For weeks the incredible level of flaws of the Affordable Care Act sites have been big news. There have been reports of attacks, data-handling issues, there was even a report of a specialized DDoS tool designed to attack the site specifically. Despite a number of assurances that all is running well, the security issues should be obvious even to the non-technical out there. Through it all, it should be clear that there would be many security flaws that would emerge, various reports of attempts and many more unreported. The latest report zeros in a number of state-run healthcare exchanges. A security researcher has discovered that a number of these exchanges have a particular type of Wi-Fi attack vulnerability that could put consumers in danger of having quite a bit of data revealed including usernames and passwords.

Mark Lanterman, CEO and chief technology officer released the information in conjunction with a KTSP investigation, a Twin Cities ABC affiliate. The details of the vulnerability haven’t come forward anywhere, but it reads as though being Wi-Fi in nature it is most likely a man in the middle type of attack. This would mean a sophisticated type of attack but also not terribly difficult to reproduce as the methodology for this is easily found and shared in hacker communities. The vulnerabilities were found to be affecting the exchanges in Minnesota, Colorado, Hawaii, Nevada, New Mexico, Maryland, New York and the District of Columbia. The federal web site we all know about HealthCare.gov was not found to have this particular flaw, in addition to a number of other states.

The report also states that at one point during which Healthcare.gov was being run on Google servers, that a capture of visitor MAC addresses was taking place. MAC addresses are hardware ID values assigned to physical hardware and are unique to every network interface on devices. Collecting this data would mean that the computers of visitors to the site could potentially be identified.

Only the beginning

Let’s review the variety of the known security issues that make up the issue we’re starting to hear now. Step one is to start looking at this from an ill-motivated hacker’s perspective, we have what is possibly one of the biggest targets ever – financial information, identity, medical info, and a whole lot of other information being collected into one place. We also have a number of fragmented standalone sites built through varying standards or at least delivered with varying quality throughout the country in these state-based exchanges. And we also have tangible and very public evidence that the site was not tested adequately and was at one point coded quite poorly, therefore there is beyond reason to suspect that security standards – how shall we say it – are not quite up to par. What could possibly go wrong? Mark these words, this is only the beginning. DDoS attacks, phishing, APT attacks – all of those things and more will be hitting in due time.  How long until the first mass data dump?

photo credit: Viktor Hertz Palagret via photopin via photopin cc