Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hacker Says He Could Access 70,000 Healthcare.Gov Records In 4 Minutes

timothy posted about 7 months ago | from the all-eggs-one-basket dept.

Security 351

cold fjord writes with this excerpt from Computerworld: "[W]hite hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, 'I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent.' Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly 'fixed,' he told Congress it was even more vulnerable to hacking and privacy breaches. ... 'Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.' ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website's insecurity. ... Mitnick, the 'world's most famous hacker' testified: '... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices.'"

cancel ×

351 comments

Sorry! There are no comments related to the filter you selected.

Okay, but... (-1)

AmiMoJo (196126) | about 7 months ago | (#46027173)

Would a commercial company have done any better with their own website? History suggests not.

Re:Okay, but... (5, Insightful)

SJHillman (1966756) | about 7 months ago | (#46027297)

How many commercial companies would have this much customer data at risk? If Target loses a few million credit card numbers, all consumers have to do to be safe is cancel the card and get a new one... my CC company is doing automatically for anyone that they suspect has been compromised. However, Healthcare.gov has access to SS numbers, addresses, phone numbers, driver's license numbers and God knows what else. Not only is it damned hard to change some of those, but even if you succeed you could be ruined for the rest of your life. There's plenty of people out there who can't get credit or apply for many jobs *for the rest of their life* because of clerical errors and many more who have criminals opening credit in their names (one of the main goals of identity theft) that those people are now liable for. You would hope that they would invest a little more into securing it than a commercial entity would invest in just securing credit card numbers.

Re:Okay, but... (1)

i kan reed (749298) | about 7 months ago | (#46027417)

Yeah, as much as I think criticism of Obamacare is overblown(and claims of success also overblown, it didn't fix pricing problems), being legally mandated to do something dangerous isn't good.

Re:Okay, but... (5, Informative)

cbhacking (979169) | about 7 months ago | (#46027619)

Also, they had to know a priori this was going to be a *huge* target (no pun intended). Whether for the treasure trove of neatly collected data or a simple political agenda (doesn't even need to be a partisan one; lots of people who voted for Obama hate the ACA and healthcare.gov), it should have been obvious from the very beginning that the scrutiny of this site for security vulnerabilities would be far greater than most, and the costs (to the site developers) of an attacker exploiting one far more severe. Under those circumstances, business-as-usual things like PCI DSS and such should have looked like nothing. They should have hired an entire internal security team to oversee the development of the site starting from the design phase*, and an external penetration testing team to verify it at least once by now.

* Tacking security onto a design that is inherently insecure is expensive and often futile, just as is true of many other kinds of software bugs. Of course, if they'd designed competently in the first place, maybe the site wouldn't already be a laughingstock...

Re:Okay, but... (2, Insightful)

phantomfive (622387) | about 7 months ago | (#46027671)

The worst thing is, you don't even have to sign up for them to get that information.

Re:Okay, but... (5, Informative)

Anonymous Coward | about 7 months ago | (#46027705)

A mitigating start could be to outlaw the scam that is the credit reporting agencies in their current form.

Re:Okay, but... (2, Interesting)

interkin3tic (1469267) | about 7 months ago | (#46027849)

I'm not sure why healthcare.gov needs drivers license numbers, but those others are true of private healthcare companies, who appear to have more leaks than the government at least on this graph. [softpedia.com]

I'm not saying government is more secure, I'm just saying the dangers aren't unique to healthcare.gov.

Re:Okay, but... (5, Interesting)

funwithBSD (245349) | about 7 months ago | (#46027937)

Two things:

According to the article, the government is not REQUIRED to tell you about hacking attempts. HIPPA and other laws require that they disclose "hacks"

Second, as Sysadmin for a major healthcare company for 9 years, every single "hack" was the loss of a laptop or hard drive. No one ever "hacked" into the systems for access to data beyond the one account they hacked.

Re:Okay, but... (4, Funny)

Forty Two Tenfold (1134125) | about 7 months ago | (#46027905)

From the misery of this site it looks as if it was specifically designed to kill Obamacare.

Re:Okay, but... (4, Insightful)

fahrbot-bot (874524) | about 7 months ago | (#46027993)

How many commercial companies would have this much customer data at risk?

Well.. I can name at least three: Equifax [equifax.com] , Experian [experian.com] , and TransUnion [transunion.com] .

Re: Okay, but... (5, Insightful)

ranton (36917) | about 7 months ago | (#46027333)

While that is true, customers have the choice to not work with companies that have shown poor security practices. No one can stop paying taxes if they feel the government isn't protecting the information in their tax returns. If the government wants to be trusted with information we wouldn't give to a private company, then they bear a much higher responsibility to keep it secure.

