Obamacare website 'either hacked or will be soon', warns infosec expert

Hackers have thrown multiple attacks at US President Obama's medical insurance bazaar HealthCare.gov since it went live in October, according to a senior US government official. Acting assistant Homeland Security secretary Roberta Stempfley told a hearing of the House Homeland Security (HHS) Committee that the website was …

COMMENTS
  1. Sureo

    Sic 'em boy....

    If Obamacare is such an attractive honeypot, why don't they sic the NSA dogs on it and catch a few of those lowlifes? From what we've been hearing you'd think it would be easy for them.

  2. Anonymous Coward

    "I don't believe that the problems with the site's availability is due to any kind of DDOS attack," he added.

    Right, it's knackered by design.

  3. Anonymous Coward

    Since the only purpose that those so called hackers could have is to try to cripple the affordable health care act even further, I will bet that these hackers are employees of Koch Industries.

    1. Anonymous Coward

      @AC 20:57 - "Since the only purpose that those so called hackers could have is to try to cripple the affordable health care act even further"

      I think it's the personal and financial information the hackers might be interested in. Probably not so much DDoS'ing just for the sake of crippling a website.

    2. Matt Bryant Silver badge

      Re: AC

      ".....hackers are employees of Koch Industries." <Sigh> You'd like to think that was just baiting, but after hearing the really fanatical sheeple spouting such male bovine manure as "If you don't vote for Obama it's because you're a racist" you begin to realise they really want to baaaah-lieve ANYTHING to avoid reality. Any hacker having a go at the Obamacare site is going to be a crook, probably interested in identity theft.

  4. Javapapa

    Distributed Denial of Service Attack?

    No, just tens of thousands of people trying to find out what the costs of plans will be.

  5. Anonymous Coward

    When you create a vast database of people's personal details the crackers will come, and they'll not be going away just because you don't like it.

  6. Cubical Drone

    Yawn

    Doesn't most of this stuff apply to many systems out there, public and private?

    1. Anonymous Coward

      Re: Yawn

      Yes, but this one is new, big, and buggy. A prime target.

  7. Kevin McMurtrie Silver badge

    Robert'); DROP TABLE Students;--

    Does SQL injection still count as an attack or is it like breaking into a room by turning the door's knob?

  8. Red Bren

    Probing, but not necessarily with any success

    Reasons for Kennedy's gloomy prognosis are not hard to locate. Incredibly the Healthcare.gov website's search box helpfully suggests SQL injection attack strings in its autocomplete list - indicating someone at least has been probing the site.

    If the autocomplete list contains "Bollock Cancer", it doesn't mean American men all have the disease, it just means it's a frequently submitted search term.

    Similarly, if the list contains SQL injection strings, it doesn't mean the attempts were successful, it just means they were submitted frequently.

    I think the author needs to try harder to locate Reasons for Kennedy's gloomy prognosis

    1. Swarthy

      Re: Probing, but not necessarily with any success

      Good point. Actually, that it is returning the SQL string as a search result means that the site is escaping the SQL, so the DB sees it as a string of characters, and not SQL. This is a good thing (-ish, it still means that a large portion of the search entries are SQL injection attempts, which is not a good thing to advertise.)

      Although, it may be beneficial to the aspiring black-hat to hit up the healthcare.gov auto-complete to get an intro to SQL injection.
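
An added example, not code from the thread or from the site, of the point made in the two posts above: when the search term is bound as a query parameter, the submitted string (including the one quoted by Kevin McMurtrie) is stored as plain data and the table survives, and a simple filter can keep such strings out of the autocomplete list so the suggestion box does not advertise them. The sample search log and the regex heuristic are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample of submitted search terms; the first is the string quoted above.
SAMPLE_SEARCHES = [
    "Robert'); DROP TABLE Students;--",
    "bronze plan deductible",
    "' OR 1=1 --",
    "dental coverage",
    "bronze plan deductible",
    "bronze plan deductible",
]

# Rough heuristic for injection probes (comment markers, separators, tautologies,
# DML keywords). Illustrative only; a real filter would be broader and would log hits.
SQLI_PATTERN = re.compile(
    r"(--|;|/\*|\bOR\b\s+\d+\s*=\s*\d+|\b(DROP|UNION|SELECT|INSERT|DELETE)\b)",
    re.IGNORECASE,
)

def looks_like_sqli(term: str) -> bool:
    return bool(SQLI_PATTERN.search(term))

def record_searches(conn, terms):
    """Store each term through a bound parameter: the driver passes it as a
    value, so the database sees a string literal, never executable SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS searches (term TEXT)")
    conn.executemany("INSERT INTO searches (term) VALUES (?)", [(t,) for t in terms])
    conn.commit()

def autocomplete_suggestions(conn, prefix, limit=5):
    """Frequency-ranked suggestions; injection-looking terms are withheld so
    the suggestion box does not advertise what probers have been sending."""
    rows = conn.execute(
        "SELECT term, COUNT(*) AS n FROM searches WHERE term LIKE ? "
        "GROUP BY term ORDER BY n DESC",
        (prefix + "%",),
    ).fetchall()
    return [t for t, _ in rows if not looks_like_sqli(t)][:limit]

def demo():
    conn = sqlite3.connect(":memory:")
    record_searches(conn, SAMPLE_SEARCHES)
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    stored = [r[0] for r in conn.execute("SELECT term FROM searches")]
    # tables is still just ['searches']: the DROP string was stored as data
    return {"tables": tables, "stored_literally": SAMPLE_SEARCHES[0] in stored,
            "suggestions": autocomplete_suggestions(conn, "")}
```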

  9. JustWondering

    Really!

    It's bad enough when the government has all this information about their citizens without finding out they're not very good at retaining it. Who does the government think they are? A credit card company?

  10. Don Jefe

    Tied to Attacks

    The website sucks. Now that's out of the way, I think they need to provide a little more information. Are these 'real' attacks, or are these the same kind of attacks every large site on the planet copes with on a daily basis?

    I'm leaning towards the latter. Our benevolent government has a bit of a proclivity for stretching the meaning of a word about as far as it can possibly go. Kind of like how scads of NSA & CIA staff have 'ties to terrorism' because their uncle's cousin's senior year music teacher once saw Gaddafi at a parade.

  11. Robert Helpmann??

    Why Go Live?

    It should have been obvious from the beginning that the site was not going to be up and working correctly on time. It is beyond me why anyone would want the half-baked mess that this has turned out to be in the public eye. It would have been far less damaging to be forced to say that it is running a bit (or even quite a bit) behind schedule than to serve up this dog's breakfast.

    Of course the site is going to be hacked. I would expect those doing the crime to be hunted down and prosecuted in the harshest of manners as this law has been a political hot button from the beginning.

    1. Don Jefe

      Re: Why Go Live?

      I think the administration handled the site launch very badly. Not in the technical aspects (those were bad too) but in trying to make everything fair they kept letting the holdouts get on board at the last minute. The same people who spent years trying to forestall the inevitable came begging at the last minute to have the Feds consider their needs and exceptions. It's like if you were building an ERP system for a company and that company bought up 20 other companies two months before launch and wanted them all integrated prior to going live. Of course it's going to be a clusterfuck.

      I think what was missing were stick type incentives. That's why there are carrots and sticks, you need both as well as the knowledge and fortitude to use the most appropriate measures.

      1. Swarthy

        Re: Why Go Live?

        Wait.. There are carrots to this mess? All that I am seeing are "a stick, another stick and the promise of two more sticks". - Credit to Simon Travaglia

        1. Don Jefe

          Re: Why Go Live?

          You haven't used the site or interacted with the agents from your state have you? I thought not, you're just repeating what you heard on the radio. It must be sad not being able to make your own decisions.

  12. Eric Olson

    I don't think this is a repository of personal information...

    Based on the design schematics that were published when this originally blew up, there is little personal information stored within the website architecture itself. Rather, it relies on taking the information entered by a user and makes numerous calls to other, non-public sources that are outside of the website itself. Presumably, that would require knowing a person's information if you wanted to plumb the depths of what the government has on you.

    Of course, if the profiles that users have to set up are in fact stored within the public-facing system and can be accessed through the tried-and-true methods of SQL injection and the like, that's a problem. However, evidence to this point suggests such access does not exist (as pointed out by another commenter, the existence of SQL in the autocomplete only shows it's a frequently searched term by users, not a welcome mat with a key underneath). Executing a call to a separate system typically isn't that easy and would require a lot more knowledge of the design of the system as opposed to script-kiddies with too much time on their hands. A DDoS attack is still the most likely (and most damaging, from a PR standpoint) attack vector.

  13. Robert Moore

    Wow. The stupid is strong with this one.

    "We have not monitored any attacks," Holden told CNN

    Then I promise you that you are monitoring the wrong things. This is a big fat target. I would be surprised if someone had not already breached it.

  14. capricio

    '... it would never have gone live if it was a commercial, private concern.'

    Yeah, right. It's only the gubment that would be so lax. Please! Of course, he could have been using the snooty-speak definition of 'private concern' - high priced, high profile venture. But I think it is just more big-gov scape-goating... generally, the landscape is riddled with this poor coding.

    1. Don Jefe

      Yeah, that was a pretty dumb thing for them to say. If everybody waited for prime time functionality on their site before launching we'd be reading the print version of The Register and staying up until 11pm to watch the news. I can't think of a single website that worked even close to 100% at launch. How easily people forget and forgive the mistakes of their merchants of fashion.

  15. 2cent

    So what now

    "David Kennedy, founder of computer security biz TrustedSec, told the hearing the healthcare.gov 'is either hacked already, or will be soon'."

    The question not asked just after this one is, "Alright, show me one that isn't"

    "He added that site is so full of functional and 'critical' security problems that it would never have gone live if it was a commercial, private concern."

    If that were true, I must be reading news from a different planet.

    However what is implied is "If you hired me in the first place..."

  16. Matt Bryant Silver badge

    Biggest "problem" is not the website.

    The biggest problem is the political overtones the whole subject has wrapped round it, so that the whole program has become so entangled with Obambi's public persona. Now many Americans are cheering the problems of a website set up with their tax dollars simply because they see it as an extension of Obambi's ego, whilst others cannot see its failings because to do so is tantamount to attacking their idol. Both sides are shrieking at top volume about anything BUT the real problems facing Americans. Dummicrats are desperate to sweep it under the carpet whilst they enjoy the propaganda opportunity of the 50th anniversary of the JFK assassination (did I miss the same outpourings of "grief" on the 100th anniversary of the assassination of Republican POTUS William McKinley?), and Republicans are determined to forge a link between Obambi's administration and the website as though Obambi himself wrote the site's code. It's a website that appears to have problems due to poor scoping and possibly poor appreciation of security, end of.

    1. Anonymous Coward

      Re: Biggest "problem" is not the website.

      Biggest "problem" here is Prat Bryant

      Baaaaah Sheeple!!

      What a tool

      1. Matt Bryant Silver badge

        Re: Absolute Cluetard Re: Biggest "problem" is not the website.

        You know when you're bang on target when all the sheeple can do is post more whining bleats.
