According to Reuters, computer security experts will testify before Congress today that the problems with Healthcare.gov are much more serious than that.
According to David Kennedy, head of computer security consulting firm TrustedSec LLC, hackers could steal personal information, modify data or attack the personal computers of the website’s users. They could also damage the infrastructure of the site.
Kennedy said he last week presented technical details describing the vulnerabilities in the site to seven independent cyber security experts, who reviewed videos of potential attack methods as well as logs and other documentation.
They wrote notes to the House Committee saying they were concerned about the site’s security, which Kennedy provided to Reuters and will be released on Thursday to the committee led by Republicans who oppose the Affordable Care Act.
(…) “The site is fundamentally flawed in ways that make it dangerous to people who use it,” said Kevin Johnson, one of the experts who reviewed Kennedy’s findings.
Johnson said that one of the most troubling issues was that a hacker could upload malicious code to the site, then attack other HealthCare.gov users.
“You can take control of their computers,” said Johnson, chief executive of a firm known as Secure Ideas and a teacher at the non-profit SANS Institute, the world’s biggest organization that trains and certifies cyber security professionals.
On the bright side, that is good news for the folks at MSNBC, as now they have an excuse when one of their hosts makes a disgusting on-air comment. They could say the teleprompter must have been hacked via Healthcare.gov.
Kennedy said he learned of that particular attack method from another security researcher who had identified and tested it.
Yet Kennedy said he identified many other problems on his own, conducting what is known as “passive analysis” of the site, by using an ordinary Web browser and other software tools to look at HealthCare.gov’s content and architecture from the outside.
He said he did not take the additional step of hacking into the site to look for other problems because he did not have permission from the government.
“Anybody who brings testimony that says there is a vulnerability on HealthCare.gov is only speculating unless they have actually executed the code, at which point they are hacking a government website and that would be illegal,” said Krush, who will also testify before the committee on Thursday.
Krush said he has not reviewed Kennedy’s findings or done any work on the HealthCare.gov site itself.
It is also important to keep in mind that to this date there has been no hacking of the Obamacare website, but that doesn’t necessarily mean it cannot be hacked.