It is similar to how we require police to log every firing of their weapon, while we don't require the same of private gun owners. The fact that we trust the police with power we don't give to normal citizens means they have to be held to a higher level of scrutiny.

Re: Okay, but... (0, Troll)

Anonymous Coward | about 7 months ago | (#46027575)

ranton,

Stop trolling slashdot all day and get back to work on that security analysis for healthcare.gov.

-Boss

Re: Okay, but... (4, Insightful)

Anonymous Coward | about 7 months ago | (#46027715)

But what about the companies who store info on me that I've never done business with? There are plenty of data aggregators out there that have tons of people in databases without any of them ever having done any direct business with them.

Re:Okay, but... (1)

Anonymous Coward | about 7 months ago | (#46027341)

By history you mean current events, in the form of Target?

Re:Okay, but... (2, Insightful)

Anonymous Coward | about 7 months ago | (#46027383)

Commericial company who did Healthcare.gov [washingtonpost.com]

And my 'favorite' - Oregon's botched by Oracle [oregonlive.com]

It wouldn't be politically correct, but they could have had the work done much cheaper by cutting out the middle man and just hire Indians or an Indian firm directly.

Instead, they hired Indian developer resalers. Yep, that's all N. American companies - especially US companies - are: resalers of Indian and other Third World development talent.

Why spend the money on flashy suits with Rolex watches? Go direct! Go Indian!

Re:Okay, but... (-1)

Anonymous Coward | about 7 months ago | (#46027411)

Would a commercial company have done any better with their own website? History suggests not.

Aye. History also indicates the internet was designed for the FREE free exchange of information with with any other uses inherently being $tupidity and $tubbornly $tingy greed both in trying to disprove that and in raking in the $$$ from those that failed to learn from history. Unfortunately it influences the price of everything, including freedom, the availability of which seems to be dwindling rapidly.

Re:Okay, but... (4, Informative)

Anonymous Coward | about 7 months ago | (#46027433)

History suggests so.

The NASDAQ runs as an exchange operation, buying and selling stocks electronically as an exchange. The CBOE does the same thing for options, which have many similar features including risk profiles and such. The International Medical Exchange was a private venture designed to do exactly this kind of work and worked well; it was eventually acquired by Anthem Blue Cross and incorporated into their sign-up system to help match people to the right Blue Cross policies and options.

If you make a claim, fine, but use examples to back up your tear-down of the private sector. Private enterprise historically is far more productive and capable than Government in this kind of venture.

No. It's NOT the same thing (4, Insightful)

Anonymous Coward | about 7 months ago | (#46027787)

The example you gave - the securites markets - deal only with impersonal numbers. There have been a bit of screw ups in the past (Flash crash for exmaple.), but it's a matter of backing up trades and lecturing member firms and maybe a little slap on the wrist.

No real harm done other than some big Wall Street firms getting dinged a couple million dollars - chump change to them.

With Healthcare.gov, we're dealing with individuals information - individuals who don't have the means to defend themselves legally if or when someone abuses their information.

A big corp's nusence is a citizen's nightmare and ruin.

NOT The same thing.

Re:No. It's NOT the same thing (0)

Anonymous Coward | about 7 months ago | (#46027967)

Did you miss the part about the International Medical Exchange? Some research, as not much exists about the company any more:

http://en.wikipedia.org/wiki/Health_insurance_marketplace#Private_health_insurance_exchanges

However, you're a fool if you think that individuals are any safer. The financial services market is a fine example of how this should work; you have companies and individuals operating together, and the government looking over their shoulder to ensure that no abuses are being done while providing a safety net for individuals. This is why the banking sector is tightly controlled and regulated and has a safety net in the form of FDIC to protect individual's savings from the malpractice of larger business; the end result is you have a separate independent entity in the form of the Government acting to ensure everyone follows the rules. With this method, there are only two parties involved, the individual and the Government; the problem is the Government also sets the rules, and enforces the rules and provides the services. If the Government abuses their power as a service provider, who's going to stop them? They're no longer independent.

Re:Okay, but... (4, Insightful)

cbhacking (979169) | about 7 months ago | (#46027443)

Sure they would. Not all of them, true, but most. That's not to say they'd be perfect, but they would certainly have done better. Banking websites, despite often having stupid legacy requirements like 8-character passwords or relatively weak SSL ciphers, are routinely designed with vastly better security than is being described here. That's for their own sites; for ones operating under such a high-profile-the-gov-is-paying situation? They'd be idiots not to, and contrary to what it sometimes seems, not many successful companies are actually run by idiots. This whole fiasco has the potential to spell death for this company, and its top people, at least in government circles. They'll be too toxic to touch!

