Information Security News mailing list archives

HealthCare.gov riddled with flaws that could expose user data, experts say
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 17 Jan 2014 09:46:49 +0000 (UTC)

http://arstechnica.com/security/2014/01/healthcare-gov-riddled-with-flaws-that-could-expose-user-data-experts-say/

By Dan Goodin
Ars Technica
Jan 16 2014

The federal government's HealthCare.gov website continues to be riddled with flaws that expose confidential user data to the public, a security expert testified Thursday at a hearing on Capitol Hill.

David Kennedy, founder of security firm TrustedSec, told members of the House of Representatives Science Committee that only one of 18 issues he reported in November had been fixed, and even then he identified ways that attackers could bypass the remedy. Kennedy didn't discuss specifics of the vulnerabilities out of concern that details would make it easier for criminals to exploit the weaknesses. Generally, he said some of the weaknesses leaked usernames, e-mail addresses, and other data contained in user profiles onto the open Internet, making it possible for unauthorized people to access the information using Google or other search engines. The testimony came as top security officials from the US Department of Health and Human Services (HHS), which helps oversee HealthCare.gov, were appearing before a separate House hearing.

"TrustedSec cannot state with 100 percent certainty that the back-end infrastructure is vulnerable," Kennedy wrote in a statement submitted in advance of Thursday's proceedings. "However, based on our extensive experience performing application security assessments for over 10 years, the website has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported, and TrustedSec would be more than willing to have discussions with HHS to address the security concerns."

HealthCare.gov is the portal website that administers Obamacare in 36 states. The difficulty it had scaling to levels of even basic public interest during its rollout in October badly tarnished what is arguably President Obama's signature legislation. Shortly after the launch, Kennedy and several other security experts also criticized the site for failing to follow established practices for protecting user data. In November, Kennedy warned of 18 vulnerabilities. Since then, he said he has learned of at least 20 more from fellow researchers.

[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/