Arizona board - Obama health insurance website was breached by a hacker in July (repost)
l****z
Posts: 29846
1
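[The following text is reposted from the USANews board]
From: lczlcz (lcz), Board: USANews
Subject: Obama health insurance website was breached by a hacker in July
Posted at: BBS 未名空间站 (Thu Sep 4 23:44:28 2014, US Eastern)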
Hacker Breached HealthCare.gov Insurance Site
The Hacker Uploaded Malicious Software, But Consumers' Personal Data Didn't
Appear to Be Taken
A hacker broke into part of the HealthCare.gov insurance enrollment website
in July and uploaded malicious software, according to federal officials.
Investigators found no evidence that consumers' personal data were taken or
viewed during the breach, federal officials said. The hacker appears only to
have gained access to a server used to test code for HealthCare.gov, the
officials said.
The server was connected to more sensitive parts of the website that had
better security protections, the officials said. That means it would have
been possible, if difficult, for the intruder to move through the network
and try to view more protected information, an official at the Department of
Health and Human Services said. There is no indication that happened, and
investigators suspect the hacker didn't intend to target a HealthCare.gov
server.
The prospect nevertheless raised concerns among federal officials because of
how easily the intruder gained access and how much damage could have
occurred.
The HHS official said the attack appears to mark the first successful
intrusion into the website, where millions of Americans bought insurance
starting last year under the 2010 Affordable Care Act. The agency discovered
the attack last week.
"Our review indicates that the server did not contain consumer personal
information; data was not transmitted outside the agency, and the website
was not specifically targeted," HHS said in a written statement. "We have
taken measures to further strengthen security."
The attack comes as the federal government and insurance companies prepare
for the second year of open enrollment to buy health insurance under the
law, beginning on Nov. 15. Federal officials said that the incident shouldn't
have an effect on the process, and that the intruder has since been blocked.
The breach could add fresh ammunition to fall election campaigns by
Republican lawmakers, who oppose the law and have criticized its rollout.
HealthCare.gov suffered from crippling technology problems when it launched
in October, though the government has since improved the site. Some 5.4
million applicants signed up for health plans via the site by the end of
open enrollment.
Taken with recent cybersecurity incidents at J.P. Morgan Chase & Co., Home
Depot Inc. and celebrities' iPhones, the HealthCare.gov hack
further underscores that large organizations haven't yet mastered how to
secure troves of data they collect from consumers.
The White House and congressional staff have been briefed on the matter,
officials said. The Department of Homeland Security, Federal Bureau of
Investigation and National Security Agency have aided the investigation,
which is active. The FBI traced the attack to several Internet addresses—
some overseas—but doesn't think it is the work of a state-backed actor,
officials said.
"There is no indication that any data was compromised at this time," DHS
spokesman S.Y. Lee said in a written statement. "DHS will continue to
monitor the situation and help develop and implement precautionary
mitigation strategies as necessary."
As an insurance-enrollment portal, HealthCare.gov stores deeply personal
details on Americans, including Social Security numbers, financial data and
names of family members. None of that appeared to gain the still-unknown
hacker's interest, officials said.
Rather, investigators found that in July, the intruder did just one thing:
install malware on a HealthCare.gov server so it could be used in future
cyberattacks against other websites, federal officials said. Hackers often
take over troves of computers and servers to direct mischief traffic at
websites. The rush of traffic, known as a denial-of-service attack,
overwhelms the site and knocks it offline.
Such types of cyberattacks are considered a nuisance. If discovered at a
private company, it is likely the firm wouldn't disclose the incident,
cybersecurity attorneys have said.
"If this happened anywhere other than HealthCare.gov, it wouldn't be news,"
a senior DHS official said.
Investigators found the hacker was scanning both federal and private
websites for a certain type of server that the person would then hack. This
suggests the hacker wasn't targeting the health-care website, the official
said.
Washington officials said they are concerned an intruder gained access to
the HealthCare.gov network through a basic security flaw. The server had low
security settings because it was never meant to be connected to the
Internet, the HHS official said. When the hacker broke in, it was only
guarded by a default password, which often is easy to crack.
"There was a door left open," the official said.
The department discovered the break-in weeks later on Aug. 25 during a daily
security scan. Buried amid lines of computer log files were data showing
the test server had been contacted by the outside Internet, which wasn't
supposed to happen.
Lawmakers first raised security concerns about HealthCare.gov when it
launched nearly a year ago. At the time, then-HHS Secretary Kathleen
Sebelius said the department had a plan in the event of a security breach.
Other hacking attempts reportedly have been made, but none appear to have
been successful before this.
"It is full of data that criminals covet," said Rep. Joe Barton (R., Texas),
who opposes the health-care law. "Handing private information over to the
government is bad enough. People should at least know it won't fall into the
hands of hackers."
Sen. Tom Carper (D., Del.), chairman of the Senate homeland security panel,
called the incident "deeply troubling."
HHS said it has taken cybersecurity seriously since launching
HealthCare.gov. The site undergoes quarterly security audits from Blue Canopy Group LLC, a
private security company in Reston, Va. It also undergoes daily security
scans and drill-hacking exercises.
It couldn't be learned whether the misconfigured server could be linked to
any of the several technology contractors who help set up the website.
—Stephanie Armour contributed to this article.