Don't get me wrong, really good web security is hard. There's simple fixes for pretty much every class of problem, but there are a *lot* of possible problems and some of them are pretty un-intuitive. Knowing what security to implement, where, and how to do it is pretty specialized knowledge. In theory, it should be something every web developer knows, of course. In practice, that's not the case at all. Instead, there are a bunch of basic guidelines every code monkey is given, and then there are a handful of experts who oversee the whole thing. Small companies, or those operating on a tight budget of either time or money, may opt to leave that part to some outside experts once the code is already written (I would know; this is what I do) but they still often at least make the attempt.

To go completely without such expertise, on such a high-profile project, though? Pure folly. Even where the implementation of security recommendations is hard (and sometimes it is), the cost of failing to implement them will be much greater, and they really should know that.

This Was Commercial (3, Informative)

mx+b (2078162) | about 7 months ago | (#46027571)

I think it is important to point out that effectively this was the work of a commercial company. It was contracted out, and the contractor subcontracted and did whatever it wanted at that point. (Sounds like relatively little government oversight of the project was had, considering the massive cleanup effort when it came to light).

I think it would be fair to argue that the government should have been more involved and had more oversight of the project. I actually wish it was developed "in-house" so to speak, and open source (as I think all publicly funded software should be). The government can do great things. Look at NASA. We have(had?) plenty of smart people with the goal to do something awesome. I wish we hired a software/computing/cryptography group like NASA to just go in there and get it done in an awesome manner. I think the government work could have been magnitudes better if it was done this way.

This was a failure on both sides really -- too many government officials that insist the best way to do things is like a private contractor do it (either for ideology or money), and commercial companies more interested in the paycheck than anything else.

Re:This Was Commercial (3, Insightful)

Anonymous Coward | about 7 months ago | (#46027623)

I think it is important to point out that effectively this was the work of a commercial company.

No its not. A commercial company would be losing money hand over fist, being sued by customers by the thousands, no one would choose to do business with it, and they would have run out of investment money long ago.

The ONLY way to have a failure of this magnitude is with the unlimited coffers of the government, funded by tax payers with no say in it.

Re:This Was Commercial (4, Informative)

CrimsonAvenger (580665) | about 7 months ago | (#46027639)

The government can do great things. Look at NASA.

NASA? Pretty much everything they do consists of issuing a design spec and taking bids. Even Apollo and Saturn were actually designed by private companies.

Re:Okay, but... (1)

mjm1231 (751545) | about 7 months ago | (#46027869)

Wasn't the work contracted out to a commercial company?

Before they patch the hole (4, Funny)

TimMD909 (260285) | about 7 months ago | (#46027181)

The root password is "password1".

Re:Before they patch the hole (2)

postmortem (906676) | about 7 months ago | (#46027267)

they just changed it to password2

So it has come to this (5, Funny)

Impy the Impiuos Imp (442658) | about 7 months ago | (#46027193)

> 70,000 Healthcare.Gov Records In 4 Minutes

Lie! There aren't even 70,000 people who have successfully registered yet.

Re:So it has come to this (3, Funny)

SJHillman (1966756) | about 7 months ago | (#46027329)

69,000 of those records are actually just "F1RST P0ST!". Just like a typical Slashdot article.

Re:So it has come to this (1)

flaming error (1041742) | about 7 months ago | (#46027609)

Each of the 7,000 who registered successfully first failed on average 9 times.

The system works (1)

ThatsNotPudding (1045640) | about 7 months ago | (#46027683)

Lie! There aren't even 70,000 people who have successfully registered yet.

See? Not incompetent coding; safeguards! "We mock what we don't understand."

New job for NSA (5, Insightful)

Anonymous Coward | about 7 months ago | (#46027209)

Idea: Let NSA work with securing government sites instead of terrorizing the entire world. I think that would be money better spent.

Re:New job for NSA (0)

Anonymous Coward | about 7 months ago | (#46027229)

Even better, how about we get computer savvy people to pitch MarkLogic and the NoSQL crap, and go back to tried and true RDBMS installs that actually are time tested in this field?

Re:New job for NSA (2)

Elder Entropist (788485) | about 7 months ago | (#46027379)

Well, at least you know it isn't vulnerable to SQL injection attacks.

Re:New job for NSA (3, Insightful)

cbhacking (979169) | about 7 months ago | (#46027503)

I'm not personally familiar with the database they're using, but it's worth noting that injection attacks work on some noSQL databases too. It all depends on how the data is added and accessed; any language (for even very loosely defined values of "language") that fails to clearly distinguish instructions from data risks the latter being interpreted as the former.

