So You Found An Obamacare Website Is Hackable. Now What?

Jan 15 2014, 6:01pm CST | by , in News

Photo Credit: Forbes

Two months ago, L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, spotting security flaws is second nature to him, and he couldn’t help but notice problems with the California site, which has seen the most registrations for healthcare in the country.

The technical problems with the website set up for the Affordable Care Act have been well-documented. When critics started calling the main federal Obamacare site a “hacker’s dream,” people rightly pointed out that the more sensitive information — social security numbers, incomes, and birthdates — is instead in the hands of the state-level portals. That of course is exactly what the Covered California site is. Hermansen discovered a vulnerability that would allow someone to take over another person’s account on the California site, and review or change the information entered there. He tried contacting Covered California “at least 15 times” by email, phone or chat about the problem, but got no response for over a month. “They must have been overwhelmed by people seeking help with the site,” he says.

On December 24, he finally got through by phone to a Covered California representative and he explained the issues he’d found, but they remained unfixed and he didn’t hear back from them. Given that it was Christmas, that’s not terribly surprising. But Hermansen, frustrated that the flaw had been out there for over a month already, decided two days later to release a video of the exploit to YouTube and posted it to a security sub-Reddit. That got the attention of a Covered California lawyer who contacted him to take the video down, and also flagged it with YouTube; it was soon removed. The lawyer’s tone was contrite in the email. “I am sorry no one responded to you earlier,” he wrote. “We will have to figure out where or how your prior message to us got lost.”

Hermansen then spoke by phone to the lawyer and a chief security person. “They were not interested in talking about the security issues but about getting the video or any other online mention of the flaw taken down,” he says.

In the grand scheme of things, the vulnerability was not a major one. You would need to know someone’s username in order to take over their account, and you would only be able to see the last 4 digits of their social security number if you did break in. Hermansen says he found more serious issues — such as an exposed admin interface and a potentially raidable database that might have made it easy to steal complete social security numbers en masse — but that he did not explore or expose them publicly to avoid running afoul of the law. He was most dismayed though by how the site’s administrators reacted to his finding flaws: first ignoring him, then trying to sweep his disclosure under the rug, rather than immediately addressing or fixing the problem that he had found.

“They didn’t want a conversation about how to fix it,” he says. “They were defensive about the site. I didn’t put the vulnerabilities in your site. I’m just shining light on it.”

This is a common complaint from white-hat hackers. They find security problems in products, and the people who make those products are often not eager to hear about them or to see them exposed. However, given the controversy surrounding Obamacare and its websites, I was surprised they would ignore a problem like this. Hermansen’s posting the video publicly did get the job done. By mid-January, it appears the account-hijacking issue has been fixed. I created a test account for Hermansen to try to access, and he was unable to get in.

On Wednesday, Hermansen says the FBI visited him and told him not to talk about this publicly anymore. “This chilling effect on security research is not the best way to serve the public interest,” he says.

Matt Ploessel, a security researcher who collaborated with Hermansen, reported the problems to the government’s vulnerability clearinghouse US-CERT. He says he also got a call from the FBI Wednesday. “They told me that creating a test account because we didn’t want to touch real live data is fraudulent,” Ploessel says. “In our industry, getting a visit from the FBI when you do something good is not unusual, but it’s still scary.”

“Covered California meets all state and federal regulations regarding online security and privacy,” says Covered California spokesperson Anne Gonzales. “Consumer protection is a high priority for Covered California, and we take it very seriously. We built protections into the system, we monitor the system continuously and we are ready to address any possible issue as it might arise. Should a security breach occur, we would notify any affected consumer directly.”

Hermansen argues that a breach could have already occurred if anyone has taken advantage of the flaw he found. He was cheered by news this month that the House has passed a bill that would require the Department of Health and Human Services to notify people of any potential breaches of their information through the health sites. Ploessel says the 48-hour requirement in the bill is unrealistic though. It has not yet passed in the Senate. Conservative lawmakers, eager to find flaws in any aspect of Obamacare, are holding a hearing Thursday morning about the risk of identity theft through Affordable Care Act-affiliated sites.

Hermansen did not try to find vulnerabilities on other state Obamacare portals. “I only look for vulnerabilities in the sites I actually use when not hired to do so,” he says. He does think that Covered California and other sites need a better reporting mechanism for security flaws.

Source: Forbes
