Vulnerabilities / Threats
11/8/2013
11:11 AM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Threaten Destruction Of Obamacare Website

DDoS tool targets the federal Affordable Care Act website. But will it work?

20 Great Ideas To Steal In 2013
20 Great Ideas To Steal In 2013
(click image for larger view)

"Destroy Obama Care!"

That's the not-so-subtle name of a homegrown distributed denial-of-service (DDoS) attack tool that's being advertised for download on some social networks, and which promises to overwhelm the Healthcare.gov website.

"This program continually displays alternate page of the ObamaCare website. It has no virus, Trojans, worms, or cookies. The purpose is to overload the ObamaCare website, to deny serivce [sic] to users and perhaps overload and crash the system," reads the program's grammar- and spelling-challenged "about" screen. "You can open as many copies of this program as you want. Each copy opens multiple links to the site."

"ObamaCare is an affront to the Constitutional rights of the people," it adds. "We HAVE the right to CIVIL disobedience!"

This is hardly the first DDoS attack tool designed to right perceived political wrongs, according to Marc Eisenbarth, research manager at DDoS defense firm Arbor Networks. "This application continues a trend [Arbor] is seeing with denial-of-service attacks being used as a means of retaliation against a policy, legal rulings or government actions," he said in a blog post.

Indeed, by 2011, Arbor was reporting that half of all DDoS attacks seemed to be driven by ideological motives. Some recent examples have included attacks against everyone from U.S. financial institutions and the Vaticanto Mexican drug cartels and North Korean government sites.

In this case, the anti-Obamacare DDoS tool, which is written in Delphi, is designed to launch numerous layer seven -- application-layer -- requests to the Affordable Care Act website (www.healthcare.gov) as well as the site's contact page (www.healthcare.gov/contact-us). The intent is to overwhelm the sites with traffic, making them inaccessible to would-be insurance buyers.

Could this attack application be the nail in the coffin for the Healthcare.gov insurance exchange website, which has faced a rocky launch since its Oct. 1 rollout? The fallout from the botched launch has already lead to the CIO of the Centers for Medicare & Medicaid Services deciding to defect to the "private sector"for an undisclosed position, and President Obama continually promising that the site's kinks will soon be worked out.

Eisenbarth said this DDoS tool most likely can't deliver what it promises. "The request rate, the non-distributed attack architecture and many other limitations make this tool unlikely to succeed in affecting the availability of the healthcare.gov site," he said. Furthermore, he noted that to date, Arbor has seen no "active use of this software."

In part, the tool's apparent inability to take down targeted Healthcare.gov websites demonstrates how grassroots DDoS attacks often face an uphill battle, owing to either technical problems or a lack of a critical mass of participants. Indeed, even some past, large-scale DDoS attacks launched by the hacktivist collective Anonymous didn't succeed in overwhelming targeted sites until -- reportedly -- bot-master benefactors temporarily brought legions of "zombie" PCs to bear on targeted sites.

What of the "Destroy Obama Care!" tool's premise that it allows users to exercise their right to civil disobedience? On this front, the tool's author has read his or her U.S. legal code incorrectly. Indeed, U.S. law enforcement agencies have vigorously prosecuted people who launch DDoS attacks against any website.

For example, after a DDoS tool called Low Orbit Ion Cannon(LOIC) was released under the Anonymous banner in 2010, many users found out -- the hard way -- that the tool didn't mask their IP address. As a result, when users turned the tool on websites designated for attack by Anonymous IRC chat-room operators during Operation Payback, many inadvertently transmitted not only attack packets, but their IP address.

In short order, attacked businesses -- which included MasterCard, PayPal and Visa -- reportedly shared their network logs with the FBI, which traced the IP addresses back to service providers' subscribers, and began arresting suspected LOIC users. Those arrests have been ongoing, and last month, the Department of Justice indicted 13 more men who allegedly used LOIC in 2010 and 2011 as part of Operation Payback.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 4   >   >>
proberts551
50%
50%
proberts551,
User Rank: Apprentice
11/11/2013 | 5:28:33 PM
re: Hackers Threaten Destruction Of Obamacare Website
I agree with you, except the voting part. I know for a fact our voting is manipulated with my experience with the Norm Coleman / Al Franken deboggled election. Franken won because of fraud, but was still alllowed to stay in office. The voting was manipulated, and now with 20 million non documented ilegals in the country, No voter I.D., our laws are not being inforced to keep them from voting. Why couldnn't dishonest people manipulate voting machines? They can, we had voting machines the voted for Obama, when Romny was selected. It would sure be nice if it was as easy as voting people out.
rradina
50%
50%
rradina,
User Rank: Apprentice
11/11/2013 | 5:15:42 PM
re: Hackers Threaten Destruction Of Obamacare Website
I had a similar experience. What could have happened to you is the same thing I had happen. I've had my current physician for about ten years. I am currently taking statin and blood pressure prescriptions. Even though my cholesterol and blood pressure have been managed by these medications, about four years ago he told me he was going to order a much broader panel of blood tests that look for various diagnosis markers in my system. The markers would provide him information regarding my predisposition to heart disease and diabetes. I asked him what these tests cost and he assured me that my out of pocket would be roughly the same as the "typical blood tests".

