Healthcare.gov Gets Fuzzed Amid General Condemnation by Security Professionals

As the flagship effort of President Obama’s terms in office, and a massive new repository of personal financial and medical information, Healthcare.gov was already a huge cyber attack target before the site even went live. The technical difficulties many users have experienced have been mostly due to inadequate testing during the site’s development, however, there are signs of very severe cyber attacks on the horizon.

A recent House hearing on security vulnerabilities on the website ended with the panel of experts; including Morgan Wright, CEO of Crowd Sourced Investigations; Fred Chang of Southern Methodist University; Avi Rubin of John’s Hopkins University; and David Kennedy, CEO of TrustedSEC, all declaring it was unsafe for Americans to trust their personal data to the website in its current form, and three of the four saying that the website should be pulled immediately and the implementation of the healthcare program delayed in order to address the website security issues.

Recently an implementation problem in the site’s search bar autocomplete function was revealing the ongoing “fuzzing” attacks being made on the site’s forms and databases.  A “fuzzing” attack is part of a technique called SQL injection, wherein an attacker uses the outward facing elements of a website, such as forms that feed into the site’s databases, to input commands to the database, potentially revealing or deleting confidential data. The autocomplete issue has been solved, however the attacks are certainly ongoing, with an unknown level of success.

The bottom line of this entire incipient misadventure is that website initiatives, especially ones that are juicy targets for political and personal data reasons, must be designed with security in mind first and foremost, and extensive security testing must be employed before the sites and their vulnerabilities are released on an unsuspecting public.

Dan Gifford – MCySec Media Manager

Leave a Reply