Friday, January 24, 2014

Surprise: Hackers can host almost anything on Obamacare website

So, how cool would it be to host IBCR, or promote it, using the spectacular failure that is www.healthcare.gov? While the site continues to be an abysmal disaster—with more bugs than a foreign embassy in Moscow—there is at least one “feature” that worked pretty well.


A security expert who has testified before Congress and spoken to the media about vulnerabilities of the Healthcare.gov website has weighed in on the website's latest security issue, which was first reported Thursday by THE WEEKLY STANDARD. David Kennedy, the CEO of TrustedSec, an information security firm, said that the unintended opening at Healthcare.gov detailed in the story would allow malicious scammers to fool users with a "website that’s legitimate to make them believe it’s something else." He said the existence of this potential pitfall on the site is "absolutely amazing," and added that "an attacker can basically create a functioning website and host any content they want there and under the umbrella of healthcare.gov."

At issue is the profile feature of the data.healthcare.gov section of the website that allows anyone to set up a custom-made page intended to host "data-sets" based on the insurance plan information database on the website. Users can sort, group, and otherwise manipulate the data to create unique presentations based on various criteria. However, the lack of disclaimers and other safeguards allows marketers, or worse, scammers and identity thieves, to establish what would appear to be legitimate Healthcare.gov webpages which can be used to redirect users to other sites.


Are you surprised? Me neither. While the HHS “tech experts” have since removed the capability to create a profile and generate your own content, it still exposes a technical hole big enough to drive an 18-wheeler through.

This means that a scammer with malicious intent could have sent out a mass email promoting his enterprise, or promoted it using social media, linking to what would appear to be a legitimate government-sponsored, government-endorsed, government-hosted website. That website could then redirect you to almost any website on the planet, including one designed to harvest your personal data, infect your computer with heaven knows what kind of malware or sell you some counterfeit pet medications.

Obamacare’s website has already cost nearly $600 billion. It’s been “under construction” since April, 2010. Almost four years in, and they’re discovering this security hole just now?

I guess if you like your government incompetence, you can keep it.
