Filed: K-1 Visa Country: China
Timeline
Posted (edited)

Obamacare website security called 'outrageous': How safe is it?

Glitches in the Obamacare website are well known, but some cyber experts are also raising red flags about the site's security. They point to a variety of concerns.

By Mark Clayton, Staff writer / October 14, 2013

A man looks over the Affordable Care Act signup page on the HealthCare.gov website in New York in this photo illustration.

Mike Segar/Reuters

Cybersecurity professionals are voicing concerns about potential concerns in the new federal health care website system that could open the door to theft of personal information.

In the two weeks since the Affordable Healthcare Act site, www.healthcare.gov, went live, most complaints have centered on long wait times with sites initially overloaded by interested visitors. In response, government officials are scrambling to get more capacity for the main site and its satellites.

But potentially far more serious questions are emerging about cybersecurity. Experts have said that hackers could “spoof” the website with a look-alike website to collect personal information, or criminals could use an automated program to try repeatedly to enter the site even if it didn’t get a login correct.

Experts have stopped short of calling these concerns “vulnerabilities” – a term that means a proven weak spot to hackers. But they say these red flags need attention.

“I’ll ask you your Social Security, your date of birth, [so] an hour later I can empty your bank account,” John McAfee, who founded the cybersecurity company of the same name but is no longer associated with it, complained on Fox News. The Obamacare websites, he said, have “no safeguards,” and the main site's architecture is "outrageous."

Federal officials say they have made website security a “top priority,” said Marilyn Tavenner, administrator for the Centers for Medicare & Medicaid Service, which operates the system, during a congressional hearing in July. “We will use appropriate policies, procedures, standards, and implementation specifications to ensure the privacy and security of consumer data in accordance with applicable law.”

For example, the site is supposed to adhere to cybersecurity standards for the federal government set by the National Institute of Standards and Technologies.

But just because all the standards are met does not mean all the holes are plugged. Some cybersecurity experts have echoed Mr. McAfee's comments. Here are some of the red flags they raise.

Request forgery. One potential flaw with the Obamacare website would grant automated “all-Access Request For Other Sites” – which basically allows another site to make certain kinds of requests to healthcare.gov that could lead to “cross-site request forgery” and potentially fooling the government site into releasing restricted information, writes Nidhi Shah, who works on research and development for HP's Web Security Research Group, on a company blog. That red flag appeared on some of the site's pages, but she admits it could not be confirmed at the time on the site’s most secure areas because of high traffic volume.

'Clickjacking.' The government site lacks defenses to prevent an attacker from putting an invisible layer over the legitimate website, Ms. Shah added. As a result, a user clicking on a link or button might end up at a renegade site that looked just the same – and end up divulging personal information to that site.

'Cookie theft.' The site appears not to use a feature that prevents access to cookies that are stored on a user’s personal computer. "Healthcare.gov uses cookies to maintain user history on the site and [for] user identification," Shah writes. At the very least, an attacker could grab "sensitive information such as ... possible health issues, income level, and marital status.”

Verification. A more fundamental problem is the way the website is set up, contends Christopher Budd, communications manager for Trend Micro, a Tokyo-based cybersecurity company. "The health insurance exchange isn't made up of a single, authoritative site where people can go and register for coverage," he wrote in a blog post. "In addition to the federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage," he said.

While the main federal site uses a key security feature called SSL to verify itself, "a survey of state and third-party sites also shows that official sites aren't required to provide the ability to verify the site using SSL," he writes. Many of those sites don’t authenticate, he said.

"As people look for health care exchanges, they're going to be faced with potentially hundreds or thousands of sites that claim to be legitimate, but [they] won't be able to easily verify that claim," except based on how a site looks, Mr. Budd wrote.

Login fraud. Basic problems with the site could invite cybercriminals to use automated systems to hack individual accounts, according to researchers at TrustedSec in Strongsville, Ohio. They noted that there were no features to prevent an intruder from using an automated program to try repeatedly to enter the site even if it didn’t get a login try correct. Common tools are available to authenticate that a human is trying to make the attempted login, such as putting on the screen a word that only a human can read – that would then have to be typed into a box.

“As you can imagine, the site is going to be a major target for hackers, other governments, and organized crime,” the TrustedSec researcher wrote. “There’s a lot of money to be made right now in an untapped market that is fresh for the picking.”

http://www.csmonitor.com/USA/Politics/2013/1014/Obamacare-website-security-called-outrageous-How-safe-is-it-video/(page

Edited by lostinblue

If more citizens were armed, criminals would think twice about attacking them, Detroit Police Chief James Craig

Florida currently has more concealed-carry permit holders than any other state, with 1,269,021 issued as of May 14, 2014

The liberal elite ... know that the people simply cannot be trusted; that they are incapable of just and fair self-government; that left to their own devices, their society will be racist, sexist, homophobic, and inequitable -- and the liberal elite know how to fix things. They are going to help us live the good and just life, even if they have to lie to us and force us to do it. And they detest those who stand in their way."
- A Nation Of Cowards, by Jeffrey R. Snyder

Tavis Smiley: 'Black People Will Have Lost Ground in Every Single Economic Indicator' Under Obama

Democrats>Socialists>Communists - Same goals, different speeds.

#DeplorableLivesMatter
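
The request-forgery, clickjacking and cookie-theft red flags in the article quoted above all show up in HTTP response headers, so a site owner can check for them directly. The Python function below is an added example, not part of the original post or the article. It assumes the permissive cross-site access described corresponds to `Access-Control-Allow-Origin: *` and the missing cookie protection to the `HttpOnly` attribute; the sample responses are constructed.

```python
def audit_headers(headers):
    """Audit one HTTP response. `headers` is a list of (name, value) pairs.
    Returns a list of finding codes (empty when none of the three flags apply)."""
    findings = []
    pairs = [(name.lower(), value.strip()) for name, value in headers]

    # Request forgery flag: a wildcard lets script on any origin read the response.
    if any(n == "access-control-allow-origin" and v == "*" for n, v in pairs):
        findings.append("cors-wildcard")

    # Clickjacking flag: the page may be framed unless one of these restricts it.
    xfo_ok = any(n == "x-frame-options" and v.upper() in ("DENY", "SAMEORIGIN")
                 for n, v in pairs)
    csp_ok = False
    for n, v in pairs:
        if n != "content-security-policy":
            continue
        for directive in v.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                # "frame-ancestors *" restricts nothing, so it does not count.
                csp_ok = len(tokens) > 1 and "*" not in tokens[1:]
    if not (xfo_ok or csp_ok):
        findings.append("framing-unrestricted")

    # Cookie theft flag: without HttpOnly, page script can read the cookie.
    for n, v in pairs:
        if n == "set-cookie":
            cookie_name = v.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append("cookie-no-httponly:" + cookie_name)
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = [("Content-Type", "text/html"),
        ("Access-Control-Allow-Origin", "*"),
        ("Set-Cookie", "session=abc123; Path=/; Secure"),
        ("Set-Cookie", "prefs=income-tier-2; Path=/")]
HARDENED = [("Content-Type", "text/html"),
            ("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK))
    print("hardened:", audit_headers(HARDENED))
```
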

Posted

"I swear by my life and my love of it that I will never live for the sake of another man, nor ask another man to live for mine."- Ayn Rand

“Your freedom to be you includes my freedom to be free from you.”

― Andrew Wilkow

  • 1 month later...
Filed: K-1 Visa Country: China
Timeline
Posted (edited)

http://www.cnbc.com/id/101225308 No security ever built into Obamacare site: Hacker

Published: Monday, 25 Nov 2013 | 9:54 AM ET
By: Matthew J. Belvedere | Producer, CNBC's "Squawk Box"
The vulnerability of Healthcare.gov
Monday, 25 Nov 2013 | 7:14 AM ET
Dissecting the critical security problems with the website Healthcare.gov, with TrustedSec CEO David Kennedy. "It will take a long time to address some of the critical and high exposures on the website itself," he says.

It could take a year to secure the risk of "high exposures" of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday.

"When you develop a website, you develop it with security in mind. And it doesn't appear to have happened this time," said David Kennedy, a so-called "white hat" hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.

"It's really hard to go back and fix the security around it because security wasn't built into it," said Kennedy, chief executive of TrustedSec. "We're talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself."

According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by Federal security authorities.

"The privacy and security of consumers' personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers' personal information," said the spokesperson.

Another online security expert—who spoke at last week's House hearing and then on CNBC—said the federal Obamacare website needs to be shut down and rebuilt from scratch. Morgan Wright, CEO of Crowd Sourced Investigations said: "There's not a plan to fix this that meets the sniff test of being reasonable."

Last month, a Sept. 27 government memorandum surfaced in which two HHS officials said the security of the site had not been properly tested before it opened, creating "a high risk."

HHS had explained then that steps were taken to ease security concerns after the memo was written, and that consumer information was secure. Technicians fixed a security bug in the password reset function in late October, the agency said.

But on CNBC, Kennedy disputed those claims, saying vulnerabilities remain on "everything from hacking someone's computer so when you visit the website it actually tries to hack your computer back, all the way to being able to extract email addresses, users names—first name, last name—[and] locations."

Government officials and contractors have been working around the clock for weeks, releasing fixes on HealthCare.gov nightly with the goal of meeting the Obama administration's self-imposed deadline of the end of the month to have the site working smoothly.

"When you look at the site itself, it could be really good. It could do really well. They're just not building the security into the site itself," said Kennedy. "Putting your information on there is definitely a risk."

The federal portal serves 36 states not operating their own health insurance exchanges. Fourteen other states and the District of Columbia run their own marketplaces. All of them launched on Oct. 1 as part of the Obamacare provision mandating most Americans have health-care coverage for next year or face tax penalties.

Kennedy said those state-operated exchanges also face security risks. "These are going to be a large area for attack." He pointed to a problem on the Vermont website on Friday. Officials overseeing the Vermont Health Connect website confirmed a security breach on the system last month.

When it comes to securing personal information online, Kennedy cited Amazon, Facebook, and Twitter as models for the industry. He even said the IRS website does regular testing to help "ensure that when the websites come out they're protected."

By CNBC's Matthew J. Belvedere. Follow him on Twitter @Matt_SquawkCNBC

Edited by lostinblue