Just in case you were being serious. :-)

Re:New job for NSA (2)

beatle42 (643102) | about 7 months ago | (#46027605)

They do that. There are 2 sides to the NSA, and one of them does what you suggest, but not only with government. They're the ones that helped produce SE Linux after all.

Re:New job for NSA (1)

joe_frisch (1366229) | about 7 months ago | (#46027837)

Completely agree. This really would be defending the country. If the NSA didn't spy on citizens they could even have provided assistance to private companies and individuals on computer security. Now though, they have lost all trust (by weakening encryption) so no one will ever trust any of their recommendations on security again.

Re:New job for NSA (1)

Anonymous Coward | about 7 months ago | (#46027975)

I've looked for, and not found, one iota of evidence that the present Government wants to solve any particular problem facing the country.

If you find any, evidence, by all means, share with the rest of us.

Didn't see that coming (0)

Anonymous Coward | about 7 months ago | (#46027213)

Clearly the other readers will be as shocked as I am.

Re:Didn't see that coming (2, Funny)

Anonymous Coward | about 7 months ago | (#46027319)

..... will be as shocked as I am.

Your winnings sir...

Government! (2, Funny)

Anonymous Coward | about 7 months ago | (#46027225)

We all know that the private sector could have done better!

.....

Bwahahahahahahahahahahahahahahahaahahahah!

Oh! I shit my pants!

Re:Government! (4, Informative)

TemperedAlchemist (2045966) | about 7 months ago | (#46027693)

The private sector did build the website.

Re:Government! (1, Insightful)

Anonymous Coward | about 7 months ago | (#46027963)

Based on specs from the government...

Re:Government! (0)

Anonymous Coward | about 7 months ago | (#46027695)

I was wondering where you got that post from.

Throw money at it! (0)

Anonymous Coward | about 7 months ago | (#46027251)

Quick, throw money at it! Hire more smart guys! If they worked at Google or Facebook or Microsoft they must know how to make a website, so keep throwing money at them!

Seriously, this is what you get when lawyers and politicians from on high direct their inefficient bureaucracies to handle a job they've never done before, bypass all Federal Acquisition Regulations to get it running to meet a political deadline, and basically give them a blank check. Forget the military-industrial complex; sequestration is shutting that down. Soon we'll have the government healthcare-internet developer complex to worry about.

Re:Throw money at it! (5, Insightful)

TheCarp (96830) | about 7 months ago | (#46027349)

> Forget the military-industrial complex; sequestration is shutting that down.

ROTFL really? You actually think that is shutting down or that the fake sequestration dance had shit to do with it?

Last year, right before sequestration hit, congress approved massive military spending on all sorts of pork. Sequestration itself was even only a cut in budget increases. Sequestration is very narrowly aimed at making paper cuts look like gaping wounds....and does so with exacting precision.

I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

The military industrial complex is alive and well.

Re:Throw money at it! (5, Insightful)

CrimsonAvenger (580665) | about 7 months ago | (#46027531)

I mean they closed down parks, did everything they could to make people feel the cuts as much as they could, all the while making no meaningful cut to anything.

Do remember that it was Obama that "closed down parks" and "did everything they could to make people feel the cuts", not Congress.

Most of the cuts did nothing that would've been noticed by the average citizen, but you can't generate outrage at Congress with barely noticable cuts. So they spent extra money putting traffic cones up blocking sites from which Mount Rushmore could be photographed, and shut off access to the Tomb of the Unknowns (which normally has no restrictions to access - it's in the middle of a lawn).

Re:Throw money at it! (1)

rgbscan (321794) | about 7 months ago | (#46027809)

I disagree. I'm still waiting for the IRS to process a form I sent back in October. I call every couple weeks and they say due to sequestration the customer service staff has been cut and they'll get to it when they get to it. It's driving me crazy.

Re:Throw money at it! (1)

Anonymous Coward | about 7 months ago | (#46027817)

I blame the other team!

Re:Throw money at it! (1)

Anonymous Coward | about 7 months ago | (#46027539)

You're a fool and clearly never worked in Defense Contracting. I have, at one of the big six, and I can assure sequestration was quite damaging. Layoffs at most industrial centers, cancelations of contracts which led to increased overhead, running up the costs of certain programs and turning them unprofitable, etc.

