“When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” said David Kennedy, a so-called “white hat” hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.

“It’s really hard to go back and fix the security around it because security wasn’t built into it,” said Kennedy, chief executive of TrustedSec. “We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.”

According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by federal security authorities.

“The privacy and security of consumers’ personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” said an HHS spokesperson.

Another online security expert—who spoke at last week’s House hearing and then on CNBC—said the federal Obamacare website needs to be shut down and rebuilt from scratch. Morgan Wright, CEO of Crowd Sourced Investigations, said: “There’s not a plan to fix this that meets the sniff test of being reasonable.”



  1. Dallas says:

    Now I’m newly outraged.

    During brunch today my friends and I were celebrating the end of the website sign-up crisis. We were reflecting on where we were when the crisis broke. Now this security thing, which doesn’t sound like a good thing.

    #devastated

  2. ECA says:

    Lets see now…

    INSTEAD OF:
    taking bids to build the site, AS THEY ARE SUPPOSED TO..

    INSTEAD:
    they HIRE 2 crony companies to THROW something together..
    IT’S a piece of crap that can’t even figure out what it’s supposed to do..
    THEY FIX IT (same 2 companies that ARE SUPPOSED to know how this works)
    AND it’s STILL CRAP..

    I mentioned before that MOST states have set up sites already to deal with MEDICAID.. (state-run soc. sec.) and have been doing it for years..

    WHO would you call to set up a GREAT web site with HEAVY HEAVY security? Amazon? NEWEGG? EBAY??
    and those sites are SOOOO LARGE…they need GOOD security..
    And for what WE PAID for this…I want my money back..

    • ECA says:

      PS..
      for what they were PAID…everyone in the USA, would probably get $100 back..

      PSS..
      NOW you might THINK about who is feeding our PEOPLE IN WASHINGTON DC BS info on how the net works..
      AND how the NET FAILS..

      • Dipity DooDoo says:

        Think that’s something? Try reading a competent history book on the history of the Internet (although good luck finding one not written in extreme geek speak).

        Your tax dollars helped build what we now call the Internet. It was morphed from the old ARPANET (decommissioned in 1990) and NSFNET (decommissioned in 1995). So perhaps you’d like to ask why everyone now has to pay a PRIVATE ISP company to access it. Because it would seem that if our government had even an inkling of an idea how it all works we might have all been given some sort of free access to it (although probably limited access).

        Now, go sign up SLAVE!

  3. MikeN says:

    They don’t care if you are forced to submit to TSA invasion of privacy. Why should they care what you do here? The whole point of the system is to bankrupt insurance companies so they can push for you to submit to even more government control. Having privacy violations is a feature not a bug.

  4. MikeN says:

    Obama couldn’t write his own book within the 18-month deadline, kept making up excuses until the publisher asked for their $125,000 advance back. After not paying back the first publisher, he then got another publisher to pay him more money saying he would get it done. Finally turned to terrorist bomber Bill Ayers to finish his book.

    Why wait years, Mr President. Call Bill Ayers now and have him fix the website.

  5. MikeN says:

    Venezuela’s government set price controls on automobiles and is blaming others for sabotaging its plans. Production is at one third of capacity and Ford is selling 70,000 cars this year, down from over 100k last year. Now Venezuela is considering setting up a public option and selling their own cars directly.

    Why do I bring this up? Well apparently the website for buying your own car direct from the government is a security nightmare.

  6. Seth Griffin says:

    It’s horrendous to me that for my entire career as a software developer I’ve worked with teams of people who produce shoddy garbage like the healthcare website, but not because we wanted to.

    This shit is just normal to me. Maybe I’ve worked for some really bad companies but I couldn’t get anyone to give a flying fuck at the moon about security concerns let alone get them to allocate time for us to fix problems we knew about.

    Hell, once I was hassled over whether or not an SSL cert was needed…by the Product Development Manager!

    My point is that this just shows that the government is equally corrupt and incompetent as any company out there.

    • Tim says:

      Ah. Hemm. Dallas? Give Seth a hug for me?

    • Dallas says:

      Don’t mean to be crude, but you must really suck as a SW developer or have awfully bad luck if this is normal to you.

      Back in the day, I wrote amazing TCAS software at Allied Signal/Bendix and it had to be ironclad secure with lots of hassling Prod Dev managers. Since then, the cert process is even more stringent, yet easier to comply with at the vast majority of SW outfits – which do the vast majority of the work for our amazing, yet bloated, government.

      Trivia: Pres Obama has REDUCED gov employment >2.6 percent over the last three years which is a record..

      • ± says:

        ******
        Trivia: Pres Obama has REDUCED gov employment >2.6 percent over the last three years which is a record..
        ******

        If this is true, then no doubt it is because the use of outside contractors increased 5.2%.

        • Dallas says:

          Why are you for big government and against private enterprise?

          Take your headset off and listen to all the great things happening because of President Obama (two term President).

          50% reduction in deficit, smaller government, killed Osama. I can go on but you get my point.

  7. sargasso_c says:

    Take an assurance from a vested security expert in a suit with a very big pinch of salt.

  8. Robert James Randolph III says:

    https://www.trustedsec.com/files/CONGRESS_Hearing_HealthCareSEC_FINAL_v1.1.pdf

    Here’s the actual report his company put together. I can’t comment on their ‘Undisclosed Exposures’, but most of the rest of it is bullshit. They only identified a couple of legit concerns (such as the password reset issue and the username enumeration) and those have already been fixed.

    There could actually be real security holes, but it’s going to take access to the source code or somebody much smarter than this bozo to find them.
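The two concerns the comment above concedes as legitimate, username enumeration and a password-reset weakness, are general classes of flaw, so the following is an added illustration of the class and its fix, not code from HealthCare.gov, from TrustedSec’s report, or from anyone in this thread, and it makes no claim about how that site was actually built. The account store, the handler functions and the candidate usernames are all constructed for the demo. It shows a login and a password-reset handler that leak account existence through differing messages (and, for the login, through an early return that skips the password hash), an attacker oracle that turns that difference into a list of valid accounts, and hardened versions that return one message for every failure and do the same hashing work on every path.

```python
"""Username enumeration through login and password-reset handlers, and the
uniform-response fix.

Added illustration for this thread: NOT code from HealthCare.gov or from
TrustedSec's report, and no claim about how that site was built. The account
store, handlers and candidate usernames are constructed for the demo.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 50_000
_SALT = b"fixed-demo-salt"  # one fixed salt so the demo is deterministic


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample account store: username -> (salt, PBKDF2 hash).
ACCOUNTS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
    "bob": (_SALT, _hash_password("battery staple", _SALT)),
}
# Verified when the username is unknown, so that path costs the same PBKDF2
# work as the known-user path and cannot be told apart by response time.
_DUMMY_HASH = _hash_password("not-a-real-password", _SALT)


def login_vulnerable(username: str, password: str) -> str:
    """Two distinct failure messages plus an early return for unknown users:
    the message (and the timing) tell the caller whether the account exists."""
    if username not in ACCOUNTS:
        return "unknown username"
    salt, stored = ACCOUNTS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    return "wrong password"


def login_hardened(username: str, password: str) -> str:
    """One failure message for every cause, and the same hashing work whether
    or not the username exists."""
    salt, stored = ACCOUNTS.get(username, (_SALT, _DUMMY_HASH))
    valid = hmac.compare_digest(_hash_password(password, salt), stored)
    if username in ACCOUNTS and valid:
        return "ok"
    return "invalid credentials"


def reset_vulnerable(username: str) -> str:
    """Password-reset request that confirms or denies account existence."""
    if username not in ACCOUNTS:
        return "no account with that username"
    return "reset link sent"  # mail delivery omitted


def reset_hardened(username: str) -> str:
    """Same message either way; the mail (omitted) goes only to real accounts."""
    if username in ACCOUNTS:
        pass  # send the reset link
    return "if that account exists, a reset link has been sent"


def enumerate_usernames(probe, candidates):
    """Attacker's oracle. `probe` maps a username to the server's response;
    any candidate whose response differs from that of a username that
    certainly does not exist is reported as a real account."""
    baseline = probe("no-such-user-" + secrets.token_hex(8))
    return sorted(u for u in candidates if probe(u) != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print(enumerate_usernames(lambda u: login_vulnerable(u, "guess"), names))  # ['alice', 'bob']
    print(enumerate_usernames(lambda u: login_hardened(u, "guess"), names))    # []
    print(enumerate_usernames(reset_vulnerable, names))                        # ['alice', 'bob']
    print(enumerate_usernames(reset_hardened, names))                          # []
```

The oracle only compares response bodies; a real attacker would also compare status codes, headers and response time, which is why the hardened login hashes against a dummy record instead of returning early. A uniform message does not remove the need for rate limiting on both endpoints, and the reset flow still confirms existence to whoever controls the mailbox, which is the intended recipient.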


