Tuesday, January 21, 2014

Hand over Obamacare website to the Afghan security forces?

David Kennedy, CEO of the online security firm TrustedSec, testified at a congressional oversight hearing on Thursday that the Obamacare website, Healthcare.gov, remains vulnerable to hackers and that the website's security flaws have gotten worse since Kennedy last testified before Congress in November of last year.

Aside from being the CEO of TrustedSec, Mr. Kennedy has also previously worked for the National Security Agency (NSA) and the US Marines on cyber warfare and forensic analysis activities.

Mr. Kennedy spoke with Fox News host Chris Wallace on Sunday about the latest concerns he has with the Obamacare website:
When we [online security experts] testified in front of Congress in November, Chris, what we learned was that, you know, they had rushed through what we call the software development life cycle where they actually build the application. So when you do that, security doesn't really get integrated into it. And what happened with the rocky launch in October, is they slapped a bunch of servers in trying to fix the website just to keep it up and running so that people could actually go and use it. But the problem is they still didn't embed any security into it. So when you have another, you know, few hundred developers actually running code to try to keep the site up and running, you know, and you increase the line count of code, it increases more and more exposures. And that's what we saw here over the period of time. And that's what we testified on. It's much worse than what we saw back in November.
Mr. Kennedy added that it was fairly simple to gain access to the personal information of 70,000 ObamaCare enrollees within four minutes:
There is a technique called -- what we call passive reconnaissance, which allows us to query, look at how the website operates and performs. And these types of attacks that, you know, I'm mentioning here in the 70,000 that you're referencing are very easy to do. It's a rudimentary type of attack that doesn't actually attack the website itself, it extracts information from it without actually having to go into the system. Think of it this way. Think of something where you have a car and the car doors are open and the windows are open, you can see inside of it. That's basically what they allow you to do. And there is no real sophistication level here. It is just really wide open. So, there is no hacking actually involved. And 70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I'm sure it's hundreds of thousands, if not more, and it was done within about a four-minute time frame. So, it's just wide open. You can literally just open up your browser, go to this and extract all this information. Not actually having to hack the website itself.
Mr. Wallace proceeded to ask Mr. Kennedy:
You say that you could access - if you were to actually hack the site - names, addresses, Social Security numbers, birth dates. And you also say that because healthcare.gov is linked to the IRS and to the Department of Homeland Security, you could also get in and see what they had to say about the individual person who was signed up... What could a hacker do with what seems like an awful lot of private information?
Kennedy replied:
...It's not just TGI, and it's not just, you know, HHS and CMS, it's a number of different companies. It all came together to kind of match this thing up to make it what it is today. And you're seeing that, you know, happening right now...

And now, the problem is if you look at the integration between the IRS, DHS, third-party credit verification processes, you have all of these different organizations that feed into this data hub for the healthcare.gov infrastructure to provide all that information, validate everything. And so when an attacker gets access to that, they basically have full access into your entire online identity, everything that you do from taxes to, you know, what you pay, what you make, what DHS has on you from a tracking perspective as well as obviously, you know, what we call personally identifiable information which an attacker would use to take a line of credit out from your account. It's really damaging. And I think it's one of the largest websites in history that we have that has this type of level of access into our personal lives...

And it's not just myself that is saying this website is insecure, it is also seven other independent security researchers that also looked at all of the research that I've done and came to the exact same conclusion. And these are folks that work really well in the industry. And they're highly respected, have extensive experience of working for the government... But what is pretty evident right now is that the site itself is not secure. It's much worse off.
However, there may be a simple solution to deal with the Obamacare website's security flaws:

Why not hand over control of the website to the Afghan security forces? They've got plenty of experience in security matters, and they've done such a remarkable job in securing their country, haven't they?

The only concern that might arise with the aforementioned handover is how the Afghan security forces would deal with the Obamacare website hackers after the hackers are captured and incarcerated. Bear in mind that the Afghan government recently announced its plans to release 88 prisoners from a jail that was handed over by the Obama administration to Afghan control - which means the Afghan forces might also release the hackers. That's a problem...