An unknown hacker or hackers broke into a computer server supporting the HealthCare.gov website through which consumers enroll in Obamacare health insurance, a government cybersecurity team discovered last week, apparently uploading malicious files.
The Centers for Medicare and Medicaid Services (CMS), the lead Obamacare agency, briefed key congressional staff on Thursday about the intrusions, the first of which occurred on July 8, CMS spokesman Aaron Albright said.
The malware uploaded to the server was designed to launch a distributed denial of service (DDoS) attack against other websites, not to steal personal information, Albright said.
In a DDoS, Internet-connected computers are so overwhelmed by malware attempting to communicate with their website that, unable to handle legitimate requests, they crash.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” Albright said. “We have taken measures to further strengthen security.”
The Office of Inspector General of the Department of Health and Human Services, CMS’s parent agency, and HHS leadership were notified of the attack, which was first reported by the Wall Street Journal.
A spokesman for the Department of Homeland Security, which helps investigate cyber attacks, said its Computer Emergency Readiness Team (US-CERT) had forensically preserved the affected server and had identified and extracted the malware designed to launch a denial of service attack.
US-CERT analysis indicated that only one server was involved. It was not running HealthCare.gov, but was instead used by programmers to test new code before it goes live.
The test server was not supposed to be connected to the Internet, but somehow was. In addition, access to it was protected by a default password installed by the manufacturer, said Albright, who declined to say if that default was 1-2-3-4-5 or something equally breachable.
Cybersecurity expert David Kennedy, chief executive of the information security firm TrustedSec LLC, said he was unconvinced this was the first successful hack on HealthCare.gov.
“There are fundamental flaws in how they’re coding the website and it’s going to take a long, long time to fix it,” he told Reuters. “It continues to be a really big glaring security hole.” It is rare for hackers to upload malware without following through to use it, he added.
Rep. Diane Black of Tennessee, a longtime Republican critic of Obamacare, criticized CMS for the cyberbreach, saying “designing a secure website should have been a top priority for this administration.”
The attack, Albright said, will have no impact on the second open enrollment period for Obamacare, which begins on Nov. 15.
A jobless teenage hacker brought down the Metropolitan Police computer system with a cyber attack which crashed its web site.
Jordan Lee Jones brought down the site – used by thousands of officers and civilians every day – by overloaded internal Met computer systems, a court heard.
He was caught following an investigation carried out by detectives from their own cyber crime unit, and Cleveland Police.
Detectives arrested him at his home in Windermere Avenue, Billingham on Teesside and seized an encrypted laptop computer on March 18 this year.
The case has prompted a review of the Met’s computer system, and its security.
Jones, who is 19 and unemployed, pleaded guilty to four charges of impairing the function of a computer.
Teesside magistrates heard that between August 11 and 14 last year, he carried out an attack by ‘overloading’ the website.
There is no such thing as “too small to hack.” If a business has a website, hackers can exploit it.
I was recently looking for a place to board our cat this summer, and one business had on its home page, underneath the name of the company, the words “Viagra discounts” in small but legible type. Assuming the company isn’t branching out from felines to pharmaceuticals, why would this appear on its website? The answer, of course, is that the company didn’t put it there, and was probably unaware of it altogether.
When small business owners think about website security at all, their attitude is usually something along the lines of, “Why would anyone attack us? We’re not a bank and we don’t store credit card data.” Once the company sets up its website, it “sets it and forgets it.” It may check its search ranking once in a while to be sure it hasn’t been blacklisted by Google, but that’s as far as it is likely to go. However, hackers are attacking small business websites with increasing frequency and sophistication: In the cyber-attack ecosystem small business websites are both an attack platform and an attack target.
Unfortunately, the current upward trend of small businesses managing their own websites will only amplify this problem. The National Small Business Association 2013 Technology Survey found that nearly two-thirds of small businesses maintain their own websites, up 15% from the 2010 report. Meanwhile the report indicates that 64% of companies consider the time required to simply maintain the site “a major challenge.”
If you work in, or provide security services to, a small business, below are five points that you need to understand in order to effectively defend your website from attack.
5. New vulnerabilities threaten your business every day: Small business owners need to understand that vulnerability discovery and disclosure is dynamic. Just because a website hasn’t been updated lately doesn’t mean that new vulnerabilities aren’t a threat. In fact vulnerabilities in existing code are more likely to appear on websites that haven’t been updated. According to anonymized aggregated customer data we analyzed at 6Scan, for companies using Web content management systems this issue is even more critical. At any given time between 70% and 80% of WordPress users are running an outdated version which can contain critical, and well documented, vulnerabilities.
4. Your site is under attack 24/7: Many small business owners check their traffic figures daily, pleased to see any increase. They might not be so happy to learn, as we did from our analysis, that, on average, 7% of the traffic to their site is actively attacking it, attempting to detect and exploit vulnerabilities. A site that gets 100 unique visitors per day (placing it approximately at Alexa’s 100,000th most trafficked site) is a target of two breach attempts every hour of every day — almost 20,000 attacks per year. With these numbers it’s not a matter of if a vulnerability will be exploited but when.
3. Hackers are more efficient than ever: Cisco’s 2014 Annual Security Report referred to hacking legitimate websites as a “high-efficiency infection strategy.” Once a site is compromised, it turns into an attack platform, giving hackers the freedom to choose what devices to attack, what viruses to distribute, even what date and time to launch the attacks for maximum effect.
