Healthcare.gov is Hacker-Bait, Say Security Experts

As it now exists, Healthcare.gov, the federal exchange for approved health plans, “creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more,” Morgan Wright, CEO, Crowd Sourced Investigations, LLC, told the House Science, Space, and Technology Committee in a hearing held yesterday. He was only one of several cybersecurity experts who testified as to the vulnerabilities of the already infamous website, launched October 1 as part of the rollout of Obamacare. Perhaps the only saving grace is the frequency with which Healthcare.gov crashes, dissuading people from entering information, or even making use impossible, and so sparing them the high risk of data theft.

In his (PDF), Wright said:

The first major issue is the lack of, and inability to conduct, an end to end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top down view of the full security posture. For a system dealing with what will be one of the largest collections of PII, and certain to be the target of malicious attacks and intrusions, the lack of a clearly defined and qualified security lead is inconsistent with accepted practices.

Wright pointed to a flaw involving the management of names and passwords, discovered by a private security researcher, that would have allowed hackers to take control of people’s accounts. That hole has been fixed, but others have been assigned a fix date of May 31, 2014—while the website remains up and running.

This is completely unacceptable from an industry perspective, and is in extreme contravention of security best practices. Only in the government could such a gaping hole be allowed to exist without fear of consequence. This shows a lack of understanding for the consequences to consumers and the protection of also creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more. Much of this is playing out right now.

Avi Rubin, professor of Computer Science at Johns Hopkins, pointed out (PDF), “One cannot build a system and add security later any more than you can construct a building and then add the plumbing and duct work afterwards.” He then discussed the challenges faced in necessarily doing exactly that with the federal

Dr. Frederick R. Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security, Southern Methodist University, was similarly critical:

The fact that there is not one single place to sign up for health care coverage will lead to confusion by the public. There is the main federal site, individual state sites, as well as legitimate third party sites. As I understand it, there is no official designation or marking that a consumer can use to determine whether they are on the correct site or not. As people seek to register for health care coverage they may find that there is a dizzying array of websites to select from. When it comes to typing in information like a social security number into a web form, many people might be cautious about doing so, but given that it has to do with health insurance coverage people might be more inclined to do so (particularly if they think the request is coming from a legitimate website). These two factors could combine to create a ripe circumstance for personal information to get into the wrong hands. It is difficult to estimate how much traffic these fake websites will siphon off, but it could be significant.

David Kennedy, CEO and Founder of TrustedSec, (PDF) that existing reports of hacking attempts on are incomplete and that, because of poor security precautions, “in the event that the website is hacked (or already has been), the attacks would go largely unnoticed and the website would remain compromised for a long period of time.” He went on to detail a series of vulnerabilities his company discovered on the site, and then alluded to others he said he was unwilling to publicly reveal.

Kennedy recommended building an entirely new website while the first one is up and running (including its flaws) and replacing the existing one when it’s ready. If, instead, the already bought and paid-for site is taken down for a full fix, “the remediation process will span seven to twelve months at a

Fixing the existing site while it’s being used would take even
from Hit & Run
