Drudge Retort: The Other Side of the News
Monday, January 20, 2014

Darlene Storm, ComputerWorld: When it comes to the atrocious state of Healthcare.gov security, white hat hacker David Kennedy, CEO of TrustedSec, may feel like he's beating his head against a stone wall. Kennedy said, "I don't understand how we're still discussing whether the website is insecure or not. It is; there's no question about that." He added, "It is insecure -- 100 percent." ... Last week, Kennedy testified [to Congress] again about holes in Healthcare.gov that could allow hackers to access personal information like names, social security numbers, email addresses, home addresses and more. ... Then yesterday, after explaining "passive reconnaissance, which allows us to query and look at how the website operates and performs," Kennedy said he was able to access 70,000 records within four minutes! It was "a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system."

Author Info: zack991

Kennedy also told Fox News Sunday, "70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself."

Comments

Admin's note: Participants in this discussion must follow the site's moderation policy. Profanity will be filtered. Abusive conduct is not allowed.

well that was quick.

#1 | Posted by zack991 at 2014-01-20 12:49 PM | Reply | Flag:

So what kind of information did he get specifically?

I hacked some RX normative data once; I didn't even try. Of course, it was just names and addresses, useless really, unless I just wanted it to be a ticket to get on the cable snewz so I could say I "hacked" into something.

so what exactly did he get?

#2 | Posted by ChiefTutMoses at 2014-01-20 12:53 PM | Reply | Flag:

We should incorporate the same security systems on Healthcare.gov that were on our electronic voting machines in Florida and Ohio.

#3 | Posted by danni at 2014-01-20 12:56 PM | Reply | Flag:

Danni, nice deflection. Unfortunately for you, FL didn't have those secure Democrat machines like Philadelphia.

#4 | Posted by KBM at 2014-01-20 03:32 PM | Reply | Flag:

I updated the link to a story that has much more detail. But even it doesn't explain the way the information could be collected without breaking into the servers.

The U.S. has switched vendors on Healthcare.gov, so it ought to be fixed more swiftly. But there's no excuse for bad security on any government website where private information on Americans is collected.

#5 | Posted by rcade at 2014-01-20 03:44 PM | Reply | Flag:

I hacked some RX normative data once

#2 | POSTED BY CHIEFTUTMOSES AT 2014-01-20 12:53 PM

No you didn't. Pulling up records on patients at work is a HIPAA violation, not a hack. Try again [...]

#6 | Posted by LIVE_OR_DIE at 2014-01-20 03:59 PM | Reply | Flag:

"No you didn't. Pulling up records on patients at work is a HIPAA violation, not a hack"

Really? Name and address is considered PHI? Wow!
Anyway, since you are apparently so knowledgeable on this, what exactly did this guy get as a result of his ACA "hack"?

#7 | Posted by ChiefTutMoses at 2014-01-20 04:30 PM | Reply | Flag:

Curious...what's an example of a site or database that expert hackers would say is NOT easily hacked?

#8 | Posted by TheTom at 2014-01-20 06:12 PM | Reply | Flag:

Curious...what's an example of a site or database that expert hackers would say is NOT easily hacked?

#8 | POSTED BY THETOM

Target.com ...oh wait...

#9 | Posted by Sycophant at 2014-01-20 06:46 PM | Reply | Flag:

Curious...what's an example of a site or database that expert hackers would say is NOT easily hacked?

#8 | POSTED BY THETOM AT 2014-01-20 06:12 PM | REPLY | FLAG:

I've written some solutions that aren't bad. It's not just "a site" or "a database". The total design has to be comprehensive. You have to dig into every detail, every last script, configure all of the devices involved, and analyze and test and analyze and test and test some more.

The DB server is isolated; the only server that can talk to it talks to users through an app that heavily restricts what a user can send to the server. All packets are encrypted to & from the user.

You would have to root the server that talks to the DB server, but as long as it's well run, patches are up to date, non-essential services are killed, and appropriate alarms are in place, you'll do pretty okay on security.

#10 | Posted by sitzkrieg at 2014-01-20 07:01 PM | Reply | Flag:
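A sketch of the restricting app tier described in the comment above, as an added example that is not code from the original post or from Healthcare.gov: only this layer holds a DB connection, every request is validated against a strict format and column allowlist before any SQL is built, and rejected requests raise an alarm. The eight-character ID format, the allowed columns and the sample rows are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the isolated records database.
_SAMPLE_ROWS = [
    ("A1B2C3D4", "Jane Doe", "12 Elm St"),
    ("Z9Y8X7W6", "John Roe", "9 Oak Ave"),
]
# The app tier is the only code that ever holds a connection to the DB.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE applicants (app_id TEXT PRIMARY KEY, name TEXT, address TEXT)")
_db.executemany("INSERT INTO applicants VALUES (?, ?, ?)", _SAMPLE_ROWS)

# Assumed ID format: exactly eight upper-case alphanumerics, nothing else.
_APP_ID_RE = re.compile(r"^[A-Z0-9]{8}$")
# Columns a caller may request; anything else is refused before a query exists.
_ALLOWED_COLUMNS = {"name", "address"}

# Rejected requests land here; a real deployment would forward these to monitoring.
alarms = []


def lookup(app_id, columns):
    """Validate the request strictly, then run a parameterised query."""
    if not isinstance(app_id, str) or not _APP_ID_RE.match(app_id):
        alarms.append(("bad_app_id", repr(app_id)))
        return None
    cols = list(columns)
    if not cols or any(c not in _ALLOWED_COLUMNS for c in cols):
        alarms.append(("bad_columns", repr(cols)))
        return None
    # Column names come only from the allowlist; the ID is bound as a parameter,
    # so user-supplied text never becomes part of the SQL statement itself.
    sql = "SELECT %s FROM applicants WHERE app_id = ?" % ", ".join(cols)
    row = _db.execute(sql, (app_id,)).fetchone()
    return dict(zip(cols, row)) if row else None
```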

Really? Name and address is considered PHI? Wow!
Anyway, since you are apparently so knowledgeable on this, what exactly did this guy get as a result of his ACA "hack"?

#7 | POSTED BY CHIEFTUTMOSES AT 2014-01-20 04:30 PM

I want to hear more about you "hacking" a healthcare system by inappropriately pulling up patient records on your EMR at work. LOL

#11 | Posted by LIVE_OR_DIE at 2014-01-20 07:04 PM | Reply | Flag:

No matter how well written and debugged, it will always be one social engineering attack from being owned anyways. One mad employee did a number on the NSA not too long ago.

#12 | Posted by sitzkrieg at 2014-01-20 07:29 PM | Reply | Flag:

The fascisti don't want the sheeple to trust the internet because then some of the non-stupid ones might demand a direct democracy. The Diebold mess and now the healthcare website were designed to create this fear.

Ask yourself why Microsoft is never hacked for longer than 5 minutes despite near constant attempts.

#13 | Posted by Shawn at 2014-01-20 10:15 PM | Reply | Flag:

Perhaps it would be secure if we spent 1 billion dollars on the site - oh wait, we probably have by now. Why not just give 3 million dollars to each and every U.S. citizen and call it a day?

#14 | Posted by Gr8Music at 2014-01-21 08:04 AM | Reply | Flag:

Ask yourself why Microsoft is never hacked for longer than 5 minutes despite near constant attempts.
#13 | POSTED BY SHAWN AT 2014-01-20 10:15 PM | FLAG:

Microsoft has some of the most consistently attacked, and hacked, products on the planet. It's the nature of the business.

Windows Update isn't there to grab extra features. It's there to have an automatic mechanism to implement the never-ending flow of security updates that come from MS.

Here's a recent fun one: "We have issued MS13-096 to address the Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2013-3906)."

You know what that means? It means somebody figured out how to glitch a video card on a remote computer, which in turn allowed them to execute remote code. What does "remote code" do, you ask? Whatever you can code it to do, from turning that computer into a botnet slave to siphoning out data.

#15 | Posted by sitzkrieg at 2014-01-21 08:34 AM | Reply | Flag:

You are obfuscating.

#16 | Posted by Shawn at 2014-01-21 05:19 PM | Reply | Flag:
