OTR Interviews

'White hat hacker': Why HealthCare.gov isn't secure

Security expert who testified before Congress explains why your information on the federal ObamaCare site is not secure and how it is a gold mine for criminal hackers


This is a rush transcript from "On the Record," November 19, 2013. This copy may not be in its final form and may be updated.

GRETA VAN SUSTEREN, FOX NEWS HOST: This one is disturbing. A cyber security expert sounding the alarm saying hackers are definitely after HealthCare.gov. That disturbing warning is from "white hat hacker" David Kennedy. He is one of several security experts giving Congress more bad news about the ObamaCare website.


UNIDENTIFIED MALE: Do any of you today think today that the site is secure?





UNIDENTIFIED MALE: Well, this is a hypothetical in your opinion do any of you think the site will be secure on November 30th?





UNIDENTIFIED MALE: In your opinion, how long do you think it will be before the site could be secure, just give me an estimate of months.


UNIDENTIFIED MALE: Hard to estimate.

UNIDENTIFIED MALE: I don't have enough information.



VAN SUSTEREN: And David Kennedy, one of those four gentlemen joins us. Wow. Is that 0 and 4 or 4 and 0? I guess it was 0 and 4 both times.

DAVID KENNEDY, HACKER: Yes, definitely. It's not looking good for the ObamaCare website right now.

VAN SUSTEREN: Why is it so vulnerable?

KENNEDY: Well, if you look at how they actually developed the web site, it was done very swiftly. When you develop a website like this you put security in the whole process so you build security into the application. And what happened here is it was kind of rushed together, pieced together and at the very shoved out the door. Unfortunately that included a lot of security exposures and vulnerabilities that we were able to research and identify.

VAN SUSTEREN: All right, well, the administration keeps talking about the hub is just a hub. The information goes through the hub. It's not stored in the hub, but it's interfaced with so many agencies. Does that make it a security risk the fact that the hub. I mean, they brag about the hub being not a storage of information, but is that a point vulnerability?

KENNEDY: Right. Hackers what they do is if you look at how information traverses those different departments like the IRS or DHS or third parties like Experian. They have to rely off trusted connections. The data hub actually acts as a kind of intermediary conduit to pull that information from different areas. If the hacker can get control of that they can get access to other databases and potentially expose other government agencies as well.

Scott White, who is a researcher for us as well as myself, did a lot of analysis on the website itself and found that you can basically hack the website, get access of it and start to take key components of the web site itself as well as extract a lot of sensitive information about people who have registered for it.

VAN SUSTEREN: Is there any way that this could be fixed between now and 30th of November?

KENNEDY: Not possible, unfortunately. In order for it to fix something this complex it's estimated that the website is 500 million lines of code and to put that in comparison, you know, Windows operating system is between 50 million to 80 million lines of codes, which is one of the most complex operating systems that we see out there. So it's six times more complex. To fix something like that is going to be near impossible in the short time frame.

VAN SUSTEREN: Don't you want to strangle yourself when you hear the government say this is all going to be 80 percent fixed by November? I mean, if you can log on, but you are so vulnerable to the security. I mean, that is just a lie that it works at that point.

KENNEDY: It's really unfortunate. The site could have been developed in a way that didn't have a lot of these exposures. I think, my testimony on Capitol Hill today, you know, some of the testimony was well, other websites get hacked so why are we any different? And if we are at that point and debating that? Then we have lost our motive around security, around security hasn't done job against those issues. We can protect against hackers and we owe it to Americans to protect this infrastructure and data that's on it. It's our personal information not the government's.

VAN SUSTEREN: It's been up six weeks has it been hacked so far?

KENNEDY: It's hard to tell, but it looks like it. If you look at the search bar on the website itself. Go to healthcare.com and put a semicolon in there. What you can actually see is that there's already been hacker attempts, the top results on the search engine actually show hackers trying to break into the website. Additionally they came out with the statistic that the website had been attacked 16 different times. To me that seems very low. I think that shows that there is little to low monitoring probably don't know they are being attacked.

VAN SUSTEREN: All right, when you say they have been attacked and fend off an attack, maybe 16 attacks, but has the system managed to successfully fight off 16 attacks so we should see that as success?

KENNEDY: We don't know enough information about it. They said that they are able to prevent it. The service attack which is about as rudimentary an attack as you can get. I think that if you look at statistics, you would say that, you know, most websites on average receive about 30,000 to 40,000 different types of attacks a month. Something like healthcare.gov is going to see more than that only 16. A lot of those have gone undetected access to this site or working on getting access to the site.

VAN SUSTEREN: Would you ever sign up to this point?

KENNEDY: Absolutely not.

VAN SUSTEREN: You didn't hesitate.

KENNEDY: No chance. Knowing the security around the infrastructure itself how it was rushed out the door and exposures that we are seeing now. I got an email right in the middle of the congressional hearing of someone saying I have another 30 findings for you -- 30 vulnerabilities on the website.

VAN SUSTEREN: While you are in the hearing.

KENNEDY: While I'm in the hearing. It's like OK, so you have this amount of exposures, not doing hacking looking at outside view. We can see all these exposures that is pretty bad.

VAN SUSTEREN: Four out of four who say that it doesn't work, it won't get fixed and everything. Not like 3 and 1 but 0-4.

KENNEDY: Pretty unanimous.

VAN SUSTEREN: Unanimous as you can get. Anyway, David, thank you.

KENNEDY: Thanks, Greta. Appreciate it.