
(Some Guy) Breathless media hype: "Researcher hacks Healthcare.gov and gets 70,000 people's information" Reality: Researcher does a search using Google tools and gets 70,000 results, none of which were viewed (trustedsec.com)
    More: Stupid, wind shears, United States Marine Corps  

1479 clicks; posted to Geek on 21 Jan 2014 at 7:02 PM



10 Comments
 
2014-01-21 07:45:11 PM  
Even more troubling is that a book was dropped off on my door step that listed the names, addresses, and phone numbers of everyone in town. Is no one concerned with privacy anymore?
 
2014-01-21 07:45:45 PM  

Mad_Radhu: Even more troubling is that a book was dropped off on my door step that listed the names, addresses, and phone numbers of everyone in town. Is no one concerned with privacy anymore?


Mother of God.  That guy was at my house too last year.
 
2014-01-21 07:47:06 PM  
I hope they don't find out about my request for a penis reduction surgery and spread it all over the internet.
 
2014-01-21 07:47:51 PM  

Mad_Radhu: Even more troubling is that a book was dropped off on my door step that listed the names, addresses, and phone numbers of everyone in town. Is no one concerned with privacy anymore?


I heard the government is collecting data on people's address, height, weight, eye color, and other factors. Anybody else concerned by this so-called DMV?
 
2014-01-21 08:00:35 PM  

Mad_Radhu: Even more troubling is that a book was dropped off on my door step that listed the names, addresses, and phone numbers of everyone in town. Is no one concerned with privacy anymore?


Some folks like the notoriety.

www.loveyourdash.com
 
2014-01-21 08:06:16 PM  
FTA: Update 2: The Washington Times - the author of the story responded and is correcting the article to reflect accurately.

In other news, people exist who are dumb enough to expect accuracy from the Washington Times.
 
2014-01-21 11:17:02 PM  
As a web developer, I feel at least somewhat qualified to say that this dude sounds like he just wants to get his name out there. When you look at the reasons why he THINKS the site is vulnerable, he comes off as rather aloof. Even his comparison to a car driving down the road with smoke billowing out under the hood makes no sense; that would only apply if you could actually see errors coming up in the site and there aren't even Javascript warnings for the site.

I did look at the document that he prepared for Congress (did they ask him for one?) and the only expert in that document that I trust is Mitnick, who summarized his concerns as "Wow, there's a lot of information coming from other sites; if healthcare.gov gets hacked, it could be bad." Really? THAT'S your security concern? Utter failure....
 
2014-01-22 01:43:33 AM  
For anyone who is curious, I will explain what they are talking about. Generally when you do a Google search the results are drawn from data Google has amassed in the past. By adding codes to your search you can tell Google not to use this historical data but instead have its servers examine sites as they are right now. Using Google rather than your own computers has several benefits. First, the requests cannot be tracked back to you. Second, it might not be detected at all because Google has hundreds of thousands of servers all over the world and they are sneaky about how they look for data. Even the worst network admin will notice 10,000,000 hits from a single IP in 5 minutes, but many won't notice 100 hits from each of 100,000 computers.

Google doesn't just search the website, it searches the HTML code, and if the website is not set up properly it can even read databases which are loaded on the web server. Because this uses a lot of resources Google limits both how often you can do it and the number of results it will return.

Several years ago a couple of security researchers built a tool which uses these abilities to help detect vulnerabilities. They allow you to do your own searches, but also built in a few hundred predefined searches that allow you to quickly search for well-known vulnerabilities, hard-coded usernames and passwords, or exposed confidential data such as SSNs or credit card numbers on computers connected to the internet. It also avoids some of the limitations that Google places on both the number of searches you can perform and the number of results that are returned.

In an actual penetration test, this tool is often used to look for starting points. You have to go back and confirm any results that it reports, but it is pretty accurate. In general, the more results it finds the more likely that the results are accurate. If it reports that there are 2 SSNs that are accessible, chances are it is a false positive. If it says there are 30,000, chances are they have a problem.

To sum up, yes it is a real tool that this person used.  The faults that he found are likely real, but further work would be required to confirm them.
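The check a site owner would run after reading the comment above, as an added example that is not from this thread or from the tool the commenter describes: it parses Apache/nginx "combined"-format access-log lines and reports sensitive-looking paths that a search-engine crawler fetched successfully (those are what becomes discoverable through search), and separately counts distinct source IPs per path, the many-sources, few-hits-each pattern that per-IP rate limits miss. The log lines, crawler user-agent tokens and path patterns are constructed for the example.

```python
# Added example: flag sensitive-looking files a search-engine crawler has already
# fetched. Log lines, crawler UA tokens and path patterns are constructed.
import re
from collections import defaultdict

SAMPLE_LOG = """\
66.249.66.1 - - [21/Jan/2014:19:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [21/Jan/2014:19:02:13 -0500] "GET /backup/users.sql HTTP/1.1" 200 88120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.2 - - [21/Jan/2014:19:02:14 -0500] "GET /admin/config.php.bak HTTP/1.1" 403 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [21/Jan/2014:19:03:01 -0500] "GET /backup/users.sql HTTP/1.1" 200 88120 "-" "Mozilla/5.0 (Windows NT 6.1)"
66.249.66.3 - - [21/Jan/2014:19:03:02 -0500] "GET /exports/patients.csv HTTP/1.1" 200 40110 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CRAWLER_UA = re.compile(r"Googlebot|bingbot", re.I)  # extend for other engines
# Paths that should never be crawlable: dumps, backups, exports, logs.
SENSITIVE = re.compile(r"\.(sql|bak|old|log|csv)$|^/(backup|exports)/", re.I)

def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def indexed_exposures(log_text):
    """Sensitive paths a crawler fetched with HTTP 200 -> set of crawler IPs.
    A 200 to a crawler means the content was served and is likely indexed;
    a 403/404 means it was blocked and is not reported."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if (rec["status"] == "200" and CRAWLER_UA.search(rec["ua"])
                and SENSITIVE.search(rec["path"])):
            hits[rec["path"]].add(rec["ip"])
    return dict(hits)

def distinct_sources(log_text):
    """Distinct client IPs per sensitive path, crawler or not: per-IP rate
    limits miss a few hits each from many addresses; this view does not."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is not None and SENSITIVE.search(rec["path"]):
            sources[rec["path"]].add(rec["ip"])
    return {path: len(ips) for path, ips in sources.items()}
```

Anything `indexed_exposures` reports has already been served to a crawler, so removing or access-controlling the file is the fix; a robots.txt entry alone only stops future fetches.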
 
2014-01-22 02:36:05 AM  
The Washington Times - the author of the story responded and is correcting the article to reflect accurately. Special thanks to them and the fast response.

Yeah, good luck getting that horse back in the barn.
 
2014-01-22 08:06:13 AM  

HK-MP5-SD: For anyone who is curious, I will explain what they are talking about. Generally when you do a Google search the results are drawn from data Google has amassed in the past. By adding codes to your search you can tell Google not to use this historical data but instead have its servers examine sites as they are right now. Using Google rather than your own computers has several benefits. First, the requests cannot be tracked back to you. Second, it might not be detected at all because Google has hundreds of thousands of servers all over the world and they are sneaky about how they look for data. Even the worst network admin will notice 10,000,000 hits from a single IP in 5 minutes, but many won't notice 100 hits from each of 100,000 computers.

Google doesn't just search the website, it searches the HTML code, and if the website is not set up properly it can even read databases which are loaded on the web server. Because this uses a lot of resources Google limits both how often you can do it and the number of results it will return.

Several years ago a couple of security researchers built a tool which uses these abilities to help detect vulnerabilities. They allow you to do your own searches, but also built in a few hundred predefined searches that allow you to quickly search for well-known vulnerabilities, hard-coded usernames and passwords, or exposed confidential data such as SSNs or credit card numbers on computers connected to the internet. It also avoids some of the limitations that Google places on both the number of searches you can perform and the number of results that are returned.

In an actual penetration test, this tool is often used to look for starting points. You have to go back and confirm any results that it reports, but it is pretty accurate. In general, the more results it finds the more likely that the results are accurate. If it reports that there are 2 SSNs that are accessible, chances are it is a false positive. If it says there are 30,0 ...


Cool.  Thanks for the info!
 
Displayed 10 of 10 comments

This thread is closed to new comments.