Thursday, November 21, 2013

WE'RE IN THE VERY BEST OF HANDS: Enrollment Data Entered Into Healthcare.gov Available in Google Search Results

Some rascal online called it IdentityTheft.gov and that assessment appears to have been validated by a top security research team. The Ohio firm TrustedSec has released a security assessment of Healthcare.gov and the results, even though they were cursory by modern standards, were very grim indeed.

David Kennedy, CEO of the firm, revealed that he withheld many of the vulnerabilities because they were so severe that publishing them could have meant the complete destruction of the site. His executive summary read simply, "based on what I can see … I would say the website is either hacked already or will be soon."

I perused the entire report (PDF) this evening. In short, the site is not only a complete catastrophe from an operational perspective, it's also a hacker's dream.

...The website cost an estimated $624 million and consists of over 500 million lines of code. With the number of lines of code, this is one of the most complex applications ever written in the history of applications. To put this in comparison, the Microsoft Windows 8 operating system, which is the latest, has an estimated 50 to 80 million lines of code and has over 25 years of development and maturity. It should be noted that with 80 million lines of code, the Windows operating system has had a significant amount of “exploits” that have hit their product line since it’s early existence...

Microsoft has one of the largest and most sophisticated security development, protection, and remediation processes today. This process has taken years to mature and places security at the forefront. With a website that is over 6 times more complex than the Microsoft operating system and developed in an extremely short period of time, there is and was no foreseeable way to build security into the website...

...there are clear indicators that even basic security was not built into the healthcare.gov website. TrustedSec is confident based on the exposures identified that the website has critical risks associated with it and security concerns should be remediated immediately...

...TrustedSec identified multiple severely critical exposures that it is not publishing publicly until they have been addressed.

...One of the more alarming trends is that the actual security testing of the website was deferred due to project delays. The website was launched without formal testing and with known risks around the security of the applications. Even further, there was little to no security built into the website or through the development. With the complexity of the website, this would indicate
that the website will suffer from significant security concerns for a long period of time unless significant action is taken to address the issues and flaws within it.

...It appears that individual user accounts and names are indexed via Google and can expose profile information of individuals that sign up on data.healthcare.gov.

Based on what I've seen, Healthcare.gov may be the single biggest magnet for identity thieves in world history.

And, come to think of it, that's another historic Obama first!


1 comment:

Anonymous said...

For some reason all the assurances that ObamaCare and it's pseudo-website will be just fine reminds me of this:

Songify This : Winning - a Song by Charlie Sheen
https://www.youtube.com/watch?v=9QS0q3mGPGg

Delusional druggie, washed out actor or Epic President? You decide.