I worked in the industrial side, building ships. The Navy had to delay several ship procurements, which led to a lack of economies of scale and efficient manufacturing methodology which icnreased cost; our bids were based on a set schedule of production and the delays ramped that up. Other guys building vehicles had programs cut, which lowered the numbers of the base contract subsequently increasing the unit cost of each vehicle, as you have fewer to spread your fixed overhead and industrial manufacturing requires a lot of fixed overhead. Same thing on the aircraft side, and the cutbacks flow down through their subcontractors, laying people off. I have several PhD friends working as civilian researchers for the DoD; their budget was bigger than NASA's entire budget. Most of their programs got cut back, and suddenly a bunch of PhDs were sitting around twiddling their thumbs doing paperwork instead of researching new materials and communications systems; most left for the private sector. Sequestration was a serious blow.

Politically I'm happy it hit; there was too much expansion of the DoD under the last two wars and it needed to be paired back. But with a scalpel, not with the battle-axe that sequestration was.

Re:Throw money at it! (0)

Anonymous Coward | about 7 months ago | (#46027757)

Shh! Stop using logic! Stop it!

Re:Throw money at it! (0)

Anonymous Coward | about 7 months ago | (#46027725)

You clearly have no idea what you're talking about.

Re:Throw money at it! (3, Informative)

MightyYar (622222) | about 7 months ago | (#46027755)

I'm amazed at how poorly government can handle even modest changes in funding... and not just at the federal level. During the financial crisis, our local school system had a 5% cut, and you would have thought the world had ended. They zeroed out maintenance, fired teachers, cut programs, all to preserve a yet-to-be-negotiated pay raise for the staff. Meanwhile, in my job in the private world we all took a 25% reduction in pay for a while when the company's revenue went suddenly to nearly zero, so my sympathy was not exactly running high.

Mind you, cutting 5% returned them to the previous year's levels. No one could answer my question about how they managed to hold it all together the year before if the funding was "so bad".

Every citizen? (3, Interesting)

maharvey (785540) | about 7 months ago | (#46027261)

Whats this about every US citizen?

Re:Every citizen? (5, Interesting)

Crudely_Indecent (739699) | about 7 months ago | (#46027327)

As I understand it, the system is tied into other federal databases. Just because you haven't signed up, doesn't mean you aren't in one of the other databases that healthcare.gov is connected to.

Stop signing up for things (1)

Anonymous Coward | about 7 months ago | (#46027713)

I saw where this was going about 10 years ago. Since there is no stopping the continuous expansion of government, the only way to minimize the impact of government data collection is to stop signing up for things. Don't put your name on ANYTHING unless you absolutely have to -- and that goes double for anything related to government. Don't get speeding tickets. Don't get parking tickets. Don't go on unemployment. Don't register to vote. Throw away the census papers. I realize that it is impossible to ignore coercive authority, but you can distance yourself from the system as much as possible, which has clearly proven to be unstoppable.

Re:Every citizen? (0)

Anonymous Coward | about 7 months ago | (#46027385)

I wouldn't be surprised if the database is also integrated with the IRS (for tracking down those people who don't sign up)

Re:Every citizen? (0)

SJHillman (1966756) | about 7 months ago | (#46027435)

Considering the IRS is responsible for collecting the "tax" for not having healthcare, you can be damned sure they're tied in.

Re:Every citizen? (4, Insightful)

SJHillman (1966756) | about 7 months ago | (#46027397)

You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.

Re:Every citizen? (-1, Troll)

kelvin31415 (1310803) | about 7 months ago | (#46027463)

So, just Obama then?

Re:Every citizen? (0)

Anonymous Coward | about 7 months ago | (#46027933)

You kid, but as has been reported:

"We learned today from the White House. [...] They said his staff did it and that’s because of his unique circumstance obviously, as commander-in-chief, that his personal information is not in various government databases, so Healthcare.gov could not actually verify his identity, oddly enough."

Re:Every citizen? (-1)

Anonymous Coward | about 7 months ago | (#46027543)

You find me a US citizen who has no information in any of the databases that Healthcare.gov connects to. They'd have to have no birth (or death) records, no SS#, no driver's license, no registered vehicles, no house, no legal spouse, never filed a tax return, no credit card, no bank accounts... even in the most backwoods redneck areas of the country, you'd have trouble finding someone that doesn't exist in any government database.

Oh.. So you mean only the 55 Million aborted babies since Roe vrs Wade?

Re:Every citizen? (2)

SJHillman (1966756) | about 7 months ago | (#46027697)

From Homeland Security's website:
----------
To become a citizen at birth, you must:
- Have been born in the United States or certain territories or outlying possessions of the United States, and subject to the jurisdiction of the United States; OR
- had a parent or parents who were citizens at the time of your birth (if you were born abroad) and meet other requirements

To become a citizen after birth, you must:
- Apply for “derived” or “acquired” citizenship through parents
- Apply for naturalization
----------
You'll notice that there is no way to become a citizen *before* birth. An abortion happens *before* birth, therefore no, fetuses are not citizens and would not count.