My first surprise was when the nurse started drawing blood. Instead of the typical one or two vials, she took six (perhaps as many as eight -- I lost count). My next surprise came when bills showed up at my house. Instead of using local labs, he had sent blood work to three different testing facilities in California. Overall, the total cost for all the tests at the labs cost upwards of $5,000. Since my primary care physician ordered them, the insurance company ended up paying for most of that expense. Unfortunately and to my surprise, a deductible applied and my HSA was completely exhausted. Normally doctors office visits and preventive care are 100% covered with no deductible or copay. I also ended up getting billed by one of the labs for about $500.

I was pretty steamed and later discovered that this was yet another way to game the system. My doctor apologized and even contacted the lab on my behalf to get me a refund of the out-of-pocket expenses I had incurred. Unfortunately the refund was never made and when I explained that it's not just my OOP but the HSA money, the doctor shrugged.

Regardless, I still wasn't a true consumer. Even thought he HSA money was exhausted, I took comfort in the fact that my annual deductible was now over and anything that happened the rest of the year would be deductible free.

Then I discovered a game that the insurance company played. Even though they covered the expense because my primary care physician prescribed it, they considered it out of network. In network and out of network have separate deductibles and my out of pocket and the amount they paid were not applied to future in network activity. Of course I didn't discover this until one of my kids needed an outpatient procedure to remove a cyst inside their cheek. Here came the deductible. Luckily since the company contributed funds to the HSA I was also able to commit money to an FSA to help defer these costs. Of course that isn't free. FSA comes out of my pocket but with the advantage of lowering my AGI since its pre-tax.

FSA is just another game. It's almost like a "favor" from congress to a group of business people who wanted to create a new industry that managed healthcare expenses and tax deductions. IMO -- an example of corporate welfare not unlike the DMV satellite offices in my state. The state purposely doesn't provide enough DMV offices. Instead it grants political favors to campaign contributors to run private DMV offices that are then allowed to charge a fee on top of what the state charges for license renewals and so forth. It's a small fee $2, $4 or a bit more depending on what you need. More corporate welfare. They also offer an on-line method which, surprise, surprise, also has a fee. My gues si the on-line site is run by a private benefactor and that's why the fee is charged. I cannot imagine the state creating a web site and it not being cheaper for them to allow thousands of folks to use it instead of the state run office that require property, equipment and labor. I'm sure someone might read this and say otherwise but don't believe what they say. It's just another game to reach into our pockets by professional politics.
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
11/11/2013 | 4:08:47 PM
re: Hackers Threaten Destruction Of Obamacare Website
"This isn't sustainable and I don't see anything in the AHCA that changes
how the medical community games the system. To be clear, I don't
necessarily blame the medical community. They aren't doing anything
illegal but I wonder what their oath says about what they are doing?"

This resonated with me. Not too long ago, it cost me nearly $1000 to have routine blood work as part of my annual physical-- and I have health insurance! I was flabbergasted at the time, but this was shortly before the report came out that detailed how hospitals only a few miles apart charge drastically different prices for the same procedure. Confirmation of the helter-skelter nature of medical pricing made me furious. As you say, I wonder what they think of their oath. "Do no harm?" Being complicit in a pricing system that discourages people to go to the doctor isn't exactly doing "no harm." It's only one symptom of the illness that pervades the entire health care system, and like you, I can't easily blame individual doctors. But talk about a broken system.
rradina
50%
50%
rradina,
User Rank: Apprentice
11/11/2013 | 4:05:11 PM
re: Hackers Threaten Destruction Of Obamacare Website
You hit the nail on the head. We need to be consumers of healthcare. What we have now and what the AHCA reinforces is similar to the good intentions of the 401k plan. Boat loads of cash flowing into a market that isn't properly regulated and anything but free. In fact, it's guaranteed revenue and that always attracts corruption.

