
Hacker: O-Care Site Even Less Secure After Fix

From the Washington Free Beacon:

Expert: Healthcare.gov Security Risks Even Worse After ‘Fix’

By Elizabeth Harrington | December 3, 2013

The Obamacare insurance marketplace is even more vulnerable to security breaches since the administration “fixed” Healthcare.gov, according to a cyber security expert… “It doesn’t appear that any security fixes were done at all,” David Kennedy, CEO of the online security firm TrustedSec, told the Washington Free Beacon.

Kennedy said fundamental safeguards missing from Healthcare.gov that were identified by his company more than a month ago have yet to be put in place.

“There are a number of security concerns already with the website, and that’s without even actually hacking the site, that’s just a purely passive analysis of [it],” he said. “We found a number of critical exposures that were around sensitive information, the ability to hack into the site, things like that. We reported those issues and none of those appear to have been addressed at all.”

What a picker of nits. The good news is more and more people are now able to have their personal information hacked.

After warning Americans when testifying before Congress on Nov. 19 to stay away from Healthcare.gov [see story below], Kennedy now says the situation is even worse.

“They said they implemented over 400 bug fixes,” he said. “When you recode the application to fix these 400 bugs—they were rushing this out of the door to get the site at least so it can work a little bit—you’re introducing more security flaws as you go along with it because you don’t even check that code.” …

Kennedy said the team working on Healthcare.gov is more likely to hide its security flaws than address them. When it was revealed that the most popular searches on the website were hack attempts—confirmed by entering a semicolon in the search bar—the website simply removed the tool.

“The top results were hacker attempts,” Kennedy said. “Their fix for it wasn’t, ‘Hey let’s restrict people from inputting malicious code into the website,’—because that’s how hackers break into websites—it was, ‘we’re just going to completely disable that entire function completely, and not even show the search results back.’” …

As this article notes, Mr. Kennedy is the same ‘white hat’ hacker we heard from last week.

From CNBC:

No security ever built into Obamacare site: Hacker

By Matthew J. Belvedere | November 25, 2013

… "When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.

"It’s really hard to go back and fix the security around it because security wasn’t built into it," said Kennedy, chief executive of TrustedSec. "We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself."

So we know that will never happen.

According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by Federal security authorities…

But on CNBC, Kennedy disputed those claims, saying vulnerabilities remain on "everything from hacking someone’s computer so when you visit the website it actually tries to hack your computer back, all the way to being able to extract email addresses, users names—first name, last name—[and] locations." …

So exactly who is hacking whom?

"When you look at the site itself, it could be really good. It could do really well. They’re just not building the security into the site itself," said Kennedy. "Putting your information on there is definitely a risk." …

Oh, come on. It’s worth it for ‘free’ birth control pills.

This article was posted by Steve Gilbert on Tuesday, December 3rd, 2013. Comments are currently closed.