Re:Every citizen? (1)

Anonymous Coward | about 7 months ago | (#46027759)

Could have been 55 million and one had your parents been smarter.

What data? (3, Insightful)

WPIDalamar (122110) | about 7 months ago | (#46027299)

What data was he able to access?

Two ends of a possible spectrum I see...
- Being able to tell 70k accounts exist by some numerical ID
- Getting full personal information for 70k accounts including name, address, ssn, payment details

Go Team USA! (1)

Anonymous Coward | about 7 months ago | (#46027301)

Are you guys ever going to do anything?

If I was a US Citizen I would be on the phone and In my local Mp's Office faster than Slashdots robot voice could finish this article.

Isn't enough, enough! or do you need more convincing that the people you have elected have only their interests at heart and are filling their pockets as fast as they can. /Sigh as a non-US citizen I am slightly scared about what's going to happen every day, at some point I'm sure a breaking point will be reached and as sad as this is the USA still has quite a hold on global markets (not to mention warfare) its generally not as much as they think but a civil war in the USA would be a global problem.

Re:Go Team USA! (1)

Zane Blanton (2921559) | about 7 months ago | (#46027421)

We don't have MPs in the US. We have representatives.

Re:Go Team USA! (0)

Anonymous Coward | about 7 months ago | (#46027441)

We would, but we have something called a JOB. Without that JOB we don't have HEALTHCARE. Without HEALTHCARE we die. Therefore we must go to our JOB and don't have time to complain.

Re:Go Team USA! (3, Insightful)

Enry (630) | about 7 months ago | (#46027649)

Hence the reason why decoupling your insurance from your employer is a great idea.

Re:Go Team USA! (0)

Anonymous Coward | about 7 months ago | (#46027887)

Here in our land of the free we organise our own insurance, it seems to work very well for us, for example I have full medical, dental, car and life insurance, it costs me $22 pw or $1144 per year

Re:Go Team USA! (1)

Minwee (522556) | about 7 months ago | (#46027935)

If only there was some sort of web site which could help you fix that...

Re:Go Team USA! (0)

Anonymous Coward | about 7 months ago | (#46027815)

I am slightly scared about what's going to happen every day, at some point I'm sure a breaking point will be reached and as sad as this is the USA still has quite a hold on global markets (not to mention warfare) its generally not as much as they think but a civil war in the USA would be a global problem.

I'm a little surprised that's the extent of what you think might happen. I'm a resident of the USA, and what makes me nervous is that the US military still has a significant nuclear capability. Imagine what the end result would be if the smart people and the wealth left the US: you basically get a nation of child-level thinkers in possession of nuclear devices.

Now imagine that child decides to throw a tantrum. I'm not sure if there would be a safe place on earth from that. OTOH, I've got friends in the military, and I'm reasonably confident that someone in the chain of command would seriously question or stop an order to deploy nuclear devices before it got to the silos - *most* of them, anyway. It's just a question of where the remaining few would go.

I don't expect to see this within our lifetime, but the gradual erosion of education and critical thought is certainly enough to make me think about this scenario. (I think wealth will be clutched at for far longer than education, unfortunately.)

free the innocent stem cells healthcare.love (0)

Anonymous Coward | about 7 months ago | (#46027347)

never a better time to consider ourselves in relation to creation & our centerpeace momkind. little miss dna cannot be wrong we are good sports with good spirits who have been bushwhacked etc...

facepalm (1)

Anonymous Coward | about 7 months ago | (#46027353)

Doesn't it seem like everything done by the Obama administration so far has been a huge disappointment? I was doing much better financially under bush. My insurance premiums are almost double what they were before the ACA. I really wish they would change the name to something more appropriate like the Unaffordable Care Act. My parents are still waiting for the rural broadband Obama promised back in 2008. They are finding it difficult to use the internet on their dialup modem.

Sometimes I wonder about numbers (5, Insightful)

kruach aum (1934852) | about 7 months ago | (#46027381)

If he could access 70,000 in 4 minutes, does that mean he could access 140,000 in 8 minutes? 140k In 5 minutes, 280k in 6 minutes? Or could he only access 70,000 total, and is the time in which he did it irrelevant to the story? These are the interesting questions to ask, because they would actually tell us something significant, and wouldn't smack of a lame attempt to analogize something in terms of football fields (or going 0 to 100 in x seconds).

