The Obama administration hasn’t had the easiest of times in the rollout of its Affordable Health Care for America Act (commonly referred to as Obamacare) and its associated Websites led by Heathcare.gov. In addition, to site accessibility delays that have plagued Obamacare Websites since day one, security researchers are now also warning about potential risks.
Obamacare Websites include the primary U.S. government site at Healthcare.gov as well as individual state Websites. Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks, told eWEEK that he has concerns about many of the Obamacare sites and expects them to be juicy targets for attackers.
Adams stressed that he did not complete a comprehensive penetration testing exercise against any Obamacare site, as he did not have permission from the sites. However, he was able to passively ascertain security posture via a number of noninvasive activities.
At a high level, Adams said that the core Healthcare.gov site is built mostly on a Java stack and doesn’t have any obvious security red flags. When it comes to individual states, however, Adams has some concerns about the Kentucky health care site which he referred to as being “fairly buggy.”
“The biggest indicator is they expose a whole lot of information about how the back end is implemented through the client interface,” Adams said. “They’re also passing around implementation details like the private object names that are used throughout the application.”
The state of Vermont also exposes back-end details, and the state of Maryland was found in Adams’ analysis to not be using Secure Sockets Layer (SSL) encryption for some of its traffic. The use of SSL is critical as it limits the risk of data being read in the open by anyone.
XSS and SQL Injection
Two of the most common forms of Web attack today are cross-site scripting (XSS) and SQL injection, and Obamacare sites might well be at risk from both. Adams said that while he didn’t conduct a full analysis, he did throw some invalid inputs into the Obamacare sites to see what would happen.
An example of the invalid input is the use of letters instead numbers in a form field for phone numbers. Security researchers can learn a lot from how a system responds to invalid inputs.
“I got some strange error messages back that would indicate that things aren’t being validated properly,” Adams said. “If you see signs of bad input validation in one place, it’s usually an indicator that bad input validation exists elsewhere across the site.”
Without proper input validation, an attacker could potentially perform a SQL injection attack. Adams said he found evidence of bad input validation for the Vermont Obamacare site as well as the main Healthcare.gov site.
The error that Adams got on the Healthcare.gov site to the bad input was an “unhandled exception” error.
“If you can throw something at an application and it results in an error, then there is a good chance that if you craft the input value correctly, you can get the application to handle it improperly,” Adams said.
The Big Picture
Eric Cowperthwaite, vice president of advanced security and strategy at CORE Security (and former CISO at Providence Health) told eWEEK that healthcare.gov either maintains a significant amount of personally identifiable information or it is the gateway or interface to systems that do.
“Any system that contains large amounts of personally identifiable information could be the source of a massive breach,” Cowperthwaite said. “And the more complex the system is, the more likely there are significant vulnerabilities that can breached.”
In Cowperthwaite’s view, the even bigger smoking gun about Obamacare Website security is the various glitches, bugs and issues that are impacting system functionality today.
“Security is often defined as the confidentiality, integrity and availability of systems and data,” Cowperthwaite said. “Healthcare.gov has had quite well-documented problems with both availability and integrity.”
Issues with Healthcare.gov site availability however might also potentially be a good thing for security. Craig Carpenter, vice president of strategy at AccessData, told eWEEK that he would be surprised if the site’s security hadn’t already been compromised, perhaps many times over—even with a small population of users actually being able to get in.
“In fact, the site’s stability issues and lack of usability to this point may be its best security: Even hackers haven’t been able to get in long enough to make it work,” Carpenter said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.