Hackers throw 16 attacks at HealthCare.gov plus a DoS for good measure


Hackers have thrown about 16 attacks at the US's HealthCare.gov website, a top US Department of Homeland Security (DHS) official says.

According to CNN, Acting Assistant Homeland Security Secretary Roberta Stempfley of the Office of Cybersecurity and Communications says that the attacks, now under investigation, all failed.

Ms. Stempfley testified at a hearing of the House Homeland Security (HHS) Committee, saying that the attempts were made between 6 and 8 November, but that none were successful.

Authorities are also investigating a separate report of a denial of service (DoS) tool designed to bombard the healthcare site with more requests than it can handle without going belly-up.

The tool was spotted for download from a few sites and mentioned in social media, as Arbor Networks researcher Marc Eisenbarth first described in a blog posting on 7 November.

Eisenbarth wrote at the time that there's been no evidence that HealthCare.gov has been subjected to any significant denial of service attacks since it went live in October.

He also said that the detected tool's request rate, non-distributed attack architecture and other limitations mean that the tool is "unlikely to succeed in affecting the availability of the healthcare.gov site."

The tool is designed to put a strain on the site by repeatedly alternating requests to the https://www.healthcare.gov and https://www.healthcare.gov/contact-us addresses.

If the tool were to make enough requests over a short period of time, it could overload some of the applications that the site relies on to make timely responses.
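The behaviour described above (one non-distributed source flipping between the site root and /contact-us) leaves a recognisable trace in web access logs. As an added example, not code from the article or from Arbor Networks, this Python code flags that pattern; the log format, the constructed sample lines, the thresholds and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+')
TARGETS = {"/", "/contact-us"}  # the two paths the article says the tool alternates between

def build_sample():
    """Constructed sample log (documentation-range IPs, made-up paths and sizes)."""
    fmt = '{ip} - - [07/Nov/2013:10:{m:02d}:{s:02d} +0000] "GET {p} HTTP/1.1" 200 5120'
    lines = []
    for i in range(8):
        p = "/" if i % 2 == 0 else "/contact-us"
        # 198.51.100.7: eight alternating requests within one second
        lines.append(fmt.format(ip="198.51.100.7", m=0, s=i // 4, p=p))
        # 192.0.2.4: same alternation, but only one request per minute
        lines.append(fmt.format(ip="192.0.2.4", m=i, s=0, p=p))
        # 203.0.113.9: fast, but also browses a page outside the two targets
        lines.append(fmt.format(ip="203.0.113.9", m=0, s=i // 4, p=p if i < 6 else "/other-page"))
    return "\n".join(lines)

def parse(log_text):
    """Yield (ip, timestamp, path without query string) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.split("?")[0]

def find_alternators(log_text, min_requests=6, min_rate=1.0, min_alt_ratio=0.9):
    """Return {ip: (requests, requests_per_second, alternation_ratio)} for flagged clients."""
    by_ip = defaultdict(list)
    for ip, ts, path in parse(log_text):
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])  # stable sort keeps log order within one second
        paths = [p for _, p in hits]
        if len(paths) < min_requests or not set(paths) <= TARGETS:
            continue  # too few requests, or the client visits other pages too
        flips = sum(1 for a, b in zip(paths, paths[1:]) if a != b)
        alt_ratio = flips / (len(paths) - 1)
        span = (hits[-1][0] - hits[0][0]).total_seconds() or 1.0
        rate = len(paths) / span
        if alt_ratio >= min_alt_ratio and rate >= min_rate:
            flagged[ip] = (len(paths), round(rate, 2), round(alt_ratio, 2))
    return flagged

if __name__ == "__main__":
    print(find_alternators(build_sample()))
```

Because the tool is not distributed, grouping by source address is enough here; the rate threshold is what separates it from a visitor who merely views both pages.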

Eisenbarth said that the tool follows a recent trend wherein DoS attacks are used as tools of social or political protest, in retaliation against a policy, legal rulings or government actions.

Here's the text from a screenshot of the tool:

Destroy Obama Care.

This program continually displays alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.

The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.

You can open as many copies of the program as you want. Each copy opens multiple links to the site.

ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience!

At any rate, the tool doesn't appear to have been activated.

Dan Holden, director of security research for Arbor Networks, told CNN that the site's availability problems don't seem to have been caused by the "Destroy Obama Care" tool:

We have not monitored any attacks. We have not seen any sizable, or anything to believe that these problems are related to DDOS. I don't believe that the problems with the site's availability is due to any kind of DDOS attack.

CNN also reports that a top Health and Human Services official, Chief Information Officer Frank Baitman, said in a separate hearing that his department had engaged an ethical hacker to perform penetration testing of the site - i.e., testing that simulates internal and external attacks that can then be used to evaluate computer and network defenses.

One would sure like to believe that the US government has enough security expertise on staff to limit the number of gaping holes a pen test would reveal.

And, indeed, Baitman said that the pen tester described between 7 and 10 items related to attempted security breaches, none of which Baitman said he would describe as serious, and most of which had been resolved.

Others have testified before HHS regarding "subpar" website design - assuredly a grievous accusation from a taxpayer's perspective, given that the site cost millions of dollars, if not hundreds of millions.

If the US government wants to spare us from paying through the nose to pen-test that deluxe-but-creaky site, they might want to do us all a favor and check out these tips on how to manage cost-effective pen testing.

Just a thought!

Image of Caduceus courtesy of Shutterstock.


7 Responses to Hackers throw 16 attacks at HealthCare.gov plus a DoS for good measure

  1. ScottK · 694 days ago

    Lol the only DoS the healthcare site's experienced came from its own programming and 3 people trying to use it at the same time.

  2. Jim · 693 days ago

    What about the fact that their SSL cert leaks all of the hostnames to other related sites and their Dev/QA/Preprod environments?

    Seriously, are they really too lazy to get a separate cert for production?

  3. jack · 693 days ago

    How exactly does one do a DoS test against a site that doesn't work?

  4. NoSpin1600 · 693 days ago

    Why risk possible prosecution by trying to attack the healthcare site when it was non-functional all on its own?

  5. Anonymous · 691 days ago

    Cyber attacks are NEVER an act of civil disobedience. They're criminal, period. Nothing civil about them.

  6. Anonymous · 685 days ago

    After the FBI hacks and untold numbers of others, how can one ever state, "One would sure like to believe that the US government has enough security expertise on staff to limit the number of gaping holes a pen test would reveal."


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.