World's Most Famous Hacker, Kevin Mitnick, Calls Obamacare's Complete Lack of Security "Shameful"

Totally fixed, y'all. Mitnick submitted his report to the House Committee on Science, Space, and Technology.

[M]itnick wrote: "It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise."

...

Mitnick concluded that, "After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov Website, it's clear that the management team did not consider security as a priority."

His comments were backed up by testimony by Kennedy, who is CEO and founder of TrustedSec LLC and a self-described "white hat hacker," meaning someone who hacks in order to fix security flaws and not commit cybercrime. In November, Kennedy and other experts testified before the same panel about security issues on Healthcare.gov.

Kennedy testified that most of the flaws they identified at the time still exist on the site, and said "indeed, it's getting worse," telling the panel that he and other experts have seen little improvement in the past two months.

"Nothing has really changed since our November 19 testimony," Kennedy said.

How bad are the security flaws? Well, not that bad. I mean, a hacker could just take over your computer through the Healthcare.gov interface, is all.

“The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.

Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.

“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals.

They're doing "passive analysis," which means just looking at the code. "Active analysis" would be, obviously, an actual attempt to hack (in order to expose security flaws, not to actually steal information).

They could prove their claims, then, by hacking the site. But that is itself illegal, and I guess for some reason I can't fathom Obama won't sign an Executive Order permitting them to hack the site (under supervision) to see just how vulnerable it is.

Instead, I guess, we'll just all roll the dice and let a smile be our umbrella.

Here's how Reuters spins the story-- that Republicans, rather than hackers and security experts, are trying to scare people about Healthcare.gov's lack of security.

Republicans warn of security flaws in Obamacare website

Republicans in Congress sought to showcase what they call major security problems with the Obamacare website HealthCare.gov on Thursday, just as U.S. officials ramp up a national campaign to persuade young adults to use the site to enroll in health insurance.

In a public messaging tug-of-war that will likely intensify in coming weeks, the Republican-led House of Representatives targeted the healthcare reform law in three separate oversight hearings. Two were geared toward Republican claims that HealthCare.gov remains vulnerable to hackers more than three months after its botched October 1 rollout.

Democrats accused Republicans of "cherry picking" partial information about the website to try and scare consumers away from it

See? It's just Republicans making these claims. Not experts. Just a politically-motivated attack Republicans just made up, you see.

Are LOLcats still a thing? I was told LOLcats were still a thing.

And, Open Blog.

posted by Ace at 07:38 PM

| Access Comments