Republicans warn of security flaws in Obamacare website

Comments (36)
Philipp123 wrote:

I bet most other US govt websites have security flaws too.

Jan 16, 2014 12:53am EST
Bakhtin wrote:

David Kennedy is basically a rightie. He has been politically aligned against Obamacare from the beginning. Okay, righties will line up a load of other righties as witnesses – that is to be expected. But…

Kennedy was not authorised to do a security audit of healthcare.gov, so he did a bit of passive testing, reached a conclusion that is in alignment with his political views, *and then went public with it.*

Does anybody else see a problem with this?

Had he been authorised, he would have been bound by an NDA and forbidden to go public. As he wasn’t, he *should* have followed the ethical guidelines of responsible disclosure and not said anything until the alleged vulnerabilities were fixed.

He hasn’t done that, which is politically-motivated, unethical behaviour.

As for his revelations, and claims that the site should be shut down (not Kennedy… I know) – all that from passive testing? It is a joke. It is just politics.

Jan 16, 2014 1:49am EST
jumpinthelake wrote:

Gee, just like Target but the ENTIRE UNITED STATES and all the people that ate up your PROMISES!! What was that apology? “I am sorry that THEY are finding themselves in the situation” If someone said that to me after wronging my family terribly I would kick him in that place so hard they’d pass out!!

Jan 16, 2014 1:51am EST
Psyllicon wrote:

“Anybody who brings testimony that says there is a vulnerability on HealthCare.gov is only speculating unless they have actually executed the code, at which point they are hacking a government website and that would be illegal,” — ~hypocrisy~

Jan 16, 2014 3:42am EST
Dehumanist wrote:

I’ve seen reports of holes like this from independent security professionals, and quality assurance professionals, since the beginning. While David Kennedy may have a political axe to grind here, the security holes are valid, and existing. The “blogger” who reported on the holes in October and November is a leader in QA/Testing and without any political angle he viewed the site and found many of the holes mentioned here.

Much of the problem is what was designed and tested for, and I will bet that security testing was cut since the project timeline was so short. It’s not an uncommon practice, although I am surprised no one tried hacking the site at all in the time it was having all its issues, unless all the people who would were busy over at Target.

Jan 16, 2014 5:10am EST
AZreb wrote:

Ever hear the old saying “You pays your money and you takes your chances”? Here is the perfect example of that old saying.

Jan 16, 2014 7:53am EST

That’s ok, the hackers are all US government agencies and contractors.

Jan 16, 2014 8:30am EST
Overcast451 wrote:

**”To date there have been no successful security attacks on HealthCare.gov and no person or group has maliciously accessed personally identifiable information from the site,” the statement said.**

That they are aware of. Meaning – there have either been no attacks, or the system is so flawed that they can’t even detect the hacks; which is quite possible – ask Target.

Jan 16, 2014 10:22am EST
SaveRMiddle wrote:

I would think the hackers are currently busy filing fake tax returns just ahead of American taxpayers. They reap tens of billions each year because our government agencies cannot figure out a way to prevent it.

Jan 16, 2014 10:34am EST
bluto1960 wrote:

@Overcast451,@SaveRMiddle

Both are very likely scenarios and outcomes !

Jan 16, 2014 10:44am EST
Bakhtin wrote:

‘To date there have been no *successful* security attacks’. It doesn’t say there have been no unsuccessful attacks, or that there have been no attacks of any sort.

If the site is really as insecure as these guys claim, why have there been no successful attacks? Think of the political ammo that would give to the righties. I am sure some rabid tea-baggers in a basement are doing their best to hack into healthcare.gov, but clearly without success.

Jan 16, 2014 10:46am EST
Fancy433 wrote:

If Obama and the rest of the Federal Government determine the security of this website like they did with the Benghazi Embassy, we’re in deep trouble.

Jan 16, 2014 11:27am EST
3122945529j wrote:

Bakhtin, anyone who develops software can tell with a cursory overview that there have been and still are issues with the basic structure of the site. Looking at the password requirements on day 1 told anyone familiar with programming and database security that there were huge vulnerabilities and avenues of attack. This isn’t partisan observation, developers I know who fully support the new health care laws have been horrified by what they’ve seen.

