Extremeskins

Reuters: Some cyber security experts recommend shutting Obamacare site


Zguy28


Some cyber security experts recommend shutting Obamacare site

 

http://news.yahoo.com/exclusive-expert-warn-congress-healthcare-gov-security-bugs-144729835--sector.html

By Jim Finkle and Alina Selyukh

 

(Reuters) - President Barack Obama's HealthCare.gov site is riddled with security flaws that put user data of millions of people at risk and it should be shut down until fixed, several technology experts warned lawmakers on Tuesday.

 

In a rapid "yes" or "no" question-and-answer session during a Republican-sponsored hearing by the House of Representatives Science, Space and Technology Committee, Republican Representative Chris Collins of New York asked four experts about the security of the site:

"Do any of you think today that the site is secure?"

The answer from the experts, which included two academics and two private sector technical researchers, was a unanimous "no."

"Would you recommend today that this site be shut down until it is?" asked Collins, whose party is opposed to Obamacare and has sought to capitalize on the failures of the website since it opened for enrollment on October 1.

Three of the experts said "yes," while a fourth said he did not have enough information to make the call.

 

Wow. As somebody who works closely with cyber-security folks (my team implements what they "recommend"), this is bad. I would not put my info up there. Then again, after what I've seen over the last two years defending against APTs, I fear I may have also grown a bit paranoid. Is it bad that I get a shiver when I think of Chinese food? ;)


It would be helpful if the article stated who those experts were and who invited them to the hearing.

 

To be clear: It was a Republican-sponsored hearing... did Republicans pick the experts?

The article states at least 3 of the 4.

 

Morgan Wright, CEO of a firm known as Crowd Sourced Investigations.

David Kennedy, head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst.

Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security.


Smh, every Fortune 500 company has been hit by at least one or more successful cyber attacks. I don't even want to get into how badly infiltrated parts of our own government have become (*cough, South Carolina). Don't tell me it's unsecure, everything is unsecure. Tell me the specific vulnerabilities and what you plan to do about it (if anything)...

 

It's frustrating that we have the resources to fix this, but are too busy fighting with each other to just shut up and get it done. 


I don't know what's worse, the fact that this thing has been such a failure or the fact that one side wants nothing more than for it to fail.

Democrats suck because they can't responsibly implement a successful health care system. Republicans suck because they don't care about the health of their citizens.


How would these folks, completely unaffiliated with the project, have any knowledge regarding the security of the site?

 

I would actually be really interested in knowing more about the security of the site and if there are any real issues. But quick-fire Yes/No questions set up to create a press release with absolutely no information aren't very compelling to me.


Morgan Wright, CEO of a firm known as Crowd Sourced Investigations.

 

 

His Twitter account is filled with conservative candidate support, anti-Obama language, Fox News appearance promotions, and even some anti-Muslim stuff thrown in (spent a lot of time last year mocking #ReligionOfPeace).

 

This took me 20 seconds to find. Good lord. For a cyber security person, sure puts a lot of stupid **** online.  :lol:

 

It's filled with Cuccinelli stuff, like so...

 

 

 

.@washingtonpost at @KenCuccinelli HQ in Sterling - seeing what real enthusiasm looks like! @KennyCunningham pic.twitter.com/61459LobqY

 

 

 

Don't really have a problem with him being political - but maybe not the best witness. The other folks look legit though.


Sooo we shouldn't fix the website security to help with the consumer privacy because a GOP dude suspects a problem. Guess we can go by the other folks' opinion.

 

Not at all.

 

I would love to hear about the security issues of the site. I want more information and would love a real discussion on issues and fixes.

 

If you want to share anything you got from the testimony, please link it. 

 

What sort of security issues are we talking about? What are the known issues currently? Are they fixable? Are there workarounds that can be implemented short term?

 

My point was that rapid fire YES/NO questions without any information to people not even involved doesn't really do anything for me. Maybe it does it for others though...

 

And as I said, the other folks look legit. Morgan Wright looks like a political hack, with little technical knowledge, who jumped at the opportunity to go after ACA. 

 

Weird how in a thread about internet security, I am the weird one for looking into experts' backgrounds. The irony is glorious...  :lol:


Not at all.

 

I would love to hear about the security issues of the site. I want more information and would love a real discussion on issues and fixes.

 

So would the bad guys.  :lol:

 

How about Congress lets all the hackers know the known security flaws so everyone can breach them.

Good call!  B)


Not at all.

 

I would love to hear about the security issues of the site. I want more information and would love a real discussion on issues and fixes.

 

If you want to share anything you got from the testimony, please link it. 