What I don't understand is 10 minutes later you argue that patents are what's killing healthcare.

While patents can also be used by the corrupt, if the 99% had to pay $250/month for some claimed wonder drug, how many would choose to do that? Sure, the 1% might even pay $1,000 but that's still not enough patients to convince pharma to invest. They need the entire population to be eligible so they can get millions of patients paying $250/month. The patent system isn't creating this game and patents serve a good purpose.

What needs to be fixed is firms who are patent trolls. An easy fix is require a patent to be used in an actual product within a few years by the firm that owns it. Otherwise the patent enters the public domain. That would end the trolls and force patent holders to at least sell to a company that will create a product. Plus when a patent is sold, the patent office should require licensing to competitors. Only the original inventor should be granted exclusivity when their company builds the product. I'm sure there would be loop holes with this approach where inventors are then forced to create paper-companies that are purchased and kept alive for no other purpose than to enable a company with deep pockets to fund a product and leverage exclusivity. However, it's a start over what we have now which is ridiculous.
zman58
50%
50%
zman58,
User Rank: Apprentice
11/11/2013 | 3:43:19 PM
re: Hackers Threaten Destruction Of Obamacare Website
It is how it is being done that is evil. Obamacare basically mandates how healthcare must be provided and forces the middle class to pay for the expansion of it. Big insurance businesses and healthcare providers win because risks are mitigated at the expense of the public--in particular the middle class.

Healthcare costs will continue to rise unchecked because Obamacare provides a pro-motive conduit for higher prices, more costs, and broader coverage. It does the opposite of reducing costs; It invites higher costs of goods and services by provide an even greater flow of money towards the providers.

Have you checked the prices on the exchanges in comparison to traditional plans? Costs are far higher for the vast majority of people.
rradina
50%
50%
rradina,
User Rank: Apprentice
11/11/2013 | 3:38:55 PM
re: Hackers Threaten Destruction Of Obamacare Website
Good points and I agree -- we shouldn't throw it out. We're too far into it and we need to try to fix it. If we can fix the parts that aren't working, it will at least be a slightly better mess than what we have now. However, I still don't think its sustainable.

If we don't want a single payer system, the only sustainable option seems to be one where people are consumers of healthcare. When someone is prescribed a $250/month Rx and pays a $25 copay, they are not a consumer. When someone is told to get an MRI and even with a 20% copay they don't check prices and realize the hospital charges $3,000 and a dedicated facility $600, they are not consumers. Yes -- even though their out of pocket is $600 vs. $180, most don't bother to compare. They simply allow their physician to schedule the appointment for them. The medical community also makes it difficult to compare because they don't want a free market. If the truth was known, a reasonable cost for an MRI is probably $100 at the hospital, where underlying expenses can be spread over a much more diverse set of services. If $100 is fantasy, how can a dedicated facility retire it's capital debt (they had to buy an expensive piece of tech), hire dedicated technicians and office staff to navigate the insurance claim submission maze, rent a office space and still not make a SIGNIFICANT profit when charging only $600? There has to be tremendous profit -- otherwise who would invest in an independent facilities that might break even or make peanuts? In a truly competitive environment, the hospital should always win since their underlying costs can always be spread over a much more diversity than an independent facility that only exists to perform one procedure. (i..e think Wal-Mart vs. a mom-n-pop five and dime.)

This isn't sustainable and I don't see anything in the AHCA that changes how the medical community games the system. To be clear, I don't necessarily blame the medical community. They aren't doing anything illegal but I wonder what their oath says about what they are doing?

I also have a friend who sells goods and services to hospitals. From his perspective, the hospitals have told him they don't make any money. In fact, he says money is very tight at hospitals and he always has a tough sell. Frankly, I find that hard to believe given the fact that the hospitals in my area are always under construction (adding new wings, departments and physician facilities) and outpatient surgery centers have come into existence that are owned by physician groups. Who is loaning these facilities money to make these capital investments when their business plans all say they will never make a profit? Are we to believe medical investment folks and Twitter investors are one in the same? Really?
zman58
50%
50%
zman58,
User Rank: Apprentice
11/11/2013 | 3:28:49 PM
re: Hackers Threaten Destruction Of Obamacare Website
There is only one workable solution to health care costs, but the powers to be do not want to change anything. Making tons of money off of the middle class is more important to them than actually creating a system where costs of healthcare goods and services is manageable.

