Monday, February 10, 2014

ObamaCare's security nightmare

Fraudsters on the inside, hackers on the outside. Here we are, stuck in the middle with the security nightmare called ObamaCare.

After the website crashes during last fall's federal health insurance exchange rollout, enrollees will soon wish the entire system had stayed down.

The latest? U.S. intelligence agencies have notified the Department of Health and Human Services that the HealthCare.gov infrastructure could be infected with malicious code.

Who's responsible? Washington Free Beacon national security reporter Bill Gertz writes that U.S. officials have “warned that programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected” of possible sabotage. A government tech bureaucrat in the Belarusian regime bragged last summer on Russian radio that HHS is “one of our clients” and that “we are helping Obama complete his insurance reform.”

One of our intel people spelled it out for Gertz: “The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks.”

The friends of Vladimir Putin are not our friends. If you've been paying attention, you know that Belarus and other Eastern European hacking gangs have been at the center of several recent international cybercrimes. These aren't merely schemes to steal credit card numbers or vandalize websites with annoying graffiti. They're acts of espionage and sabotage — like using malware in a phishing scheme aimed at White House employees to gather military intelligence and pilfer sensitive government documents.

For their part, ObamaCare officials are making their usual “don't worry about it, the problem's under control” noises. But we already know the problem is far out of control. Last month, GOP oversight hearings exposed persistent failures by ObamaCare overseers to fix security lapses.

Former most-wanted cybercriminal Kevin Mitnick concluded in a letter to Capitol Hill: “It's shameful the team that built the HealthCare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise.”

David Kennedy, head of the computer security consulting firm TrustedSec LLC and a former cybersecurity official with the National Security Agency and the U.S. Marine Corps, warned that “HealthCare.gov is not secure today” and said nothing had changed since he gave Congress that assessment three months before.

Among the vulnerabilities that the Obama administration still hasn't fixed: “Tens of thousands of user-based data appear to be vulnerable on the specified website and have not been addressed. There are a number of other exposures that have been reported privately that continue to expose users of the HealthCare.gov website.”

Also, “there are multiple open redirects still vulnerable on the HealthCare.gov website and supporting sub-sites.” In other words, “an attacker can send a targeted email to an individual that has signed up for HealthCare.gov or is looking to and have it appear valid and legitimate and originate from the HealthCare.gov website.”

These can open avenues so that victims click on links, “redirecting to a malicious website that hacks the computer and takes complete control over it.”

