Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Obamacare Website Suffers Few Hack Attacks

Affordable Care Act site has faced a relatively low volume of attacks, compared with other federal websites.

The beleaguered healthcare.gov website has scored a victory -- of sorts -- on the information security front: It's been targeted by online attackers only a small number of times -- far fewer than most US government websites.

Those attack-volume details became public Wednesday, when Roberta Stempfley, acting assistant secretary of the Department of Homeland Security's Office of Cybersecurity and Communications, told a House committee that based on reports -- largely from the Department of Health and Human Services, which under the Affordable Care Act (ACA) is in charge of implementing and managing the federal healthcare.gov website -- there have been just over a dozen cyber-attacks against healthcare.gov.

"We received about 16 reports from HHS that are under investigation and one open source report about a denial of service," said Stempfley. The open source report was apparently referring to an attack tool named "Destroy Obama Care!" that promised to launch distributed-denial-of-service (DDoS) attacks against healthcare.gov, and which had been offered for download through some social media sites.

[ What do companies do when they think passwords have been compromised? Read Facebook Forces Some Users To Reset Passwords. ]

Stempfley said that DDoS attack effort had failed.

For comparison's sake, how do the attacks against healthcare.gov stack up against other sites? One unnamed DHS official told ABCNews.com that the DHS website saw "228,700 cyber incidents" during 2012, which if averaged out equals about 626 attacks per day "involving federal agencies, critical infrastructure, and the department's industry partners."

The attack volume aside, members of the House Homeland Security Committee continued to ask: Is healthcare.gov secure?

In his opening remarks, Rep. Michael McCaul (R-Texas), the committee chair, called for the ACA to be halted until the kinks were ironed out of healthcare.gov. "We have a website that doesn't work," he said. "It seems to me that it ought to be delayed until that website is functional ... [and] we can receive assurances from the administration that these websites are secure, because of the personal data that's being put into them, into the exchanges."

Furthermore, asked McCaul, why wasn't Centers for Medicare and Medicaid Services (CMS), which is part of HHS and directly responsible for implementing healthcare.gov, working closely with DHS to protect the healthcare portal? "DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of healthcare.gov, the Health Exchanges, or the Federal Data Services Hub," McCaul said. "The only contact between DHS and CMS consisted of two emails and one phone call."

But Stempfley disagreed, saying that's not how government security efforts unfold. "It is not typical for a department or agency as they're building a specific application to involve DHS," she said. Furthermore, she noted, DHS shares extensive information security information with a number of agencies' CIOs and CISOs via the US government's CIO Council and CISO Advisory Councils. "We regularly communicate about threats in those forums," she said.

Even so, more advanced discussions are now underway, Stempfley told McCaul, including DHS detailing which of its "portfolio of capabilities and services" CMS might want to use for healthcare.gov. She said those discussions commenced on August 28 -- just one month before the healthcare portal's launch -- when the CISO of CMS approached DHS. Since then, however, the agency "has not yet received a specific request from CMS relative to the ACA systems, and has not provided technical assistance to CMS relative to ACA systems."

After the hearing, McCaul continued to question whether the healthcare.gov site was securely storing users' email addresses, phone numbers, birthdates, social security numbers, and personal health information. "This is a goldmine for hackers," McCaul told Reuters.

Metrics, data classification, governance, compliance, and your vendors, are all part of the risk management equation. The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make them fit and work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.