Healthcare.gov used to have some very bad vulnerabilities. Some of them are still lying around in wait, but --> https://www.ssllabs.com/ssltest/index.html they've fixed it up a while back.
However, that doesn't necessarily mean anything. One of the biggest providers, Anthem (anthem.com), fails. (servers: openroadfromanthem (cert not even valid), deploy.static.akamaitechnologies.com... 'F' grades, ssltest) Supposedly people are getting connected to these health insurance companies through healthcare.gov ~ real reassuring, right?

>>From: "[email protected]" <[email protected]>
>>To: jim bell <[email protected]>
>>Jim,
>>And I wonder how all the tax preparation sites plus irs.gov are
>>waltzing with Heartbleed just now. April 15 is Tuesday...
>>--dan
>
> Yes, it's amazing how much security on the Internet is constructed on
> foundations of sand, 23 years (for example) after the writing of PGP.
> Organizations such as the NSA and CIA should be required to show that
> they are pulling their own weight, by discovering and fixing these kinds
> of bugs. After all, ostensibly they exist for the benefit of the
> citizenry of America, right? I would question the raison d'être of the
> NSA if it found itself more interested in maintaining the existence of
> security bugs than in closing them. The NSA can't claim that nobody else
> could find them or exploit them.
>
> As for my idea about the healthcare.gov vulnerability: I thought of this many
> months ago, but I decided not to post it until the deadline had virtually
> expired. (Although it wasn't like I thought I was the only one who could
> imagine such a thing!) I was amazed by the lack of discussion in the
> lamestream media about the potential vulnerabilities of people's personal
> data. But even more obvious to me was the fact that healthcare.gov
> virtually invited people to enter false data: it refused to provide people
> information about health care plans until they had entered their own
> personal information. A person would be motivated to enter a mostly-fake
> set of data, solely for the purpose of getting access to the plans.
> And there was a potential 'innocent reason': systems like this might get
> 'stuck', making it difficult to correct data, and people might be tempted
> to initiate a new account solely for the purpose of abandoning old data.
> I realized that, depending on how well healthcare.gov had been written,
> a cracker with a script could upload thousands or even over a million
> accounts, presumably for the purpose of making the account numbers look
> good.
> Jim Bell
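The "cert not even valid" finding above is the kind of thing worth checking yourself rather than trusting a grade page. The script below is an added example written for this thread; it is not part of the original post, the SSL Labs tester, or any of the sites named. It does two things: a live probe that opens a verified TLS handshake to a host and reports why verification failed (expired, self-signed, name mismatch), and an offline assessor that takes a certificate in the dict shape Python's `getpeercert()` returns and flags expiry, a too-short remaining lifetime, and hostname/SAN mismatches (including the single-leftmost-label wildcard rule). The sample certificate, the `example.com` names and the 14-day warning margin are constructed for illustration.

```python
import socket
import ssl
import sys
import time


def gmt(cert_time):
    """Parse an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' string to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def _dns_name_matches(pattern, hostname):
    """Match a certificate DNS name against a hostname.

    Exact match, or a wildcard that is the whole leftmost label and
    covers exactly one label (so '*.example.com' matches 'www.example.com'
    but not 'example.com' or 'a.b.example.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # Only the first label may be a wildcard, and the rest must match exactly.
    return p_labels[1:] == h_labels[1:] and "*" not in "".join(p_labels[1:])


def assess_cert(cert, hostname, now=None, warn_days=14):
    """Return a list of findings for a getpeercert()-style dict.

    An empty list means: the validity window covers `now` with at least
    `warn_days` to spare and `hostname` is covered by the certificate names.
    warn_days=14 is an arbitrary margin chosen for this example.
    """
    now = time.time() if now is None else now
    findings = []

    not_before = gmt(cert["notBefore"])
    not_after = gmt(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid (notBefore %s)" % cert["notBefore"])
    if now > not_after:
        findings.append("expired (notAfter %s)" % cert["notAfter"])
    elif now > not_after - warn_days * 86400:
        findings.append("expires within %d days (notAfter %s)" % (warn_days, cert["notAfter"]))

    # Prefer subjectAltName DNS entries; fall back to the subject CN only
    # when no SAN is present, which is how modern validators behave.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    if not any(_dns_name_matches(n, hostname) for n in names):
        findings.append("hostname %s not covered by %s" % (hostname, names or ["<no names>"]))
    return findings


def probe(host, port=443, timeout=5.0):
    """Live check: verified handshake with the platform trust store.

    Returns assess_cert() findings on success, or a one-item list with the
    OpenSSL verification message when the chain is rejected outright
    (self-signed, expired, wrong name, untrusted issuer).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return ["verification failed: %s" % exc.verify_message]


# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 10 00:00:00 2014 GMT",
    "notAfter": "Apr 10 00:00:00 2014 GMT",
}

WILDCARD_CERT = dict(SAMPLE_CERT, subjectAltName=(("DNS", "*.example.com"),))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for line in probe(target) or ["ok: %s verifies and names match" % target]:
        print(line)
```

Run it as `python3 tlscheck.py some.host` to probe one server; anything other than an `ok:` line is a finding. The live probe deliberately keeps verification on, because once `CERT_NONE` is set Python no longer decodes the peer certificate into a dict, so an invalid chain is reported from the verification error rather than by inspecting the bad certificate.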
