healthcare.gov vulnerability?

Odinn Cyberguerrilla odinn.cyberguerrilla at riseup.net
Fri Apr 11 11:28:07 PDT 2014


Healthcare.gov used to have some very bad vulnerabilities.  Some of which
are still lying around in wait, but they've fixed it up since a while back
(see --> https://www.ssllabs.com/ssltest/index.html).

However, that doesn't necessarily mean anything. One of the biggest
providers, Anthem (anthem.com), fails.  (Servers: openroadfromanthem (cert
not even valid), deploy.static.akamaitechnologies.com... 'F' grades on
ssltest.)  Supposedly people are getting connected to these health
insurance companies through healthcare.gov ~ real reassuring, right?



>> From: "dan at geer.org" <dan at geer.org>
>> To: jim bell <jamesdbell9 at yahoo.com>
>>
>> Jim,
>> And I wonder how all the tax preparation sites plus irs.gov are
>> waltzing with Heartbleed just now.  April 15 is Tuesday...
>> --dan
>
> Yes, it's amazing how much security on the Internet is constructed on
> foundations of sand, 23 years (for example) after the writing of PGP.
>  Organizations such as the NSA and CIA should be required to show that
> they are pulling their own weight, by discovering and fixing these kinds
> of bugs.  After all, ostensibly they exist for the benefit of the
> citizenry of America, right?  I would question the raison d'etre of the
> NSA if it found itself more interested in maintaining the existence of
> security bugs, than of closing them.  The NSA can't claim that nobody else
> could find them or exploit them.
>
> As for my idea about healthcare.gov vulnerability:  I thought of this many
> months ago, but I decided not to post it until the deadline had virtually
> expired.  (Although, it wasn't like I thought I was the only one who could
> imagine such a thing!).   I was amazed by the lack of discussion in the
> lamestream media about the potential vulnerabilities of people's personal
> data.  But, even more obvious to me was the fact that healthcare.gov
> virtually invited people to enter false data: It refused to provide people
> information about health care plans until they had entered their own
> personal information.  A person would be motivated to enter a mostly-fake
> set of data, solely for the purpose of getting access to the plans.
> And, there was a potential 'innocent reason':  Systems like this might get
> 'stuck', making it difficult to correct data, and people might be tempted
> to initiate a new account, solely for the purpose of abandoning old data.
> I realized that depending on how well healthcare.gov had been written,
> a cracker with a script could upload thousands or even over a million
> accounts, presumably for the purpose of making the account-numbers look
> good.
>
> Jim Bell