Category Archives: Security

Another one bites the dust…

Maryland fires contractor that built troubled health insurance exchange

Maryland has fired the contractor that built its expensive online health insurance marketplace, which has so many structural defects that officials say the state might have to abandon all or parts of the system.

The Maryland Health Benefit Exchange voted late Sunday to terminate its $193 million contract with Noridian Healthcare Solutions. Columbia-based Optum/QSSI, which the state hired in December to help repair the flawed exchange, will become the prime contractor, while Noridian will assist with the transition.

“We worked very hard with [Noridian] to find a path forward,” said Isabel FitzGerald, the Cabinet secretary in charge of information technology. “And the decision now is that we are just not making the progress that we had hoped.”

Wonder if they’ll get their money back?

As of Monday, Maryland had paid Noridian $67.9 million for its work and had unpaid invoices totaling $12.9 million, state health officials said.

Maryland “is preserving all rights to seek damages against Noridian and its subcontractors for problems with the IT system,” Joshua M. Sharfstein, state secretary of health and mental hygiene, said Monday before a legislative panel that is monitoring the exchange.

Let this simmer…


How the NSA Almost Killed the Internet

Why the Internet will never be the same.

But even if the spy programs are viewed as justified, and whether they are tempered or not, we’re still left with the most sickening aspect of the Snowden revelations: The vast troves of information gathered from our digital activities will forever be seen as potential fodder for government intelligence agencies. A lot of people became inured to worries about Little Brother—private companies—knowing what we bought, where we were, what we were saying, and what we were searching for. Now it turns out that Big Brother can access that data too. It could not have been otherwise. The wealth of data we share on our computers, phones, and tablets is irresistible to a government determined to prevent the next disaster, even if the effort stretches laws beyond the comprehension of those who voted for them. And even if it turns the US into the number one adversary of American tech companies and their privacy-seeking customers.

“I was naive,” says Ray Ozzie, who as the inventor of Lotus Notes was an early industry advocate of strong encryption. “I always felt that the US was a little more pure. Our processes of getting information were upfront. There were requests, and they were narrow. But then came the awakening,” he says. “We’re just like everybody else.”

Documents Reveal Top NSA Hacking Unit

Does this mean UPS, Fedex, and USPS are cooperating with this? Because that would be illegal.

Take, for example, when they intercept shipping deliveries. If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called “load stations,” agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

These minor disruptions in the parcel shipping business rank among the “most productive operations” conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks “around the world.”

Even in the Internet Age, some traditional spying methods continue to live on.

H/T Instapundit


Hide the Hack…

Hiding the Hacking at HealthCare.gov

At least Target informed its customers of the security breach, as it is required by federal law to do. HealthCare.gov faces no such requirement; it need never notify customers that their personal information has been hacked or possibly compromised. The Department of Health and Human Services was specifically asked to include a notification requirement in the rules it designed for the health-care exchanges, but HHS declined.

Of course, they did…

Nobody’s This Stupid and Incompetent…

All you can do is sit back and laugh at the absurdness of it all…

Imagine the hours upon hours of bickering we’ll see between government bureaucrats and insurance company officials before, or if, this gets resolved. No one can possibly believe that the Obama administration won’t capitalize on this new opportunity to bully the industry it loves to hate. (Aside: I wonder how the folks in the insurance business who salivated over “all those new customers” they would gain feel about being in bed with Team Obama now?)

Months ago, we learned that HealthCare.gov enrollees will be on the “honor system” in submitting their personal and income data. Now we discover that the Internal Revenue Service, which is supposed to at least apply a sniff test to what users submit, “doesn’t have the system to check what your income is, to see what subsidies you are eligible for,” opening up the potential for massive fraud. Anyone who believes it can’t happen isn’t aware of the IRS’s multibillion-dollar failure to stop illegal aliens from taking bogus child-care credits.

President Barack Obama has done very little to ensure that his “signature achievement” would get off the ground successfully. How little? Try “almost nothing.” According to a study by the Government Accountability Institute, the president only met with Health and Human Services Secretary Kathleen Sebelius one time since the Affordable Care Act became law. That was way back on April 21, 2010 — and even that was a joint meeting with then-Treasury Secretary Tim Geithner.

Meanwhile, this non-working clunker’s waste, likely fraud, and cronyism will almost certainly send its cost over the $1 billion mark — all for a site which some IT experts claim should have cost less than $10 million.

Obamacare’s damage is already spreading to the rest of the economy. Large-company CEOs are saying that the uncertainties it is imposing are “harming the economic rebound.” (Yeah, I know. What economic rebound?) Black Friday weekend’s pathetic sales results make the concern I expressed several weeks ago that we could see a no-growth fourth quarter all too real.

This enterprise’s screw-ups, missed assignments, unaddressed problems and management failures have collectively created a level of disarray I have not seen in my lifetime — one which promises to sustain itself well into next year, if not longer. It’s likely that all we’ve seen so far represents the very small tip of a huge iceberg aimed straight at the economy and our civil society. Just wait until consumers get turned away because there’s no record of their enrollment, doctors and hospitals don’t get paid, and the frauds begin to be exposed.