Lack of known successful attacks does not prove security; in fact that mindset is the most damaging kind, much like security via obscurity. It is entirely possible and quite likely that it has been compromised and no one knows it yet. It’s not “rabid tea-baggers in a basement” they need to worry about, it’s identity thieves and “professional” criminal rings that stand to make huge amounts of money via fraud. They have the resources and the motivation, and whereas someone trying to prove problems for political reasons would likely reveal immediately the exploits they found, these entities will not. What they will do is exploit holes to gather data, and continue to do so until the holes are shut down. They will make decisions about when to use the fraudulent data that will be based on several factors. First, how much risk there is that the compromise will be revealed through the use of the data obtained. Why exploit the use of 10 people’s private information, when it will compromise your ability to accumulate 10 thousand individuals’ private info to exploit? Age of the data will be a concern, closely related to events like tax time. Personal data obtained has a shelf life; info that allows them to file fraudulent tax returns for 2013 may not be valid for 2014. However, if data age causes them to lose opportunities, the chance to exploit thousands for 2013 may be sacrificed if they believe they will be able to gain millions of opportunities in 2014.

If anyone is being partisan, it’s you, in your attempt to defend the indefensible.

Jan 16, 2014 12:20pm EST
b.pocklington wrote:

An “insecure” website huh?

Was it bullied into having low self esteem?

Jan 16, 2014 1:49pm EST
AlkalineState wrote:

Well I warn of security flaws on foxnews. There, we’re even.

Jan 16, 2014 4:44pm EST
Speaker2 wrote:

“There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site.”

More Republican and Hannity fantasies. Do something for the people, you know, restore unemployment extensions and food stamps, cut military spending and do something for a change to help create jobs.

Jan 16, 2014 5:22pm EST
Speaker2 wrote:

@fancy443 There was no Benghazi Embassy. It was a foreign consular office. Big difference in security for the two types of foreign offices. Another low information Faux News watcher. Obama had nothing to do with security there.

Funny how Republicans are cutting state department security funding again, 224-million on one hand and scream there was no security.

Jan 16, 2014 5:29pm EST
QuidProQuo wrote:

H.R. 3811, Health Exchange Security and Transparency Act is a bill that better pass with 0 nays. It has Zero cost and it is a simple one sentence bill: The legislation would require the Secretary of Health and Human Services to provide notice to individuals in the event of a breach of security in a health exchange system that results in their personally identifiable information being stolen or unlawfully accessed.
Every senator owes their constituents at least that much.
And if POTUS threatens to veto a bill like this, then arrest him for treason because the truth about where his heart really lies will be fully revealed. This is a simple common sense bill. Don’t you want to know if your financial and personal data has been compromised so you can monitor your credit and bank accounts with heightened scrutiny?

Jan 16, 2014 7:08pm EST
simian wrote:

“David Kennedy, head of computer security consulting firm TrustedSec LLC”
Me, me, put me in coach. The guy is obviously a ringer and I’m sure he’d welcome a fat contract to fix the problem that he has invented. Are there any verified security breaches of the website?

Jan 16, 2014 9:07pm EST
4825 wrote:

The Democrats sure have screwed up with the failed Obamacare law in a big way. They have bumbled the whole process. I feel like I am watching The Three Stooges. Instead of Larry, Moe and Curly, we have Barack, Harry and Nancy.
It is also humorous to watch the liberal sheep doing their best to cover all the failures. Like a cat in a litter box.

Jan 16, 2014 9:22pm EST
Bakhtin wrote:

3122945529j wrote:
“Bakhtin, anyone who develops software can tell with a cursory overview that there have been and still are issues with the basic structure of the site. Looking at the password requirements on day 1 told anyone familiar with programming and database security that there were huge vulnerabilities and avenues of attack.”

Aaaah… the lame old ‘everyone knows’ argument. Sorry, that one doesn’t fly. It proves nothing.

You have to do better than that. If this really is such an insecure site, if there really is the crisis you righties say there is, why is it still secure? Why has nobody, in real-life, exploited these vulnerabilities that you say anyone can see just by looking at the password?

Jan 16, 2014 9:37pm EST
wildcat48 wrote:

Cannot believe the naivety of some people. It hasn’t happened yet, so there’s nothing to worry about. Wait until people start entering credit card and debit card numbers. I don’t understand people who fear Fox…there is NBC, CBS, ABC, MSNBC who spout their opinions…such fear of the TRUTH.

Jan 16, 2014 9:53pm EST

Wait, Diane Feinstein is a Republican?

