Hackers have thrown about 16 attacks at the US’s HealthCare.gov website, a top US Department of Homeland Security (DHS) official says.
According to CNN, Acting Assistant Homeland Security Secretary Roberta Stempfley of the Office of Cybersecurity and Communications says that the attacks, now under investigation, all failed.
Ms. Stempfley testified at a hearing of the House Homeland Security (HHS) Committee, saying that the attempts were made between 6 and 8 November, but that none were successful.
Authorities are also investigating a separate report of a denial of service (DoS) tool designed to bombard the healthcare site with more requests than it can handle without going belly-up.
The tool was spotted for download from a few sites and mentioned in social media, as Arbor Networks researcher Marc Eisenbarth first described in a blog posting on 7 November.
Eisenbarth wrote at the time that there’s been no evidence that HealthCare.gov has been subjected to any significant denial of service attacks since it went live in October.
He also said that the detected tool’s request rate, non-distributed attack architecture and other limitations mean that the tool is “unlikely to succeed in affecting the availability of the healthcare.gov site.”
The tool is designed to put a strain on the site by repeatedly alternating requests to the https://www.healthcare.gov and https:www.healthcare.gov/contact-us addresses.
If the tool were to make enough requests over a short period of time, it could overload some of the applications that the site relies on to make timely responses.
Eisenbarth said that the tool follows a recent trend wherein DoS attacks are used as tools of social or political protest, in retaliation against a policy, legal rulings or government actions.
Here’s the text from a screenshot of the tool:
Destroy Obama Care.
This program continually displays alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.
The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.
You can open as many copies of the program as you want. Each copy opens multiple links to the site.
ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience!
At any rate, the tool doesn’t appear to have been activated.
Dan Holden director of security research for Arbor Networks, told CNN that the site’s availability problems don’t seem to have been caused by the “Destroy Obama Care” tool:
We have not monitored any attacks. We have not seen any sizable, or anything to believe that these problems are related to DDOS. I don't believe that the problems with the site's availability is due to any kind of DDOS attack.
CNN also reports that a top Health and Human Services official, Chief Information Officer Frank Baitman, said in a separate hearing that his department had engaged an ethical hacker to perform penetration testing of the site – i.e., testing that simulates internal and external attacks that can then be used to evaluate computer and network defenses.
One would sure like to believe that the US government has enough security expertise on staff to limit the number of gaping holes a pen test would reveal.
And, indeed, Baitman said that the pen tester described between 7 and 10 items related to attempted security breaches, none of which Baitman said he would describe as serious, and most of which had been resolved.
Others have testified before HHS regarding “subpar” website design – assuredly a grievous accusation from a taxpayer’s perspective, given that the site cost millions of dollars, if not hundreds of millions.
If the US government wants to spare us from paying through the nose to pen-test that deluxe-but-creaky site, they might want to do us all a favor and check out these tips on how to manage cost-effective pen testing.
Just a thought!
Image of Caduceus courtesy of Shutterstock.
7 comments on “Hackers throw 16 attacks at HealthCare.gov plus a DoS for good measure”
Lol the only DoS the healthcare site’s experienced came from its own programming and 3 people trying to use it at the same time.
what about the fact that their SSL cert leaks all of the hostnames to other related sites and their Dev/QA/Preprod environments?
Seriously, are they really too lazy to get a separate cert for production?
How exactly does one do a DoS test against a site that doesn’t work?
that’s easy enough 🙂
Why risk possible prosecution by trying to attack the healthcare site when it was non-functional all on its own.
Cyber attacks are NEVER and act of civil disobedience. They’re criminal, period. Nothing civil about them.
After the FBI hacks and untold numbers of others, how can one ever state, “One would sure like to believe that the US government has enough security expertise on staff to limit the number of gaping holes a pen test would reveal.”