SQL Injection on Healthcare.gov

somarco

“There’s not a lot of security built into the site, at least that’s what we can see from a 10,000 foot view,” Kennedy told the committee. And although the site doesn’t house medical records, it integrates deeply with other sites, includes ecommerce information, and houses a vast array of data that presents a very salient target.

“It’s not only social security numbers … it’s one of the largest collections of personal data, social security and everything else, that we’ve ever seen,” Kennedy said.
Healthcare.gov
 
In other words:

If the government was a building, the website would be the ground floor. Nothing important is there, and the security is not so great. Anyone can come and go, and anyone that wants can probably sneak through a back door or into a room they shouldn't go in. Everything flows through, but nothing is stored. Yes, you could "intercept" information as it moves through, but that's not easy.

But, importantly, there are doors, stairs, and elevators (the hub) leading right into the other, heavily guarded floors (the places where the information actually is stored). Information goes there incessantly; you can follow anything and find where it goes. Thanks to this new project, there are new entrances to these floors, and they still are not properly guarded. Not to mention, never before has even getting to one of these doors been so easy.
 
My son is a security expert for a large insurance carrier and has talked quite a bit about SQL injection. Although I don't really understand the process, I do follow what he says when he tells me hackers use SQL injection to gain access to your site and everything that is there, and everything it touches.

Prior to his current job he worked for a major university that also had a med school and hospital on campus. He found a "hole" in one of their sites that allowed patients to make appointments with their doctor. By hacking that gateway he could gain access to patient files, payroll records and anything else connected to the school and hospital.
 
10,000 foot overview of what happens.

SQL is a type of database; it's where all the info is stored. This includes usernames, passwords, and all associated info. Think of an Excel sheet; it's quite similar in layout (although massively more complex in everyday use; I have tables with a million+ entries on relatively tame sites).

Basically, you "inject" a fake password into the database, where a real password was. Voila, you just changed the password on an account and gained access.

More maliciously, do the same thing for an administrative account (as it sounds in your university example). Make it think you're the admin, and all of a sudden, you are. You can also do things like change where information is sent by changing a destination address within the table. Putting things like that in code is a HUGE NO-NO; it goes into a table, the code pulls it from the table, and inserts it as necessary.

If you're extra sneaky, you'll gain access to the whole table.

To put it in paper terms, this is like going into the file room and changing the contact info on a case to yourself, and then legitimately requesting it like it's yours. Going a step further, it's like getting hired as the file keeper.
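As an added illustration (my own code, not part of the original post or of any site discussed here): the login lookup the thread is talking about, written once by pasting user input into the SQL text and once with bound parameters. The table, user names and passwords are constructed; the value `admin' --` is the textbook single-quote-plus-comment input that closes the string literal and drops the password comparison from the first version, while the second version treats it as an ordinary string and finds no such user.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for an appointment portal's users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "patient"), ("admin", "hunter2", "admin")],
    )
    return con


def login_vulnerable(con, username, password):
    # The user-supplied strings become part of the SQL text, so the database
    # cannot tell data from code: a quote in the input rewrites the query.
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    # Parameterized query: values are bound separately from the statement,
    # so quotes or comment markers in the input are just bytes to compare.
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tricky = "admin' --"
    print("vulnerable:", login_vulnerable(db, tricky, "wrong"))  # admin
    print("safe:      ", login_safe(db, tricky, "wrong"))        # None
```

The fix is not to filter quotes out of the input but to never build the statement from strings in the first place; the same rule applies to ORM query builders and stored procedures that concatenate internally.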
 
Security was never built into the system in the first place, and the security vulnerabilities are critical, according to CNBC's interview with a notable expert.

No security ever built into Obamacare site: Hacker

How will stolen identities, credit card numbers, etc. be able to be tracked back to healthcare.gov as the source? I hope there's a way. Saying that security is poor is much like the early warnings of higher 2014 premiums. Seeing was believing.

The Congressional investigation into stolen identities, funds, credit cards, would make the recent HHS/CMS hearings look tame by comparison. Maybe that's why President Obama is so eager to get Private Insurers and Web Brokers to take the reins of quoting and enrolling. Can you imagine the political commercials featuring people who've lost their assets thanks to the OBAMAScare website?
 
It depends on how much detective work DC wants to do, and how much they are willing to reveal.

If it becomes apparent that identity theft can be tracked to someone in the Russian Federation and they leave tracks (which can easily be found if there are multiple visits) and if the govt decides to reveal the breach we will know the source. But unless there is a whistleblower we probably will never know.
 
Half of being a good hacker is covering your tracks. Generally, if they're smart enough to break in, they're smart enough to get out clean. They run through proxies, bogus/zombie computers, and put the file on servers in separate countries that don't recognize subpoenas for information from the US. Even if you find a "track" it's usually just one relay in a series of dozens.

There are quite a few places in Europe that have become safe havens; it's not just Russia and the -stan countries anymore. Even if they want to track the hacker down, do you really think they'll make the breach public? I'd expect them to hide it with everything they have.
 
South Carolinians were hacked a while back. A Russian owns all of our data. I am avoiding the payment option at this point.
 
Half of being a good hacker is covering your tracks. Even if they want to track the hacker down, do you really think they'll make the breach public? I'd expect them to hide it with everything they have.

Republicans should find a few hundred volunteers, provide them with token credit cards, bank accounts, etc. and have them used only to buy an exchange plan. Then, sit back and wait a few weeks or months for fraudulent charges to begin showing up. While waiting, give these folks free coaching sessions for looking sorrowful and angry while testifying.
 