Jan 16, 2014 9:57pm EST
4825 wrote:

@Bakhtin wrote: “You have to do better than that. If this really is such an insecure site, if there really is the crisis you righties say there is, why is it still secure? Why has nobody, in real-life, exploited these vulnerabilities that you say anyone can see just by looking at the password?”
Well Bakhtin, you have to do better than that. You are basically arguing there is no proof of security vulnerabilities being exploited when in fact there is no proof that they have not been exploited. If your identity is stolen or your credit card number is ripped off, you won’t know until they use that information. You are using the lame “everyone knows it is safe” argument and that does not fly. No proof.

Jan 16, 2014 10:31pm EST
Bakhtin wrote:

4825 wrote:
“You are basically arguing there is no proof of security vulnerabilities being exploited when in fact there is no proof that they have not been exploited.”

Wrong. Do you know what this is? -> “?”

It is a question mark. It means I am asking something, not presenting an argument. I am asking people like you for a real-life example of healthcare.gov being vulnerable – and you don’t have any. You have no *evidence*, just the usual hyperbole and sky-is-falling fear-mongering.

Jan 17, 2014 3:09am EST
UScitizentoo wrote:

> security flaws in Obamacare website
You mean the flaw where the government is gathering every single piece of information about you into databases ultimately controlled by the NSA? That flaw? Your entire family medical history and employment records now added to your phone calls, text messages, searches, tracking location data from phones, religious affiliations, face scans, street camera surveillance and new federal drones?
You are already so date/time stamped the government will know not only when you spit in your back yard but when you decided to spit in your back yard. And all this directly against the 4th amendment. Vote all standing members out of office. Every single last one of them. Send a message to the shadow government it’s we the people, NOT we the NSA.

Jan 17, 2014 10:47am EST
ertdfg wrote:

Security expert — and once the world’s most-wanted cyber criminal — Kevin Mitnick submitted a scathing criticism to a House panel Thursday of ObamaCare’s Healthcare.gov website, calling the protections built into the site “shameful” and “minimal.”

Is an ex-hacker turned computer security expert a Republican? I can’t find his political leanings; but I can find the holes he clarifies exist in the website.

Why is it only Republicans would listen to experts and be in any way concerned about forcing people to use an unsafe website as they enter all their personal data?

I guess Democrats are Pro-Identity Theft now?

Jan 17, 2014 11:10am EST
Timbuk3 wrote:

Hey right wing morons, Obamacare does not require you to enter your credit card info through the website; you manage payment directly with the insurance provider.

More GOP scare tactics…

Jan 17, 2014 11:19am EST
unionwv wrote:

“Had (Kennedy) been authorised (to test the Obamacare website), he would have been bound by an NDA and forbidden to go public.” – Bot Kin

So, the public would have been kept in the dark about their personal information being subject to stealth.

“Anybody see a problem with that”?

Jan 17, 2014 11:40am EST
Crash866 wrote:

…and many other issues but most don’t want to know…you voted…twice…

Jan 17, 2014 11:43am EST
Bakhtin wrote:

@unionwv

I see… so now you are trying to pretend that it is all a noble crusade to protect personal information.

Okay, let’s run with that.

Consider two scenarios. In Scenario one, Cyber Security Dude approaches some web site owners, obtains authorisation to do some penetration testing. He quietly runs some penetration tests, quietly informs the site owners of any vulnerabilities he has found, and they quietly fix them.

In Scenario two, Cyber Security Dude gets no authorisation from the site owners, runs a few basic passive tests, concludes that the site is full of vulnerabilities, and announces this to the whole entire world including all the hackers.

In *your* opinion, and in the light of your claimed concern for the security of personal information, which scenario does the better job of protecting information held on the web site: scenario one or scenario two?

Jan 17, 2014 12:24pm EST
betrayed wrote:

Obamacare supporters, including federal and state officials, staged a six-hour presentation on YouTube.com intended to drive enrollment among 18-to-34-year-olds.
Send in the clowns and the stupid will follow. Do you know how extensive the information they want for the Obamacare web site is? Just to log on you need to put down ALL your private info that, if hacked, will send your credit into a multi-year fire fight. Good luck, comrade.

Jan 17, 2014 12:58pm EST
betrayed wrote:

@Bakhtin thanks for your support comrade.

Jan 17, 2014 1:04pm EST