[Infowarrior] - Hacker Breached HealthCare.gov

Richard Forno rforno at infowarrior.org
Thu Sep 4 16:13:12 CDT 2014


tl;dr version - reportedly via a default password still in the production system somewhere.  —rick


Hacker Breached HealthCare.gov Insurance Site
By DANNY YADRON
Sept. 4, 2014 4:04 p.m. ET

http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043

A hacker accessed a server used to test code for the HealthCare.gov website in July. Associated Press

A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials.

Investigators found no evidence that consumers' personal data was taken in the breach, federal officials said. The hacker appears only to have accessed a server used to test code for HealthCare.gov. The Department of Health and Human Services discovered the attack last week.

An HHS official said the attack appears to mark the first successful intrusion into the website, where millions of Americans bought insurance starting last year under the Affordable Care Act. It raised concerns among federal officials because of how easily the intruder gained access and how much damage could have occurred.

"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," the Department of Health and Human Services said in a written statement. "We have taken measures to further strengthen security."

The attack comes as the federal government and insurance companies prepare for open enrollment, which begins Nov. 15. It is likely to be seized on by Republican lawmakers, who oppose the law, in fall campaigns as another sign of the health law's flaws. HealthCare.gov suffered from crippling technology problems when it launched in October, though the government has since improved the site.

Taken with recent data thefts from J.P. Morgan Chase & Co., Home Depot Inc. and celebrities' iPhones, the HealthCare.gov hack further underscores that large organizations haven't yet mastered how to secure the troves of data they collect from consumers.

The White House and Congressional staff have been briefed on the matter, officials said. The Department of Homeland Security, Federal Bureau of Investigation and National Security Agency have aided the investigation, which is active. The FBI traced the attack to several Internet addresses—some overseas—but doesn't think it is the work of a state-backed actor, officials said.

"There is no indication that any data was compromised at this time," DHS spokesman S.Y. Lee said in a written statement. "DHS will continue to monitor the situation and help develop and implement precautionary mitigation strategies as necessary."

As an insurance enrollment portal, HealthCare.gov stores deeply personal details on Americans, including Social Security numbers, financial data and names of family members. None of that appeared to gain the still unknown hacker's interest, officials said.

Rather, investigators found that in July, the intruder did just one thing: install malware on a HealthCare.gov server so it could be used in future cyberattacks against other websites, federal officials said. Hackers often take over troves of computers and servers to direct mischief traffic at websites. The rush of traffic, known as a denial of service attack, overwhelms the site and knocks it offline.

Such types of cyberattacks are considered a nuisance and, if discovered at a private company, it is likely the firm wouldn't disclose the incident, cybersecurity attorneys have said.

"If this happened anywhere other than HealthCare.gov, it wouldn't be news," a senior DHS official said.

Investigators found that the hacker was scanning both federal and private websites for a certain type of server that the person would then hack. This suggests the hacker wasn't targeting the health-care website, the official said.

Washington officials said they are concerned that an intruder gained access to the HealthCare.gov network through a basic security flaw. The server accessed had such low security settings because it was never meant to be connected to the Internet, the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to crack.

"There was a door left open," the official said.

The department discovered the break-in weeks later on Aug. 25 during a daily security scan. Buried amid lines of computer log files was data showing the test server had been contacted by the outside Internet, which wasn't supposed to happen.

HHS said it has taken cybersecurity seriously since launching HealthCare.gov nearly a year ago. The site undergoes quarterly security audits from Blue Canopy Group LLC, a private security company in Reston, Va. It also undergoes daily security scans and drill hacking exercises.

Lawmakers first raised security concerns about the website when it launched. At the time, then-Secretary of Health and Human Services Kathleen Sebelius said the department had a plan in the event of a security breach. Other hacking attempts reportedly have been made but none appear to have been successful before this.

Write to Danny Yadron at danny.yadron at wsj.com


---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.