 

What sort of security issues are we talking about? What are the known issues currently? Are they fixable? Are there workarounds that can be implemented short term?

 

My point was that rapid fire YES/NO questions without any information to people not even involved doesn't really do anything for me. Maybe it does it for others though...

 

And as I said, the other folks look legit. Morgan Wright looks like a political hack, with little technical knowledge, who jumped at the opportunity to go after ACA. 

 

Weird how in a thread about internet security, I am the weird one for looking into experts' backgrounds. The irony is glorious...  :lol:

Why on earth would you want them to publish the vulnerabilities? I'm just amazed by the sheer magnitude of the lines of code. They've got to have products like HP Fortify for static code analysis and vulnerability scanners like Rapid7 to point at it. That's probably where Kennedy got his 17-page vulnerability report. I just wonder what the actual number of available exploits is.


So would the bad guys. :lol:

How about Congress lets all the hackers know the known security flaws so everyone can breach them.

Good call! B)

So we should just take these people's word for it?

How about this. I proclaim that healthcare.gov is the most secure website on the Internet. Does that make it any more/less safe?

In reality, it probably isn't safe, or any more safe than any other .gov website. It probably isn't any less safe than any other website you enter all of your personal information into. So yeah, it probably isn't safe.


So would the bad guys.  :lol:

 

How about Congress lets all the hackers know the known security flaws so everyone can breach them.

Good call!  B)

 

Well, now I am confused. 

 

There are security flaws that are so obvious that outside experts not even associated with the project can easily find them.

 

AND it is super secret and we should never talk about these obvious flaws in any substantial way because hackers (who are probably much smarter than these experts) might find them.

 

Instead, the solution is to have a public testimony talking about broad generalities in YES/NO format. Brilliant! So totally solved.  B)

 

I am not talking about breaking down how to hack the site 101 - there is a middle ground. 


Well, now I am confused. 

 

There are security flaws that are so obvious that outside experts not even associated with the project can easily find them.

 

I don't know what they have access to. I am sure they didn't randomly pick people with no access to information regarding the site, and they are just making a guess.

Or maybe they are just making a guess, and were provided no architectural details about the site.

That type of information I would like to hear.


I don't know what they have access to. I am sure they didn't randomly pick people with no access to information regarding the site, and they are just making a guess.

Or maybe they are just making a guess, and were provided no architectural details about the site.

That type of information I would like to hear.

 

Agreed. I would like to know that as well.  :)


No doubt the healthcare.gov website is a complete failure in project management, but I'm deeply skeptical that it contains 500 million lines of code; there's some strange 'accounting' going on.

I'd bet good money that is out by a factor of at least 50 based simply on common metrics of cost per lines of code.

And lines of code without any qualification is about as dumb a measure of complexity as you can get.


http://www.foxnews.com/tech/2013/11/19/healthcaregov-already-compromised-security-expert-says/
 

Not only is healthcare.gov at risk, it may already have been compromised, a security expert testified before the Senate.

“Hackers are definitely after it,” said David Kennedy, CEO of information security firm TrustedSEC before a House Science, Space, and Technology committee hearing on security concerns surrounding the problematic Healthcare.gov website.

“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”

Kennedy told FoxNews.com he based this on an analysis revealing a large number of SQL injection attacks against the healthcare.gov website, which are indicative of "a large amount" of hacking attempts.

 

"Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures – if a hacker wanted access to the site or sensitive information – they could get it," he told FoxNews.com.

 

Knowing what I know, it is very common for any public website to be attacked with SQL injections probing for exploits. Happens to us all day long. However, if he does have intimate knowledge of the site's security vulnerabilities, this is pretty serious.


I don't know what they have access to. I am sure they didn't randomly pick people with no access to information regarding the site, and they are just making a guess.

Or maybe they are just making a guess, and were provided no architectural details about the site.

That type of information I would like to hear.

 

Seriously, the way it works is you pick people who will give you the answer you want to spread your agenda.

 

**** trusting anything anymore.

It's not the healthcare site that is broken and unusable.. it's this country.

 

What a mess.. and all anyone ever does is continue to choose up the same old sides and be manipulated by the same old bull****.

Oh, and then argue how the other guys is being manipulated by bull****.

 

Here's the solution= There is no solution.

The party is ****ing over. This country is dead.. just flopping violently around while it heaves its last few.

 

~Bang


Pretty sure I read there's a public report and a confidential report which contains details.

 

I'm not a website guy but the risks sound substantial, both to ObamaCare and to anyone who tries to hack the website. The latter probably has every spy agency paying attention right now to mitigate risk to the former.


Archived

This topic is now archived and is closed to further replies.
