The latest security breach of the Healthcare.gov website underscores the continuing lack of adequate penetration testing and vulnerability assessment conducted on the troubled online health exchange by the federal IT managers and their contractors.
The most recent breach of the Obamacare website, first detected in late August and reported on September 4th, was described by federal administrators as “an intrusion on a test server” involving the installation of malware developed to initiate a denial-of-service (DoS) attack on other websites.
The agency reportedly acknowledged that the test server should not have been connected to the internet, that the server manufacturer’s default password had not been changed, and that administrators had failed to conduct standard security scans of the server.
The incident is thought to have been part of a broader DoS attack effort in which hackers managed to upload malware to a development server used to test code; the server was not configured properly and was never supposed to be reachable from the internet.