healthcare.gov vulnerability?
Healthcare.gov used to have some very bad vulnerabilities, some of which
are still lying around in wait,
but --> https://www.ssllabs.com/ssltest/index.html
they've fixed it up since a while back.
However, that doesn't necessarily mean anything. One of the biggest
providers, Anthem (anthem.com) fails. (servers: openroadfromanthem (cert
not even valid), deploy.static.akamaitechnologies.com... 'F' grades,
ssltest) Supposedly people are getting connected to these health
insurance companies through healthcare.gov ~ real reassuring, right?
>>From: "[email protected]" <[email protected]>
>>To: jim bell <[email protected]
>
>>Jim,
>>And I wonder how all the tax preparation sites plus irs.gov are
>>waltzing with Heartbleed just now. April 15 is Tuesday...
>>--dan
>
> Yes, it's amazing how much security on the Internet is constructed on
> foundations of sand, 23 years (for example) after the writing of PGP.
> Organizations such as the NSA and CIA should be required to show that
> they are pulling their own weight, by discovering and fixing these kinds
> of bugs. After all, ostensibly they exist for the benefit of the
> citizenry of America, right? I would question the raison d'etre of the
> NSA if it found itself more interested in maintaining the existence of
> security bugs, than of closing them. The NSA can't claim that nobody else
> could find them or exploit them.
>
> As for my idea about healthcare.gov vulnerability: I thought of this many
> months ago, but I decided not to post it until the deadline had virtually
> expired. (Although, it wasn't like I thought I was the only one who could
> imagine such a thing!). I was amazed by the lack of discussion in the
> lamestream media about the potential vulnerabilities of people's personal
> data. But, even more obvious to me was the fact that healthcare.gov
> virtually invited people to enter false data: It refused to provide people
> information about health care plans until they had entered their own
> personal information. A person would be motivated to enter a mostly-fake
> set of data, solely for the purpose of getting access to the plans.
> And, there was a potential 'innocent reason': Systems like this might get
> 'stuck', making it difficult to correct data, and people might be tempted
> to initiate a new account, solely for the purpose of abandoning old data.
> I realized that depending on how well healthcare.gov had been written,
> a cracker with a script could upload thousands or even over a million
> accounts, presumably for the purpose of making the account-numbers look
> good.
>       Jim Bell