Mesmerizingly Brilliant…

No security ever built into Obamacare site

It could take a year to secure the risk of “high exposures” of personal information on the federal Obamacare online exchange, a cybersecurity expert told CNBC on Monday.

“When you develop a website, you develop it with security in mind. And it doesn’t appear to have happened this time,” said David Kennedy, a so-called “white hat” hacker who tests online security by breaching websites. He testified on Capitol Hill about the flaws of HealthCare.gov last week.

“It’s really hard to go back and fix the security around it because security wasn’t built into it,” said Kennedy, chief executive of TrustedSec. “We’re talking multiple months to over a year to at least address some of the critical-to-high exposures on the website itself.”

According to the Department of Health and Human Services, which oversaw the implementation of the website, the components used to build the site are compliant with standards set by Federal security authorities.

“The privacy and security of consumers’ personal information are a top priority for us. Security testing happens on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” said the spokesperson.

Another online security expert—who spoke at last week’s House hearing and then on CNBC—said the federal Obamacare website needs to be shut down and rebuilt from scratch. Morgan Wright, CEO of Crowd Sourced Investigations said: “There’s not a plan to fix this that meets the sniff test of being reasonable.”

Internet Engineers Plan a Fully Encrypted Internet

MITTech

Bet it won’t take nearly as long as the ObamaCare website roll-out…

In response to the public outcry over mass Internet surveillance by the National Security Agency (NSA), the engineers who develop the protocols that underpin the Internet are deep into an effort to encrypt all Web traffic, and expect to have a revamped system ready to roll out by the end of next year.

The effort, by the Internet Engineering Task Force, or IETF, an informal organization of engineers that changes Internet code and operates by rough consensus, involves HTTP, or hypertext transfer protocol, which governs information exchanges between the Web browser on your phone and computer and the servers that hold the data of the website you are visiting.

Leaked documents brought to light by former NSA contractor Edward Snowden suggest the NSA routinely harvests and stores huge amounts of information from major cloud computing platforms and wireless carriers. Today, much of the Web traffic between your device and Web server is not encrypted unless websites choose to use a variant of the HTTP protocol called HTTPS—which includes an encryption step, called transport layer security. This is commonly used by banks, e-commerce sites, and by some big sites, including Google and Facebook. (If a website’s address starts with “https://” it already uses encryption.)

The IETF change would introduce encryption by default for all Internet traffic. And the work to make this happen in the next generation of HTTP, called HTTP 2.0, is proceeding “very frantically,” says Stephen Farrell, a computer scientist at Trinity College in Dublin who is part of the project.

The hope is that a specification will be ready by the end of 2014. It would then be up to websites to actually adopt the technology, which is not mandatory.

Changing IP address to access public website ruled violation of US law

ArsTechnica

Changing your IP address or using proxy servers to access public websites you’ve been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving Craigslist and 3taps.

The legal issue is similar to one in the Aaron Swartz case, in which there was debate over whether Swartz “had committed an unauthorized access under the CFAA when he changed his IP address to circumvent IP address blocking imposed by system administrators trying to keep Swartz off the network,” law professor Orin Kerr wrote yesterday on the Volokh Conspiracy blog.

The ruling in Craigslist v. 3taps (PDF) is the first “directly addressing the issue,” Kerr wrote. 3taps drew Craigslist’s ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps’ systems.

“3taps bypassed that technological barrier by using different IP addresses and proxy servers to conceal its identity and continued scraping data,” wrote Judge Charles Breyer of US District Court in Northern California. Craigslist subsequently accused 3Taps of violating the CFAA, which “imposes criminal penalties on any person who, among other prohibitions, ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information from any protected computer.’”

Makes Me Yearn For a Car From the 70s…

Hackers Reveal Nasty New Car Attacks–With Me Behind The Wheel

This fact, that a car is not a simple machine of glass and steel but a hackable network of computers, is what Miller and Valasek have spent the last year trying to demonstrate. Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.

The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry’s security problems before malicious hackers get under the hoods of unsuspecting drivers. The need for scrutiny is growing as cars are increasingly automated and connected to the Internet, and the problem goes well beyond Toyota and Ford. Practically every American carmaker now offers a cellular service or Wi-Fi network like General Motors’ OnStar, Toyota’s Safety Connect and Ford’s SYNC. Mobile-industry trade group the GSMA estimates revenue from wireless devices in cars at $2.5 billion today and projects that number will grow tenfold by 2025. Without better security it’s all potentially vulnerable, and automakers are remaining mum or downplaying the issue.

As I drove their vehicles for more than an hour, Miller and Valasek showed that they’ve reverse-engineered enough of the software of the Escape and the Toyota Prius (both the 2010 model) to demonstrate a range of nasty surprises: everything from annoyances like uncontrollably blasting the horn to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers. Finally they directed me out to a country road, where Valasek showed that he could violently jerk the Prius’ steering at any speed, threatening to send us into a cornfield or a head-on collision. “Imagine you’re driving down a highway at 80,” Valasek says. “You’re going into the car next to you or into oncoming traffic. That’s going to be bad times.”
