When it comes to the atrocious state of HealthCare.gov security, white hat hacker David Kennedy, CEO of TrustedSec, may feel like he’s beating his head against a stone wall. Kennedy said, "I don't understand how we're still discussing whether the website is insecure or not. It is; there's no question about that." He added, "It is insecure - 100 percent."
Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly “fixed,” he told Congress it was even more vulnerable to hacking and privacy breaches. Before Thursday's congressional hearings, Kennedy wrote, “Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed and since my last appearance, other security researchers have also identified an additional 20+ exposures on the site.”
Last week, Kennedy testified again about holes in healthcare.gov that could allow hackers to access personal information like names, social security numbers, email addresses, home addresses and more. And because other government sites like DHS and IRS are integrated into healthcare.gov, for verification purposes, hackers could also access those other government sites and create an online profile for practically anyone in the system.
Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system.”
Kennedy also told Fox News Sunday, “70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.”
The problem is if you look at the integration between the IRS, DHS, third party credit verification processes, you have all of these different organizations that feed into this data hub for the healthcare.gov infrastructure to provide all that information and validate everything. And so if an attacker gets access to that, they basically have full access into your entire online identity, everything that you do from taxes to, you know, what you pay, what you make, what DHS has on you from a tracking perspective as well as obviously, you know, what we call personal identifiable information which is what an attacker would use to take a line of credit out from your account. It's really damaging. And I think it's one of the largest websites in history that we have that has this type of level of access into our personal lives.
Kennedy is not alone is sounding the cybersecurity warning alarm about healthcare.gov. At the House Science and Technology Committee hearing held last week, Kennedy and a pack of elite white hat hackers -- Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website’s insecurity. According to their signed statements [pdf]:
Kevin Mitnick, the 'world's most famous hacker' testified:
Healthcare.gov retrieves information from numerous third-party databases belonging to the IRS, Social Security Administration, Department of Homeland Security, and other State agencies. It would be a hacker's wet dream to break into Healthcare.gov and potentially gain access to the information stored in these databases. A breach may result in massive identity theft never seen before -- these databases house information on every U.S. citizen!
It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise or access to consumer proprietary information.
SANS Faculty Fellow Ed Skoudis affirmed:
Reviewing the security issues discovered in the healthcare.gov site, I can tell you: this is a breach waiting to happen. Or, given the numerous vulnerabilities, perhaps a breach already has happened. These are exactly the kind of security flaws bad guys exploit in large-scale breaches.
Conversely, Teresa Fryer, chief information security officer for the Centers for Medicaid and Medicare Services, testified before the House Oversight Committee that cybersecurity testing of Healthcare.gov had been successfully completed on Dec. 18. According to the Associated Press, Fryer claimed, “There have been no successful attacks on the site.” Fryer told CBS that security testing is conducted on a regular basis; and although a person can “never guarantee any system is hack-proof,” she noted that “the protections we have put in place have successfully prevented attacks.”
While claiming anything is unhackable is like daring attackers to prove it is entirely hackable, if the government is so confident that healthcare.gov has enough security to defeat hackers, then why not officially ask Kennedy, Mitnick, Skoudis and the other cybersecurity experts to hack it? If I were placing a bet on the outcome, my money would be on the white hat penetration testers. If black hat attackers decide to secretly breach it and make off with everyone’s online identity, then we’re all toast because the feds are not legally required to notify citizens if and when healthcare.gov is hacked.