Back in my days at Zone Labs (one of the early desktop firewall vendors) malware email attachments were all the rage. Now bad guys don’t need to go through all the effort to push malicious attacks with a single payload — they just hack legitimate websites and the victims to come to them. If they want to beta test a new iOS exploit, they can run that for a few days. If they want to build a botnet with proven malicious code, they just pop that up. The victims will just keep showing up, not knowing the site has been compromised. This ruthless strategy puts the “viral” back in viral marketing.
2. Your site — no matter how small — is valuable to hackers: There is no such thing as “too small to hack.” If a business has a website, hackers can exploit it. Stealing personally identifiable information from users and visitors is one way they derive value. But even without credit card data, user/password credentials can be valuable when used as part of a bigger scam.
Hackers also breach legitimate websites to post phishing pages — this is essential to get around anti-spam software that will flag a link to a blacklisted IP. According to the Websense 2014 Threat Report, 85% of all malicious Web links are hosted on hacked legitimate sites. A third way attackers can use a hacked site is to host malicious content used in phishing scams.
1. Your reputation gets hacked as well: Being blacklisted by Google damages a small business’s brand, but it pales in comparison to being used as a platform to attack its business partners — and this is not a spy-movie, spear-phishing scenario. Last year the networks of Facebook, Twitter, Microsoft, and Apple were compromised in “watering hole” attacks. In these attacks, cyber criminals hacked into small business Web sites that are known to be frequented by employees of the targeted companies. These specific attacks focused on small mobile application developers, but the model works for any industry.
The days of small businesses putting up a few web pages and relying on “security through obscurity” to protect them are gone forever. Hackers have great incentive to unleash sophisticated — and often highly automated — attacks on even the smallest sites. Small business stakeholders must begin to regard website security as a necessary part of operating in an online world, or their customers and partners will pay the price.
Over the weekend the PlayStation Network, Microsoft’s Xbox Live, Blizzard’s Battle.net, and Grinding Gears Games reported massive network disruptions caused by large scale distributed denial of service (DDoS) attacks. These attacks occurred around the same time that a bomb threat was made against an American Airlines plane carrying John Smedley, president of Sony Online Entertainment.
Video game networks are commonly targeted by hacker groups looking for fame and recognition using DDoS because they are easy to disrupt and cater to younger audiences who go to social media to air grievances. Gaming networks themselves are publicly available, often already have an already high volume of traffic, and therefore have trouble handling massive spikes of traffic generated by DDoS.
The PSN service attacks appear to be perpetrated by a hacker who goes by the Twitter moniker @Famedgod and another group known as @LizardSquad. Both users have claimed credit for attacks, with FamedGod locking horns with LizardSquad over credit for the weekend’s PSN outage. FamedGod claims to have taken down the PSN network to highlight security issues still persistent in the network even after the 2011 outage (mentioned below.)
None of the networks affected have reported hacking or loss of customer information, only disruptions due to denial of service attacks.
In the past DDoS attacks have been used by groups such as LulzSec and DerpTrolling in order to increase notoriety and recognition. Both LulzSec and DerpTrolling targeted gaming networks, and most notably during the reign 2011 of LulzSec, the PlayStation Network suffered a massive outage triggered by a successful hacking attempt that ended with the service being offline for almost a month.
Modern DDoS attacks can be generated using massive botnets that exploit well known or new amplification techniques. In the case of DerpTrolling, an exploit in the Network Time Protocol (NTP) allowed a smaller botnet to wreak greater havoc.
In this current storm of DDoS attacks numerous separate networks have been hit with spike traffic causing disruptions and outages. The PlayStation Network suffered an outage over the weekend but has since been restored. The Xbox LIVE network skipped its regular maintenance today, Monday, August 25 due to the disruptions over the weekend. Blizzard’s Battle.net service reported disruption as well, the service supports the World of Warcraft and Starcraft titles.
Sony Online Entertainment President John Smedley’s plane diverted
During the DDoS attacks an American Airlines plane inbound to San Diego, CA was diverted to Phoenix, AZ after a bomb threat. It is known that CEO of Sony Online Entertainment, John Smedley, was on board. Game Informer broke the story with tweets from John Smedley.
The hacker group known as @LizardSquad tweeted about the bomb threat (amidst taking credit for the PSN outages.)
@AmericanAir We have been receiving reports that @j_smedley‘s plane #362 from DFW to SAN has explosives on-board, please look into this.
Shortly after news of the diverted plane broke, Smedley tweeted that he was alright and everything was fine.
The FBI is now looking into the situation.
The Wall Street Journal confirmed in a Tuesday report that an outside party – believed to be W0rm, a Russian hacker selling a stolen database for a Bitcoin – exploited a vulnerability and hacked into its news graphics systems.
Andrew Komarov, CEO of IntelCrawler who tipped off The Wall Street Journal to the incident, told SCMagazine.com on Wednesday that photos W0rm posted revealed that the news site was vulnerable to SQL injection.
The attacker could have access to all available databases on the server – close to 23 – and could additionally extract information about system users from MySQL, Komarov said. He was quoted in the report as stating the attacker could modify content and users on the server.
The compromised systems have been taken offline and an investigation is ongoing, according to the report. No customers are believed to be impacted.