Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Insecure healthcare.gov Allowed Hacker To Access 70,000 Records In 4 Minutes

cold fjord (826450) writes | about 7 months ago

3

cold fjord (826450) writes "Computerworld reports, "... white hat hacker David Kennedy, CEO of TrustedSec, may feel like he’s beating his head against a stone wall. Kennedy said, "I don't understand how we're still discussing whether the website is insecure or not. ... It is insecure — 100 percent." Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly “fixed,” he told Congress it was even more vulnerable to hacking and privacy breaches. ... “Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed ... other security researchers have also identified an additional 20+ exposures on the site.” ... Kennedy said he was able to access 70,000 records within four minutes ... At the House Science and Technology Committee hearing held last week ... elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website’s insecurity. ... Mitnick, the 'world's most famous hacker' testified:"... It would be a hacker's wet dream to break into Healthcare.gov ... A breach may result in massive identity theft never seen before — these databases house information on every U.S. citizen! It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices ... """
Link to Original Source

cancel ×

3 comments

Sorry! There are no comments related to the filter you selected.

Double standard (1)

JustNiz (692889) | about 7 months ago | (#46018677)

>> Kennedy said he was able to access 70,000 records within four minutes

Several people have already been arrested/punished while whitehat hacking government computers, some as a result of telling the government about their own vulnerabilities. The US government have already made it clear that even if you're a whitehat with purely good intentions, it is no defence for hacking government computers. Any/all hacking of governemt computers is illegal and will be prosecuted.

So why hasn't this guy been arrested already? especially after having made a public confession....

Re:Double standard (1)

schwit1 (797399) | about 7 months ago | (#46019535)

Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system.”

Re:Double standard (1)

JustNiz (692889) | about 7 months ago | (#46026235)

ITs all semantics. At what point do you say you're in the system?
Unless its a man-in-the-middle, (which people on normal internet connections aren't really in the position to implement), I dont even slightly buy that he didn't at least do SQL inejction,

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>