Friday, January 17, 2014

Healthcare.gov security "shameful"

I don't know that I agree that Kevin Mitnick is the "World's Greatest Hacker" but there's no doubt that he knows what he's talking about:
Security expert -- and once the world's most-wanted cyber criminal -- Kevin Mitnick submitted a scathing criticism to a House panel Thursday of ObamaCare's Healthcare.gov website, calling the protections built into the site "shameful" and "minimal."

In a letter submitted as testimony to the House Science, Space and Technology Committee, Mitnick wrote: "It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise."

...

Mitnick concluded that, "After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov Website, it's clear that the management team did not consider security as a priority."
Gee, ya think?
His comments were backed up by testimony by Kennedy, who is CEO and founder of TrustedSec LLC and a self-described "white hat hacker," meaning someone who hacks in order to fix security flaws and not commit cybercrime. In November, Kennedy and other experts testified before the same panel about security issues on Healthcare.gov.

Kennedy testified that most of the flaws they identified at the time still exist on the site, and said "indeed, it's getting worse," telling the panel that he and other experts have seen little improvement in the past two months.
Nothing got fixed in two months. I guess that shows that security isn't a priority. And this isn't cherry-picking. The Gaijin emails to point out this bit of sleight-of-hand:
Hermansen discovered a vulnerability that would allow someone to take over another person’s account on the California site, and review or change the information entered there. He tried contacting Covered California “at least 15 times” by email, phone or chat about the problem, but got no response for over a month. “They must have been overwhelmed by people seeking help with the site,” he said.
Maybe security wasn't a priority?
On December 24, he finally got through by phone to a Covered California representative and he explained the issues he’d found, but they remained unfixed and he didn’t hear back from them. Given that it was Christmas, that’s not terribly surprising. But Hermansen, frustrated that the flaw had been out there for over a month already, decided two days later to release a video of the exploit to YouTube and posted it to a security sub-Reddit. That got the attention of a Covered California lawyer who contacted him to take the video down, and also flagged it with YouTube; it was soon removed.
Better security via public humiliation ...
Hermansen then spoke by phone to the lawyer and a chief security person. “They were not interested in talking about the security issues but about getting the video or any other online mention of the flaw taken down,” he said. Hermansen contacted Forbes at the beginning of January.
...
“They didn’t want a conversation about how to fix it,” he said. “They were defensive about the site. I didn’t put the vulnerabilities in your site. I’m just shining light on it.”
RTWT, including the bit about the visit from the FBI.

Relax, Citizen.  All is well.  In fact, all is for the best, in the best of all possible worlds.  Can't wait for Democrats to push Single Payer.

2 comments:

Scott_S said...

BP,

Gotta say I love your blog. It covers two of my favorite subjects, guns and security. I'm interested in what you think of the new "black phone".

Old NFO said...

SO frikkin' glad I don't have to deal with this...