Healthcare.gov problems have been well documented ever since the website was launched, and if that’s not all, it appears that there’s a gaping security vulnerability that is yet to be fixed. Even though back in November it was said that the website had been “fixed,” TrustedSec CEO David Kennedy believes otherwise. He was able to access 70,000 records within four minutes through a rudimentary attack that didn’t actually involve attacking the website itself, Kennedy extracted information from Healthcare.gov without needing to go into the system. The good thing about whitehat hackers is that they don’t exploit vulnerabilities to wreak havoc or for personal gain, Kennedy’s aim is to attract attention towards this vulnerability so that it may be fixed once and for all in order to avoid a future intrusion by hackers who don’t play nice.Speaking with Fox News Sunday, Kennedy says that 70,000 is just one of the numbers he was able to go up to, he stopped after that, adding that the same rudimentary attack can potentially give access to hundreds of thousands of records. “You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself,” he said. Kennedy explains that the problem lies in the integration between IRS, DHS and third party credit verification processes. These different organizations are feeding data into a single hub for the website’s infrastructure, who uses it to for validation purposes. An attacker only needs to gain access to that information hub, and they get access to entire online identities, “everything that you do from taxes to, you know, what you pay, what you make, what DHS has on you.”
He has raised this concern against the House Science and Technology Committee hearing last week along with an elite group of white hat hackers, but it is yet to be addressed. On the other hand, chief information security officer for Centers for Medicaid and Medicare Services, Teresa Fryer, testified before the House Oversight Committee that on December 18th, cybersecurity testing of HealthCare.gov was successfully completed. Fryer told CBS that “there have been no successful attacks on the site,” adding that the protections they have put in place have “successfully prevented attacks.”
Filed in . Read more about Government and Hacking.