The costs of healthcare goods and service should be affordable to typical middle class Americans without paying a cent in health care insurance. Seriously the cost of staying in a hospital and receiving care should be manageable without insurance. Every wonder why this is not the case?

The only solution is patent reform, real patent reform, specifically get rid of the patents. Because of the patent system we have monopolized goods and services that result in prices that continue to spiral up and up. Only if and when the current patent system (legalized monopoly) is seriously halted can this change.

So instead of making the changes necessary to reduce costs of goods and services we end up with laws, such as Obamacare, that mandate propping up the very model that has created this mess--the patent system.
jvanbeek
50%
50%
jvanbeek,
User Rank: Apprentice
11/11/2013 | 3:20:48 PM
re: Hackers Threaten Destruction Of Obamacare Website
Please don't attack healthcare.gov and give the administration an excuse for it not working. They are doing a great job on their own!
zman58
50%
50%
zman58,
User Rank: Apprentice
11/11/2013 | 3:17:13 PM
re: Hackers Threaten Destruction Of Obamacare Website
In the US, hospitals have always cared for people, anyone. Even when you have nothing to your name and go to the hospital, you get care. They are required by law to care for you. If they are unable to collect, they they write off the expenses as a loss. This is already established and has been this way for many years. When big-business health and insurance companies bought hospitals over the past 20 years, they decided things need to change.

Obamacare changes the landscape of who pays, not who gets care. With Obamacare, the middle class and healthy foot the bill-while the entire system is expanded to cover new risks and expenses. Obamacare is basically a law that states you must buy health care coverage, even if you don't want or need it. This allows the insurance companies and for-profit healthcare providers to enrich themselves even further. Under Obamacare, if you don't buy health care coverage you get fined.

Obamacare does nothing to limit costs of health care. It is far from free. In fact, it provides an endless unchecked flow of money to increase the costs of health care--by fleecing the middle class. I have noticed that, without doubt, health care on the exchanges costs far more than traditional plans outside of the exchange. So much for free health care, it is not happening here and Obamacare has nothing to do with "free".

Years ago many hospitals were Christian non-profit organizations. Now they are operated and controlled by large for-profit entities who want to profit from these businesses and have the influence in Washington to make it happen--hence Obamacare. The rich get richer, the poor get poorer and the middle class foot the entire bill. Only in the US.
rradina
50%
50%
rradina,
User Rank: Apprentice
11/11/2013 | 3:10:36 PM
re: Hackers Threaten Destruction Of Obamacare Website
Those "checks and balances" are a false sense of security. While Lincoln may have a point about fooling all of the people, all the time, it's just a technicality. The DC establishment is quite adept at fooling a significant majority of voters all the time. That's all that matters and out the window goes those checks and balances.

The AHCA/Obamacare is not evil. It does have good things such as removal of preexisting conditions, removal of lifetime maximums and ending the threat of being cancelled if you get an "expensive" illness. All of these have been abused by insurance companies to bankrupt families and leave the medical community holding the bag. However, the entire law was ill-conceived and passed in a complete partisan manner.

America is a land of great diversity. We should be skeptical when anything is passed without significant compromise that garners bi-partisan approval. Even though I'm a moderate and I don't typically vote for the folks who passed this bill and even though they admit they didn't understand it, I hope that we can discover it's flaws and move to quickly fix them. I don't think starting over is smart. Let's fix what's wrong with it rather than throw it out.

Unfortunately there doesn't seem to be ANY spirit of compromise on either side and we should all brace ourselves for another round debt ceiling pandering. To put us all at ease, I urge everyone to become educated about this topic. We all must understand the difference between a hitting a debt ceiling, a TRUE government shutdown and defaulting on our national debt.

Our government has plenty of annual income to make the interest payment on the current debt. About ~$3 trillion this year and the interest on our current debt is about ~$250 billion. Other than by deliberate choice and/or complete incompetence, there's no reason that we cannot continue to pay our obligations on our national debt. In fact, depending on how Amendment 14 S4 is interpreted, it's probably unconstitutional to default on our debt. It's just the DC establishment demonstrating its ability to fool a majority of voters. Don't believe what I write. Go find out for yourself. Maybe you will interpret things differently. I welcome the debate.
<<   <   Page 2 / 4   >   >>
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.