Sic 'em boy....
If Obamacare is such an attractive honeypot, why don't they sic the NSA dogs on it and catch a few of those lowlifes? From what we've been hearing you'd think it would be easy for them.
Hackers have thrown multiple attacks at US President Obama's medical insurance bazaar HealthCare.gov since it went live in October, according to a senior US government official. Acting assistant Homeland Security secretary Roberta Stempfley told a hearing of the House Homeland Security (HHS) Committee that the website was …
".....hackers are employees of Koch Industries." <Sigh> You'd like to think that was just baiting, but after hearing the really fanatical sheeple spouting such male bovine manure as "If you don't vote for Obama it's because you're a racist" you begin to realise they really want to baaaah-lieve ANYTHING to avoid reality. Any hacker having a go at the Obamacare site is going to be a crook, probably interested in identity theft.
Reasons for Kennedy's gloomy prognosis are not hard to locate. Incredibly, the Healthcare.gov website's search box helpfully suggests SQL injection attack strings in its autocomplete list - indicating someone at least has been probing the site.
If the autocomplete list contains "Bollock Cancer", it doesn't mean American men all have the disease, it just means it's a frequently submitted search term.
Similarly, if the list contains SQL injection strings, it doesn't mean the attempts were successful, it just means they were submitted frequently.
I think the author needs to try harder to locate "Reasons for Kennedy's gloomy prognosis".
Good point. Actually, that it is returning the SQL string as a search result means that the site is escaping the SQL, so the DB sees it as a string of characters, and not SQL. This is a good thing (-ish, it still means that a large portion of the search entries are SQL injection attempts, which is not a good thing to advertise.)
Although, it may be beneficial to the aspiring black-hat to hit up the healthcare.gov auto-complete to get an intro to SQL injection.
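An added example to go with the autocomplete discussion above (editor's code, not from the article or any commenter, and not a description of how Healthcare.gov is actually built). It models the two things the commenters are pulling apart: a search log that feeds autocomplete, where the term is stored as plain data and so an injection probe resurfaces in the suggestion list however often it was typed, regardless of whether it ever worked; and the actual search query, shown once with string concatenation and once parameterised, which is the only place that decides whether the probe does anything. All table names, plan names and the logged search terms are constructed for the demo.

```python
import sqlite3

# Constructed sample data: what a handful of users typed into the search box,
# including a classic injection probe submitted several times.
SAMPLE_SEARCHES = [
    "dental coverage",
    "dental coverage",
    "' OR 1=1 --",
    "' OR 1=1 --",
    "' OR 1=1 --",
    "bollock cancer",
]

INJECTION_PROBE = "' OR 1=1 --"


def make_db():
    """In-memory SQLite with a hypothetical plans table and a search log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plans (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO plans (name, public) VALUES (?, ?)",
        [("Bronze dental", 1), ("Silver dental", 1), ("Internal test plan", 0)],
    )
    conn.execute("CREATE TABLE search_log (term TEXT)")
    return conn


def log_search(conn, term):
    """Record the raw term. It is bound as a value, so it is stored verbatim,
    never interpreted: this is why probes show up in autocomplete later."""
    conn.execute("INSERT INTO search_log (term) VALUES (?)", (term,))


def autocomplete(conn, prefix, limit=5):
    """Most frequent logged terms starting with prefix, most popular first."""
    rows = conn.execute(
        "SELECT term, COUNT(*) AS n FROM search_log WHERE term LIKE ? "
        "GROUP BY term ORDER BY n DESC, term LIMIT ?",
        (prefix + "%", limit),
    ).fetchall()
    return [term for term, _ in rows]


def search_vulnerable(conn, term):
    """Deliberately broken: the term is spliced into the SQL text, so
    "' OR 1=1 --" closes the string, ORs in a tautology and comments out
    the rest, dropping the public = 1 restriction."""
    sql = "SELECT name FROM plans WHERE public = 1 AND name LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterised(conn, term):
    """Hardened: the term travels as a bound parameter and is only ever a
    LIKE pattern, so the same probe matches nothing."""
    sql = "SELECT name FROM plans WHERE public = 1 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


def demo():
    """Run the scenario and return what each side sees."""
    conn = make_db()
    for term in SAMPLE_SEARCHES:
        log_search(conn, term)
    return {
        # The suggestion list ranks the probe first purely by submission count.
        "autocomplete": autocomplete(conn, ""),
        # Same probe against the two query styles.
        "vulnerable": search_vulnerable(conn, INJECTION_PROBE),
        "parameterised": search_parameterised(conn, INJECTION_PROBE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the autocomplete list leads with the probe in both cases, while only the concatenated query leaks the non-public row. The check a practitioner actually wants is the one the autocomplete cannot give: whether the search endpoint itself, not the logging path, binds the term as a parameter.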
The website sucks. Now that's out of the way, I think they need to provide a little more information. Are these 'real' attacks, or are these the same kind of attacks every large site on the planet copes with on a daily basis?
I'm leaning towards the latter. Our benevolent government has a bit of a proclivity for stretching the meaning of a word about as far as it can possibly go. Kind of like how scads of NSA & CIA staff have 'ties to terrorism' because their uncle's cousin's senior year music teacher once saw Gaddafi at a parade.
It should have been obvious from the beginning that the site was not going to be up and working correctly on time. It is beyond me why anyone would want the half-baked mess that this has turned out to be in the public eye. It would have been far less damaging to be forced to say that it is running a bit (or even quite a bit) behind schedule than to serve up this dog's breakfast.
Of course the site is going to be hacked. I would expect those doing the crime to be hunted down and prosecuted in the harshest of manners as this law has been a political hot button from the beginning.
I think the administration handled the site launch very badly. Not in the technical aspects (those were bad too) but in trying to make everything fair they kept letting the holdouts get on board at the last minute. The same people who spent years trying to forestall the inevitable came begging at the last minute to have the Feds consider their needs and exceptions. It's like if you were building an ERP system for a company and that company bought up 20 other companies two months before launch and wanted them all integrated prior to going live. Of course it's going to be a clusterfuck.
I think what was missing were stick-type incentives. That's why there are carrots and sticks; you need both, as well as the knowledge and fortitude to use the most appropriate measures.
Based on the design schematics that were published when this originally blew up, there is little personal information stored within the website architecture itself. Rather, it relies on taking the information entered by a user and makes numerous calls to other, non-public sources that are outside of the website itself. Presumably, that would require knowing a person's information if you wanted to plumb the depths of what the government has on you.
Of course, if the profiles that users have to set up are in fact stored within the public-facing system and can be accessed through the tried-and-true methods of SQL injection and the like, that's a problem. However, evidence to this point suggests such access does not exist (as pointed out by another commenter, the existence of SQL in the autocomplete only shows it's a frequently searched term by users, not a welcome mat with a key underneath). Executing a call to a separate system typically isn't that easy and would require a lot more knowledge of the design of the system as opposed to script-kiddies with too much time on their hands. A DDoS attack is still the most likely (and most damaging, from a PR standpoint) attack vector.
'... it would never have gone live if it was a commercial, private concern.'
Yeah, right. It's only the gubment that would be so lax. Please! Of course, he could have been using the snooty-speak definition of 'private concern' - high priced, high profile venture. But I think it is just more big-gov scape-goating... generally, the landscape is riddled with this poor coding.
Yeah, that was a pretty dumb thing for them to say. If everybody waited for prime time functionality on their site before launching we'd be reading the print version of The Register and staying up until 11pm to watch the news. I can't think of a single website that worked even close to 100% at launch. How easily people forget and forgive the mistakes of their merchants of fashion.
"David Kennedy, founder of computer security biz TrustedSec, told the hearing the healthcare.gov 'is either hacked already, or will be soon'."
The question not asked just after this one is, "Alright, show me one that isn't"
"He added that the site is so full of functional and 'critical' security problems that it would never have gone live if it was a commercial, private concern."
If that were true, I must be reading news from a different planet.
However what is implied is "If you hired me in the first place..."
The biggest problem is the political overtones the whole subject has wrapped round it, so that the whole program has become so entangled with Obambi's public persona. Now many Americans are cheering the problems of a website set up with their tax dollars simply because they see it as an extension of Obambi's ego, whilst others cannot see its failings because to do so is tantamount to attacking their idol. Both sides are shrieking at top volume about anything BUT the real problems facing Americans. Dummicrats are desperate to sweep it under the carpet whilst they enjoy the propaganda opportunity of the 50th anniversary of the JFK assassination (did I miss the same outpourings of "grief" on the 100th anniversary of the assassination of Republican POTUS William McKinley?), and Republicans are determined to forge a link between Obambi's administration and the website as though Obambi himself wrote the site's code. It's a website that appears to have problems due to poor scoping and possibly poor appreciation of security, end of.