UPDATED 17:14 EDT / NOVEMBER 29 2013

Healthcare site under continued attacks

Reports have been publicly trickling in that confirm some of the fears people have had thus far about the state of security on the healthcare.gov website. Critics have been pointing out that the site’s problems with stability, speed and reliability indicate a development process that could not possibly be considered secure. The obvious has been clear from the beginning: the site just doesn’t work well, and it has been easy to point out many bugs within its hundreds of millions of lines of code. On top of that, there have been multiple reports of serious security issues that emerged after running elements of the site through web development tools. A month ago, software tester Ben Simo pointed out some of these flaws in a blog post – Is Healthcare.gov security now fixed? The answer to that is obviously no, not yet and maybe not anytime soon.

What he found was seriously troubling:

I quickly discovered that the main browser window would often display a status other than what was actually occurring. For example, the form submission would fail to get a response from the server but the user interface would report that the form was submitted. Once I saw this behavioral mismatch between what was displayed in the browser and what was actually happening, I kept developer tools on as I used the site.

While watching the interactions between my web browser and the Healthcare.gov servers, I saw information being sent to my computer that likely should not have been sent by the server. After I was told that Healthcare.gov will not take reports of security concerns, I started blogging them.

Easy phishing

That was just the beginning – Simo also found out how easy it would be to run a phishing operation, because so much information could be strung together through an automated collection process with no authentication in the way.

I identified a series of steps that could be easily automated to collect usernames, password reset codes, security questions, and email addresses from the system — without any kind of authentication.

Attackers could use this information to go phishing. Exposing this information gives attackers sufficient information to gain trust and trick people into disclosing their security question answers.

If a malicious party wanted to take information, it would be rather simple to put together a phishing scheme that gets people to reveal their personal information while believing the site they were on was the actual healthcare.gov. The fun has only just begun, though. There have been numerous reports of backend information disclosure within the web transactions that take place on the site. This is considered a serious violation of secure practices; it opens the door to a number of vectors by which information can be snooped, users impersonated, or the backend exploited. Hackers look for information like this because once they learn about the backend and its architecture, they have a starting point from which to attack vulnerabilities and flaws.

In a recent Reuters report, news emerged that an investigation had been launched into over a dozen cyber attacks on the site and that the Department of Homeland Security (DHS) was involved.

Roberta Stempfley, acting assistant secretary of the Department of Homeland Security’s Office of Cybersecurity and Communications, said her department was aware of “about 16” reports from the Department of Health and Human Services – which is responsible for implementing the healthcare law – on cybersecurity incidents related to the website.

Testifying before the House of Representatives Homeland Security Committee, Stempfley also said officials were aware of an unsuccessful attempt by hackers to organize a “denial of service” attack to overwhelm and take down the website.

Fixes or not, it will probably take a complete rebuild to get it right

Avivah Litan, Gartner security analyst, shares what many have feared to be the truth.

Frankly, I think the Obama Administration should cut their losses and fess up and admit they need to get the system overhauled and rewritten. And that is not going to take one or two months, as they say. The best they will be able to do in that timeframe is fix the performance issues. The security issues are surely much more complex – you can’t just throw horsepower at them. You need intelligent software and layers of defense. That takes time to bake in.

We’re still not done, however: the site is so flawed that there are numerous reports from various states of information having been sent to the wrong person. And this is only what is being reported; the underground is teeming with information about and from the site after only a few weeks. So you also have that element: information, as has been noted here all along, has been mishandled. The deadline to ‘fix’ the site is coming up; take a step back and let’s see if that’s the case.