Re:Sometimes I wonder about numbers (0)

Anonymous Coward | about 7 months ago | (#46027547)

It means that the queries he ran returned in average of 290 records per second... and based on the constant complaints about the site that number sounds about right.

Re:Sometimes I wonder about numbers (0)

Anonymous Coward | about 7 months ago | (#46027621)

The numbers have a little more qualification in the article: “70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.”

So, whether true or not, the article title cites the number (70k in 4 minutes) at the expense of the overall point ("the system is wide open and I can get anything I want").

Re:Sometimes I wonder about numbers (0)

Anonymous Coward | about 7 months ago | (#46027647)

Isn't being able to access 1 enough? your govt spent 700m+ on this so far. the database contains personal information which in the wrong hands could be used for identity theft.

 

Re:Sometimes I wonder about numbers (1)

turkeydance (1266624) | about 7 months ago | (#46027953)

fed brooks would know.

healthcare.gov or Nieman Marcus (2)

xanthos (73578) | about 7 months ago | (#46027393)

somehow I don't think that a group of people looking for government subsidies for their healthcare represent the best targets for identity fraud.

Mitnick, an elite white hat hacker? (0)

Anonymous Coward | about 7 months ago | (#46027423)

Mitnick is no hacker. He's little more than a scammer and a con-man.

The world needs to move to two-factor auth (1)

Anonymous Coward | about 7 months ago | (#46027445)

Our de-facto national ID, the social security number, will not survive the increasing ubiquity of the Internet and the utter lack of security on behalf of the government.

Re:The world needs to move to two-factor auth (1)

Minwee (522556) | about 7 months ago | (#46027867)

Are you suggesting that before the rise of the ubiquitous Internet, the Social Security Number was somehow a secure, reliable form of authentication?

I can almost imagine how it might be done (5, Interesting)

QilessQi (2044624) | about 7 months ago | (#46027467)

Disclaimer: I've never been to the site, but I can almost imagine how such a hack might be done, because it's so easy to code a bad webapp:

1. Create an account on the site.
2. Log in.
3. Notice that your URL ends in something like /showUserProfile?userID=70001
4. While still in your session, tweak the URL's userID to some other numbers to see if you can bring another user's profile up. If you can, then:
5. Automate the grabbing of userIDs 1 through 70000 via a Perl/Python/whatever script.

A properly-designed app would validate the authenticated session against any data it was trying to access. A poorly-designed one would not, and so be vulnerable to this sort of attack.

Re:I can almost imagine how it might be done (4, Interesting)

cbhacking (979169) | about 7 months ago | (#46027879)

Yep. I see this all the time. Sometimes it's a little more subtle, though. Like, say, storing that value in a cookie. Most people never look at their cookies, but a web security expert (on either side) is more likely to see the cookies than they are to see the actual site rendering. Or the value might be something that in the abstract is impossible to guess (like 59340341412091985) but if you happen to know your SSN and your birthdate, you might recognize those values in that 17-digit mess (it's even easier if, for example, there's a | character between the parts) and then you can (relatively easily) start guessing other peoples' pairs.

Sometimes it's even more subtle and requires some actual work to get at it, like storing an ID value concatenated with some other garbage like the date in a cookie encrypted with a static key (this one is actually fairly commonly done as a method of generating a token *identifying* the authenticated session, after all, if you don't have the key you can't generate the authentication token, right?). However, if you can guess which bits of that token are the ID (not hard; they're the ones that are the same whenever a given account signs on, but different for every account) you can twiddle the bits and basically brute-force the search space of valid IDs. There are still many ways to make this at least *somewhat* harder to attack, but a lot of developers won't bother... and there are ways to do it *worse*, too, like using an XOR with a constant mask instead of a merely re-using the key with a real cipher.

Aunts and Uncles implementing security (0)

Anonymous Coward | about 7 months ago | (#46027485)

In my last job for fortune 10 company, whole families worked on the projects. Uncle helped hiring niece, her husband, some friends etc.
In USA they call it "networking" - hiring your family, neighbours and school friends.
I would not surprised if similar approach was used here.

$700 million - and still insecure!!! (2, Insightful)

Anonymous Coward | about 7 months ago | (#46027495)

No commercial company would have spent USD $700 million and STILL had an insecure site. Further - we have NOT seen one single f'ing firing...in the commercial world - heads would have rolled!

Re:$700 million - and still insecure!!! (0)

Anonymous Coward | about 7 months ago | (#46027709)

Bull.

Companies spend a ridiculous amount of money on their software, to only find holes in it decades later, and no one gets punished.

