 9:30 AM

Eh, there would be a brown-shirted dude holding an AK right behind Kennedy acting as an official “monitor”.

The first rule of government debate club is always bring more guns than the other guy.

Bishop on January 20, 2014 at 9:34 AM

************** The SCROTCHING Of ACA **************************!!

canopfor on January 20, 2014 at 9:29 AM

A blast from the past, Scrotched Earth, still my favorite misspelling of all time.

Bishop on January 20, 2014 at 9:34 AM

Someone would have to be stupid on the level of plant life (or desperate) to participate in this scheme.

WhatSlushfund on January 20, 2014 at 9:36 AM

Foreign nationals stealing information from HealthCare.Gov? Mon Dieu!

QUICK—Let’s get the NSA working on this, stat! I’m sure the proletariat won’t mind if an Executive Order allows them to look at all communications, all the time, in real time, without fetters.
Because State Security, Comrade Citizen.

orangemtl on January 20, 2014 at 9:37 AM

canopfor on January 20, 2014 at 9:25 AM

I’m starting to wonder how many groups that DON’T have exemptions are left!!!!!

NavyMustang on January 20, 2014 at 9:31 AM

NavyMustang: No kidding,..I just stumbled on a Fox News Video
regarding above linky:)
=====================================

Another Obamacare delay
Jan. 19, 2014 – 5:14 – Kansas Senator Jerry Moran analyzes the impact
*********************************************************************

http://video.foxnews.com/v/3076780115001/another-obamacare-delay/#sp=show-clips

canopfor on January 20, 2014 at 9:39 AM

Awesome. Right now there is a Russian crime syndicate vacuuming up everything they can and soon there will be a spree of identity and electronic fund theft on a scale never before seen.

Bishop on January 20, 2014 at 9:06 AM

Russians, Chinese, Americans, Iranians… thieves from all over the world will be tripping over each other to get to obamacare.com. The crime explosion is going to be awesome.

petefrt on January 20, 2014 at 9:40 AM

canopfor on January 20, 2014 at 9:29 AM

A blast from the past, Scrotched Earth, still my favorite misspelling of all time.

Bishop on January 20, 2014 at 9:34 AM

Bishop: Why thank-you Bishop,..my Mission/Goal in life is to
B*stardize/Debaucherization of the English Language,haha:——:0

canopfor on January 20, 2014 at 9:46 AM

Three and a half years, hundreds of millions of dollars, and they didn’t even manage to set up basic security.

Un-friggin’-believable.

AZCoyote on January 20, 2014 at 9:51 AM

Like Obama and everything he touches, this thing is a POS and worse AFTER he touched than before…

easyt65 on January 20, 2014 at 9:56 AM

The security holes are by design. How else is the NSA going to mine everyone’s personal data (and eventually it will be EVERYONE)?

They got caught with their hand in the phone record cookie jar, so this it plan B.

CurtZHP on January 20, 2014 at 9:57 AM

Obviously this is racist or something…ask Preezy Compotentzee…

workingclass artist on January 20, 2014 at 10:06 AM

KENNEDY: That’s a great question. There is a technique called — what we call passive reconnaissance

This is what I was talking about the other day, without giving this much detail.

Yes, the data is just right there in the open.

dogsoldier on January 20, 2014 at 10:14 AM

Hmmmmmmmmmmmmmmmm,……………………..

Will ObamaCare Create a Retirement Stampede?
*********************************************

By Kathryn Buschman Vasel

Published January 20, 2014
FOXBusiness
************

http://www.foxbusiness.com/personal-finance/2014/01/20/will-obamacare-create-retirement-stampede/?intcmp=fbcolumnsblogs?cmpid=cmty_twitter_fb

canopfor on January 20, 2014 at 10:50 AM

And it gets better!

http://nypost.com/2014/01/18/obamacare-gets-outsourced-amid-unemployment-crisis/

Tech companies argue they need H-1B visas because there aren’t enough qualified American engineers, yet the facts do not bear this out. In truth there is no tech worker shortage or lack of skills and talent in America. The real motivation of offshore outsourcing companies like Accenture is cost. They use H-1B and other guest-worker visas to pay less wages than they would have to pay an equivalent American worker.

dogsoldier on January 20, 2014 at 10:54 AM

I work in Quality Assurance for a software security company. After Healthcare.gov went live I researched a little into the security problems. They were/are quite awful.

When he says the windows of a parked car are down he is not kidding. Specifically when your web browser talks to the healthcare site and give it a username, even with a wrong password, the site spits back much of the personal information in the transmission it sends back to your browser. This data is not visible on the surface, but if you look at the page source it is. (Lest you think I’m giving details away to hackers this information is already out there on the web in much more accessible locations than a comment on Hotair.)

At least that was how bad it was on launch. I’ve heard conflicting reports on if it is still there, and I am scared enough of the potential to stick a worm on my computer that I refuse to visit the healthcare site again to check myself. It may be that it is slightly more difficult to access now, but I wouldn’t be surprised if it’s still being sent out somewhere in the underlying site code and they just obfuscated it instead of fixing the architecture, because this flaw signals a major flaw in the underlying design. The user’s machine should not need to get the personal information back until after a successful secure sign in, and even then it should be better protected.

Additionally, there is no timeout for bad username/passwords, so you can just keep sending random usernames to the site until one returns with information. This is so bad that a script kiddie still in middle school could “hack” this site… and probably already has.

Sackett on January 20, 2014 at 11:12 AM
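Sackett describes two separate defects: a login response that carries personal data even when the password is wrong, and no limit on how many username/password guesses a client may make. The block below is an added illustration, not Healthcare.gov code and not Sackett’s: a constructed in-memory account store (names, salt and profile values are made up) with the flawed handler shape beside a hardened one. The hardened version gives one generic failure message, does the same hashing work whether or not the username exists, locks a client/username pair out after a few failures, and only releases profile data to a session that has already authenticated. The iteration count, lockout window and failure limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory account store. Names, salt and profile values are made
# up for this example; a real system keeps a random salt per user.
ITERATIONS = 50_000
SALT = b"example-salt-not-for-production"


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery"),
        "profile": {"dob": "1970-01-01", "ssn_last4": "1234"},
    },
}
# Hash of a throwaway password, so a lookup of a non-existent user costs the
# same time as a real one (no username-existence oracle via timing).
DUMMY_HASH = hash_password(secrets.token_hex(16))
GENERIC_ERROR = "Invalid username or password"


def login_vulnerable(username, password):
    """The shape of the flaw described above (constructed, not the site's code):
    the response carries profile data even when the password is wrong, the error
    text reveals whether the username exists, and nothing limits guesses."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "no such user"}
    ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    return {"ok": ok, "profile": dict(user["profile"])}


class LoginService:
    """Hardened handler: one generic failure message, no profile data before a
    successful login, and a per-(client, username) failure counter that locks the
    pair out for lockout_seconds after max_failures bad attempts."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock      # injectable so tests can advance time
        self.failures = {}      # (client_ip, username) -> (count, last_failure_time)
        self.sessions = {}      # session token -> username

    def _locked(self, key):
        count, last = self.failures.get(key, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - last >= self.lockout_seconds:
            self.failures.pop(key, None)  # lockout expired; start counting afresh
            return False
        return True

    def login(self, username, password, client_ip):
        key = (client_ip, username)
        if self._locked(key):
            return {"ok": False, "error": GENERIC_ERROR}
        user = USERS.get(username)
        expected = user["pw_hash"] if user else DUMMY_HASH
        candidate = hash_password(password)  # always do the work, even for unknown users
        if user is not None and hmac.compare_digest(candidate, expected):
            self.failures.pop(key, None)
            token = secrets.token_urlsafe(32)
            self.sessions[token] = username
            return {"ok": True, "session": token}
        count, _ = self.failures.get(key, (0, 0.0))
        self.failures[key] = (count + 1, self.clock())
        return {"ok": False, "error": GENERIC_ERROR}

    def profile(self, token):
        """Personal data is only handed out to a session that already authenticated."""
        username = self.sessions.get(token)
        return dict(USERS[username]["profile"]) if username else None
```

The failure counter is keyed on client address and username together so that one attacker cannot lock out a legitimate user by spamming their name, while a single client hammering one account is still stopped. Separating `login` from `profile` is the architectural point Sackett makes: the browser should not receive personal data until after a successful sign-in.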

This guy said he’d test the system, gratis, but they won’t call him.

Schadenfreude on January 20, 2014 at 11:15 AM

I’m starting to wonder how many groups that DON’T have exemptions are left!!!!!

NavyMustang on January 20, 2014 at 9:31 AM

Can’t be sure, but I’m sure it’s the ones you and I are in…

taterblade on January 20, 2014 at 11:39 AM

And it gets better!

http://nypost.com/2014/01/18/obamacare-gets-outsourced-amid-unemployment-crisis/

Tech companies argue they need H-1B visas because there aren’t enough qualified American engineers, yet the facts do not bear this out. In truth there is no tech worker shortage or lack of skills and talent in America. The real motivation of offshore outsourcing companies like Accenture is cost. They use H-1B and other guest-worker visas to pay less wages than they would have to pay an equivalent American worker.

dogsoldier on January 20, 2014 at 10:54 AM

dogsoldier:

I wonder who is getting Foreign H-1b’s that the Obama Administration
is sailing through!:)

canopfor on January 20, 2014 at 12:11 PM

I think the only way this would get shut down would be for some “white hat” via the website, to get private, personal data on the staff members of Pelosi, Reid, or Schumer and publish it all.

kurtzz3 on January 20, 2014 at 12:26 PM

Whats been going on with Target and other retailers lately eh? What went on with Adobe Software (Photoshop etc.) last year? That started with “we were hacked but they got nothing… uh one month ago.” Then it was, “Uh, yeah, we knew about it but said nothing for a month and its worse, it looks like they were deep into our systems, got into customer info and access to our program code.” These are systems that require people to be connected to their “cloud” to run the software. Are you downloading hacked code that can spy on your info direct from your computer?

oryguncon on January 20, 2014 at 9:33 AM

Exactly right, before they were even done apologizing for the ‘nothing’ that the hackers got, BofA sent email alerts informing me that my BofA checking card has been ‘compromised’ and they’re sending me a new one…my wife and all my friends who are with BofA were mailed their new BofA checking cards in the past week or are in the process of getting it…so much for ‘they got nothing’…

jimver on January 20, 2014 at 12:36 PM

This guy said he’d test the system, gratis, but they won’t call him.

Schadenfreude on January 20, 2014 at 11:15 AM

And IBM said they’d BUILD the system gratis, and were told thanks but no thanks.

The Schaef on January 20, 2014 at 12:58 PM

Ed –
You mean the websites aren’t working perfectly on day one two three four five six seven eight nine ten eleven twelve thirteen fourteen fifteen sixteen seventeen eighteen nineteen twenty twenty-one twenty-two twenty-three twenty-four twenty-five twenty-six twenty-seven twenty-eight twenty-nine thirty thirty-one thirty-two thirty-three thirty-four thirty-five thirty-six thirty-seven thirty-eight thirty-nine forty forty-one forty-two forty-three forty-four forty-five forty-six forty-seven forty-eight forty-nine fifty fifty-one fifty-two fifty-three fifty-four fifty-five fifty-six fifty-seven fifty-eight fifty-nine sixty sixty-one sixty-two sixty-three sixty-four sixty-five sixty-six sixty-seven sixty-eight sixty-nine seventy seventy-one seventy-two seventy-three seventy-four seventy-five seventy-six seventy-seven seventy-eight seventy-nine eighty eighty-one eighty-two eighty-three eighty-four eighty-five eighty-six eighty-seven eighty-eight eighty-nine ninety ninety-one ninety-two ninety-three ninety-four ninety-five ninety-six ninety-seven ninety-eight ninety-nine one hundred one hundred one one hundred two one hundred three one hundred four one hundred five one hundred six one hundred seven one hundred eight one hundred nine one hundred ten one hundred eleven one hundred twelve
verbaluce on October 1, 2013 at 10:18 AM

(H/T NotCoach)

There Goes the Neighborhood on January 20, 2014 at 1:13 PM

Is there a point for the Democratic Party at which incompetence becomes intolerable?

JohnGalt23 on January 20, 2014 at 9:33 AM

Why am I laughing so much at a simple question?

There Goes the Neighborhood on January 20, 2014 at 1:16 PM

WALLACE: Well, I’m going to ask you about that and how you know that. Because you say you did not hack the site and, yet, you say you could access 70,000 records of various people who have signed up for health care under — at the website within four minutes. How do you know that if you haven’t hacked the site?

KENNEDY: That’s a great question. There is a technique called — what we call passive reconnaissance, which allows us to query — look at how the website operates and performs. And these type of attacks that, you know, I’m mentioning here in the 70,000 that you’re referencing is very easy to do. It’s a rudimentary type attack that doesn’t actually attack the website itself, it extracts information from it without actually having to go into the system.

Oh dear God, they’re using sequential ID numbers instead of GUIDs!

Please tell me they aren’t THAT stupid!

dominigan on January 20, 2014 at 1:48 PM
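Sequential ids are the symptom dominigan has in mind; the deeper problem is a lookup that trusts the id alone. The block below is an added illustration, not Healthcare.gov code and not dominigan’s: a constructed in-memory record store (people and values are made up) with the countable-id lookup beside a hardened store that mints 128-bit random identifiers and, more importantly, checks that the caller owns the record on every read. The random id denies an outsider the free enumeration; the ownership check is what actually closes the hole, because a leaked or shared id is still useless to anyone but its owner.

```python
import secrets

# Constructed in-memory record store; people and values are made up for this
# example. The flawed store numbers records 1, 2, 3, ... and serves them on
# nothing but that number.
RECORDS_SEQUENTIAL = {
    1: {"owner": "alice", "dob": "1970-01-01"},
    2: {"owner": "bob", "dob": "1982-05-17"},
    3: {"owner": "carol", "dob": "1991-11-30"},
}


def get_record_vulnerable(record_id):
    """No caller identity, no ownership check: whoever reaches the endpoint can
    walk the id space and read every record."""
    return RECORDS_SEQUENTIAL.get(record_id)


class RecordStore:
    """Hardened store: ids come from a CSPRNG (not guessable or countable) AND
    every read checks that the caller owns the record."""

    def __init__(self):
        self._records = {}

    def create(self, owner, data):
        record_id = secrets.token_urlsafe(16)  # 128 random bits, URL-safe text
        self._records[record_id] = {"owner": owner, **data}
        return record_id

    def get(self, caller, record_id):
        record = self._records.get(record_id)
        if record is None or record["owner"] != caller:
            # Same answer for "does not exist" and "not yours", so a probe learns nothing.
            raise PermissionError("record not found")
        return dict(record)

    def ids_for(self, caller):
        """The only legitimate way to discover ids: list the caller's own records."""
        return [rid for rid, rec in self._records.items() if rec["owner"] == caller]


def can_read(store, caller, record_id):
    """True if the caller is allowed to read the record, False if the store refuses."""
    try:
        store.get(caller, record_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = RecordStore()
    alice_id = store.create("alice", {"dob": "1970-01-01"})
    print("sequential store, no identity needed:", get_record_vulnerable(2))
    print("bob reading alice's record:", can_read(store, "bob", alice_id))
    print("alice reading her own record:", can_read(store, "alice", alice_id))
```

Note that the hardened `get` refuses unknown and foreign ids identically, so even the authorization failure does not confirm that a given id exists. That, plus the detection of id-walking in the access log, is what turns “wide open” into a site where the windows are at least rolled up.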

dogsoldier:

I wonder who is getting Foreign H-1b’s that the Obama Administration
is sailing through!:)

canopfor on January 20, 2014 at 12:11 PM

Hi Canopfer, Accenture for one, but there are several H! shops as such places are called up here in New England. I have interviewed at these places, never meeting a US Citizen during a three hour interview process with six people.

It’s part of the game. They must interview a number of citizens and find reasons to disqualify them to justify the H1 hire to the government.

Accenture is so bad, they paid a foreign guest worker $25,113 per year — for the title of “chief programmer.” Typically chief programmers make six figures in the United States.

This statement is correct.

Now, if I learn the hiring manager or other people determining whether I work or not are H1 (yeah H1 managers!) I won’t go on the interview.

I admit it makes me angry that the country I served allows foreigners to decide whether we work or not.

dogsoldier on January 20, 2014 at 2:02 PM

Oh dear God, they’re using sequential ID numbers instead of GUIDs!

Please tell me they aren’t THAT stupid!

dominigan on January 20, 2014 at 1:48 PM

Sorry – no can do.

Actually, I’d like someone to prove they aren’t that stupid, but you can’t prove a negative.

jackal40 on January 20, 2014 at 2:11 PM

Clearly, the NSA will need further authority to track down these haxors.

Snowblind on January 20, 2014 at 2:18 PM

When government apparatchiks talk about healthcare.gov website security, they are talking about the risk that their government desk chairs might be stolen or a possible delay of their next raise.

When citizens talk about healthcare.gov website security, they are talking about the risk of their identity being stolen and their home and all of their assets being lost because of government incompetence and/or carelessness.

…and never the twain shall meet.

Meanwhile, there is absolutely no way that healthcare.gov would pass the same security examination which all e-commerce sites must pass in order to be allowed to process credit cards (aka “PCI Standards”).

The talking heads which the (mal)Administration deployed to the Sunday shows to pooh-pooh the security problems just embarrassed themselves by displaying a complete and total lack of understanding of “security.” None of them should ever be allowed to hold a broker’s license or a fiduciary position in a financial institution.

landlines on January 20, 2014 at 3:03 PM

Sackett on January 20, 2014 at 11:12 AM

that is so scary. the people who built the site clearly aren’t even trying to make it safe.

Sachiko on January 20, 2014 at 3:33 PM

I just spotted this related article:

In related news:

After firing CGI, no-bid contract for Obamacare site goes to firm whose former top researcher developed Obama campaign voter tracking

The Obama administration gave the latest no-bid Obamacare website contract to a company whose former top analytic researcher developed the complex voter-tracking computer strategies that led Obama to victory in 2012.

The Centers for Medicare and Medicaid Services, a division of Kathleen Sebelius’ Department of Health and Human Services, recently fired Obamacare website contractor CGI Federal after the botched website rollout that began in October — though CGI Federal still holds five major tech contracts with CMS that are valid for at least another year.

CMS replaced CGI Federal — which employs Michelle Obama’s Princeton classmate and White House Christmas dinner guest Toni Townes-Whitley as a top executive — with another firm that has close links to Obama-world.

Read more: http://dailycaller.com/2014/01/20/after-firing-cgi-no-bid-contract-for-obamacare-site-goes-to-firm-that-ran-obama-campaign-tech/#ixzz2qymWq372

dogsoldier on January 20, 2014 at 5:20 PM

This needs video.

Kennedy needs to take a video capture of his team extracting peoples info from the website (with the names blurred, of course) and then it will get the attention it deserves. The media can’t resist video.

My guess is that once you log into an account you can start url crawling various pages here and there to get at other peoples info.

Serious Cat on January 20, 2014 at 5:40 PM