Missing on stability is one thing. Missing the scale of operations, that’s another. Poor coding, well now that list piled up rather quickly didn’t it? Launching a major website with all of those things in question, that’s a whole other level. There has been some “circling the wagons” in response to an earlier article where I objectively described the ObamaCare website as a failure.  Someone please tell us about how it is successful, from a technical point of view. Now, we’re supposed to give the new fixes a chance, but as Jon Brodkin at ArsTechnica puts it:

“Government IT at its finest: Each time one problem is fixed, another pops up.”

As it stands, no one knows how long the site is going to take to fix. Two weeks. Two months. Ever? We are talking about what is supposed to be the biggest, highest profile, most sensitive collection of data ever created (Not counting the NSA, I suppose). Is there any way that a hastily put together, under poorly-designed and poorly-architected website/database behemoth with all of these documented issues of coding, of capacity, of mix-and-match of technologies – Can your data be trusted to it?  Getting in, registering your account, buying a policy – those things if they get fixed would be great, but we are asking if the site is even secure in the first place.  It is painfully obvious that the answer to that is no.

Attacks Are Going On Right Now

I can tell you without a doubt, that right now as you read this that site is being attacked. If you believe in the many reports of major sites being hacked, of DDoS attacks, of foreign hacker wars, and hacktivism, then you better believe that something shoddily put together like this can and probably will be hacked as well. It’s an inevitability and the signs are already there.  Lest not we forget how very recently every password on every account within the system was reset. Is there any way that was a security issue? It’s hard to say from the outside, and it was reported that this was some type of volume-corrective action. But does that sound right to anyone? I’d like to see that flowchart, because I can’t seem to connect high demand with ‘let’s reset everybody’s password’. Again, we’re on the outside looking in, so perhaps we give them that one – (but that’s still a big one).  Still, the security issues are more extensive than having to reset passwords.  Much bigger.

I mean here’s one of the more benign scans I found after a 3 second search:

1. 3306/tcp open   mysql    MySQL 5.1.70-cll
3. | mysql-info: Protocol: 10
5. | Version: 5.1.70-cll
7. | Thread ID: 285884
9. | Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
   ………….
10. Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (96%), OpenWrt 0.9 – 7.09 (Linux 2.4.30 – 2.4.34) (96%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (96%), Linux 3.0 (94%), Linux 2.4.18 (93%), Asus RT-N16 WAP (Linux 2.6) (92%), Asus RT-AC66U router (Linux 2.6) (92%), Asus RT-N66U WAP (Linux 2.6) (92%), Tomato 1.28 (Linux 2.6.22) (92%), Linux 2.6.38 (92%)

Hackers live on this stuff.  It looks like obvious information ‘so what’ information to some, but to a hacker, this and other pieces of information form a road map on what tools to pull out and what to try and crack.  It’s an obvious target and you can count on snoops from here on in.

Testing – Who Needs Testing?

Now if they clearly didn’t successfully test the site for operability, what could possibly make anyone think it was tested for security? We reported how the site was essentially killing itself by opening up multiple requests from within in the deeply flawed code.  Software errors discovered in code are some of the biggest threats in the business of cybersecurity, they threaten security, they threaten stability, they threaten performance, and it is something that should be tested for before live deployment of anything.

Healthcare.gov is teeming with security flaws, vulnerabilities and software errors, have a look around Pastebin, in the underground, blogs and some of the open forums. It’s pretty ugly. The list is made up of lots of fun fun stuff that keeps real security personnel up all night like clickjacking, cross-site request forgeries, plaintext cookies, malicious scripting, cookie theft, and if I give you any more than that I might as well tell you how to hijack this whole thing.  Reportedly a lot of the code delivered by contractors on the project may have been done on the cheap, outsourced overseas (beyond Canada) and ended up utilizing quite a bit of Javascript – a favorite in many hacker tools.  The point is from a code perspective, from ready for prime time security perspective – there’s just no way to say this is alright.

Goldmine of Info – All You Got to Do is Take It

When we think about what would motivate this, we’re talking about an incredible trove of information here – personal identifiable information and beyond. If you stop, think like a hacker for a second, you will quickly see all the goodies there for the taking – things like:

• Your entire medical history
• Social security numbers
• Addresses
• Birthdates
• Family
• and if you’re paying for it, how about financial information as well like your credit card or bank account.

Scared yet?  This is serious business.  But just hold on – fixes are being thrown together right now at the system and the goal here is to get these ‘glitches’ smoothed out. That’s an interesting message that may go over on some level, but if you have ever worked on a production system even remotely close to this scale, then you would know that there is no way that those fixes themselves are not creating new problems or challenges altogether.  This could be a while folks.  These issues are systemic, and that most definitely includes security. So without significant successful operational testing of any kind, if it didn’t pass that basic level, then there is absolutely no way this underwent the scrutiny of security testing. None. The facts show it.  An exploit or breach may have already happened, or is shortly on the way.  You just can not expect the opposite.

Crimes of Opportunity – Phishing, Scams

This blunder, the entire situation itself – it’s a vector for cybercrime, and the kick is you don’t even have to attack the site to do it.  Think about this – we have a lot of people waiting to sign up and get a policy -because you know if they don’t they’ll be fined and all. OK there were some issues getting started the first couple of weeks, so let’s put our hacker hats back on and – that’s right, that’s a prime opportunity to scam a lot of people out of valuable information. It’s in the news, people are waiting.  We’re talking fake websites, phishing attacks, complex setups that will be firing up very quickly to take advantage of this prime criminal opportunity. Just keep scanning the wire to see when the first story comes out and remember where you read about it first.  Crimes of opportunity, where there’s confusion, a cyber criminal sees an edge.

So here we are, many of us are forced under penalty of fine under the law to sign up before this deadline. One would hope that before being faced with this ultimatum that as the ‘glitches’ are being revised and smoothed out, that the security element is considered throughout, secured and validated.  In the meantime, there’s not much you can do about this situation except to get the word out on what to do to protect yourself and what to look out for. That messaging campaign will be a challenge as well, it’s late in the game and for reference, there are many companies that have trouble avoiding fraud, avoiding phishing, and educating their employees on cybersecurity when they have as little as 100 people to look out for.  It’s not easy or foolproof.  Take that, scale it up and imagine the 7 million that were projected to be required to sign up for the ACA.

So, while you’re out there signing up for your healthcare on a hurried and poorly written and poorly secured government-built website, be ready with a healthy responsible personal online protection plan. Keep an eye out for phishing attacks, scams that come in your email or even phone calls, watch out signs of fraud. Watch your credit, watch your regular mail, review your credit card bills and bank accounts, and you may even have to start watching your insurance account activities as well.