FFS, this happens ALL the time. New software goes live, especially rushed software, massive numbers of holes are found...and get patched. Maybe, maybe a CTO gets fired a few months later. Or in the case of a certain DayZ clone, eventually have Steam return all their money. Okay, bad example there...

It's perhaps a trite example, but they're still posting hotfixes for WinXP, note. Haven't heard of too many MS execs being whacked over the continuing holes in their security, and I think it's fair to say MS has spent a lot of money on trying to fix XP over the years.

oblig (4, Funny)

cellocgw (617879) | about 7 months ago | (#46027507)

Even worse, after accessing all those records, he logged in again as Bobby Tables and...

Here It Comes (0)

Anonymous Coward | about 7 months ago | (#46027509)

Obama's ACA plan will be hacked and all other plans will point to it.

End result. Obama owes IRS AND a vast assortment of [sarc]Healthcare providers[/sarc] more money than Greece owes the ECB!

No wonder Obama is going to the Vatican to meet Pope Francis! Now, Obama REALLY needs a miracle that even the NSA can't steal.

Ha ha

Most famous hacker? (0)

Anonymous Coward | about 7 months ago | (#46027597)

Mitnick is famous still?

I mean, I'll give him his props. He's developed his security skills since his release, but wasn't Mitnick famous for socially-engineering his way into systems? Yes, this is important, considering various past stories on ./ concerning how useful SE is for exploiting security holes. But aren't the hearings focusing more on the actual code holes that exist?

Big mouth (4, Funny)

jargonburn (1950578) | about 7 months ago | (#46027615)

He should probably shut it. Doesn't he know that the best security is obscurity? If he keeps talking about how vulnerable that website is, someone MIGHT actually hack it! Is that what he wants??

Re:Big mouth (2)

jargonburn (1950578) | about 7 months ago | (#46027635)

I failed to append the /sarcasm tag. *sigh*

Just as expected (0)

Anon-Admin (443764) | about 7 months ago | (#46027651)

I am not surprised, when people scream that the government should do something about an issue they never stop to think about the government and what it really can do.

When there is an issue, the government has three options in it's tool box to fix it.

#1) Make it illegal
#2) Declare war on it
#3) Throw your money at it and hope it goes away.

So, they started subsidizing your healthcare (With your own tax $$). They paid to have an exchange created (With your tax $$). The exchange had security issues. Well they can fix that as well, just through more of your tax $$ at it and hope it will go away.

While all this is going on they are obviously hurting for tax $$ as THEY sent me a letter telling me that my wife and kids do not exist and they are instructing the company I work for to change my W4 to single male and to withhold the maximum amount until I send the IRS PROOF that I have a wife and kids.

Hey David, (2)

Cornwallis (1188489) | about 7 months ago | (#46027677)

Would you please take a crack at Vermont's site - also made by CGI? It is crap and we are getting nothing but a snowjob from the powers-that-be.

How do I get clients like this? (4, Funny)

rebelwarlock (1319465) | about 7 months ago | (#46027701)

I get between a few hundred and a few thousand USD for any given contract, and my clients actually expect their software to work. How does one go about getting this much money for a steaming pile of shit?

Re:How do I get clients like this? (1)

Anonymous Coward | about 7 months ago | (#46027813)

Kickback 50% to the dipshits awarding the contracts -- duh! :)

Then Why No Hack Job? (1)

jasnw (1913892) | about 7 months ago | (#46027777)

OK, so if the site is so damned vulnerable why hasn't it been cracked by a Black Hat yet? Access to this sort of information is the wet dream of most hackers-for-hire. TFA quotes a Government person saying that the site is secure. The White Hat hackers say it isn't. Unless someone is lying about there having been no break-ins yet, then I have a hard time accepting that the site is a plum waiting to be picked by the next script kiddie that comes along. I could see that there would be a desire to cover up any hack job, but I don't know that a cover-up of something that juicy could hold up for long. Some missing pieces to this story.

Re:Then Why No Hack Job? (3, Insightful)

Shatrat (855151) | about 7 months ago | (#46027943)

The whole point is that it probably has, and their security is so bad they can't even detect it, let alone prevent it.

priorities (1)

k6mfw (1182893) | about 7 months ago | (#46027791)

could reason be there are so many problems is because priorities of top men in govt/corp is other than healthcare.gov.

funny thing (1)

cascadingstylesheet (140919) | about 7 months ago | (#46027989)

When you let government control everything, then everything (including data security) is at government standards.

Some people were suggesting that this was one of many reasons that letting government control everything wasn't such a good idea.

But whew, at least we don't have binders full of women, or whatever it was we were supposed to be so worried about instead ...

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>